elmau
/
iredmail-doc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

New doc: active.directory.html.

This commit is contained in:
Zhang Huangbin 2014-10-07 14:09:41 +08:00
parent 2b24a84ff7
commit c93f52480f
10 changed files with 758 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README.md
View File

@ -23,14 +23,15 @@ We're working on migrating [old wiki documents](http://www.iredmail.org/wiki) to
* [SQL: Create an mail alias account with SQL command line](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/sql.create.mail.alias.md)
* [Store SpamAssassin bayes in SQL](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/store.spamassassin.bayes.in.sql.md)
# Third-party integrations.
* [Integrate Microsoft Active Directory in iRedMail](https://bitbucket.org/zhb/docs.iredmail.org/src/default/integrations/active.directory.md)
* [SOGo: How to install SOGo on CentOS 6 with iRedMail (MySQL backend)](https://bitbucket.org/zhb/docs.iredmail.org/src/default/integrations/sogo-centos-6-mysql.md)
* [Enabling Apache Solr 4.10 (using jetty) with Dovecot 2.2 for fulltext search results on Centos 6 (iRedMail compatible)](https://extremeshok.com/6622/enabling-apache-solr-4-10-using-jetty-with-dovecot-2-2-for-fulltext-search-results-on-centos-6-iredmail-compatible/)
# Cluster solutions
* [An Ultra-HA, full Mult-Master E-mail cluster with iRedMail, MariaDB, and IPVS ](https://bitbucket.org/zhb/docs.iredmail.org/src/default/cluster/full.mult-master.iredmail.cluster.with.mariadb.and.ipvs.md)
# Backup, restore and migration
* [Migrate iRedAdmin open source edition to iRedAdmin-Pro](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore-migration/migrate.or.upgrade.iredadmin.md)
* [Migrate old iRedMail server to the latest stable release](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore-migration/migrate.to.new.iredmail.server.md)
* [Password hashes](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore-migration/password.hashes.md)
* [Migrate iRedAdmin open source edition to iRedAdmin-Pro](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore/migrate.or.upgrade.iredadmin.md)
* [Migrate old iRedMail server to the latest stable release](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore/migrate.to.new.iredmail.server.md)
* [Password hashes](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore/password.hashes.md)
# Troubleshooting and Debug
* [Turn on debug mode in Amavisd](https://bitbucket.org/zhb/docs.iredmail.org/src/default/troubleshooting/turn.on.debug.mode.in.amavisd.md)
* [Turn on debug mode in Cluebringer](https://bitbucket.org/zhb/docs.iredmail.org/src/default/troubleshooting/turn.on.debug.mode.in.cluebringer.md)

4
URLs.md
View File

@ -11,10 +11,6 @@
* https://code.google.com/p/iredmail/wiki/DNS_DKIM
* https://code.google.com/p/iredmail/wiki/DNS_SPF
# Misc
* how to force users to change password in 90 days, with iRedAPD plugin.
# integrations
* http://www.iredmail.org/wiki/index.php?title=Integration/Active.Directory.iRedMail

0
backup-restore-migration/_title.md → backup-restore/_title.md
View File

0
backup-restore-migration/migrate.or.upgrade.iredadmin.md → backup-restore/migrate.or.upgrade.iredadmin.md
View File

0
backup-restore-migration/migrate.to.new.iredmail.server.md → backup-restore/migrate.to.new.iredmail.server.md
View File

0
backup-restore-migration/password.hashes.md → backup-restore/password.hashes.md
View File

2
convert.sh
View File

@ -30,7 +30,7 @@ all_chapter_dirs="installation \
howto \
integrations \
cluster \
backup-restore-migration \
backup-restore \
troubleshooting \
faq"

