# ldap - advice needed

## carpman

Hello, ok setting up a small office mail server to collect external email and deliver locally, plus have access outside the office via webmail, with the normal email client being Thunderbird; sales also use the Sunbird calendar.

When out of the office a user would have access to mail but they will not have access to the address book or calendar, so in an effort to centralize things I will be using WebCalendar, to which Sunbird can subscribe. For the address book ldap looks good, except Thunderbird cannot write to ldap?

Where I am a little lost is just how much I can and should use ldap?

Should I use ldap across the board, as a lot of the software installed can use ldap?

```
curl
apr-util
apache-2
courier-authlib
openssh
cyrus-sasl
postfix
php-5
gnupg
spamassassin
amavisd-new
squirrelmail
webcalender
```

From this lot it looks like the following would be most useful to set up with ldap:

```
openssh
cyrus-sasl
postfix
courier-authlib
squirrelmail
webcalender
```

Not sure if spamassassin and amavisd-new should also be included?

What I want to be able to do is create a local user, have their email collected, processed and delivered to a local inbox; they then use IMAP to view mail, plus a central address book and calendar. Now I could leave things as they are, but that is not good, or just set it up so their default address book is via ldap and also create calendar users manually.

Looking at ldap it seems that if I can get it working it would be better, but I am just not sure how it all ties together?

If I set up the whole system to use ldap, would it just be a case of creating a local user account and then they would be set up in ldap for mail auth, address book and calendar use?

Also, how easy would it be to move the ldap server to another server when I get one?

Currently this is all being done on one server, but later I will have 2 servers to play with, hopefully with the second one being used for some sort of groupware plus a samba server.

cheers

----------

## bunder

*Quote:*

> Should i use ldap across the boards as lot of software installed can use ldap?

depends on how you see it.

install ldap for pam authentication, and if you want ldap support within a certain package (squirrelmail, for instance, can do a central address book), then configure it.  i have the ldap use flag enabled, but i have never configured any daemons to specifically use ldap (besides pam).

----------

## carpman

*bunder wrote:*

> *Quote:* Should i use ldap across the boards as lot of software installed can use ldap?
>
> depends on how you see it.
>
> install ldap for pam authentication, and if you want ldap support within a certain package (squirrelmail, for instance, can do a central address book), then configure it.  i have the ldap use flag enabled, but i have never configured any daemons to specifically use ldap (besides pam).

Thanks for the reply, so if I set up ldap pam authentication, would it then be easier to incorporate other apps that use ldap for authentication if I want and need to?

----------

## bunder

typically most daemons can use pam for authentication, so any other configuration is unnecessary.  

```
daemons (ssh, postfix, courier, apache+squirrelmail ) -> pam -> ldap database (as opposed to /etc/passwd)
```

in the case of squirrelmail and the central database, as long as you are using the ldap use flag, you can run the squirrelmail config script and enable the central database that way.  i'm not too familiar with webcalendar.

hope that helps a little.

----------

## carpman

Thanks for the reply, I found the Gentoo ldap guide but it says it is

*Quote:*

> Disclaimer :  This document is not valid and is not maintained anymore.

from

www.gentoo.org/doc/en/ldap-howto.xml

Is it still ok to use this guide? 

cheers

----------

## bunder

worked fine for me...

cheers

----------

## carpman

*bunder wrote:*

> worked fine for me...
>
> cheers

OK, but what about the migrationtools, as they no longer seem to be in portage?

----------

## bunder

hmm... they say it's broken and whatnot, but i've never had an issue with it.  i almost forgot they removed it.

here you go, straight from the portage-tree archives:

http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-nds/migrationtools/migrationtools-46.ebuild?hideattic=0&sortby=date&view=markup

----------

## carpman

*bunder wrote:*

> hmm... they say its broken and whatnot, but i've never had an issue with it.  i almost forgot they removed it.
>
> here you go, straight from the portage-tree archives:
>
> http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-nds/migrationtools/migrationtools-46.ebuild?hideattic=0&sortby=date&view=markup

Thanks.

I have been going through the howto but have come across a problem: the server this is on is set up as a sub-domain, so I have filled out the configs using the following format:

slapd.conf

```
suffix          "dc=sub,dc=domain,dc=co,dc=uk"
rootdn          "cn=office.admin,dc=domain,dc=co,dc=uk"
```

ldap.conf

```
BASE    dc=sub, dc=domain, dc=co, dc=uk
URI     ldaps://auth.sub.domain.co.uk:636/
```

but I get an error when testing:

```
ldapsearch -D "cn=office.admin,dc=sub,dc=domain,dc=co,dc=uk" -W
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
```

I also tried

```
ldapsearch -D "cn=office.admin,dc=domain,dc=co,dc=uk" -W
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
```

The bit I am not sure about is cn=. I assume this is the email contact, so I have set it to the domain and not the sub-domain email account. Is this correct?

cheers
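An added consistency check over the slapd.conf and ldap.conf fragments in this post (example code, not from the thread or from OpenLDAP); it uses constructed copies of the posted values, and which fields to compare is my own assumption. One caveat first: "Can't contact LDAP server (-1)" is LDAP_SERVER_DOWN, a transport-level failure returned before any bind DN is sent, so the cn= question cannot be its cause; these checks catch the errors that follow once the connection itself works.

```python
# Constructed copies of the fragments posted above (not live config files).
import re

SLAPD_CONF = """
suffix          "dc=sub,dc=domain,dc=co,dc=uk"
rootdn          "cn=office.admin,dc=domain,dc=co,dc=uk"
"""
LDAP_CONF = """
BASE    dc=sub, dc=domain, dc=co, dc=uk
URI     ldaps://auth.sub.domain.co.uk:636/
"""

def parse_conf(text):
    """Map lower-cased directive -> value; slapd.conf quotes DNs, ldap.conf does not."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s+"?([^"]*?)"?\s*$', line)
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf

def normalize_dn(dn):
    """RFC 4514 allows optional spaces after ',', so 'dc=sub, dc=domain' and
    'dc=sub,dc=domain' name the same entry; compare DNs in normalized form."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def dn_within(dn, suffix):
    """True when dn is the suffix itself or an entry beneath it."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return d == s or d.endswith("," + s)

def check(slapd_text, ldap_text, bind_dn):
    """Return findings for the two config fragments plus the DN given to -D."""
    slapd, client = parse_conf(slapd_text), parse_conf(ldap_text)
    findings = []
    if normalize_dn(client["base"]) != normalize_dn(slapd["suffix"]):
        findings.append("BASE in ldap.conf differs from suffix in slapd.conf")
    # slapd.conf(5): rootpw is only honoured when rootdn lies inside the suffix.
    if not dn_within(slapd["rootdn"], slapd["suffix"]):
        findings.append("rootdn is not within the suffix")
    if normalize_dn(bind_dn) != normalize_dn(slapd["rootdn"]):
        findings.append("ldapsearch -D is not the configured rootdn")
    if not client["uri"].startswith("ldaps://"):
        findings.append("URI is not ldaps; a simple bind would cross the wire in clear")
    return findings
```

Run `check(SLAPD_CONF, LDAP_CONF, dn)` with each of the two -D values tried above: the spaces in BASE are harmless after normalization, and only the second DN matches the configured rootdn.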

----------

## bunder

take the spaces out of the ldap.conf.

cheers

----------

## carpman

*bunder wrote:*

> take the spaces out of the ldap.conf.
>
> cheers

Thanks for the reply, I had spaces as that is how it is laid out in the example given in that file. That said, even with the spaces removed I still get the same error:

```
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
```

----------

## bunder

does it work with tls and ssl off?

cheers

----------

