# iRedmail and pure-ftpd with openldap backend



## spring_64 (Jun 7, 2017)

Hi all,
I installed iRedMail 0.9.6 with the LDAP backend, and after that I installed pure-ftpd. The problem is that I can't connect from a client.
These are my configs:


```
#hostname -f
server1.example.com
```
# ldap.conf

```
# OpenLDAP client-library defaults (libldap): plain ldap:// to slapd on loopback.
BASE    dc=example,dc=com
URI     ldap://127.0.0.1:389
# Trust anchor for TLS connections. This is the same file slapd serves as its own
# certificate (TLSCertificateFile in slapd.conf), i.e. the cert is its own CA.
TLS_CACERT /etc/ssl/certs/iRedMail.crt
```
# slapd.conf

```
# Schemas.
include     /usr/local/etc/openldap/schema/core.schema
include     /usr/local/etc/openldap/schema/corba.schema
include     /usr/local/etc/openldap/schema/cosine.schema
include     /usr/local/etc/openldap/schema/inetorgperson.schema
include     /usr/local/etc/openldap/schema/nis.schema
# Amavisd-new schema.
include     /usr/local/etc/openldap/schema/amavisd-new.schema
# iRedMail schema.
include     /usr/local/etc/openldap/schema/iredmail.schema
# pure-ftpd schema: needed for the objectClass PureFTPdUser used in the
# LDAPFilter of pureftpd-ldap.conf and for the FTP* attributes indexed at the
# end of this file.
include /usr/local/etc/openldap/schema/pureftpd.schema

# Where the pid file is put. The init.d script will not stop the
# server if you change this.
pidfile     /var/run/openldap/slapd.pid

# List of arguments that were passed to the server
argsfile    /var/run/openldap/slapd.args

modulepath  /usr/local/libexec/openldap
moduleload  back_mdb

# Support password verification with SSHA512. Require OpenLDAP-2.4.32 or later.
moduleload  pw-sha2

# The syncprov overlay
#moduleload syncprov.la

# TLS files.
TLSCACertificateFile /etc/ssl/certs/iRedMail.crt
TLSCertificateFile /etc/ssl/certs/iRedMail.crt
TLSCertificateKeyFile /etc/ssl/private/iRedMail.key

# Disallow bind as anonymous.
disallow    bind_anon

# Uncomment below line to allow binding as anonymous.
#allow bind_anon_cred

# Specify LDAP protocol version.
require     LDAPv3
#allow       bind_v2

# Log level.
#   -1:     enable all debugging
#    0:     no debugging
#   128:    access control list processing
#   256:    stats log connections/operations/results
loglevel    256

# Access Control
# Allow users to change their own passwords and mail forwarding addresses.
# NOTE(review): cn=vmail's read grant on userPassword below is what lets
# pure-ftpd (LDAPBindDN cn=vmail, LDAPAuthMethod PASSWORD in pureftpd-ldap.conf)
# fetch the stored hash and verify FTP logins itself.
access to attrs="userPassword,mailForwardingAddress,storageBaseDirectory,homeDirectory,mailMessageStore"
    by anonymous    auth
    by self         write
    by dn.exact="cn=vmail,dc=example,dc=com"   read
    by dn.exact="cn=vmailadmin,dc=example,dc=com"  write
    by users        none
# Allow to read others public info.
access to attrs="cn,sn,gn,givenName,telephoneNumber"
    by anonymous    auth
    by self         write
    by dn.exact="cn=vmail,dc=example,dc=com"   read
    by dn.exact="cn=vmailadmin,dc=example,dc=com"  write
    by users        read

# Domain attrs.
# NOTE(review): the attrs="..." list on the next line has no closing quote in
# this post; it is probably cut off by the paste. Check the real file (the same
# applies to the "User attrs." rule further down).
access to attrs="objectclass,domainName,mtaTransport,enabledService,domainSenderBccAddress,domainRecipientBccAddress,domainBackupMX,domainMaxQuotaSize
    by anonymous    auth
    by self         read
    by dn.exact="cn=vmail,dc=example,dc=com"   read
    by dn.exact="cn=vmailadmin,dc=example,dc=com"  write
    by users        read

access to attrs="domainAdmin,domainGlobalAdmin,domainSenderBccAddress,domainRecipientBccAddress"
    by anonymous    auth
    by self         read
    by dn.exact="cn=vmail,dc=example,dc=com"   read
    by dn.exact="cn=vmailadmin,dc=example,dc=com"  write
    by users        none