373
html/active.directory.html Normal file
View File

@ -0,0 +1,373 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Integrate Microsoft Active Directory in iRedMail</title>
<link href="./css/markdown.css" rel="stylesheet"></head>
</head>
<body>
<div id="navigation">
<a href="http://www.iredmail.org" target="_blank">iRedMail web site</a>
// <a href="./index.html">Document Index</a>
</div><h1 id="integrate-microsoft-active-directory-in-iredmail">Integrate Microsoft Active Directory in iRedMail</h1>
<div class="toc">
<ul>
<li><a href="#integrate-microsoft-active-directory-in-iredmail">Integrate Microsoft Active Directory in iRedMail</a><ul>
<li><a href="#summary">Summary</a></li>
<li><a href="#requirements">Requirements</a></li>
<li><a href="#install-iredmail">Install iRedMail</a></li>
<li><a href="#integrate-microsoft-active-directory-with-postfix">Integrate Microsoft Active Directory with Postfix</a><ul>
<li><a href="#create-user-account-in-ad-used-for-ldap-query">Create user account in AD, used for LDAP query</a></li>
<li><a href="#enable-ldap-query-with-ad-in-postfix">Enable LDAP query with AD in Postfix</a></li>
<li><a href="#verify-ldap-query-with-ad-in-postfix">Verify LDAP query with AD in Postfix</a></li>
</ul>
</li>
<li><a href="#enable-active-directory-integration-in-dovecot">Enable Active Directory integration in Dovecot</a></li>
<li><a href="#enable-active-directory-integration-in-roundcube-webmail-for-global-ldap-address-book">Enable Active Directory integration in Roundcube webmail for Global LDAP Address Book</a></li>
<li><a href="#additions-documents">Additions documents</a></li>
</ul>
</li>
</ul>
</div>
<p><strong>NOTE</strong>: We tested this tutorial on Windows 2000, 2003, 2008 R2 server, if
you tested it on other versions and works well, please let us know.
<a href="http://www.iredmail.org/contact.html">Contact us</a></p>
<h2 id="summary">Summary</h2>
<p>With Active Directory (AD) integration, you can get below features:</p>
<ul>
<li>User authentication against Windows Active Directory. You can now manage mail
user accounts, mail lists with AD.</li>
<li>Mail list support with group in AD.</li>
<li>Global LDAP Address Book with AD in Roundcube Webmail.</li>
<li>Account status support. Disable user in AD will cause this account disabled
in iRedMail.</li>
</ul>
<p>Since AD uses different LDAP schema, you will lose some iRedMail special features. e.g.</p>
<ul>
<li>Per-user, per-domain service control with LDAP (e.g. enable/disable
POP3/IMAP/SMTP services).</li>
</ul>
<h2 id="requirements">Requirements</h2>
<p>To integrate Microsoft Active Directory with iRedMail, you should have:</p>
<ul>
<li>A working Linux/BSD server with iRedMail (OpenLDAP backend) installed.</li>
<li>A working Microsoft Windows (2000/2003) server, with Active Directory
installed and working properly, listen on port 389 (ldap://) or 636
(ldaps://), and allow LDAP connections from iRedMail server.</li>
</ul>
<h2 id="install-iredmail">Install iRedMail</h2>
<p>Please follow <a href="http://iredmail.org/doc.html#installation_guide">iRedMail installaion guides</a>
to install iRedMail on Linux/BSD with OpenLDAP backend first, we will
achieve this AD integration by simply modifying some configure files.</p>
<h2 id="integrate-microsoft-active-directory-with-postfix">Integrate Microsoft Active Directory with Postfix</h2>
<p>We assume:</p>
<ul>
<li>
<p>Hostname of your AD server is <code>ad.example.com</code>, listen on port <code>389</code>. And it's
accessible from iRedMail server.</p>
<ul>
<li>We will use this hostname below, you can replace it by IP address of this
AD server if you want.</li>
<li>If you want to force LDAP connection with LDAPS, use port <code>636</code> instead.</li>
</ul>
</li>
<li>
<p>Base dn in AD is <code>dc=example,dc=com</code>, email addresses of all users end with
<code>@example.com</code> (Your mail domain is <code>example.com</code>).</p>
</li>
<li>All user accounts and mail list accounts are placed under dn
