[enhancement]: Groups are not working without memberOf and objectClass #764

Open
1 task done
jejbq opened this issue Sep 17, 2024 · 0 comments
Labels
enhancement New feature or request

Comments


jejbq commented Sep 17, 2024

Which feature or improvement would you like to request?

Groups are not working without memberOf and objectClass

Is your feature request related to a problem?

We are experiencing several challenges while configuring the Stalwart Mail Server with both OpenLDAP and Active Directory, particularly concerning group management. Below are the details of the issues we have encountered:

OpenLDAP Integration (useless without memberOf):

  • We are encountering difficulties utilizing the memberOf overlay when employing slapadd to construct our LDAP from scratch using an LDIF feed. This approach fails to populate the memberOf attribute, which is crucial for effective group management, as Stalwart currently relies on this attribute for determining group membership instead of retrieving all groups from LDAP.

https://www.openldap.org/lists/openldap-technical/201112/msg00074.html

```toml
directory.openldap.attributes.class = "objectClass"
directory.openldap.attributes.description = "cn"
directory.openldap.attributes.email = "mail"
directory.openldap.attributes.email-alias = "mailAlias"
directory.openldap.attributes.groups = "memberOf"
directory.openldap.attributes.name = "uid"
directory.openldap.attributes.quota = "diskQuota"
directory.openldap.attributes.secret = "userPassword"
directory.openldap.base-dn = "dc=example,dc=com"
directory.openldap.bind.auth.dn = "uid=?,ou=users,dc=example,dc=com"
directory.openldap.bind.auth.enable = true
directory.openldap.bind.dn = "uid=user,ou=users,dc=example,dc=com"
directory.openldap.filter.name = "(&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=groupOfNames))(uid=?))"
directory.openldap.filter.email = "(&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=groupOfNames))(|(mail=?)(mailAlias=?)(mailList=?)))"
directory.openldap.filter.domains = "(&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=groupOfNames))(|(mail=*@?)(mailAlias=*@?)))"
directory.openldap.filter.expand = "(&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=groupOfNames))(mailList=?))"
directory.openldap.filter.verify = "(&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=groupOfNames))(|(mail=*?*)(mailAlias=*?*)))"
directory.openldap.type = "ldap"
directory.openldap.url = "ldaps://ldap.example.com:636"
```

Active Directory Integration: (useless without groups):

  • Stalwart is misidentifying groups as individual users, which causes significant complications in access control and group management. All groups listed in the memberOf attribute are being treated as users instead of distinct groups. In Active Directory, users are identified by their cn (Common Name) format, which typically includes their first and last names, rather than by uid (Login). As a result, the directory.ad.filter.email functionality does not work for groups, since it relies on the uid attribute for filtering.

```toml
directory.ad.attributes.class = "objectClass"
directory.ad.attributes.description = "displayName"
directory.ad.attributes.email = "mail"
directory.ad.attributes.email-alias = "userPrincipalName"
directory.ad.attributes.groups = "memberOf"
directory.ad.attributes.name = "sAMAccountName"
directory.ad.attributes.secret = "userPassword"
directory.ad.base-dn = "DC=ad,DC=example,DC=com"
directory.ad.bind.auth.dn = "?@ad.example.com"
directory.ad.bind.auth.enable = true
directory.ad.bind.dn = "AD\\Administrator"
directory.ad.filter.domains = "(&(|(objectClass=person)(objectClass=group))(|(mail=*@?)(userPrincipalName=*@?)))"
directory.ad.filter.email = "(&(|(objectClass=person)(objectClass=group))(|(mail=?)(userPrincipalName=?)))"
directory.ad.filter.expand = "(&(|(objectClass=person)(objectClass=group))(userPrincipalName=?))"
directory.ad.filter.name = "(&(|(objectClass=person)(objectClass=group))(sAMAccountName=?))"
directory.ad.filter.verify = "(&(|(objectClass=person)(objectClass=group))(|(mail=*?*)(userPrincipalName=*?*)))"
directory.ad.type = "ldap"
directory.ad.url = "ldaps://ldap.example.com:636"
```

```text
Operation not allowed
LDAP directory cannot be managed. Only internal directories support inserts and update operations.
```

Additionally, email addresses are not retrieved from LDAP during the login process. It's unfortunate that mixed authentication—both local and LDAP—is not supported. This limitation prevents the creation of internal groups that can include LDAP users. Furthermore, I find it concerning that Stalwart returns a 500 error when an incorrect password is entered.

Logs are not very useful even in trace mode:

```text
"{"type":"about:blank","status":401,"title":"Unauthorized","detail":"You have to authenticate first."}", code = 401,
LDAP query executed
details = "(&(|(objectClass=person)(objectClass=group))(sAMAccountName=user))", result = ["ResultEntry(StructureTag { class: Application, id: 4, payload: C([StructureTag { class: Universal, id: 4, payload: P([...
```

Code of Conduct

  • I agree to follow this project's Code of Conduct
@jejbq jejbq added the enhancement New feature or request label Sep 17, 2024
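The two problems in this report share one root: membership is read only from the user's `memberOf` attribute, and entries are not classified by `objectClass` before being treated as users. The following is an added example (not Stalwart's code, and not from the reporter) showing the alternative the report asks for: derive group membership from the groups' own `member`, `uniqueMember` and `memberUid` attributes, which are present even in a directory built with `slapadd` where the `memberOf` overlay never ran, and separate user entries from group entries by their object classes. The LDIF input, the DNs and the class lists are constructed for the example; the class names are the standard OpenLDAP (`posixAccount`, `groupOfNames`, `posixGroup`) and AD (`person`, `group`) ones already used in the filters above.

```python
"""Derive group membership without a memberOf attribute.

Added example, not part of Stalwart. Parses a small constructed LDIF
export, classifies each entry as a user or a group by objectClass, and
computes user -> groups from the groups' own membership attributes.
"""
from collections import defaultdict

# Constructed sample directory: two users, one groupOfNames, one posixGroup.
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
uid: alice
mail: alice@example.com

dn: uid=bob,ou=users,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
uid: bob
mail: bob@example.com

dn: cn=staff,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: staff
mail: staff@example.com
member: uid=alice,ou=users,dc=example,dc=com
member: uid=bob,ou=users,dc=example,dc=com

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 1000
memberUid: alice
"""

# Object classes that mark an entry as a user or a group (OpenLDAP and AD names).
USER_CLASSES = {"posixaccount", "inetorgperson", "person", "user"}
GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "posixgroup", "group"}


def parse_ldif(text):
    """Parse plain (non-base64) LDIF into {dn: {attr_lower: [values]}}.

    Lines starting with a space continue the previous attribute value.
    """
    entries = {}
    current = None
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            current, last_attr = None, None
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[value] = current
            last_attr = None
            continue
        if current is None:
            raise ValueError("attribute line before dn: %r" % raw)
        current[attr].append(value)
        last_attr = attr
    return entries


def classify(entry):
    """Return 'group', 'user' or 'unknown' from the entry's objectClass values.

    Group classes win, so a mail-enabled group is never mistaken for a user
    even when the email filter matches it.
    """
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if classes & GROUP_CLASSES:
        return "group"
    if classes & USER_CLASSES:
        return "user"
    return "unknown"


def derive_member_of(entries):
    """Return {user_dn: sorted group DNs} computed from the group side.

    member/uniqueMember hold DNs; memberUid (posixGroup) holds login names,
    which are resolved through the users' uid attribute.
    """
    canon = {dn.lower(): dn for dn in entries}
    uid_to_dn = {}
    for dn, e in entries.items():
        if classify(e) == "user":
            for uid in e.get("uid", []):
                uid_to_dn[uid.lower()] = dn
    member_of = defaultdict(set)
    for gdn, g in entries.items():
        if classify(g) != "group":
            continue
        for mdn in g.get("member", []) + g.get("uniquemember", []):
            member_of[canon.get(mdn.lower(), mdn)].add(gdn)
        for uid in g.get("memberuid", []):
            udn = uid_to_dn.get(uid.lower())
            if udn:
                member_of[udn].add(gdn)
    return {dn: sorted(groups) for dn, groups in member_of.items()}


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for dn, entry in directory.items():
        print(classify(entry), dn)
    for dn, groups in derive_member_of(directory).items():
        print(dn, "->", groups)
```

The reverse lookup costs one search over the group subtree per login (a filter such as `(|(member=<user dn>)(memberUid=<uid>))`) instead of a read of the user's `memberOf`, but it does not depend on the overlay having been active when the data was loaded, and classifying by `objectClass` first is what keeps a group with a `mail` attribute from being handed to the mailbox code path as if it were a person.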