New doc: active.directory.html.
This commit is contained in:
parent
2b24a84ff7
commit
c93f52480f
@ -23,14 +23,15 @@ We're working on migrating [old wiki documents](http://www.iredmail.org/wiki) to
* [SQL: Create an mail alias account with SQL command line](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/sql.create.mail.alias.md)
|
||||
* [Store SpamAssassin bayes in SQL](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/store.spamassassin.bayes.in.sql.md)
|
||||
# Third-party integrations.
|
||||
* [Integrate Microsoft Active Directory in iRedMail](https://bitbucket.org/zhb/docs.iredmail.org/src/default/integrations/active.directory.md)
|
||||
* [SOGo: How to install SOGo on CentOS 6 with iRedMail (MySQL backend)](https://bitbucket.org/zhb/docs.iredmail.org/src/default/integrations/sogo-centos-6-mysql.md)
|
||||
* [Enabling Apache Solr 4.10 (using jetty) with Dovecot 2.2 for fulltext search results on Centos 6 (iRedMail compatible)](https://extremeshok.com/6622/enabling-apache-solr-4-10-using-jetty-with-dovecot-2-2-for-fulltext-search-results-on-centos-6-iredmail-compatible/)
|
||||
# Cluster solutions
|
||||
* [An Ultra-HA, full Mult-Master E-mail cluster with iRedMail, MariaDB, and IPVS ](https://bitbucket.org/zhb/docs.iredmail.org/src/default/cluster/full.mult-master.iredmail.cluster.with.mariadb.and.ipvs.md)
|
||||
# Backup, restore and migration
|
||||
* [Migrate iRedAdmin open source edition to iRedAdmin-Pro](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore-migration/migrate.or.upgrade.iredadmin.md)
|
||||
* [Migrate old iRedMail server to the latest stable release](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore-migration/migrate.to.new.iredmail.server.md)
|
||||
* [Password hashes](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore-migration/password.hashes.md)
|
||||
* [Migrate iRedAdmin open source edition to iRedAdmin-Pro](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore/migrate.or.upgrade.iredadmin.md)
|
||||
* [Migrate old iRedMail server to the latest stable release](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore/migrate.to.new.iredmail.server.md)
|
||||
* [Password hashes](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore/password.hashes.md)
|
||||
# Troubleshooting and Debug
|
||||
* [Turn on debug mode in Amavisd](https://bitbucket.org/zhb/docs.iredmail.org/src/default/troubleshooting/turn.on.debug.mode.in.amavisd.md)
|
||||
* [Turn on debug mode in Cluebringer](https://bitbucket.org/zhb/docs.iredmail.org/src/default/troubleshooting/turn.on.debug.mode.in.cluebringer.md)
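Review bot: the index lists the same three documents twice, once under `backup-restore-migration/` and once under `backup-restore/` (Migrate iRedAdmin, Migrate old iRedMail server, Password hashes); only one of those directories can be current, so the stale set should be dropped rather than carried forward next to the new `integrations/active.directory.md` link. Minor: the heading `# Third-party integrations.` carries a trailing period that the sibling headings (`# Cluster solutions`, `# Backup, restore and migration`) do not.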
URLs.md
@ -11,10 +11,6 @@
* https://code.google.com/p/iredmail/wiki/DNS_DKIM
|
||||
* https://code.google.com/p/iredmail/wiki/DNS_SPF
|
||||
|
||||
# Misc
|
||||
|
||||
* how to force users to change password in 90 days, with iRedAPD plugin.
|
||||
|
||||
# integrations
|
||||
|
||||
* http://www.iredmail.org/wiki/index.php?title=Integration/Active.Directory.iRedMail
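Review bot: the hunk header (`-11,10 +11,6`) says four lines leave this TODO list, but the visible context still shows both the `# integrations` heading and the old wiki URL `http://www.iredmail.org/wiki/index.php?title=Integration/Active.Directory.iRedMail` that this commit migrates; if the heading is not among the removed lines it is left with no entries beneath it. Also `# integrations` is lowercase while the sibling heading is `# Misc`.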
@ -30,7 +30,7 @@ all_chapter_dirs="installation \
howto \
|
||||
integrations \
|
||||
cluster \
|
||||
backup-restore-migration \
|
||||
backup-restore \
|
||||
troubleshooting \
|
||||
faq"
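Review bot: `all_chapter_dirs` now lists both `backup-restore-migration` and `backup-restore`, mirroring the duplicated entries in the index; unless both directories are meant to exist, the build emits the same chapter twice. Confirm which name is kept and drop the other from this list and from the index in the same commit.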
@ -0,0 +1,373 @@
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||||
<title>Integrate Microsoft Active Directory in iRedMail</title>
|
||||
<link href="./css/markdown.css" rel="stylesheet"></head>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<div id="navigation">
|
||||
<a href="http://www.iredmail.org" target="_blank">iRedMail web site</a>
|
||||
|
||||
// <a href="./index.html">Document Index</a>
|
||||
</div><h1 id="integrate-microsoft-active-directory-in-iredmail">Integrate Microsoft Active Directory in iRedMail</h1>
|
||||
<div class="toc">
|
||||
<ul>
|
||||
<li><a href="#integrate-microsoft-active-directory-in-iredmail">Integrate Microsoft Active Directory in iRedMail</a><ul>
|
||||
<li><a href="#summary">Summary</a></li>
|
||||
<li><a href="#requirements">Requirements</a></li>
|
||||
<li><a href="#install-iredmail">Install iRedMail</a></li>
|
||||
<li><a href="#integrate-microsoft-active-directory-with-postfix">Integrate Microsoft Active Directory with Postfix</a><ul>
|
||||
<li><a href="#create-user-account-in-ad-used-for-ldap-query">Create user account in AD, used for LDAP query</a></li>
|
||||
<li><a href="#enable-ldap-query-with-ad-in-postfix">Enable LDAP query with AD in Postfix</a></li>
|
||||
<li><a href="#verify-ldap-query-with-ad-in-postfix">Verify LDAP query with AD in Postfix</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="#enable-active-directory-integration-in-dovecot">Enable Active Directory integration in Dovecot</a></li>
|
||||
<li><a href="#enable-active-directory-integration-in-roundcube-webmail-for-global-ldap-address-book">Enable Active Directory integration in Roundcube webmail for Global LDAP Address Book</a></li>
|
||||
<li><a href="#additions-documents">Additions documents</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<p><strong>NOTE</strong>: We tested this tutorial on Windows 2000, 2003, 2008 R2 server, if
|
||||
you tested it on other versions and works well, please let us know.
|
||||
<a href="http://www.iredmail.org/contact.html">Contact us</a></p>
|
||||
<h2 id="summary">Summary</h2>
|
||||
<p>With Active Directory (AD) integration, you can get below features:</p>
|
||||
<ul>
|
||||
<li>User authentication against Windows Active Directory. You can now manage mail
|
||||
user accounts, mail lists with AD.</li>
|
||||
<li>Mail list support with group in AD.</li>
|
||||
<li>Global LDAP Address Book with AD in Roundcube Webmail.</li>
|
||||
<li>Account status support. Disable user in AD will cause this account disabled
|
||||
in iRedMail.</li>
|
||||
</ul>
|
||||
<p>Since AD uses different LDAP schema, you will lose some iRedMail special features. e.g.</p>
|
||||
<ul>
|
||||
<li>Per-user, per-domain service control with LDAP (e.g. enable/disable
|
||||
POP3/IMAP/SMTP services).</li>
|
||||
</ul>
|
||||
<h2 id="requirements">Requirements</h2>
|
||||
<p>To integrate Microsoft Active Directory with iRedMail, you should have:</p>
|
||||
<ul>
|
||||
<li>A working Linux/BSD server with iRedMail (OpenLDAP backend) installed.</li>
|
||||
<li>A working Microsoft Windows (2000/2003) server, with Active Directory
|
||||
installed and working properly, listen on port 389 (ldap://) or 636
|
||||
(ldaps://), and allow LDAP connections from iRedMail server.</li>
|
||||
</ul>
|
||||
<h2 id="install-iredmail">Install iRedMail</h2>
|
||||
<p>Please follow <a href="http://iredmail.org/doc.html#installation_guide">iRedMail installaion guides</a>
|
||||
to install iRedMail on Linux/BSD with OpenLDAP backend first, we will
|
||||
achieve this AD integration by simply modifying some configure files.</p>
|
||||
<h2 id="integrate-microsoft-active-directory-with-postfix">Integrate Microsoft Active Directory with Postfix</h2>
|
||||
<p>We assume:</p>
|
||||
<ul>
|
||||
<li>
|
||||
<p>Hostname of your AD server is <code>ad.example.com</code>, listen on port <code>389</code>. And it's
|
||||
accessible from iRedMail server.</p>
|
||||
<ul>
|
||||
<li>We will use this hostname below, you can replace it by IP address of this
|
||||
AD server if you want.</li>
|
||||
<li>If you want to force LDAP connection with LDAPS, use port <code>636</code> instead.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>
|
||||
<p>Base dn in AD is <code>dc=example,dc=com</code>, email addresses of all users end with
|
||||
<code>@example.com</code> (Your mail domain is <code>example.com</code>).</p>
|
||||
</li>
|
||||
<li>All user accounts and mail list accounts are placed under dn
|
||||
<code>cn=Users,dc=example,dc=com</code>. <strong>Note:</strong> LDAP dn is case-insensitive.</li>
|
||||
<li>For ldap connection, protocol version <code>3</code> is recommended.</li>
|
||||
<li>
|
||||
<p>Store all mails on Linux/BSD servers, not on AD server.</p>
|
||||
<ul>
|
||||
<li>Storage directory is <code>/var/vmail/vmail1</code>, same as default in iRedMail.</li>
|
||||
<li>Mailbox of user <code>support@example.com</code> will be
|
||||
<code>/var/vmail/vmail1/example.com/support/Maildir/</code> (Maildir format).</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<h3 id="create-user-account-in-ad-used-for-ldap-query">Create user account in AD, used for LDAP query</h3>
|
||||
<p>With iRedMail (OpenLDAP backend), we have a low-privileged account
|
||||
<code>cn=vmail,dc=xxx,dc=xxx</code> with read-only privilege. And we suggest you create a
|
||||
same account <code>vmail</code> in AD, with strong and complex password.</p>
|
||||
<p><strong>NOTE</strong>: <a href="http://www.iredmail.org/forum/post8630.html#p8630">Dovecot will treat characters as comment after a inline <code>#</code>, so
|
||||
please just don't use <code>#</code> in password</a></p>
|
||||
<p>Please make sure this newly created user is able to connect to AD server with
|
||||
below command on iRedMail server:</p>
|
||||
<pre><code class="shell"># ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com'
|
||||
Enter password: password_of_vmail
|
||||
</code></pre>
|
||||
|
||||
<p>If it prints all users stored in AD server, then it's working as expected.</p>
|
||||
<h3 id="enable-ldap-query-with-ad-in-postfix">Enable LDAP query with AD in Postfix</h3>
|
||||
<p>Disable unused iRedMail special settings:</p>
|
||||
<pre><code class="shell"># postconf -e virtual_alias_maps=''
|
||||
# postconf -e sender_bcc_maps=''
|
||||
# postconf -e recipient_bcc_maps=''
|
||||
# postconf -e relay_domains=''
|
||||
# postconf -e relay_recipient_maps=''
|
||||
</code></pre>
|
||||
|
||||
<p>Add your mail domain name in <code>smtpd_sasl_local_domain</code> and <code>virtual_mailbox_domains</code>:</p>
|
||||
<pre><code class="shell"># postconf -e smtpd_sasl_local_domain='example.com'
|
||||
# postconf -e virtual_mailbox_domains='example.com'
|
||||
</code></pre>
|
||||
|
||||
<p>Change transport maps setting:</p>
|
||||
<pre><code># postconf -e transport_maps='hash:/etc/postfix/transport'
|
||||
</code></pre>
|
||||
|
||||
<p>Enable AD query. <strong>Note</strong>: We will create these 3 files later.</p>
|
||||
<ul>
|
||||
<li>Verify SMTP senders</li>
|
||||
</ul>
|
||||
<pre><code class="shell"># postconf -e smtpd_sender_login_maps='proxy:ldap:/etc/postfix/ad_sender_login_maps.cf'
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>Verify local mail users</li>
|
||||
</ul>
|
||||
<pre><code class="shell"># postconf -e virtual_mailbox_maps='proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf'
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>Verify local mail lists/groups.</li>
|
||||
</ul>
|
||||
<pre><code># postconf -e virtual_alias_maps='proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf'
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>Create/edit file: <code>/etc/postfix/transport</code>.</li>
|
||||
</ul>
|
||||
<pre><code>example.com dovecot
|
||||
</code></pre>
|
||||
|
||||
<p><strong>Note</strong>: <code>dovecot</code> used here is a Postfix transport defined in
|
||||
<code>/etc/postfix/master.cf</code>, used to deliver received emails to local user mailboxes.</p>
|
||||
<p>Run <code>postmap</code> so that postfix can read it:</p>
|
||||
<pre><code># postmap hash:/etc/postfix/transport
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>Create file: <code>/etc/postfix/ad_sender_login_maps.cf</code>:</li>
|
||||
</ul>
|
||||
<pre><code>server_host = ad.example.com
|
||||
server_port = 389
|
||||
version = 3
|
||||
bind = yes
|
||||
start_tls = no
|
||||
bind_dn = vmail
|
||||
bind_pw = password_of_vmail
|
||||
search_base = cn=users,dc=example,dc=com
|
||||
scope = sub
|
||||
query_filter = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
|
||||
result_attribute= userPrincipalName
|
||||
debuglevel = 0
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>Create file: <code>/etc/postfix/ad_virtual_mailbox_maps.cf</code>:</li>
|
||||
</ul>
|
||||
<pre><code>server_host = ad.example.com
|
||||
server_port = 389
|
||||
version = 3
|
||||
bind = yes
|
||||
start_tls = no
|
||||
bind_dn = vmail
|
||||
bind_pw = passwd_of_vmail
|
||||
search_base = cn=users,dc=example,dc=com
|
||||
scope = sub
|
||||
query_filter = (&(objectclass=person)(userPrincipalName=%s))
|
||||
result_attribute= userPrincipalName
|
||||
result_format = %d/%u/Maildir/
|
||||
debuglevel = 0
|
||||
</code></pre>
|
||||
|
||||
<p><strong>Note</strong>: Here, we hard-code user's mailbox path to be
|
||||
<code>[domain]/[username]/Maildir</code> in <code>result_format</code> setting. for example:
|
||||
<code>example.com/postmaster/Maildir</code>.</p>
|
||||
<ul>
|
||||
<li>Create file: <code>/etc/postfix/ad_virtual_group_maps.cf</code>:</li>
|
||||
</ul>
|
||||
<pre><code>server_host = ad.example.com
|
||||
server_port = 389
|
||||
version = 3
|
||||
bind = yes
|
||||
start_tls = no
|
||||
bind_dn = vmail
|
||||
bind_pw = password_of_vmail
|
||||
search_base = cn=users,dc=example,dc=com
|
||||
scope = sub
|
||||
query_filter = (&(objectClass=group)(mail=%s))
|
||||
special_result_attribute = member
|
||||
leaf_result_attribute = mail
|
||||
result_attribute= userPrincipalName
|
||||
debuglevel = 0
|
||||
</code></pre>
|
||||
|
||||
<p><strong>Note</strong>:</p>
|
||||
<ul>
|
||||
<li>If your user have email address in both <code>mail</code> and <code>userPrincipalName</code>, you
|
||||
will get duplicate result. Comment out <code>leaf_result_attribute</code> line will fix it.</li>
|
||||
<li>If your mail group account doesn't contain attribute <code>mail</code> and
|
||||
<code>userPrincipalName</code>, please try <code>query_filter = (&(objectClass=group)(sAMAccountName=%u))</code> instead.</li>
|
||||
</ul>
|
||||
<p>Also, we need to remove iRedAPD related settings in Postfix:</p>
|
||||
<ol>
|
||||
<li>Open Postfix config file <code>/etc/postfix/main.cf</code></li>
|
||||
<li>Remove setting <code>check_policy_service inet:127.0.0.1:7777</code>.</li>
|
||||
</ol>
|
||||
<h3 id="verify-ldap-query-with-ad-in-postfix">Verify LDAP query with AD in Postfix</h3>
|
||||
<p>We can now use command line tool <code>postmap</code> to verify AD integration in postfix.
|
||||
Before testing, we have to create two testing mail accounts first:</p>
|
||||
<ol>
|
||||
<li>Create a mail user in AD. e.g. <code>user@example.com</code>.</li>
|
||||
<li>Create a mail group in AD. e.g. <code>testgroup@example.com</code>, then assign mail
|
||||
user <code>user@example.com</code> as group member.</li>
|
||||
<li>Query mail user account with below command:</li>
|
||||
</ol>
|
||||
<pre><code class="shell"># postmap -q user@example.com ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
|
||||
example.com/user/Maildir/
|
||||
</code></pre>
|
||||
|
||||
<p>If nothing returned by the command, it means LDAP query doesn't get expected
|
||||
result. Please set <code>debuglevel = 1</code> file <code>/etc/postfix/ad_virtual_mailbox_maps.cf</code>,
|
||||
then query again, it now will print detailed debug message. If you're not
|
||||
familiar with LDAP related info, please post the debug message in our
|
||||
<a href="http://www.iredmail.org/forum/">online support forum</a> to get help.</p>
|
||||
<p>Verify sender login check:</p>
|
||||
<pre><code># postmap -q user@example.com ldap:/etc/postfix/ad_sender_login_maps.cf
|
||||
user@example.com
|
||||
</code></pre>
|
||||
|
||||
<p>Verify mail group</p>
|
||||
<pre><code># postmap -q testgroup@example.com ldap:/etc/postfix/ad_virtual_group_maps.cf
|
||||
user@example.com
|
||||
</code></pre>
|
||||
|
||||
<p><strong>NOTE</strong>: <code>postmap</code> return nothing if:</p>
|
||||
<ol>
|
||||
<li>mail group doesn't exist</li>
|
||||
<li>mail group doesn't have any members</li>
|
||||
</ol>
|
||||
<h2 id="enable-active-directory-integration-in-dovecot">Enable Active Directory integration in Dovecot</h2>
|
||||
<p>To query AD instead of local LDAP server, we have to modify Dovecot config file
|
||||
<code>/etc/dovecot/dovecot-ldap.conf</code> like below:</p>
|
||||
<pre><code>hosts = ad.example.com:389
|
||||
ldap_version = 3
|
||||
auth_bind = yes
|
||||
dn = vmail
|
||||
dnpass = passwd_of_vmail
|
||||
base = cn=users,dc=example,dc=com
|
||||
scope = subtree
|
||||
deref = never
|
||||
user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
|
||||
pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
|
||||
pass_attrs = userPassword=password
|
||||
default_pass_scheme = CRYPT
|
||||
user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/
|
||||
</code></pre>
|
||||
|
||||
<p>Restart dovecot service to make it work.</p>
|
||||
<p><strong>Note</strong>: we don't have per-user quota limit here, you can set a hard-coded
|
||||
quota for all users in <code>/etc/dovecot/dovecot.conf</code>. For example:</p>
|
||||
<pre><code>plugin {
|
||||
[... omit other settings here ...]
|
||||
|
||||
# Format: integer number + M/G/T (M -> MB, G -> GB, T -> TB).
|
||||
quota_rule = *:storage=1G
|
||||
}
|
||||
</code></pre>
|
||||
|
||||
<p>Now use command <code>telnet</code> to verify AD query after restarted Dovecot service:</p>
|
||||
<pre><code># telnet localhost 143 # <- Type this
|
||||
* OK [...] Dovecot ready.
|
||||
|
||||
. login user@example.com password_of_user # <- Type this. Do not miss the dot in the beginning
|
||||
. OK [...] Logged in
|
||||
|
||||
^] # <- Quit telnet with "Ctrl+]", then type 'quit'.
|
||||
</code></pre>
|
||||
|
||||
<p>Note: Do NOT miss the dot character before <code>login</code> command. if it returns
|
||||
<code>Logged in</code>, then dovecot + AD works.</p>
|
||||
<h2 id="enable-active-directory-integration-in-roundcube-webmail-for-global-ldap-address-book">Enable Active Directory integration in Roundcube webmail for Global LDAP Address Book</h2>
|
||||
<p>Edit roundcube config file <code>config/config.inc.php</code>, comment out the LDAP
|
||||
address book setting added by iRedMail, and add new setting for AD like below:</p>
|
||||
<ul>
|
||||
<li>on RHEL/CentOS and OpenBSD: it's <code>/var/www/roundcubemail/config/config.inc.php</code></li>
|
||||
<li>on Debian/Ubuntu: it's <code>/usr/share/apache2/roundcubemail/config/config.inc.php</code></li>
|
||||
<li>on FreeBSD: it's <code>/usr/local/www/roundcubemail/config/config.inc.php</code></li>
|
||||
</ul>
|
||||
<pre><code class="php">#
|
||||
# "sql" is personal address book stored in roundcube database.
|
||||
# "example.com" is new LDAP address book with AD, we will create it below.
|
||||
#
|
||||
$rcmail_config['autocomplete_addressbooks'] = array("sql", "example.com");
|
||||
|
||||
#
|
||||
# Global LDAP Address Book with AD.
|
||||
#
|
||||
$config['ldap_public']["global_ldap_abook"] = array(
|
||||
'name' => 'Global LDAP Address Book',
|
||||
'hosts' => array("ad.example.com"), // <- Set AD hostname or IP address here.
|
||||
'port' => 389,
|
||||
'use_tls' => false, // <- Set to true if you want to use LDAP over TLS.
|
||||
'ldap_version' => '3',
|
||||
'network_timeout' => 10,
|
||||
'user_specific' => false,
|
||||
|
||||
'base_dn' => "cn=users,dc=example,dc=com", // <- Set base dn in AD
|
||||
'bind_dn' => "vmail", // <- bind dn
|
||||
'bind_pass' => "password_of_vmail", // <- bind password
|
||||
'writable' => false, // <- Do not allow mail user write data back to AD.
|
||||
|
||||
'search_fields' => array('mail', 'cn', 'sAMAccountName', 'displayname', 'sn', 'givenName'),
|
||||
|
||||
// mapping of contact fields to directory attributes
|
||||
'fieldmap' => array(
|
||||
'name' => 'cn',
|
||||
'surname' => 'sn',
|
||||
'firstname' => 'givenName',
|
||||
'title' => 'title',
|
||||
'email' => 'mail:*',
|
||||
'phone:work' => 'telephoneNumber',
|
||||
'phone:mobile' => 'mobile',
|
||||
'street' => 'street',
|
||||
'zipcode' => 'postalCode',
|
||||
'locality' => 'l',
|
||||
'department' => 'departmentNumber',
|
||||
'notes' => 'description',
|
||||
'name' => 'cn',
|
||||
'surname' => 'sn',
|
||||
'firstname' => 'givenName',
|
||||
'title' => 'title',
|
||||
'email' => 'mail:*',
|
||||
'phone:work' => 'telephoneNumber',
|
||||
'phone:mobile' => 'mobile',
|
||||
'phone:workfax' => 'facsimileTelephoneNumber',
|
||||
'street' => 'street',
|
||||
'zipcode' => 'postalCode',
|
||||
'locality' => 'l',
|
||||
'department' => 'departmentNumber',
|
||||
'notes' => 'description',
|
||||
'photo' => 'jpegPhoto',
|
||||
),
|
||||
'sort' => 'cn',
|
||||
'scope' => 'sub',
|
||||
//'filter' => "(&(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
|
||||
'filter' => "(mail=*@*)",
|
||||
'fuzzy_search' => true,
|
||||
'vlv' => false, // Enable Virtual List View to more efficiently fetch paginated data (if server supports it)
|
||||
'sizelimit' => '0', // Enables you to limit the count of entries fetched. Setting this to 0 means no limit.
|
||||
'timelimit' => '0', // Sets the number of seconds how long is spend on the search. Setting this to 0 means no limit.
|
||||
'referrals' => false, // Sets the LDAP_OPT_REFERRALS option. Mostly used in multi-domain Active Directory setups
|
||||
);
|
||||
</code></pre>
|
||||
|
||||
<h2 id="additions-documents">Additions documents</h2>
|
||||
<ul>
|
||||
<li>If your mail domain name is different than Windows Active Directory domain: <a href="http://www.iredmail.org/forum/topic3165-integration-with-windows-domain.html">http://www.iredmail.org/forum/topic3165-integration-with-windows-domain.html</a></li>
|
||||
</ul><br /><p>If you found something wrong in this document, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p></body></html>
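Review bot: the generated `<head>` is malformed: `<link href="./css/markdown.css" rel="stylesheet"></head>` already closes the head and a second `</head>` follows it, so the converter template needs fixing rather than this output file. In the Roundcube block, `'fieldmap'` repeats every key from `'name'` through `'notes'` twice; PHP silently keeps the last value, so nothing breaks, but the first copy should go (the second one is the complete set, it alone has `'phone:workfax'` and `'photo'`). The same block mixes `$rcmail_config['autocomplete_addressbooks']` with `$config['ldap_public']`, the old and the new Roundcube config variable names; use the one matching the Roundcube release iRedMail ships. On content: the Summary promises that disabling a user in AD disables the account in iRedMail, but only `ad_sender_login_maps.cf` and the Dovecot `user_filter`/`pass_filter` exclude disabled accounts with `(!(userAccountControl:1.2.840.113556.1.4.803:=2))`; `ad_virtual_mailbox_maps.cf` uses `(&(objectclass=person)(userPrincipalName=%s))`, so a disabled user can no longer log in but still receives mail. Adding the same clause to that filter makes the behaviour match the text.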
@ -38,6 +38,7 @@
</ul>
|
||||
<h1 id="third-party-integrations">Third-party integrations.</h1>
|
||||
<ul>
|
||||
<li><a href="active.directory.html">Integrate Microsoft Active Directory in iRedMail</a></li>
|
||||
<li><a href="sogo-centos-6-mysql.html">SOGo: How to install SOGo on CentOS 6 with iRedMail (MySQL backend)</a></li>
|
||||
<li><a href="https://extremeshok.com/6622/enabling-apache-solr-4-10-using-jetty-with-dovecot-2-2-for-fulltext-search-results-on-centos-6-iredmail-compatible/">Enabling Apache Solr 4.10 (using jetty) with Dovecot 2.2 for fulltext search results on Centos 6 (iRedMail compatible)</a></li>
|
||||
</ul>
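Review bot: `<h1 id="third-party-integrations">Third-party integrations.</h1>` has a trailing period that the other section headings lack; since this file is generated from the Markdown index, fix the source heading rather than the HTML.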
@ -0,0 +1,379 @@
# Integrate Microsoft Active Directory in iRedMail
|
||||
|
||||
[TOC]
|
||||
|
||||
__NOTE__: We tested this tutorial on Windows 2000, 2003, 2008 R2 server, if
|
||||
you tested it on other versions and works well, please let us know.
|
||||
[Contact us](http://www.iredmail.org/contact.html)
|
||||
|
||||
## Summary
|
||||
|
||||
With Active Directory (AD) integration, you can get below features:
|
||||
|
||||
* User authentication against Windows Active Directory. You can now manage mail
|
||||
user accounts, mail lists with AD.
|
||||
* Mail list support with group in AD.
|
||||
* Global LDAP Address Book with AD in Roundcube Webmail.
|
||||
* Account status support. Disable user in AD will cause this account disabled
|
||||
in iRedMail.
|
||||
|
||||
Since AD uses different LDAP schema, you will lose some iRedMail special features. e.g.
|
||||
|
||||
* Per-user, per-domain service control with LDAP (e.g. enable/disable
|
||||
POP3/IMAP/SMTP services).
|
||||
|
||||
## Requirements
|
||||
|
||||
To integrate Microsoft Active Directory with iRedMail, you should have:
|
||||
|
||||
* A working Linux/BSD server with iRedMail (OpenLDAP backend) installed.
|
||||
* A working Microsoft Windows (2000/2003) server, with Active Directory
|
||||
installed and working properly, listen on port 389 (ldap://) or 636
|
||||
(ldaps://), and allow LDAP connections from iRedMail server.
|
||||
|
||||
## Install iRedMail
|
||||
|
||||
Please follow [iRedMail installaion guides](http://iredmail.org/doc.html#installation_guide)
|
||||
to install iRedMail on Linux/BSD with OpenLDAP backend first, we will
|
||||
achieve this AD integration by simply modifying some configure files.
|
||||
|
||||
## Integrate Microsoft Active Directory with Postfix
|
||||
|
||||
We assume:
|
||||
|
||||
* Hostname of your AD server is `ad.example.com`, listen on port `389`. And it's
|
||||
accessible from iRedMail server.
|
||||
|
||||
* We will use this hostname below, you can replace it by IP address of this
|
||||
AD server if you want.
|
||||
* If you want to force LDAP connection with LDAPS, use port `636` instead.
|
||||
|
||||
* Base dn in AD is `dc=example,dc=com`, email addresses of all users end with
|
||||
`@example.com` (Your mail domain is `example.com`).
|
||||
* All user accounts and mail list accounts are placed under dn
|
||||
`cn=Users,dc=example,dc=com`. __Note:__ LDAP dn is case-insensitive.
|
||||
* For ldap connection, protocol version `3` is recommended.
|
||||
* Store all mails on Linux/BSD servers, not on AD server.
|
||||
|
||||
* Storage directory is `/var/vmail/vmail1`, same as default in iRedMail.
|
||||
* Mailbox of user `support@example.com` will be
|
||||
`/var/vmail/vmail1/example.com/support/Maildir/` (Maildir format).
|
||||
|
||||
### Create user account in AD, used for LDAP query
|
||||
|
||||
With iRedMail (OpenLDAP backend), we have a low-privileged account
|
||||
`cn=vmail,dc=xxx,dc=xxx` with read-only privilege. And we suggest you create a
|
||||
same account `vmail` in AD, with strong and complex password.
|
||||
|
||||
__NOTE__: [Dovecot will treat characters as comment after a inline `#`, so
|
||||
please just don't use `#` in password](http://www.iredmail.org/forum/post8630.html#p8630)
|
||||
|
||||
Please make sure this newly created user is able to connect to AD server with
|
||||
below command on iRedMail server:
|
||||
|
||||
```shell
|
||||
# ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com'
|
||||
Enter password: password_of_vmail
|
||||
```
|
||||
|
||||
If it prints all users stored in AD server, then it's working as expected.
|
||||
|
||||
### Enable LDAP query with AD in Postfix
|
||||
|
||||
Disable unused iRedMail special settings:
|
||||
|
||||
```shell
|
||||
# postconf -e virtual_alias_maps=''
|
||||
# postconf -e sender_bcc_maps=''
|
||||
# postconf -e recipient_bcc_maps=''
|
||||
# postconf -e relay_domains=''
|
||||
# postconf -e relay_recipient_maps=''
|
||||
```
|
||||
|
||||
Add your mail domain name in `smtpd_sasl_local_domain` and `virtual_mailbox_domains`:
|
||||
|
||||
```shell
|
||||
# postconf -e smtpd_sasl_local_domain='example.com'
|
||||
# postconf -e virtual_mailbox_domains='example.com'
|
||||
```
|
||||
|
||||
Change transport maps setting:
|
||||
|
||||
```
|
||||
# postconf -e transport_maps='hash:/etc/postfix/transport'
|
||||
```
|
||||
|
||||
Enable AD query. __Note__: We will create these 3 files later.
|
||||
|
||||
* Verify SMTP senders
|
||||
|
||||
```shell
|
||||
# postconf -e smtpd_sender_login_maps='proxy:ldap:/etc/postfix/ad_sender_login_maps.cf'
|
||||
```
|
||||
|
||||
* Verify local mail users
|
||||
|
||||
```shell
|
||||
# postconf -e virtual_mailbox_maps='proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf'
|
||||
```
|
||||
|
||||
* Verify local mail lists/groups.
|
||||
|
||||
```
|
||||
# postconf -e virtual_alias_maps='proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf'
|
||||
```
|
||||
|
||||
* Create/edit file: `/etc/postfix/transport`.
|
||||
|
||||
```
|
||||
example.com dovecot
|
||||
```
|
||||
|
||||
__Note__: `dovecot` used here is a Postfix transport defined in
|
||||
`/etc/postfix/master.cf`, used to deliver received emails to local user mailboxes.
|
||||
|
||||
Run `postmap` so that postfix can read it:
|
||||
|
||||
```
|
||||
# postmap hash:/etc/postfix/transport
|
||||
```
|
||||
|
||||
* Create file: `/etc/postfix/ad_sender_login_maps.cf`:
|
||||
|
||||
```
|
||||
server_host = ad.example.com
|
||||
server_port = 389
|
||||
version = 3
|
||||
bind = yes
|
||||
start_tls = no
|
||||
bind_dn = vmail
|
||||
bind_pw = password_of_vmail
|
||||
search_base = cn=users,dc=example,dc=com
|
||||
scope = sub
|
||||
query_filter = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
|
||||
result_attribute= userPrincipalName
|
||||
debuglevel = 0
|
||||
```
|
||||
|
||||
* Create file: `/etc/postfix/ad_virtual_mailbox_maps.cf`:
|
||||
|
||||
```
|
||||
server_host = ad.example.com
|
||||
server_port = 389
|
||||
version = 3
|
||||
bind = yes
|
||||
start_tls = no
|
||||
bind_dn = vmail
|
||||
bind_pw = passwd_of_vmail
|
||||
search_base = cn=users,dc=example,dc=com
|
||||
scope = sub
|
||||
query_filter = (&(objectclass=person)(userPrincipalName=%s))
|
||||
result_attribute= userPrincipalName
|
||||
result_format = %d/%u/Maildir/
|
||||
debuglevel = 0
|
||||
```
|
||||
|
||||
__Note__: Here, we hard-code user's mailbox path to be
|
||||
`[domain]/[username]/Maildir` in `result_format` setting. for example:
|
||||
`example.com/postmaster/Maildir`.
|
||||
|
||||
* Create file: `/etc/postfix/ad_virtual_group_maps.cf`:
|
||||
|
||||
```
|
||||
server_host = ad.example.com
|
||||
server_port = 389
|
||||
version = 3
|
||||
bind = yes
|
||||
start_tls = no
|
||||
bind_dn = vmail
|
||||
bind_pw = password_of_vmail
|
||||
search_base = cn=users,dc=example,dc=com
|
||||
scope = sub
|
||||
query_filter = (&(objectClass=group)(mail=%s))
|
||||
special_result_attribute = member
|
||||
leaf_result_attribute = mail
|
||||
result_attribute= userPrincipalName
|
||||
debuglevel = 0
|
||||
```
|
||||
|
||||
__Note__:
|
||||
|
||||
* If your user have email address in both `mail` and `userPrincipalName`, you
|
||||
will get duplicate result. Comment out `leaf_result_attribute` line will fix it.
|
||||
* If your mail group account doesn't contain attribute `mail` and
|
||||
`userPrincipalName`, please try `query_filter = (&(objectClass=group)(sAMAccountName=%u))` instead.
|
||||
|
||||
Also, we need to remove iRedAPD related settings in Postfix:
|
||||
|
||||
1. Open Postfix config file `/etc/postfix/main.cf`
|
||||
1. Remove setting `check_policy_service inet:127.0.0.1:7777`.
|
||||
|
||||
### Verify LDAP query with AD in Postfix
|
||||
|
||||
We can now use command line tool `postmap` to verify AD integration in postfix.
|
||||
Before testing, we have to create two testing mail accounts first:
|
||||
|
||||
1. Create a mail user in AD. e.g. `user@example.com`.
|
||||
1. Create a mail group in AD. e.g. `testgroup@example.com`, then assign mail
|
||||
user `user@example.com` as group member.
|
||||
1. Query mail user account with below command:
|
||||
|
||||
```shell
|
||||
# postmap -q user@example.com ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
|
||||
example.com/user/Maildir/
|
||||
```
|
||||
|
||||
If nothing returned by the command, it means LDAP query doesn't get expected
|
||||
result. Please set `debuglevel = 1` file `/etc/postfix/ad_virtual_mailbox_maps.cf`,
|
||||
then query again, it now will print detailed debug message. If you're not
|
||||
familiar with LDAP related info, please post the debug message in our
|
||||
[online support forum](http://www.iredmail.org/forum/) to get help.
|
||||
|
||||
Verify sender login check:
|
||||
|
||||
```
|
||||
# postmap -q user@example.com ldap:/etc/postfix/ad_sender_login_maps.cf
|
||||
user@example.com
|
||||
```
|
||||
|
||||
Verify mail group
|
||||
|
||||
```
|
||||
# postmap -q testgroup@example.com ldap:/etc/postfix/ad_virtual_group_maps.cf
|
||||
user@example.com
|
||||
```
|
||||
|
||||
__NOTE__: `postmap` return nothing if:
|
||||
|
||||
1. mail group doesn't exist
|
||||
1. mail group doesn't have any members
|
||||
|
||||
## Enable Active Directory integration in Dovecot

To query AD instead of the local LDAP server, we have to modify the Dovecot config file
`/etc/dovecot/dovecot-ldap.conf` like below:

```
hosts = ad.example.com:389
ldap_version = 3
auth_bind = yes
dn = vmail
dnpass = passwd_of_vmail
base = cn=users,dc=example,dc=com
scope = subtree
deref = never
# The "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" clause excludes disabled AD accounts.
user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = userPassword=password
default_pass_scheme = CRYPT
user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/
```

Restart the Dovecot service to apply the change.

__Note__: there is no per-user quota limit here; you can set a hard-coded
quota for all users in `/etc/dovecot/dovecot.conf`. For example:

```
plugin {
    [... omit other settings here ...]

    # Format: integer number + M/G/T (M -> MB, G -> GB, T -> TB).
    quota_rule = *:storage=1G
}
```

Now use the `telnet` command to verify the AD query after restarting the Dovecot service:

```
# telnet localhost 143                        # <- Type this
* OK [...] Dovecot ready.

. login user@example.com password_of_user     # <- Type this. Do not miss the dot at the beginning.
. OK [...] Logged in

^]                                            # <- Quit telnet with "Ctrl+]", then type 'quit'.
```

Note: Do NOT miss the dot character before the `login` command. If it returns
`Logged in`, then Dovecot + AD works.

## Enable Active Directory integration in Roundcube webmail for Global LDAP Address Book

Edit the Roundcube config file `config/config.inc.php`, comment out the LDAP
address book setting added by iRedMail, and add the new settings for AD like below:

* on RHEL/CentOS and OpenBSD: it's `/var/www/roundcubemail/config/config.inc.php`
* on Debian/Ubuntu: it's `/usr/share/apache2/roundcubemail/config/config.inc.php`
* on FreeBSD: it's `/usr/local/www/roundcubemail/config/config.inc.php`

```php
#
# "sql" is the personal address book stored in the Roundcube database.
# "global_ldap_abook" is the new LDAP address book with AD, defined below;
# the name here must match the key used in $config['ldap_public'].
#
$config['autocomplete_addressbooks'] = array("sql", "global_ldap_abook");

#
# Global LDAP Address Book with AD.
#
$config['ldap_public']["global_ldap_abook"] = array(
    'name'            => 'Global LDAP Address Book',
    'hosts'           => array("ad.example.com"),   // <- Set AD hostname or IP address here.
    'port'            => 389,
    'use_tls'         => false,                     // <- Set to true if you want to use LDAP over TLS.
    'ldap_version'    => '3',
    'network_timeout' => 10,
    'user_specific'   => false,

    'base_dn'         => "cn=users,dc=example,dc=com",  // <- Set base dn in AD
    'bind_dn'         => "vmail",                       // <- bind dn
    'bind_pass'       => "password_of_vmail",           // <- bind password
    'writable'        => false,                         // <- Do not allow mail users to write data back to AD.

    'search_fields'   => array('mail', 'cn', 'sAMAccountName', 'displayname', 'sn', 'givenName'),

    // mapping of contact fields to directory attributes
    'fieldmap' => array(
        'name'          => 'cn',
        'surname'       => 'sn',
        'firstname'     => 'givenName',
        'title'         => 'title',
        'email'         => 'mail:*',
        'phone:work'    => 'telephoneNumber',
        'phone:mobile'  => 'mobile',
        'phone:workfax' => 'facsimileTelephoneNumber',
        'street'        => 'street',
        'zipcode'       => 'postalCode',
        'locality'      => 'l',
        'department'    => 'departmentNumber',
        'notes'         => 'description',
        'photo'         => 'jpegPhoto',
    ),
    'sort'            => 'cn',
    'scope'           => 'sub',
    // Stricter alternative: only person objects that are not disabled in AD.
    //'filter'        => "(&(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
    'filter'          => "(mail=*@*)",
    'fuzzy_search'    => true,
    'vlv'             => false,   // Enable Virtual List View to fetch paginated data more efficiently (if the server supports it)
    'sizelimit'       => '0',     // Limits the number of entries fetched. 0 means no limit.
    'timelimit'       => '0',     // Number of seconds to spend on the search. 0 means no limit.
    'referrals'       => false,   // Sets the LDAP_OPT_REFERRALS option. Mostly used in multi-domain Active Directory setups.
);
```
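To make the filter clauses concrete, here is an added example (not code from the iRedMail documentation) that evaluates the Dovecot `user_filter` from the section above and both Roundcube `filter` values against constructed AD entries. The evaluator and the entries `ALICE`, `BOB` and `SVC` are assumptions for illustration and cover only the filter syntax these configs use.

```python
# Added example, not from the iRedMail docs: evaluate the RFC 4515 filters this page
# configures against constructed AD entries, showing why Dovecot's user_filter rejects
# disabled accounts while Roundcube's "(mail=*@*)" filter still lists them.
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule used on the page
DOVECOT_USER_FILTER = "(&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:" + BIT_AND_RULE + ":=2)))"
ROUNDCUBE_FILTER = "(mail=*@*)"
ROUNDCUBE_STRICT_FILTER = "(&(objectclass=person)(!(userAccountControl:" + BIT_AND_RULE + ":=2)))"
# Constructed entries (not real accounts); attribute names lower-cased, values as lists.
ALICE = {"userprincipalname": ["alice@example.com"], "objectclass": ["top", "person", "user"],
         "mail": ["alice@example.com"], "useraccountcontrol": ["512"]}  # 512 = normal account
BOB = {"userprincipalname": ["bob@example.com"], "objectclass": ["top", "person", "user"],
       "mail": ["bob@example.com"], "useraccountcontrol": ["514"]}  # 514 = 512 | 2 (ACCOUNTDISABLE)
SVC = {"userprincipalname": ["svc@example.com"], "objectclass": ["top", "person", "user"],
       "useraccountcontrol": ["512"]}  # service account without a mail attribute

def _split_top(s):  # split "(a)(b)" into ["(a)", "(b)"] at nesting depth 0
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += ch == "("
        if ch == "(" and depth == 1:
            start = i
        depth -= ch == ")"
        if ch == ")" and depth == 0:
            parts.append(s[start:i + 1])
    return parts

def matches(entry, flt):
    """True if entry satisfies flt (&, |, !, wildcard equality, bitwise-AND extensible match)."""
    body = flt[1:-1]
    if body[0] in "&|":
        results = [matches(entry, f) for f in _split_top(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    if body[0] == "!":
        return not matches(entry, body[1:])
    attr, value = body.split("=", 1)
    values = entry.get(attr.split(":")[0].lower(), [])
    if attr.endswith(":"):  # extensible match: are the requested bits set?
        return any(int(v) & int(value) == int(value) for v in values)
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def dovecot_accepts(entry, login):
    """Apply the page's Dovecot user_filter with %u replaced by the login name."""
    return matches(entry, DOVECOT_USER_FILTER.replace("%u", login))

def address_book(entries, flt):
    """Return the userPrincipalNames Roundcube would list under filter flt."""
    return [e["userprincipalname"][0] for e in entries if matches(e, flt)]
```

Wrapping both Roundcube filters in one `(&...)` lists only enabled accounts that also have a mail address.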

## Additional documents

* If your mail domain name is different from the Windows Active Directory domain: [http://www.iredmail.org/forum/topic3165-integration-with-windows-domain.html](http://www.iredmail.org/forum/topic3165-integration-with-windows-domain.html)