<code>cn=Users,dc=example,dc=com</code>. <strong>Note:</strong> LDAP dn is case-insensitive.</li>
<li>For ldap connection, protocol version <code>3</code> is recommended.</li>
<li>
<p>Store all mails on Linux/BSD servers, not on AD server.</p>
<ul>
<li>Storage directory is <code>/var/vmail/vmail1</code>, same as default in iRedMail.</li>
<li>Mailbox of user <code>support@example.com</code> will be
<code>/var/vmail/vmail1/example.com/support/Maildir/</code> (Maildir format).</li>
</ul>
</li>
</ul>
<h3 id="create-user-account-in-ad-used-for-ldap-query">Create user account in AD, used for LDAP query</h3>
<p>With iRedMail (OpenLDAP backend), we have a low-privileged account
<code>cn=vmail,dc=xxx,dc=xxx</code> with read-only privilege. And we suggest you create a
same account <code>vmail</code> in AD, with strong and complex password.</p>
<p><strong>NOTE</strong>: <a href="http://www.iredmail.org/forum/post8630.html#p8630">Dovecot will treat characters as comment after a inline <code>#</code>, so
please just don't use <code>#</code> in password</a></p>
<p>Please make sure this newly created user is able to connect to AD server with
below command on iRedMail server:</p>
<pre><code class="shell"># ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com'
Enter password: password_of_vmail
</code></pre>
<p>If it prints all users stored in AD server, then it's working as expected.</p>
<h3 id="enable-ldap-query-with-ad-in-postfix">Enable LDAP query with AD in Postfix</h3>
<p>Disable unused iRedMail special settings:</p>
<pre><code class="shell"># postconf -e virtual_alias_maps=''
# postconf -e sender_bcc_maps=''
# postconf -e recipient_bcc_maps=''
# postconf -e relay_domains=''
# postconf -e relay_recipient_maps=''
</code></pre>
<p>Add your mail domain name in <code>smtpd_sasl_local_domain</code> and <code>virtual_mailbox_domains</code>:</p>
<pre><code class="shell"># postconf -e smtpd_sasl_local_domain='example.com'
# postconf -e virtual_mailbox_domains='example.com'
</code></pre>
<p>Change transport maps setting:</p>
<pre><code># postconf -e transport_maps='hash:/etc/postfix/transport'
</code></pre>
<p>Enable AD query. <strong>Note</strong>: We will create these 3 files later.</p>
<ul>
<li>Verify SMTP senders</li>
</ul>
<pre><code class="shell"># postconf -e smtpd_sender_login_maps='proxy:ldap:/etc/postfix/ad_sender_login_maps.cf'
</code></pre>
<ul>
<li>Verify local mail users</li>
</ul>
<pre><code class="shell"># postconf -e virtual_mailbox_maps='proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf'
</code></pre>
<ul>
<li>Verify local mail lists/groups.</li>
</ul>
<pre><code># postconf -e virtual_alias_maps='proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf'
</code></pre>
<ul>
<li>Create/edit file: <code>/etc/postfix/transport</code>.</li>
</ul>
<pre><code>example.com dovecot
</code></pre>
<p><strong>Note</strong>: <code>dovecot</code> used here is a Postfix transport defined in
<code>/etc/postfix/master.cf</code>, used to deliver received emails to local user mailboxes.</p>
<p>Run <code>postmap</code> so that postfix can read it:</p>
<pre><code># postmap hash:/etc/postfix/transport
</code></pre>
<ul>
<li>Create file: <code>/etc/postfix/ad_sender_login_maps.cf</code>:</li>
</ul>
<pre><code>server_host = ad.example.com
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = vmail
bind_pw = password_of_vmail
search_base = cn=users,dc=example,dc=com
scope = sub
query_filter = (&amp;(userPrincipalName=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute= userPrincipalName
debuglevel = 0
</code></pre>
<ul>
<li>Create file: <code>/etc/postfix/ad_virtual_mailbox_maps.cf</code>:</li>
</ul>
<pre><code>server_host = ad.example.com
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = vmail
bind_pw = passwd_of_vmail
search_base = cn=users,dc=example,dc=com
scope = sub
query_filter = (&amp;(objectclass=person)(userPrincipalName=%s))
result_attribute= userPrincipalName
result_format = %d/%u/Maildir/
debuglevel = 0
</code></pre>
<p><strong>Note</strong>: Here, we hard-code user's mailbox path to be
