linagora / openpaas-esn

Open PaaS Enterprise Social Network
http://open-paas.org

LDAP: Cross authentication with James server #51

Closed alexcustos closed 5 years ago

alexcustos commented 5 years ago

Each part is working well, but not together for some reason. I'm using the default docker-compose.yml with linagora/james-ldap-project:latest image. Here's a good example of working LDAP directory structure https://github.com/linagora/james-project/blob/master/server/data/data-ldap/src/test/resources/ldif-files/populate.ldif.

On the one side of the issue, James server refuses to authenticate users using james-user@james.org as login but works well with just james-user and password. On the other side, OpenPaaS accepts only emails as login. At first look, it appears to be a simple configuration issue, but I already ran out of good ideas.

In brief: 1) It seems James server ignores the defaultDomain and domainNames/domainName settings, so it considers the uid attribute literally as the login. 2) Trying to authenticate against the mail attribute or to make a uid that looks like an email works, but James refuses to deliver emails locally with a 5.1.1 Unknown user: ... error. 3) OpenPaaS holds LDAP settings at the domain level, so it's reasonable to expect that it could extend the uid attribute properly, but it doesn't. 4) Using mail as the Username field populates an account which James accepts but can't work with properly, as described in (2).

rouazana commented 5 years ago

Hi. The default docker-compose configuration file is based on a non-LDAP configuration. If you want to enable LDAP configuration, you need to modify the userrepository.xml file to configure it with the LDAP connection. See James' documentation: http://james.apache.org/server/config-users.html

alexcustos commented 5 years ago

@rouazana Hello, thank you for the answer. It's good to know that OpenPaaS should work with an LDAP James server somehow. Can you please confirm that linagora/james-ldap-project:latest is the broken image? Should I recompile it from the master branch or use the Apache repository instead?

Anyway, could you please provide me with an LDAP directory structure for a multi-domain configuration? It seems to be the only problem, because my James server refuses to accept emails as login or doesn't work with such accounts properly. The following URL is the only relevant document I found, but it's not helping a lot: https://james.apache.org/server/archive/usingLDAP_v1_2.html. It's hard to find something useful because Google shows random examples with James as a person's name.

rouazana commented 5 years ago

The image is not broken, you just need to configure it correctly to support LDAP authentication. See my previous answer, which already explains which file you need to modify and where the documentation for this file is.

alexcustos commented 5 years ago

That part is working perfectly for me too. My only issue is with making James accept authentication in the way that OpenPaaS likes. Let me start from the beginning. Here is my userrepository.xml:

<repository name="LocalUsers"
    ldapHost="ldap://ldap.example.com:389"
    principal="cn=admin,dc=example,dc=com"
    credentials="password"
    userBase="ou=people,dc=example,dc=com"
    userIdAttribute="uid"
    userObjectClass="inetOrgPerson"
    maxRetries="4"
    retryStartInterval="0"
    retryMaxInterval="8"
    retryIntervalScale="1000"/>

Here is my directory structure:

dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: ou=people,dc=example,dc=com
ou: people
objectClass: organizationalUnit

dn: uid=alex,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alex
cn: Alex Example
sn: Example
mail: alex@example.com
userPassword: {SSHA}...
description: Example user

And what I receive: 1) SMTP authentication works well with AUTH PLAIN base64(\0alex\0password), and James works as expected, but OpenPaaS refuses to accept alex as login; 2) SMTP doesn't accept AUTH LOGIN at all, failing with 501 Could not decode parameters for AUTH LOGIN; 3) When I set uid=alex@example.com, I can authenticate to both OpenPaaS and James with AUTH PLAIN base64(\0alex@example.com\0password), but James fails to accept local emails with 5.1.1 Unknown user: alex@example.com.

As far as I can see, the issue is not related to James or OpenPaaS directly. James just processes the LDAP directory in some way I can't figure out. And neither the documentation nor the examples provided are helping with this issue.

rouazana commented 5 years ago

Did you simply try:

    userIdAttribute="mail"

It should work in every case.

rouazana commented 5 years ago

Oh and also in James you need to activate virtualHosting. That would give you:

<repository name="LocalUsers"
    ldapHost="ldap://ldap.example.com:389"
    principal="cn=admin,dc=example,dc=com"
    credentials="password"
    userBase="ou=people,dc=example,dc=com"
    userIdAttribute="mail"
    userObjectClass="inetOrgPerson"
    maxRetries="4"
    retryStartInterval="0"
    retryMaxInterval="8"
    retryIntervalScale="1000">
    <supportsVirtualHosting>true</supportsVirtualHosting>
</repository>

alexcustos commented 5 years ago

@rouazana Thank you very much! Enabling virtual hosting with mail ID resolved the issue.
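The thread boils down to one consistency rule: the LDAP attribute named by userIdAttribute must yield a full address when OpenPaaS is the client, and a full-address login only delivers locally once virtual hosting is on for a domain James serves. The check below, added here as an example and not code from this project or from Apache James, reads a userrepository.xml fragment and an LDIF dump and reports which of the three situations seen above (uid login, e-mail login without virtual hosting, unserved domain) each user falls into; the sample config and LDIF are constructed, and the rules are assumptions drawn from the discussion rather than a reimplementation of James.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample config (the thread's fragment, closing tag fixed) and LDIF entry.
USERREPOSITORY_XML = """<repository name="LocalUsers"
    userIdAttribute="mail" userObjectClass="inetOrgPerson">
    <supportsVirtualHosting>true</supportsVirtualHosting>
</repository>"""

POPULATE_LDIF = """dn: uid=alex,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alex
mail: alex@example.com
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, one 'attr: value' per line."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def login_identities(config_xml, ldif_text, served_domains):
    """Derive the login James sees for each LDIF user and flag the mismatches from
    this thread (assumptions from the discussion, not James code): OpenPaaS needs an
    e-mail login; that needs virtual hosting and a served domain, else 5.1.1."""
    repo = ET.fromstring(config_xml)
    id_attr = repo.get("userIdAttribute", "uid")
    vhost = (repo.findtext("supportsVirtualHosting") or "false").lower() == "true"
    results = []
    for entry in parse_ldif(ldif_text):
        if repo.get("userObjectClass") not in entry.get("objectClass", []):
            continue
        login = entry.get(id_attr, [""])[0]
        _, at, domain = login.rpartition("@")
        problems = []
        if not at:
            problems.append("login has no domain part; OpenPaaS rejects it")
        elif not vhost:
            problems.append("e-mail login without virtual hosting; expect 5.1.1 Unknown user")
        elif domain not in served_domains:
            problems.append("domain not served by James; expect 5.1.1 Unknown user")
        results.append({"dn": entry["dn"][0], "login": login, "problems": problems})
    return results

def sasl_plain(identity, password):
    """AUTH PLAIN initial response (RFC 4616) as used in the thread's SMTP tests."""
    return base64.b64encode(f"\0{identity}\0{password}".encode()).decode()
```

Run `login_identities(USERREPOSITORY_XML, POPULATE_LDIF, {"example.com"})` to see the working configuration report no problems, then swap userIdAttribute back to uid or set supportsVirtualHosting to false to reproduce the two failure modes described in the thread.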