need virtualmin to add mail attribute to ldap user

Hi all,
I need to set Virtualmin to add the mail attribute to an LDAP user when creating said user in Virtualmin.

I use joomla for a website, with LDAP auth, and it won’t work if the mail attribute isn’t set, and I don’t want to have to do it manually, so can anyone help?

Also, is there any way to modify the templates to change permissions on a sub-domain’s folder, to prevent the Apache 403 errors I’m getting?
Say I have forum.example.com; I have to go chmod a+x forum.example.com, and public_html inside that folder, before Apache will let me see webpages for that domain :frowning:

I use joomla for a website, with LDAP auth, and it won't work if the mail attribute isn't set, and I don't want to have to do it manually, so can anyone help?

There are probably multiple ways to solve this one. I don’t have an LDAP system handy to test on, but I’m betting there’s a way to preconfigure this attribute for new users in the LDAP Server module. But, I might be wrong.

I assume you’ve read through Jamie’s Virtualmin with LDAP guide here:

http://www.virtualmin.com/documentation/id,combining_virtualmin_and_ldap/

Anyway, if there isn’t a way to inject the mail attribute automatically with Virtualmin, you could do it with one of the “Commands to run after changes” options. Look in Webmin->System->Users and Groups->Module Config->Before and after commands. You could use an LDAP command to update the user to add that attribute. There are ENV variables set by Virtualmin when creating and modifying users, so you can make a script to do what you need with the information it needs to do the job…usually in just a line or two. Variables are documented here (though not all variables are set for all situations):

http://www.virtualmin.com/documentation/id,template_variable_listing/

I’m not an expert on LDAP, so I’ll ask Jamie to chime in on this thread.

Also, is there any way to modify the templates to change permissions on a sub-domain's folder, to prevent the Apache 403 errors I'm getting? Say I have forum.example.com; I have to go chmod a+x forum.example.com, and public_html inside that folder, before Apache will let me see webpages for that domain :(

Apache isn’t getting group membership set correctly. I’m not sure how that’s done in LDAP…but I would think it would be covered by the docs Jamie wrote on the topic, but I might be wrong. In short, Apache gets automatically added to your new virtual server group, which gives it access to the home directories, while allowing them to remain mode 750 (which means no users can see other users’ content, but Apache can see everybody’s).

For LDAP, you can have Virtualmin add the mail attribute to users … assuming that you have already set it up to create users and groups in LDAP, as documented on the page Joe linked to. Just go to System Settings -> Module Config -> Advanced options, and enable the ‘Add mail attribute to LDAP users?’ setting.

Joe wrote:

There are probably multiple ways to solve this one. I don't have an LDAP system handy to test on, but I'm betting there's a way to preconfigure this attribute for new users in the LDAP Server module. But, I might be wrong.

I assume you’ve read through Jamie’s Virtualmin with LDAP guide here:

http://www.virtualmin.com/documentation/id,combining_virtualmin_and_ldap/

Yeah, I followed that guide.

Also, is there any way to modify the templates to change permissions on a sub-domain's folder, to prevent the Apache 403 errors I'm getting? Say I have forum.example.com; I have to go chmod a+x forum.example.com, and public_html inside that folder, before Apache will let me see webpages for that domain :(

Apache isn’t getting group membership set correctly. I’m not sure how that’s done in LDAP…but I would think it would be covered by the docs Jamie wrote on the topic, but I might be wrong. In short, Apache gets automatically added to your new virtual server group, which gives it access to the home directories, while allowing them to remain mode 750 (which means no users can see other users’ content, but Apache can see everybody’s).

I looked, and my user is getting added to the www-data group, but I still get the 403 errors unless my sub-domain’s main folder and its public_html folder are chmod’d a+x (751 I think). So I dunno what’s going on :frowning:

For LDAP, you can have Virtualmin add the mail attribute to users .. assuming that you have already set it up to create users and groups in LDAP, as documented on the page Joe linked to. Just go to System Settings -> Module Config -> Advanced options, and enable the 'Add mail attribute to LDAP users?' setting.
I found that and set it, hope it works

What are the permissions on the sub-domain’s home and public_html directories being set to before you change them?

750 for both, AFAIK. This might just be a bug with Ubuntu, as I’ve heard of a lot of people getting the 403 error, and the fix was to change the permissions to 751. I can set Virtualmin to do that, but only for the public_html folder. I need the home to also be 751 instead of 750, or else Apache will 403 me.

The difference between 750 and 751 is whether Apache is a member of the group that owns the directories in question. Sounds like in your case, it is not. I don’t know how LDAP interacts in that equation.

It looks like the user Apache runs as isn’t being added to the domain’s groups in LDAP. You might want to double-check what that user is (the ps auxwww command will tell you), and then make sure it is in each domain’s group as a secondary member.

Well, from what I can tell, my members are getting added to the apache group; here’s a screenshot from the LDAP Groups part of the LDAP Users & Groups module. As you can see, I have two users, static & spark.

That looks good to me. If you login to the system and run the command "groups www-data", does it show those groups?

Also, if you run "ps axuwwww | grep www-data", does it find the Apache processes?

The first command returns "www-data subversion", and the second command returns the apache processes.

For LDAP, you can have Virtualmin add the mail attribute to users .. assuming that you have already set it up to create users and groups in LDAP, as documented on the page Joe linked to. Just go to System Settings -> Module Config -> Advanced options, and enable the 'Add mail attribute to LDAP users?' setting.
This didn't work, the new user I created (with a domain), doesn't have a mail attribute in their LDAP attributes :(

EDIT: (Reply actually, since EDIT is broke). You have to specify an administrative mailbox when creating a domain for the mail attribute to be set, it won’t set up a default one, like say, username@domain.com

The first command returns "www-data subversion", and the second command returns the apache processes.

Odd, that’s exactly what it should be.
I don’t suppose that restarting Apache perhaps helps?

Nope, tried that multiple times. I don’t suppose it would help if I re-created the apache user/group in LDAP, then delete the system user, do you think that might work?

That shouldn’t be needed - non-LDAP users should still be able to have LDAP secondary groups.

If you like, I can login to your system myself and take a look at this. My email is jcameron@virtualmin.com

Email sent

I don’t see the email … what was the subject line?

The subject line was the name of this topic, and it came from static dot anime at hotmail dot com

Got it, thanks!

After some looking around on your system, I finally found it! In /etc/ldap.conf there is a line nss_initgroups_ignoreusers that lists users for whom secondary groups won’t come from LDAP … and www-data was in that list. Once I removed it, all was good.