<code>[domain]/[username]/Maildir</code> in <code>result_format</code> setting. for example:
<code>example.com/postmaster/Maildir</code>.</p>
<ul>
<li>Create file: <code>/etc/postfix/ad_virtual_group_maps.cf</code>:</li>
</ul>
<pre><code>server_host = ad.example.com
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = vmail
bind_pw = password_of_vmail
search_base = cn=users,dc=example,dc=com
scope = sub
query_filter = (&amp;(objectClass=group)(mail=%s))
special_result_attribute = member
leaf_result_attribute = mail
result_attribute= userPrincipalName
debuglevel = 0
</code></pre>
<p><strong>Note</strong>:</p>
<ul>
<li>If your user have email address in both <code>mail</code> and <code>userPrincipalName</code>, you
will get duplicate result. Comment out <code>leaf_result_attribute</code> line will fix it.</li>
<li>If your mail group account doesn't contain attribute <code>mail</code> and
<code>userPrincipalName</code>, please try <code>query_filter = (&amp;(objectClass=group)(sAMAccountName=%u))</code> instead.</li>
</ul>
<p>Also, we need to remove iRedAPD related settings in Postfix:</p>
<ol>
<li>Open Postfix config file <code>/etc/postfix/main.cf</code></li>
<li>Remove setting <code>check_policy_service inet:127.0.0.1:7777</code>.</li>
</ol>
<h3 id="verify-ldap-query-with-ad-in-postfix">Verify LDAP query with AD in Postfix</h3>
<p>We can now use command line tool <code>postmap</code> to verify AD integration in postfix.
Before testing, we have to create two testing mail accounts first:</p>
<ol>
<li>Create a mail user in AD. e.g. <code>user@example.com</code>.</li>
<li>Create a mail group in AD. e.g. <code>testgroup@example.com</code>, then assign mail
user <code>user@example.com</code> as group member.</li>
<li>Query mail user account with below command:</li>
</ol>
<pre><code class="shell"># postmap -q user@example.com ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
example.com/user/Maildir/
</code></pre>
<p>If nothing returned by the command, it means LDAP query doesn't get expected
result. Please set <code>debuglevel = 1</code> file <code>/etc/postfix/ad_virtual_mailbox_maps.cf</code>,
then query again, it now will print detailed debug message. If you're not
familiar with LDAP related info, please post the debug message in our
<a href="http://www.iredmail.org/forum/">online support forum</a> to get help.</p>
<p>Verify sender login check:</p>
<pre><code># postmap -q user@example.com ldap:/etc/postfix/ad_sender_login_maps.cf
user@example.com
</code></pre>
<p>Verify mail group</p>
<pre><code># postmap -q testgroup@example.com ldap:/etc/postfix/ad_virtual_group_maps.cf
user@example.com
</code></pre>
<p><strong>NOTE</strong>: <code>postmap</code> return nothing if:</p>
<ol>
<li>mail group doesn't exist</li>
<li>mail group doesn't have any members</li>
</ol>
<h2 id="enable-active-directory-integration-in-dovecot">Enable Active Directory integration in Dovecot</h2>
<p>To query AD instead of local LDAP server, we have to modify Dovecot config file
<code>/etc/dovecot/dovecot-ldap.conf</code> like below:</p>
<pre><code>hosts = ad.example.com:389
ldap_version = 3
auth_bind = yes
dn = vmail
dnpass = passwd_of_vmail
base = cn=users,dc=example,dc=com
scope = subtree
deref = never
user_filter = (&amp;(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter = (&amp;(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = userPassword=password
default_pass_scheme = CRYPT
user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/
</code></pre>
<p>Restart dovecot service to make it work.</p>
<p><strong>Note</strong>: we don't have per-user quota limit here, you can set a hard-coded
quota for all users in <code>/etc/dovecot/dovecot.conf</code>. For example:</p>
<pre><code>plugin {
[... omit other settings here ...]
# Format: integer number + M/G/T (M -&gt; MB, G -&gt; GB, T -&gt; TB).
quota_rule = *:storage=1G
}
</code></pre>
<p>Now use command <code>telnet</code> to verify AD query after restarted Dovecot service:</p>
<pre><code># telnet localhost 143 # &lt;- Type this
