Stalwart LDAP Directory <-> Kanidm

[ToxicMushroom]

Accounts should show up in stalwart after logging in once
Sadly they cannot receive mails on their aliases without having their primary mail address been queried, either via logging in or via receiving mail on the primary address.

Under Authentication > Settings, Directory should be set to your kanidm-ldap directory. don't miss it like I did
Kanidm users must have posix set kanidm person credential posix set personname to get working ldap.

Configuration

Directory Id: kanidm-ldap
Type: LDAP Directory
URL: ldaps://idm.domain.com:3636
Base DN: dc=idm,dc=domain,dc=tld # You can change this with kanidm system domain set-ldap-basedn
Timeout: 5

Binding

Bind DN: dn=token # Read https://kanidm.github.io/kanidm/stable/integrations/ldap.html#service-accounts for context on this section.
Bind Secret: use a serviceaccount token
Enable Bind Auth: TRUE
Bind Auth DN: identifier=?
Use Auth DN for search: FALSE

TLS

Enable TLS: TRUE
Allow Invalid Certs: FALSE

LDAP Filters

Name: (&(|(objectClass=person))(|(uid=?)(spn=?)(name=?)))
E-mail: (&(objectClass=person)(|(mail=?)))

Object Attributes
Name:

• uid
• spn
• name

Type:

• objectClass

Description:

• description

Secret:

• entryuuid # This will be unused and mapped to a useless existing ldap field since it can't be left out in the current release of stalwart yet.

Groups:

• memberOf

E-mail:

• emailprimary # emailprimary is for old kanidm versions, new versions list mails under mail, with the first entry being the primary.
• mail

E-mail Aliases:

• emailalternative # you can add aliases with kanidm person update --mail primary@domain.tld --mail alias1@domain.tld personname, Or use the profile manager in the web-ui if you're in the idm_people_self_mail_write group.

Debugging

You can sanity check the kanidm LDAP responses in case this guide wasn't updated for a while and things changed:

• ldapsearch -H ldaps://idm.yourdomain.tld:3636 -b 'dc=idm,dc=yourdomain,dc=tld' -D "dn=token" -x '(name=yourpersonname)' -w "service_account_token"

Stalwart needs to be set to TRACE logging to see ldap queries, kanidm logs ldap by default.

Comments with improvements or notes are very welcome !

[kri164]

I have similiar setup with small difference.

LDAP FILTERS
Name: (&(objectClass=posixAccount)(name=?))
Email: (&(objectClass=posixAccount)(mail=?))

OBJECT ATTRIBUTES
Description: displayName

There is one problem. Users with multiple mail addresses cannt login to POP3 or IMAP with error "User already exist".
Have no solution yet. Is you setup working?

[ToxicMushroom]

Mine is working yes. Strange error message

[kri164]

I recreated config and it is wokring now. There was some relict of unconsistent config from my previous attempts.
Thank you for example. Do you publish it in Doc Example section?

[Firstyear]

If your kanidm domain == your mail domain => you could use spn as email address too.

Don't do this, names can change.

[ToxicMushroom]

Yeah, I'll remove it so it does not cause future troubles

[Firstyear]

E-mail: (&(objectClass=person)(|(emailprimary=?)(emailalternative=?)))

There is a "mail" attribute that contains all of these values.

[ToxicMushroom]

Thanks, tested and works, that is simpler :)

[rmsc]

I'd just add that groups in stalwart are useful too. They show up as shared folders in group member's accounts.

I currently have this:

name = "(&(|(class=account)(class=group))(|(uid=?)(spn=?)(name=?)))"
email = "(&(|(class=account)(class=group))(mail=?))"

[rmsc]

Actually not a bad idea, it's just fragile. Some times the group mailbox gets correctly created, others a new individual account in the name of the group gets created.

I don't understand exactly what is happening, but I think it depends on which happens first, user login or receiving e-mails.

[Gabgobie]

Did you ever figure out when or why that happens? Would be great if I could automatically have shared mailboxes created and accessible to group members.

[nivaddo]

is anyone able to update this guide to more in depth?