# User attrs.
# NOTE(review): this rule is truncated in the post (missing closing quote, and
# the last clause is cut to "by us"); confirm the closing quote and the intended
# "by users ..." clause in the actual file.
access to attrs="employeeNumber,mail,accountStatus,domainStatus,userSenderBccAddress,userRecipientBccAddress,mailQuota,backupMailAddress,shadowAddress
    by anonymous    auth
    by self         read
    by dn.exact="cn=vmail,dc=example,dc=com"   read
    by dn.exact="cn=vmailadmin,dc=example,dc=com"  write
    by us
access to dn="cn=vmail,dc=example,dc=com"
    by anonymous                    auth
    by self                         write
    by users                        none

access to dn="cn=vmailadmin,dc=example,dc=com"
    by anonymous                    auth
    by self                         write
    by users                        none

#
# Allow users to access their own domain subtree.
# Allow domain admin to modify accounts under same domain.
#
# NOTE(review): no earlier rule names the FTP* attributes, so for a user entry
# under o=domains this is the first matching rule and "by self write" lets a
# user modify their own FTPHomeDir/FTPuid/FTPgid/FTPStatus/quota attributes,
# i.e. the values pure-ftpd reads for that user's home directory (LDAPHomeDir
# FTPHomeDir in pureftpd-ldap.conf) and, presumably, uid/gid. If that is not
# intended, add an "access to attrs=..." rule above this one that grants self
# read only (cn=vmail read, cn=vmailadmin write), like the mail attr rules above.
#
access to dn.regex="domainName=([^,]+),o=domains,dc=example,dc=com$"
    by anonymous                    auth
    by self                         write
    by dn.exact="cn=vmail,dc=example,dc=com"   read
    by dn.exact="cn=vmailadmin,dc=example,dc=com"  write
    by dn.regex="mail=[^,]+@$1,o=domainAdmins,dc=example,dc=com$" write
    by dn.regex="mail=[^,]+@$1,ou=Users,domainName=$1,o=domains,dc=example,dc=com$" read
    by users                        none

#
# Grant correct privileges to vmail/vmailadmin.
# cn=vmail's read on this subtree is what allows pure-ftpd's search under
# LDAPBaseDN o=domains,dc=example,dc=com.
#
access to dn.subtree="o=domains,dc=example,dc=com"
    by anonymous                    auth
    by self                         write
    by dn.exact="cn=vmail,dc=example,dc=com"    read
    by dn.exact="cn=vmailadmin,dc=example,dc=com"  write
    by users                        none

access to dn.subtree="o=domainAdmins,dc=example,dc=com"
    by anonymous                    auth
    by self                         write
    by dn.exact="cn=vmail,dc=example,dc=com"    read
    by dn.exact="cn=vmailadmin,dc=example,dc=com"  write
    by users                        none

#
# Set permission for "cn=*,dc=example,dc=com".
#
access to dn.regex="cn=[^,]+,dc=example,dc=com"
    by anonymous                    auth
    by self                         write
    by users                        none

#
# Set default permission.
#
access to *
    by anonymous                    auth
    by self                         write
    by users                        read

#######################################################################
# Databases
#######################################################################
database    mdb
suffix      dc=example,dc=com
directory   /var/db/openldap-data/example.com

rootdn      cn=Manager,dc=example,dc=com
#rootdn      cn=vmail,dc=example,dc=com
# NOTE(review): this hash is now public (it was posted together with this
# config); treat the rootdn password as disclosed and change it.
rootpw      {SSHA}m9aX0qGRJZKh4Vsp4/dV9lCgShtwrTZmVYt0XA==

# Specify the maximum number of entries to return from a search operation.
# Defaults to 500. Use `unlimited` to specify no limits.
# NOTE(review): the next directive is truncated in the post ("siz", presumably
# sizelimit); confirm in the file.
siz
# Default indexes.
#
index objectclass,entryCSN,entryUUID                eq
index uidNumber,gidNumber,uid,memberUid,loginShell  eq,pres
index homeDirectory,mailMessageStore                eq,pres
index ou,cn,mail,surname,givenname,telephoneNumber,displayName  eq,pres,sub
index nisMapName,nisMapEntry                        eq,pres,sub
index shadowLastChange                              eq,pres