* OK [...] Dovecot ready.
. login user@example.com password_of_user # &lt;- Type this. Do not miss the dot in the beginning
. OK [...] Logged in
^] # &lt;- Quit telnet with &quot;Ctrl+]&quot;, then type 'quit'.
</code></pre>
<p>Note: Do NOT miss the dot character before <code>login</code> command. if it returns
<code>Logged in</code>, then dovecot + AD works.</p>
<h2 id="enable-active-directory-integration-in-roundcube-webmail-for-global-ldap-address-book">Enable Active Directory integration in Roundcube webmail for Global LDAP Address Book</h2>
<p>Edit roundcube config file <code>config/config.inc.php</code>, comment out the LDAP
address book setting added by iRedMail, and add new setting for AD like below:</p>
<ul>
<li>on RHEL/CentOS and OpenBSD: it's <code>/var/www/roundcubemail/config/config.inc.php</code></li>
<li>on Debian/Ubuntu: it's <code>/usr/share/apache2/roundcubemail/config/config.inc.php</code></li>
<li>on FreeBSD: it's <code>/usr/local/www/roundcubemail/config/config.inc.php</code></li>
</ul>
<pre><code class="php">#
# &quot;sql&quot; is personal address book stored in roundcube database.
# &quot;example.com&quot; is new LDAP address book with AD, we will create it below.
#
$rcmail_config['autocomplete_addressbooks'] = array(&quot;sql&quot;, &quot;example.com&quot;);
#
# Global LDAP Address Book with AD.
#
$config['ldap_public'][&quot;global_ldap_abook&quot;] = array(
'name' =&gt; 'Global LDAP Address Book',
'hosts' =&gt; array(&quot;ad.example.com&quot;), // &lt;- Set AD hostname or IP address here.
'port' =&gt; 389,
'use_tls' =&gt; false, // &lt;- Set to true if you want to use LDAP over TLS.
'ldap_version' =&gt; '3',
'network_timeout' =&gt; 10,
'user_specific' =&gt; false,
'base_dn' =&gt; &quot;cn=users,dc=example,dc=com&quot;, // &lt;- Set base dn in AD
'bind_dn' =&gt; &quot;vmail&quot;, // &lt;- bind dn
'bind_pass' =&gt; &quot;password_of_vmail&quot;, // &lt;- bind password
'writable' =&gt; false, // &lt;- Do not allow mail user write data back to AD.
'search_fields' =&gt; array('mail', 'cn', 'sAMAccountName', 'displayname', 'sn', 'givenName'),
// mapping of contact fields to directory attributes
'fieldmap' =&gt; array(
'name' =&gt; 'cn',
'surname' =&gt; 'sn',
'firstname' =&gt; 'givenName',
'title' =&gt; 'title',
'email' =&gt; 'mail:*',
'phone:work' =&gt; 'telephoneNumber',
'phone:mobile' =&gt; 'mobile',
'street' =&gt; 'street',
'zipcode' =&gt; 'postalCode',
'locality' =&gt; 'l',
'department' =&gt; 'departmentNumber',
'notes' =&gt; 'description',
'name' =&gt; 'cn',
'surname' =&gt; 'sn',
'firstname' =&gt; 'givenName',
'title' =&gt; 'title',
'email' =&gt; 'mail:*',
'phone:work' =&gt; 'telephoneNumber',
'phone:mobile' =&gt; 'mobile',
'phone:workfax' =&gt; 'facsimileTelephoneNumber',
'street' =&gt; 'street',
'zipcode' =&gt; 'postalCode',
'locality' =&gt; 'l',
'department' =&gt; 'departmentNumber',
'notes' =&gt; 'description',
'photo' =&gt; 'jpegPhoto',
),
'sort' =&gt; 'cn',
'scope' =&gt; 'sub',
//'filter' =&gt; &quot;(&amp;(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))&quot;,
'filter' =&gt; &quot;(mail=*@*)&quot;,
'fuzzy_search' =&gt; true,
'vlv' =&gt; false, // Enable Virtual List View to more efficiently fetch paginated data (if server supports it)
'sizelimit' =&gt; '0', // Enables you to limit the count of entries fetched. Setting this to 0 means no limit.
'timelimit' =&gt; '0', // Sets the number of seconds how long is spend on the search. Setting this to 0 means no limit.
'referrals' =&gt; false, // Sets the LDAP_OPT_REFERRALS option. Mostly used in multi-domain Active Directory setups
);
</code></pre>
<h2 id="additions-documents">Additions documents</h2>
<ul>
<li>If your mail domain name is different than Windows Active Directory domain: <a href="http://www.iredmail.org/forum/topic3165-integration-with-windows-domain.html">http://www.iredmail.org/forum/topic3165-integration-with-windows-domain.html</a></li>
</ul><br /><p>If you found something wrong in this document, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p></body></html>

