Improve active.directory.md.
New: upgrade.ubuntu.18.04-20.04.html (DRAFT).
This commit is contained in:
parent 8c9980ece2
commit a76480c70d
@ -39,6 +39,9 @@ To integrate Microsoft Active Directory with iRedMail, you should have:
installed and working properly, listen on port 389 (ldap://) or 636
(ldaps://), and allow LDAP connections from iRedMail server.

If you need to enable LDAP over SSL, please read
[this tutorial](https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority).

## Install iRedMail

Please follow [iRedMail installaion guides](./index.html)
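Review bot: the context line `Please follow [iRedMail installaion guides](./index.html)` carries a typo (installaion → installation) that is worth fixing while this section is edited. The new LDAP-over-SSL sentence should also tell readers that the iRedMail host must trust the CA that issued the domain controller's certificate; without that, the ldaps:// examples further down fail certificate verification and readers are tempted to switch verification off.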
@ -73,10 +76,15 @@ With iRedMail (OpenLDAP backend), we have a low-privileged account
`cn=vmail,dc=xxx,dc=xxx` with read-only privilege. And we suggest you create a
same account `vmail` in AD, with strong and complex password.

__NOTE__: [Dovecot will treat characters as comment after a inline `#`, so
please just don't use `#` in password](https://forum.iredmail.org/post8630.html#p8630)
__NOTES__:

Please make sure this newly created user is able to connect to AD server with
* Dovecot treats characters as comment after a inline `#`, please don't use
`#` in password.
* Seems Windows Server 2019 doesn't like user id without domain part by
default, please create the `vmail` user with your domain name instead. for
example, `vmail@domain.com` (replace `domain.com` by your real domain name).

Make sure this newly created user is able to connect to AD server with
below command on iRedMail server:

```shell
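Review bot: the rewritten first bullet drops the forum reference (https://forum.iredmail.org/post8630.html#p8630) that the removed `__NOTE__` line carried; keep the link so readers can find the background on the `#` comment behaviour. Once the second bullet tells people to create the account as `vmail@domain.com` for Windows Server 2019, the `ldapsearch -D 'vmail'` examples and the Dovecot/SOGo bind settings later in this page should use the UPN form as well, or the bullet should say that the bare name still works on older servers. Wording: `a inline` → `an inline`, and `instead. for example` → `instead, for example`.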
@ -86,6 +94,14 @@ Enter password: password_of_vmail

If it prints all users stored in AD server, then it's working as expected.

If you're using LDAPS, replace `-h ad.example.com` by
`-H ldaps://ad.example.com:636` instead:

```shell
# ldapsearch -x -H ldaps://ad.example.com:636 -D 'vmail' -W -b 'cn=users,dc=example,dc=com'
Enter password: password_of_vmail
```

### Enable LDAP query with AD in Postfix

Disable unused iRedMail special settings:
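Review bot: the new LDAPS example `ldapsearch -x -H ldaps://ad.example.com:636 -D 'vmail' -W -b 'cn=users,dc=example,dc=com'` only succeeds when the client trusts the CA behind the domain controller's certificate; add a sentence on pointing `TLS_CACERT` in the client's `ldap.conf` (or the system trust store) at that CA, so that a TLS failure here is diagnosed as a trust problem rather than worked around. Consider also writing the plain example with `-H ldap://ad.example.com`: `-h` is the deprecated form and recent OpenLDAP client tools drop it in favour of `-H`.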
@ -138,7 +154,7 @@ postconf -e virtual_alias_maps='proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf
example.com dovecot
```

__Note__: `dovecot` used here is a Postfix transport defined in
__Note__: the name `dovecot` used here is a Postfix transport defined in
`/etc/postfix/master.cf`, used to deliver received emails to local user mailboxes.

Run `postmap` so that postfix can read it:
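Review bot: style only; the reworded note reads well, but the context line `Run \`postmap\` so that postfix can read it:` should capitalise Postfix like the rest of the page, and the transport entry `example.com dovecot` would benefit from a short remark that the left-hand key is the mail domain, which is the first thing readers ask about this map.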
@ -182,9 +198,8 @@ result_format = %d/%u/Maildir/
debuglevel = 0
```

__Note__: Here, we hard-code user's mailbox path in
`[domain]/[username]/Maildir/` format (`result_format` parameter). for example:
`example.com/postmaster/Maildir/`.
__Note__: We hard-code user's mailbox path in `result_format =` parameter, it
will be something like `example.com/username/Maildir/`.

* Create file: `/etc/postfix/ad_virtual_group_maps.cf`:

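Review bot: the replacement note is a comma splice and loses the explicit format the old text gave. Suggest: `__Note__: the mailbox path is hard-coded by the \`result_format = %d/%u/Maildir/\` line above, so \`postmaster@example.com\` maps to \`example.com/postmaster/Maildir/\`.` That keeps the `%d`/`%u` meaning visible, which the hunk header shows is what the setting actually contains.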
@ -205,7 +220,7 @@ result_attribute= userPrincipalName
debuglevel = 0
```

__Note__:
__Notes__:

* If your user have email address in both `mail` and `userPrincipalName`, you
will get duplicate result. Comment out `leaf_result_attribute` line will fix it.
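Review bot: `__Notes__:` announces a list but only one bullet is visible in this hunk; if there is only one, `__Note__:` was right. The bullet itself needs grammar fixes: `If your user has an email address in both \`mail\` and \`userPrincipalName\`, you will get duplicate results; commenting out the \`leaf_result_attribute\` line fixes it.`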
@ -279,6 +294,11 @@ dnpass = passwd_of_vmail
base = cn=users,dc=example,dc=com
scope = subtree
deref = never

# Below two are required by command 'doveadm mailbox ...'
iterate_attrs = userPrincipalName=user
iterate_filter = (&(userPrincipalName=*)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = userPassword=password
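Review bot: the comment `# Below two are required by command 'doveadm mailbox ...'` should say what the settings do: `iterate_attrs` and `iterate_filter` are how Dovecot enumerates all users (doveadm's `-A` and similar), so they must yield the same user identifier as `user_filter`, which they do here since both key on `userPrincipalName` and exclude disabled accounts via `userAccountControl:1.2.840.113556.1.4.803:=2`. On the visible context, `pass_attrs = userPassword=password` cannot work against AD, which never returns a password attribute over LDAP; this file only authenticates if `auth_bind = yes` is set above, so either add a comment saying so or drop the `pass_attrs` line to avoid misleading readers.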
@ -288,17 +308,28 @@ user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/,=mail=maildir:~/Maildir/

Restart dovecot service to make it work.

__Note__: we don't have per-user quota limit here, you can set a hard-coded
quota for all users in `/etc/dovecot/dovecot.conf`. For example:
!!! attention

```
plugin {
[... omit other settings here ...]
We don't have per-user quota limit here, you can set a hard-coded
quota for all users in `/etc/dovecot/dovecot.conf`. For example:

# Format: integer number + M/G/T (M -> MB, G -> GB, T -> TB).
quota_rule = *:storage=1G
}
```
```
plugin {
[... omit other settings here ...]

# Format: integer number + M/G/T (M -> MB, G -> GB, T -> TB).
quota_rule = *:storage=1G
}
```

Or, you can modify the `user_attrs =` line to get per-user quota from a
LDAP attribute in AD. For example, query per-user quota limit from
attribute `postOfficeBox` which contain an integer number and treated as
number of gigabytes:

```
user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/,=mail=maildir:~/Maildir/,postOfficeBox=quota_rule=*:storage=%{ldap:postOfficeBox}G
```

Now use command `telnet` to verify AD query after restarted Dovecot service:

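Review bot: the new `!!! attention` admonition does not render. Its body uses a fenced ``` block, and Python-Markdown's fenced_code extension does not process fences inside an indented block such as an admonition, so the generated page (see the matching hunk in active.directory.html) prints literal backticks in a `<p>` and starts the `<pre>` at `# Format:` instead of `plugin {`. Either move the quota example out of the admonition or indent it a further four spaces as an indented code block; the one-line ``` block around `user_attrs = ...postOfficeBox=quota_rule=*:storage=%{ldap:postOfficeBox}G` has the same problem and collapses to inline code. Wording: `which contain an integer number and treated as number of gigabytes` → `which contains an integer that is treated as a number of gigabytes`.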
@ -354,20 +385,30 @@ $config['ldap_public']["global_ldap_abook"] = array(

// mapping of contact fields to directory attributes
'fieldmap' => array(
'name' => 'cn',
'surname' => 'sn',
'firstname' => 'givenName',
'title' => 'title',
'email' => 'mail:*',
'phone:work' => 'telephoneNumber',
'phone:mobile' => 'mobile',
'name' => 'cn',
'displayname' => 'displayName',
'surname' => 'sn',
'firstname' => 'givenName',
'jobtitle' => 'title',
'department' => 'department',
'company' => 'company',
'email' => 'mail:*',
'phone:work' => 'telephoneNumber',
'phone:home' => 'homePhone',
'phone:mobile' => 'mobile',
'phone:workfax' => 'facsimileTelephoneNumber',
'street' => 'street',
'zipcode' => 'postalCode',
'locality' => 'l',
'department' => 'departmentNumber',
'notes' => 'description',
'photo' => 'jpegPhoto',
'phone:pager' => 'pager',
'phone:other' => 'ipPhone',
'street:work' => 'streetAddress',
'zipcode:work' => 'postalCode',
'locality:work' => 'l',
'region:work' => 'st',
'country:work' => 'c',
'notes' => 'description',
'photo' => 'jpegPhoto', // Might be 'thumbnailPhoto' for
// compatibility with some other
// Microsoft software
'website' => 'wWWHomePage',
),
'sort' => 'cn',
'scope' => 'sub',
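Review bot: `'photo' => 'jpegPhoto', // Might be 'thumbnailPhoto' for ...` spreads a comment over three lines inside the array; put it on its own line above the key, and consider making `thumbnailPhoto` the default since that is the attribute Exchange and Outlook populate in AD, with `jpegPhoto` as the alternative. Replacing `'department' => 'departmentNumber'` with `'department' => 'department'` is correct for AD. `'phone:other' => 'ipPhone'` is a reasonable mapping but deserves a one-line comment, as `ipPhone` is the VoIP extension rather than a generic number.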
@ -388,6 +429,95 @@ $config['ldap_public']["global_ldap_abook"] = array(
);
```

## Enable Active Directory integration in SOGo Groupware

Edit SOGo config file `/etc/sogo/sogo.conf`, comment out the LDAP address book
setting added by iRedMail, and add new setting for AD like below:

```
SOGoUserSources = (
{
// Used for user authentication
type = ldap;
id = users;
canAuthenticate = YES;
isAddressBook = NO;
displayName = "LDAP Authentication";

hostname = "ldap://ad.example.com:389"; // <- Set to ldaps://ad.example.com:636 for LDAPS.
baseDN = "cn=users,dc=example,dc=com";
bindDN = "vmail";
bindPassword = "password_of_vmail";
filter = "objectClass=person AND userPrincipalName='*' AND (NOT userAccountControl:1.2.840.113556.1.4.803:=2)";
scope = SUB;

// always keep binding to the LDAP server using the DN of the
// currently authenticated user. bindDN and bindPassword are still
// required to find DN of the user.
// Note: with default LDAP acl configured by iRedMail, user doesn't
// have privilege to query o=domains,dc=delmsgs,dc=freeddns,dc=org.
// so this doesn't work.
bindAsCurrentUser = YES;

// The algorithm used for password encryption when changing
// passwords without Password Policies enabled.
// Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
userPasswordAlgorithm = ssha512;

CNFieldName = cn;
IDFieldName = userPrincipalName;
// value of UIDFieldName must be unique on entire server
UIDFieldName = userPrincipalName;
IMAPLoginFieldName = userPrincipalName;
MailFieldNames = (userPrincipalName);
bindFields = (userPrincipalName);
},
{
// Used for global address book
type = ldap;
id = global_addressbook;
canAuthenticate = NO;
isAddressBook = YES;
displayName = "Global Address Book";
bindAsCurrentUser = YES;

// Listing of this LDAP source is only possible when performing a
// search (respecting the SOGoSearchMinimumWordLength parameter)
// or when explicitely typing a single dot.
// Defaults to YES when unset.
//
// WARNING: if you have many accounts in this address book, it may
// reach server-side query size limit, or cause
// performance issue.
listRequiresDot = NO;

// Set to ldaps://ad.example.com:636 for LDAPS.
hostname = "ldap://ad.example.com:389";
baseDN = "cn=users,dc=example,dc=com";
bindDN = "vmail";
bindPassword = "password_of_vmail";
filter = "(objectClass=person OR (objectClass=group AND mail='*')) AND (NOT userAccountControl:1.2.840.113556.1.4.803:=2)";
scope = SUB;

IDFieldName = userPrincipalName;
bindFields = (userPrincipalName);
// value of UID field must be unique on whole server.
UIDFieldName = userPrincipalName;
IMAPLoginFieldName = userPrincipalName;

CNFieldName = cn;
SearchFieldNames = (mail, cn, sAMAccountName, displayName, sn, givenName);

mapping = {
ou = ("department", "ou");
street = ("streetAddress", "street");
mozillaworkurl = ("wWWHomePage", "mozillaworkurl");
description = ("info", "description");
};
}
);
```

## Additions documents

* If your mail domain name is different than Windows Active Directory domain: [https://forum.iredmail.org/topic3165-integration-with-windows-domain.html](https://forum.iredmail.org/topic3165-integration-with-windows-domain.html)
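Review bot: the comment block above `bindAsCurrentUser = YES;` in the `users` source is a leftover from a real deployment and contradicts the setting it precedes: `// Note: with default LDAP acl configured by iRedMail, user doesn't have privilege to query o=domains,dc=delmsgs,dc=freeddns,dc=org. so this doesn't work.` describes the OpenLDAP backend tree and a non-example domain, neither of which applies to an AD source; delete those three lines or state why binding as the current user works against AD. `userPasswordAlgorithm = ssha512;` and its comment are likewise copied from the OpenLDAP template: AD does not accept a hashed `userPassword` write, so the setting has no effect here and should be removed or accompanied by a note that password changes from SOGo are not supported with this source. Both `bindDN = "vmail";` lines should follow the earlier note about Windows Server 2019 and use the UPN form. Heading `## Additions documents` → `## Additional documents`.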
@ -157,6 +157,18 @@ files under `/opt/iredmail/custom/<software>/`.
details, please check our
[Best Practice](./iredmail-easy.best.practice.html#postfix) tutorial.

### Amavisd

- Copy DKIM keys from `/var/lib/dkim/` to `/opt/iredmail/custom/amavisd/dkim/`.
- Move all your `dkim_key(...)` parameters from Amavisd config file
(`/etc/amavisd/amavisd.conf` (RHEL/CentOS), or `/etc/amavis/conf.d/50-user`
(Debian/Ubuntu), `/etc/amavisd.conf` (OpenBSD), `/usr/local/etc/amavisd.conf`
(FreeBSD)) to `/opt/iredmail/custom/amavisd/amavisd.conf`.

!!! attention

Please make sure no duplicat keys, otherwise Amavisd can not start.

### SpamAssassin

Split custom settings from `/etc/mail/spamassassin/local.cf` to
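Review bot: `Copy DKIM keys from /var/lib/dkim/ to /opt/iredmail/custom/amavisd/dkim/` moves private keys without saying how; the copy should preserve ownership and mode (`cp -p`, then confirm the files are readable only by the Amavisd user), otherwise the keys end up world-readable or Amavisd cannot open them. The moved `dkim_key(...)` lines also need their key-path argument changed from `/var/lib/dkim/...` to `/opt/iredmail/custom/amavisd/dkim/...`, which the bullet does not mention. Admonition typos: `duplicat` → `duplicate`, `can not` → `cannot`.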
@ -0,0 +1,56 @@
# Upgrade Ubuntu from 18.04 to 20.04

!!! warning

THIS IS A DRAFT DOCUMENT, DO NOT APPLY IT.

## Packages

Install required Python-2 packages:

```
apt install python2-dev
pip2 install uwsgi web.py==0.51 pycurl netifaces
ln -sf /usr/local/bin/uwsgi /etc/alternatives/uwsgi
echo "SQL_DB_DRIVER = 'pymysql'" >> /opt/iredapd/settings.py
```

If you're running OpenLDAP backend:

```
pip2 install python-ldap==3.2.0
```

## Configurations

* `/etc/php/7.4/fpm/pool.d/www.conf`

```
[inet]
user = www-data
group = www-data

listen = 127.0.0.1:9999
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; IP addresses must be separated by comma, and no space between comma and ip.
listen.allowed_clients = 127.0.0.1

pm = dynamic
pm.max_children = 200
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 10
pm.max_requests = 500

pm.status_path = /php-fpm-status
ping.path = /php-fpm-ping

request_terminate_timeout = 60s

access.log = /var/log/php-fpm/access.log
slowlog = /var/log/php-fpm/slow.log
request_slowlog_timeout = 10s
```
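Review bot: `echo "SQL_DB_DRIVER = 'pymysql'" >> /opt/iredapd/settings.py` selects a driver that the preceding `pip2 install uwsgi web.py==0.51 pycurl netifaces` never installs, so iRedAPD will fail to import it; add `pymysql` to the package list. The `>>` append is also not idempotent and adds a duplicate line on every re-run; guard it with a `grep -q` check or edit the file in place. `ln -sf /usr/local/bin/uwsgi /etc/alternatives/uwsgi` bypasses `update-alternatives` and may be reset by the next package operation; prefer `update-alternatives --install`. Ubuntu 20.04 ships no `python-pip` package for Python 2, so the page should say where `pip2` comes from. The php-fpm pool is consistent (`listen = 127.0.0.1:9999` with `listen.allowed_clients = 127.0.0.1`, socket mode 0660), but `pm.max_children = 200` is large for typical iRedMail hosts and deserves a sizing comment.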
@ -31,6 +31,7 @@
</li>
<li><a href="#enable-active-directory-integration-in-dovecot">Enable Active Directory integration in Dovecot</a></li>
<li><a href="#enable-active-directory-integration-in-roundcube-webmail-for-global-ldap-address-book">Enable Active Directory integration in Roundcube webmail for Global LDAP Address Book</a></li>
<li><a href="#enable-active-directory-integration-in-sogo-groupware">Enable Active Directory integration in SOGo Groupware</a></li>
<li><a href="#additions-documents">Additions documents</a></li>
</ul>
</li>
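Review bot: the generated entry `<li><a href="#additions-documents">Additions documents</a></li>` should read `Additional documents`; fix the heading in the Markdown source so the anchor id and the TOC text both regenerate.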
@ -70,9 +71,13 @@
<p>To integrate Microsoft Active Directory with iRedMail, you should have:</p>
<ul>
<li>A working Linux/BSD server with iRedMail (OpenLDAP backend) installed.</li>
<li>A working Microsoft Windows (2000/2003) server, with Active Directory
<li>
<p>A working Microsoft Windows (2000/2003) server, with Active Directory
installed and working properly, listen on port 389 (ldap://) or 636
(ldaps://), and allow LDAP connections from iRedMail server.</li>
(ldaps://), and allow LDAP connections from iRedMail server.</p>
<p>If you need to enable LDAP over SSL, please read
<a href="https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority">this tutorial</a>.</p>
</li>
</ul>
<h2 id="install-iredmail">Install iRedMail</h2>
<p>Please follow <a href="./index.html">iRedMail installaion guides</a>
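Review bot: the first `<li>` stays a tight item while the second becomes `<li><p>...</p></li>`, so the list renders with uneven spacing; in the Markdown source either separate every item with a blank line or place the LDAP-over-SSL sentence as a paragraph after the list. The `installaion` typo and the dated `Windows (2000/2003)` wording (the page now also discusses Windows Server 2019) are visible here as well and should be fixed at the source.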
@ -110,15 +115,27 @@ achieve this AD integration by simply modifying some configure files.</p>
<p>With iRedMail (OpenLDAP backend), we have a low-privileged account
<code>cn=vmail,dc=xxx,dc=xxx</code> with read-only privilege. And we suggest you create a
same account <code>vmail</code> in AD, with strong and complex password.</p>
<p><strong>NOTE</strong>: <a href="https://forum.iredmail.org/post8630.html#p8630">Dovecot will treat characters as comment after a inline <code>#</code>, so
please just don't use <code>#</code> in password</a></p>
<p>Please make sure this newly created user is able to connect to AD server with
<p><strong>NOTES</strong>:</p>
<ul>
<li>Dovecot treats characters as comment after a inline <code>#</code>, please don't use
<code>#</code> in password.</li>
<li>Seems Windows Server 2019 doesn't like user id without domain part by
default, please create the <code>vmail</code> user with your domain name instead. for
example, <code>vmail@domain.com</code> (replace <code>domain.com</code> by your real domain name).</li>
</ul>
<p>Make sure this newly created user is able to connect to AD server with
below command on iRedMail server:</p>
<pre><code class="shell"># ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com'
Enter password: password_of_vmail
</code></pre>

<p>If it prints all users stored in AD server, then it's working as expected.</p>
<p>If you're using LDAPS, replace <code>-h ad.example.com</code> by
<code>-H ldaps://ad.example.com:636</code> instead:</p>
<pre><code class="shell"># ldapsearch -x -H ldaps://ad.example.com:636 -D 'vmail' -W -b 'cn=users,dc=example,dc=com'
Enter password: password_of_vmail
</code></pre>

<h3 id="enable-ldap-query-with-ad-in-postfix">Enable LDAP query with AD in Postfix</h3>
<p>Disable unused iRedMail special settings:</p>
<pre><code class="shell">postconf -e virtual_alias_maps=''
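Review bot: the forum link `https://forum.iredmail.org/post8630.html#p8630` from the removed `<strong>NOTE</strong>` paragraph is gone in the rendered output, and both `ldapsearch` commands still bind as `-D 'vmail'` even though the new bullet says Windows Server 2019 expects `vmail@domain.com`; both are Markdown-source fixes, after which this HTML should be regenerated rather than edited by hand.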
@ -163,7 +180,7 @@ postconf -e virtual_mailbox_domains='example.com'
<pre><code>example.com dovecot
</code></pre>

<p><strong>Note</strong>: <code>dovecot</code> used here is a Postfix transport defined in
<p><strong>Note</strong>: the name <code>dovecot</code> used here is a Postfix transport defined in
<code>/etc/postfix/master.cf</code>, used to deliver received emails to local user mailboxes.</p>
<p>Run <code>postmap</code> so that postfix can read it:</p>
<pre><code># postmap hash:/etc/postfix/transport
@ -204,9 +221,8 @@ result_format = %d/%u/Maildir/
debuglevel = 0
</code></pre>

<p><strong>Note</strong>: Here, we hard-code user's mailbox path in
<code>[domain]/[username]/Maildir/</code> format (<code>result_format</code> parameter). for example:
<code>example.com/postmaster/Maildir/</code>.</p>
<p><strong>Note</strong>: We hard-code user's mailbox path in <code>result_format =</code> parameter, it
will be something like <code>example.com/username/Maildir/</code>.</p>
<ul>
<li>Create file: <code>/etc/postfix/ad_virtual_group_maps.cf</code>:</li>
</ul>
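Review bot: the new note text `We hard-code user's mailbox path in <code>result_format =</code> parameter, it will be something like ...` is a comma splice inherited from the Markdown; rephrase it there (the old version's explicit `[domain]/[username]/Maildir/` format was clearer) and regenerate.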
@ -226,7 +242,7 @@ result_attribute= userPrincipalName
debuglevel = 0
</code></pre>

<p><strong>Note</strong>:</p>
<p><strong>Notes</strong>:</p>
<ul>
<li>If your user have email address in both <code>mail</code> and <code>userPrincipalName</code>, you
will get duplicate result. Comment out <code>leaf_result_attribute</code> line will fix it.</li>
@ -287,6 +303,11 @@ dnpass = passwd_of_vmail
base = cn=users,dc=example,dc=com
scope = subtree
deref = never

# Below two are required by command 'doveadm mailbox ...'
iterate_attrs = userPrincipalName=user
iterate_filter = (&(userPrincipalName=*)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = userPassword=password
@ -295,16 +316,24 @@ user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/,=mail=maildir:~/Maildir/
</code></pre>

<p>Restart dovecot service to make it work.</p>
<p><strong>Note</strong>: we don't have per-user quota limit here, you can set a hard-coded
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>We don't have per-user quota limit here, you can set a hard-coded
quota for all users in <code>/etc/dovecot/dovecot.conf</code>. For example:</p>
<pre><code>plugin {
[... omit other settings here ...]

# Format: integer number + M/G/T (M -> MB, G -> GB, T -> TB).
quota_rule = *:storage=1G
}
<p>```
plugin {
[... omit other settings here ...]</p>
<pre><code># Format: integer number + M/G/T (M -> MB, G -> GB, T -> TB).
quota_rule = *:storage=1G
</code></pre>

<p>}
```</p>
<p>Or, you can modify the <code>user_attrs =</code> line to get per-user quota from a
LDAP attribute in AD. For example, query per-user quota limit from
attribute <code>postOfficeBox</code> which contain an integer number and treated as
number of gigabytes:</p>
<p><code>user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/,=mail=maildir:~/Maildir/,postOfficeBox=quota_rule=*:storage=%{ldap:postOfficeBox}G</code></p>
</div>
<p>Now use command <code>telnet</code> to verify AD query after restarted Dovecot service:</p>
<pre><code># telnet localhost 143 # <- Type this
* OK [...] Dovecot ready.
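Review bot: this output shows the rendering bug introduced by the Markdown change: `<p>```` followed by `plugin {` as paragraph text, a `<pre><code>` that begins at `# Format:` instead of `plugin {`, a closing `<p>}` / ```` ```</p>` pair, and the `user_attrs = ...` setting reduced to inline `<code>` inside a `<p>`. Do not patch the HTML; fix the admonition in active.directory.md (indented code block, or move the example outside the admonition) and regenerate.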
@ -354,20 +383,30 @@ $config['ldap_public']["global_ldap_abook"] = array(

// mapping of contact fields to directory attributes
'fieldmap' => array(
'name' => 'cn',
'surname' => 'sn',
'firstname' => 'givenName',
'title' => 'title',
'email' => 'mail:*',
'phone:work' => 'telephoneNumber',
'phone:mobile' => 'mobile',
'name' => 'cn',
'displayname' => 'displayName',
'surname' => 'sn',
'firstname' => 'givenName',
'jobtitle' => 'title',
'department' => 'department',
'company' => 'company',
'email' => 'mail:*',
'phone:work' => 'telephoneNumber',
'phone:home' => 'homePhone',
'phone:mobile' => 'mobile',
'phone:workfax' => 'facsimileTelephoneNumber',
'street' => 'street',
'zipcode' => 'postalCode',
'locality' => 'l',
'department' => 'departmentNumber',
'notes' => 'description',
'photo' => 'jpegPhoto',
'phone:pager' => 'pager',
'phone:other' => 'ipPhone',
'street:work' => 'streetAddress',
'zipcode:work' => 'postalCode',
'locality:work' => 'l',
'region:work' => 'st',
'country:work' => 'c',
'notes' => 'description',
'photo' => 'jpegPhoto', // Might be 'thumbnailPhoto' for
// compatibility with some other
// Microsoft software
'website' => 'wWWHomePage',
),
'sort' => 'cn',
'scope' => 'sub',
@ -388,6 +427,92 @@ $config['ldap_public']["global_ldap_abook"] = array(
);
</code></pre>

<h2 id="enable-active-directory-integration-in-sogo-groupware">Enable Active Directory integration in SOGo Groupware</h2>
<p>Edit SOGo config file <code>/etc/sogo/sogo.conf</code>, comment out the LDAP address book
setting added by iRedMail, and add new setting for AD like below:</p>
<pre><code> SOGoUserSources = (
{
// Used for user authentication
type = ldap;
id = users;
canAuthenticate = YES;
isAddressBook = NO;
displayName = "LDAP Authentication";

hostname = "ldap://ad.example.com:389"; // <- Set to ldaps://ad.example.com:636 for LDAPS.
baseDN = "cn=users,dc=example,dc=com";
bindDN = "vmail";
bindPassword = "password_of_vmail";
filter = "objectClass=person AND userPrincipalName='*' AND (NOT userAccountControl:1.2.840.113556.1.4.803:=2)";
scope = SUB;

// always keep binding to the LDAP server using the DN of the
// currently authenticated user. bindDN and bindPassword are still
// required to find DN of the user.
// Note: with default LDAP acl configured by iRedMail, user doesn't
// have privilege to query o=domains,dc=delmsgs,dc=freeddns,dc=org.
// so this doesn't work.
bindAsCurrentUser = YES;

// The algorithm used for password encryption when changing
// passwords without Password Policies enabled.
// Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
userPasswordAlgorithm = ssha512;

CNFieldName = cn;
IDFieldName = userPrincipalName;
// value of UIDFieldName must be unique on entire server
UIDFieldName = userPrincipalName;
IMAPLoginFieldName = userPrincipalName;
MailFieldNames = (userPrincipalName);
bindFields = (userPrincipalName);
},
{
// Used for global address book
type = ldap;
id = global_addressbook;
canAuthenticate = NO;
isAddressBook = YES;
displayName = "Global Address Book";
bindAsCurrentUser = YES;

// Listing of this LDAP source is only possible when performing a
// search (respecting the SOGoSearchMinimumWordLength parameter)
// or when explicitely typing a single dot.
// Defaults to YES when unset.
//
// WARNING: if you have many accounts in this address book, it may
// reach server-side query size limit, or cause
// performance issue.
listRequiresDot = NO;

// Set to ldaps://ad.example.com:636 for LDAPS.
hostname = "ldap://ad.example.com:389";
baseDN = "cn=users,dc=example,dc=com";
bindDN = "vmail";
bindPassword = "password_of_vmail";
filter = "(objectClass=person OR (objectClass=group AND mail='*')) AND (NOT userAccountControl:1.2.840.113556.1.4.803:=2)";
scope = SUB;

IDFieldName = userPrincipalName;
bindFields = (userPrincipalName);
// value of UID field must be unique on whole server.
UIDFieldName = userPrincipalName;
IMAPLoginFieldName = userPrincipalName;

CNFieldName = cn;
SearchFieldNames = (mail, cn, sAMAccountName, displayName, sn, givenName);

mapping = {
ou = ("department", "ou");
street = ("streetAddress", "street");
mozillaworkurl = ("wWWHomePage", "mozillaworkurl");
description = ("info", "description");
};
}
);
</code></pre>

<h2 id="additions-documents">Additions documents</h2>
<ul>
<li>If your mail domain name is different than Windows Active Directory domain: <a href="https://forum.iredmail.org/topic3165-integration-with-windows-domain.html">https://forum.iredmail.org/topic3165-integration-with-windows-domain.html</a></li>
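Review bot: the published page inherits the stale `// have privilege to query o=domains,dc=delmsgs,dc=freeddns,dc=org.` comment and the inapplicable `userPasswordAlgorithm = ssha512;` setting from the Markdown source; fix them there and regenerate. Also visible only here: `<pre><code> SOGoUserSources = (` opens with a leading space while the remaining lines are flush left, so the first line is indented oddly in the rendered block, and `<h2 id="additions-documents">Additions documents</h2>` should become `Additional documents`.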
@ -27,6 +27,7 @@
<li><a href="#copy-files-to-new-locations">Copy files to new locations</a></li>
<li><a href="#split-custom-settings">Split custom settings</a><ul>
<li><a href="#postfix">Postfix</a></li>
<li><a href="#amavisd">Amavisd</a></li>
<li><a href="#spamassassin">SpamAssassin</a></li>
<li><a href="#roundcube-webmail">Roundcube Webmail</a></li>
<li><a href="#iredapd">iRedAPD</a></li>
@ -296,6 +297,20 @@ details, please check our
<a href="./iredmail-easy.best.practice.html#postfix">Best Practice</a> tutorial.</p>
</li>
</ul>
<h3 id="amavisd">Amavisd</h3>
<ul>
<li>Copy DKIM keys from <code>/var/lib/dkim/</code> to <code>/opt/iredmail/custom/amavisd/dkim/</code>.</li>
<li>
<p>Move all your <code>dkim_key(...)</code> parameters from Amavisd config file
(<code>/etc/amavisd/amavisd.conf</code> (RHEL/CentOS), or <code>/etc/amavis/conf.d/50-user</code>
(Debian/Ubuntu), <code>/etc/amavisd.conf</code> (OpenBSD), <code>/usr/local/etc/amavisd.conf</code>
(FreeBSD)) to <code>/opt/iredmail/custom/amavisd/amavisd.conf</code>.</p>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>Please make sure no duplicat keys, otherwise Amavisd can not start.</p>
</div>
</li>
</ul>
<h3 id="spamassassin">SpamAssassin</h3>
<p>Split custom settings from <code>/etc/mail/spamassassin/local.cf</code> to
<code>/opt/iredmail/custom/spamassassin/custom.cf</code>.</p>
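Review bot: `duplicat keys` and `can not` in the new admonition paragraph come from the Markdown source; fix them there (duplicate, cannot) and regenerate. The admonition also renders inside the second `<li>` only, so the warning visually belongs to the "move dkim_key(...)" step rather than to both steps; a blank line before `!!! attention` in the Markdown would place it after the list.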
@ -0,0 +1,78 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Upgrade Ubuntu from 18.04 to 20.04</title>
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
</head>
<body>

<div id="navigation">
<a href="https://www.iredmail.org" target="_blank">
<img alt="iRedMail web site"
src="./images/logo-iredmail.png"
style="vertical-align: middle; height: 30px;"
/>
<span>iRedMail</span>
</a>
// <a href="./index.html">Document Index</a></div><h1 id="upgrade-ubuntu-from-1804-to-2004">Upgrade Ubuntu from 18.04 to 20.04</h1>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>THIS IS A DRAFT DOCUMENT, DO NOT APPLY IT.</p>
</div>
<h2 id="packages">Packages</h2>
<p>Install required Python-2 packages:</p>
<pre><code>apt install python2-dev
pip2 install uwsgi web.py==0.51 pycurl netifaces
ln -sf /usr/local/bin/uwsgi /etc/alternatives/uwsgi
echo "SQL_DB_DRIVER = 'pymysql'" >> /opt/iredapd/settings.py
</code></pre>

<p>If you're running OpenLDAP backend:</p>
<pre><code>pip2 install python-ldap==3.2.0
</code></pre>

<h2 id="configurations">Configurations</h2>
<ul>
<li><code>/etc/php/7.4/fpm/pool.d/www.conf</code></li>
</ul>
<pre><code>[inet]
user = www-data
group = www-data

listen = 127.0.0.1:9999
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; IP addresses must be separated by comma, and no space between comma and ip.
listen.allowed_clients = 127.0.0.1

pm = dynamic
pm.max_children = 200
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 10
pm.max_requests = 500

pm.status_path = /php-fpm-status
ping.path = /php-fpm-ping

request_terminate_timeout = 60s

access.log = /var/log/php-fpm/access.log
slowlog = /var/log/php-fpm/slow.log
request_slowlog_timeout = 10s
</code></pre><div class="footer">
<p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-3293801-21"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());

gtag('config', 'UA-3293801-21');
</script>
</body></html>
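Review bot: this page is generated and published with the body text `THIS IS A DRAFT DOCUMENT, DO NOT APPLY IT` as its only guard; since everything on it is the procedure the warning tells readers not to run, consider keeping the draft out of the published output (or out of the document index) until it is finished. Smaller points: the command blocks here are plain `<pre><code>` without the `class="shell"` the other pages use, and the first block mixes shell commands with a configuration edit (`echo "SQL_DB_DRIVER = 'pymysql'" >> /opt/iredapd/settings.py`), which the Markdown should separate.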