
Allow Open Source MAIA Mailguard to Authenticate Users to a NetWare LDAP Server Using TLS

Commodore
Modifications to the Maia Mailguard anti-spam and anti-virus e-mail gateway that allow users to log in using LDAP authentication against a Novell eDirectory LDAP server.

Our Environment:

OpenSuSE 10.3 with Maia Mailguard mail scanning/gateway software installed (should work with most Linux distributions).


For a good how-to guide on setting up the basic mail gateway, see Stephen Carter's cool solution: SUSE 10 Professional Anti-Spam & Anti-Virus Gateway Build Guide For Beginners: http://www.novell.com/coolsolutions/feature/16093.html
If not using SUSE 10, there may be some minor file location differences between versions and distributions, and you may need to add extra package repositories.


NetWare 6.5 LDAP server - with "requires TLS for simple binds with password" enabled.


Problem:
I wanted to use LDAP for user logins so that we didn't need to migrate users to the gateway machine; it also removes the need to remember to update user lists on that system as users are added or deleted, and users don't have to remember yet another ID and password.

Following the instructions in the open source spam filtering / virus scanner Maia Mailguard, I could not log in using LDAP authentication to our NetWare 6.5 LDAP server because it is configured to "require TLS for simple binds with password".

Login errors reported: could not bind to LDAP, login failed, or a confidentialityRequired error.

An analysis of the TCP/IP traffic shows the server answering the bind request with an LDAP "resultCode: confidentialityRequired" message.

The standard configuration files for Maia Mailguard 1.0.2a (and earlier?) LDAP lookups do not include an option for TLS.

Solution:

Two files need to get modified:

1. /srv/www/htdocs/mail/config.php
2. /srv/www/htdocs/mail/auth.php


config.php (in addition to the changes mentioned in the documentation to enable LDAP authentication):

Find the "Authenticating via LDAP" section and add the following line anywhere within it:

    $auth_ldap_use_tls = "yes";

Then set the following attributes:

Set $auth_ldap_server to your LDAP server's IP address.

Set $auth_ldap_query = "(&(cn=%%USER%%)(objectclass=person))"; this selects only user accounts to authenticate with. Users will log in with their Novell login ID and password.
[Using TLS, you don't need an LDAP user/password or a bind_dn to authenticate the users, because you are not binding directly.]

Set $auth_ldap_base_dn to your base context (the top level to start the search from).

Set $auth_ldap_attribute = "mail"; this retrieves the user's e-mail address from eDirectory and uses it in Maia as the primary e-mail address (it should use the first address listed if there is more than one).

Set $auth_ldap_version = 3; (it may work at the default of 2; I changed it to 3 early on and didn't try changing it back.)



auth.php:

Find the auth_ldap function and add this to the other globals declared there:

    global $auth_ldap_use_tls;

Then, after this code:

    $ldap_conn = ldap_connect($auth_ldap_server)
        or die($lang['error_ldap_connect']);

add:

    # if using tls: attempt to start tls before any bind or search is sent
    if (isset($auth_ldap_use_tls)) {
        @ldap_start_tls($ldap_conn)
            or die('error ldap_start_tls');
    }
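As an added example (not Maia's own auth.php code), here is the complete login sequence that the two edits above produce, written as one stand-alone PHP function. The $auth_ldap_* values, server name and base DN are placeholders for your own environment, and the function adds two things a practitioner would want that the snippet above leaves implicit: the protocol version is set to 3 before ldap_start_tls(), and the login name is escaped before it is substituted into the search filter.

```php
<?php
// Added example (not Maia Mailguard's own auth.php): the STARTTLS-protected LDAP
// login sequence this page describes, as one stand-alone function.
// Assumptions: the $auth_ldap_* names mirror the page's config.php variables; the
// server, base DN and e-mail attribute values are placeholders for your own site.
function maia_style_ldap_login(string $user, string $password): ?string
{
    $auth_ldap_server    = 'ldap.example.internal';   // placeholder: your LDAP server
    $auth_ldap_base_dn   = 'o=example';               // placeholder: your base context
    $auth_ldap_query     = '(&(cn=%%USER%%)(objectclass=person))';
    $auth_ldap_attribute = 'mail';
    $auth_ldap_use_tls   = 'yes';

    // An empty password would turn the final bind into an anonymous bind, which
    // many LDAP servers report as success: refuse it up front.
    if ($password === '') {
        return null;
    }
    $ldap_conn = ldap_connect($auth_ldap_server);
    if ($ldap_conn === false) {
        return null;
    }
    // StartTLS is an LDAPv3 extended operation: select v3 BEFORE ldap_start_tls().
    ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap_conn, LDAP_OPT_REFERRALS, 0);
    if ($auth_ldap_use_tls === 'yes' && !@ldap_start_tls($ldap_conn)) {
        return null;   // handshake refused or failed: never fall back to cleartext
    }
    // Anonymous search under the base DN locates the user's DN (no bind_dn needed);
    // ldap_escape() stops filter metacharacters in the login name altering the query.
    $filter = str_replace('%%USER%%', ldap_escape($user, '', LDAP_ESCAPE_FILTER),
                          $auth_ldap_query);
    $result = @ldap_search($ldap_conn, $auth_ldap_base_dn, $filter, [$auth_ldap_attribute]);
    if ($result === false || ldap_count_entries($ldap_conn, $result) !== 1) {
        return null;   // unknown user, or an ambiguous cn
    }
    $entry = ldap_first_entry($ldap_conn, $result);
    $dn    = ldap_get_dn($ldap_conn, $entry);
    // A simple bind as the user over the now-encrypted session verifies the password.
    if (!@ldap_bind($ldap_conn, $dn, $password)) {
        return null;
    }
    $mail = ldap_get_values($ldap_conn, $entry, $auth_ldap_attribute);
    ldap_unbind($ldap_conn);
    // The first listed address becomes the Maia primary address, as the page says.
    return ($mail !== false && $mail['count'] > 0) ? $mail[0] : null;
}
```

The function returns the user's e-mail address on success and null on any failure, so a caller can treat null as "login denied" without distinguishing the reasons to the user.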



If the mail scanner server is in a DMZ, you will need to add a filter exception on your firewall to allow the LDAP request (TCP port 389) through to the internal network.


Define Exception

    Source Interface Type:       Interface
    Source Interface:            DMZ (Private)
    Source Circuit:              (none)

    Destination Interface Type:  Interface
    Destination Interface:       INTERNAL (Private)
    Destination Circuit:         (none)

    Packet Type:                 LDAP          Protocol:            TCP
    Src Port(s):                 <All>         Dest Port(s):        389
    ACK Bit Filtering:           Disabled      Stateful Filtering:  Enabled

    Src Addr Type:               Host
    Src IP Address:              AAA.BBB.CCC.DDD (mail scanner)
    Dest Addr Type:              Host
    Dest IP Address:             WWW.XXX.YYY.ZZZ (ldap server)
    Logging:                     Disabled
    Comment:                     ldap user lookup from gateway to ldap



Users should now be able to log in to the Maia Mailguard interface with their Novell user name and password, and their e-mail address should be linked automatically.

Mail that had already been quarantined by the gateway will not automatically get linked to their account, but all new mail should be properly associated with the user after initial login.

If you want to associate existing mail in the caches with new users, log into MySQL, connect to the maia database and run the following command:

    update maia_mail_recipients a, users b, maia_mail c set a.recipient_id=b.maia_user_id where a.mail_id=c.id and c.envelope_to=b.email;
5 Comments
Absent Member.
Thanks for the input, we've added it to the 1.0.3 tree.

I don't have LDAP set up right now, so I'd appreciate any testing comments to be sent to the Maia Developers mailing list.
Absent Member.
Running SLES 10 with Stephen Carter's cool solution: SUSE 10 Professional Anti-Spam & Anti-Virus Gateway Build Guide For Beginners.

Not only is this an excellent Spam/Virus Gateway setup, the LDAP authentication works like a charm!

One Question, how would I set it up for multiple ldap servers? - fail over?
Absent Member.

I've read in the Maia forums that they are working on multiple ldap authentication (for different domains) in a future release.

Absent Member.
Will this work to get Maia to authenticate to an LDAP server running within ConsoleOne on SLES 9, or does the LDAP need to reside on NetWare?
Absent Member.
I don't believe that the LDAP would need to reside on NetWare. I have not tested it, as we do not have LDAP running on any of our SLES servers at this point. It should work against any LDAP server; there would be changes required if it wasn't using the same field names as eDirectory.