1
html/index.html
View File

@ -38,6 +38,7 @@
</ul>
<h1 id="third-party-integrations">Third-party integrations.</h1>
<ul>
<li><a href="active.directory.html">Integrate Microsoft Active Directory in iRedMail</a></li>
<li><a href="sogo-centos-6-mysql.html">SOGo: How to install SOGo on CentOS 6 with iRedMail (MySQL backend)</a></li>
<li><a href="https://extremeshok.com/6622/enabling-apache-solr-4-10-using-jetty-with-dovecot-2-2-for-fulltext-search-results-on-centos-6-iredmail-compatible/">Enabling Apache Solr 4.10 (using jetty) with Dovecot 2.2 for fulltext search results on Centos 6 (iRedMail compatible)</a></li>
</ul>

379
integrations/active.directory.md Normal file
View File

@ -0,0 +1,379 @@
# Integrate Microsoft Active Directory in iRedMail
[TOC]
__NOTE__: We tested this tutorial on Windows 2000, 2003, 2008 R2 server, if
you tested it on other versions and works well, please let us know.
[Contact us](http://www.iredmail.org/contact.html)
## Summary
With Active Directory (AD) integration, you can get below features:
* User authentication against Windows Active Directory. You can now manage mail
user accounts, mail lists with AD.
* Mail list support with group in AD.
* Global LDAP Address Book with AD in Roundcube Webmail.
* Account status support. Disable user in AD will cause this account disabled
in iRedMail.
Since AD uses different LDAP schema, you will lose some iRedMail special features. e.g.
* Per-user, per-domain service control with LDAP (e.g. enable/disable
POP3/IMAP/SMTP services).
## Requirements
To integrate Microsoft Active Directory with iRedMail, you should have:
* A working Linux/BSD server with iRedMail (OpenLDAP backend) installed.
* A working Microsoft Windows (2000/2003) server, with Active Directory
installed and working properly, listen on port 389 (ldap://) or 636
(ldaps://), and allow LDAP connections from iRedMail server.
## Install iRedMail
Please follow [iRedMail installaion guides](http://iredmail.org/doc.html#installation_guide)
to install iRedMail on Linux/BSD with OpenLDAP backend first, we will
achieve this AD integration by simply modifying some configure files.
## Integrate Microsoft Active Directory with Postfix
We assume:
* Hostname of your AD server is `ad.example.com`, listen on port `389`. And it's
accessible from iRedMail server.
* We will use this hostname below, you can replace it by IP address of this
AD server if you want.
* If you want to force LDAP connection with LDAPS, use port `636` instead.
* Base dn in AD is `dc=example,dc=com`, email addresses of all users end with
`@example.com` (Your mail domain is `example.com`).
* All user accounts and mail list accounts are placed under dn
`cn=Users,dc=example,dc=com`. __Note:__ LDAP dn is case-insensitive.
* For ldap connection, protocol version `3` is recommended.
* Store all mails on Linux/BSD servers, not on AD server.
* Storage directory is `/var/vmail/vmail1`, same as default in iRedMail.
* Mailbox of user `support@example.com` will be
`/var/vmail/vmail1/example.com/support/Maildir/` (Maildir format).
### Create user account in AD, used for LDAP query
With iRedMail (OpenLDAP backend), we have a low-privileged account
`cn=vmail,dc=xxx,dc=xxx` with read-only privilege. And we suggest you create a
same account `vmail` in AD, with strong and complex password.
__NOTE__: [Dovecot will treat characters as comment after a inline `#`, so
please just don't use `#` in password](http://www.iredmail.org/forum/post8630.html#p8630)