#
# Index for mail attrs.
#
# Domain object
index domainName,mtaTransport,accountStatus,enabledService,disabledService  eq,pres,sub
index domainAliasName    eq,pres,sub
index domainMaxUserNumber eq,pres
index domainAdmin,domainGlobalAdmin,domainBackupMX    eq,pres,sub
index domainSenderBccAddress,domainRecipientBccAddress  eq,pres,sub

# Group object
index accessPolicy,hasMember,listAllowedUser   eq,pres,sub

# User object
index mailForwardingAddress,shadowAddress   eq,pres,sub
index backupMailAddress,memberOfGroup   eq,pres,sub
index userRecipientBccAddress,userSenderBccAddress  eq,pres,sub

# Index for pure-ftpd attrs (FTP*, from pureftpd.schema).
index FTPQuotaFiles,FTPQuotaMBytes eq,pres
index FTPUploadRatio,FTPDownloadRatio eq,pres
index FTPUploadBandwidth,FTPDownloadBandwidth eq,pres
index FTPStatus,FTPuid,FTPgid,FTPHomeDir eq,pres
```
# pureftpd-ldap.conf

```
# pure-ftpd LDAP backend configuration.
#
# Plain ldap:// on port 389: the bind password and the userPassword values
# fetched with LDAPAuthMethod PASSWORD travel unencrypted, which is acceptable
# only because the server is local. A remote slapd would need ldaps/TLS.
# NOTE(review): in the lftp session "localhost" resolved to ::1 on this box;
# if slapd only listens on 127.0.0.1 (as ldap.conf's URI suggests), use
# 127.0.0.1 here too — confirm against slapd's listen URLs.
LDAPScheme ldap
LDAPServer localhost
LDAPPort   389
# Search base is the iRedMail domains subtree; cn=vmail has read on it
# (access to dn.subtree="o=domains,dc=example,dc=com" in slapd.conf).
LDAPBaseDN o=domains,dc=example,dc=com
LDAPBindDN cn=vmail,dc=example,dc=com
# NOTE(review): this bind password was published in clear text with this post;
# rotate it (the same DN is used throughout the slapd.conf ACLs).
LDAPBindPW 3718643a9df486241acceaeab5f8f9eb
# Presumably the uid/gid applied when the entry provides none — confirm in
# pure-ftpd's LDAP documentation.
LDAPDefaultUID 2000
LDAPDefaultGID 2000
# \L is replaced by the login name (here the full address, e.g.
# user1@example.com). The entry must also carry objectClass PureFTPdUser and
# FTPStatus=enabled, otherwise the search returns nothing and the login fails.
# A quick check: run ldapsearch bound as cn=vmail with this filter.
LDAPFilter (&(objectClass=PureFTPdUser)(mail=\L)(FTPStatus=enabled))
# Attribute whose value becomes the FTP home directory (from pureftpd.schema).
LDAPHomeDir FTPHomeDir
LDAPVersion 3
# PASSWORD: pure-ftpd reads userPassword via the bind DN (cn=vmail has read on
# it in slapd.conf) and verifies the hash itself, so it must understand the
# stored hash scheme. BIND re-binds as the user's DN and lets slapd verify the
# password with whatever scheme it supports (pw-sha2 is loaded there).
# NOTE(review): if the stored hashes are SSHA512, confirm pure-ftpd's PASSWORD
# method supports that scheme, or switch to BIND.
LDAPAuthMethod PASSWORD
```

*PROBLEM*

```
root@client:~ # lftp localhost
lftp localhost:~> debug 4                     
lftp localhost:~> login user1@example.com
Password:
lftp user1@example.com@localhost:~> ls
---- Connecting to localhost (::1) port 21
<--- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
<--- 220-You are user number 1 of 50 allowed.
<--- 220-Local time is now 18:03. Server port: 21.
<--- 220 You will be disconnected after 15 minutes of inactivity.
<--- 211-Extensions supported:
<---  EPRT
<---  IDLE
<---  MDTM
<---  SIZE
<---  MFMT
<---  REST STREAM
<---  MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
<---  MLSD
<---  AUTH TLS
<---  PBSZ
<---  PROT
<---  UTF8
<---  ESTA
<---  PASV
<---  EPSV
<---  SPSV
<---  ESTP
<--- 211 End.
<--- 500 This security scheme is not implemented
<--- 200 OK, UTF-8 enabled
<--- 200  MLST OPTS type;size;sizd;modify;UNIX.mode;UNIX.uid;UNIX.gid;unique;
<--- 331 User user1@example.com OK. Password required
`ls' at 0 [Sending commands...]


<--- 530 Login authentication failed
ls: Login failed: 530 Login authentication failed
<--- 530 You aren't logged in
lftp user1@example.com@localhost:~>
<--- 221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
<--- 221 Logout.
lftp user1@example.com@localhost:~>
```


----------