Please make sure this newly created user is able to connect to AD server with
below command on iRedMail server:
```shell
# ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com'
Enter password: password_of_vmail
```
If it prints all users stored in AD server, then it's working as expected.
### Enable LDAP query with AD in Postfix
Disable unused iRedMail special settings:
```shell
# postconf -e virtual_alias_maps=''
# postconf -e sender_bcc_maps=''
# postconf -e recipient_bcc_maps=''
# postconf -e relay_domains=''
# postconf -e relay_recipient_maps=''
```
Add your mail domain name in `smtpd_sasl_local_domain` and `virtual_mailbox_domains`:
```shell
# postconf -e smtpd_sasl_local_domain='example.com'
# postconf -e virtual_mailbox_domains='example.com'
```
Change transport maps setting:
```
# postconf -e transport_maps='hash:/etc/postfix/transport'
```
Enable AD query. __Note__: We will create these 3 files later.
* Verify SMTP senders
```shell
# postconf -e smtpd_sender_login_maps='proxy:ldap:/etc/postfix/ad_sender_login_maps.cf'
```
* Verify local mail users
```shell
# postconf -e virtual_mailbox_maps='proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf'
```
* Verify local mail lists/groups.
```
# postconf -e virtual_alias_maps='proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf'
```
* Create/edit file: `/etc/postfix/transport`.
```
example.com dovecot
```
__Note__: `dovecot` used here is a Postfix transport defined in
`/etc/postfix/master.cf`, used to deliver received emails to local user mailboxes.
Run `postmap` so that postfix can read it:
```
# postmap hash:/etc/postfix/transport
```
* Create file: `/etc/postfix/ad_sender_login_maps.cf`:
```
server_host = ad.example.com
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = vmail
bind_pw = password_of_vmail
search_base = cn=users,dc=example,dc=com
scope = sub
query_filter = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute= userPrincipalName
debuglevel = 0
```
* Create file: `/etc/postfix/ad_virtual_mailbox_maps.cf`:
```
server_host = ad.example.com
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = vmail
bind_pw = passwd_of_vmail
search_base = cn=users,dc=example,dc=com
scope = sub
query_filter = (&(objectclass=person)(userPrincipalName=%s))
result_attribute= userPrincipalName
result_format = %d/%u/Maildir/
debuglevel = 0
```
__Note__: Here, we hard-code user's mailbox path to be
`[domain]/[username]/Maildir` in `result_format` setting. for example:
`example.com/postmaster/Maildir`.
* Create file: `/etc/postfix/ad_virtual_group_maps.cf`:
```
server_host = ad.example.com
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = vmail
bind_pw = password_of_vmail
search_base = cn=users,dc=example,dc=com
scope = sub
query_filter = (&(objectClass=group)(mail=%s))
special_result_attribute = member
leaf_result_attribute = mail
result_attribute= userPrincipalName
debuglevel = 0
```
__Note__:
* If your user have email address in both `mail` and `userPrincipalName`, you
will get duplicate result. Comment out `leaf_result_attribute` line will fix it.
* If your mail group account doesn't contain attribute `mail` and
`userPrincipalName`, please try `query_filter = (&(objectClass=group)(sAMAccountName=%u))` instead.
Also, we need to remove iRedAPD related settings in Postfix:
1. Open Postfix config file `/etc/postfix/main.cf`
1. Remove setting `check_policy_service inet:127.0.0.1:7777`.
### Verify LDAP query with AD in Postfix
We can now use command line tool `postmap` to verify AD integration in postfix.
Before testing, we have to create two testing mail accounts first:
1. Create a mail user in AD. e.g. `user@example.com`.
1. Create a mail group in AD. e.g. `testgroup@example.com`, then assign mail
user `user@example.com` as group member.
1. Query mail user account with below command:
```shell
# postmap -q user@example.com ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
example.com/user/Maildir/
```
If nothing returned by the command, it means LDAP query doesn't get expected
result. Please set `debuglevel = 1` file `/etc/postfix/ad_virtual_mailbox_maps.cf`,
then query again, it now will print detailed debug message. If you're not
familiar with LDAP related info, please post the debug message in our
[online support forum](http://www.iredmail.org/forum/) to get help.
Verify sender login check:
```
# postmap -q user@example.com ldap:/etc/postfix/ad_sender_login_maps.cf
user@example.com
```
Verify mail group
```
# postmap -q testgroup@example.com ldap:/etc/postfix/ad_virtual_group_maps.cf
user@example.com
```
__NOTE__: `postmap` return nothing if:
1. mail group doesn't exist
1. mail group doesn't have any members
## Enable Active Directory integration in Dovecot
To query AD instead of local LDAP server, we have to modify Dovecot config file
`/etc/dovecot/dovecot-ldap.conf` like below:
```
hosts = ad.example.com:389
ldap_version = 3
auth_bind = yes
dn = vmail
dnpass = passwd_of_vmail
base = cn=users,dc=example,dc=com
scope = subtree
deref = never
user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = userPassword=password
default_pass_scheme = CRYPT
user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/
```
Restart dovecot service to make it work.
__Note__: we don't have per-user quota limit here, you can set a hard-coded
quota for all users in `/etc/dovecot/dovecot.conf`. For example:
```
plugin {
[... omit other settings here ...]
# Format: integer number + M/G/T (M -> MB, G -> GB, T -> TB).
quota_rule = *:storage=1G
}
```
Now use command `telnet` to verify AD query after restarted Dovecot service:
```
# telnet localhost 143 # <- Type this
* OK [...] Dovecot ready.
. login user@example.com password_of_user # <- Type this. Do not miss the dot in the beginning
. OK [...] Logged in
^] # <- Quit telnet with "Ctrl+]", then type 'quit'.
```
Note: Do NOT miss the dot character before `login` command. if it returns
`Logged in`, then dovecot + AD works.
## Enable Active Directory integration in Roundcube webmail for Global LDAP Address Book
Edit roundcube config file `config/config.inc.php`, comment out the LDAP
address book setting added by iRedMail, and add new setting for AD like below:
* on RHEL/CentOS and OpenBSD: it's `/var/www/roundcubemail/config/config.inc.php`
* on Debian/Ubuntu: it's `/usr/share/apache2/roundcubemail/config/config.inc.php`
* on FreeBSD: it's `/usr/local/www/roundcubemail/config/config.inc.php`
```php
#
# "sql" is personal address book stored in roundcube database.
# "example.com" is new LDAP address book with AD, we will create it below.
#
$rcmail_config['autocomplete_addressbooks'] = array("sql", "example.com");
#
# Global LDAP Address Book with AD.
#
$config['ldap_public']["global_ldap_abook"] = array(
'name' => 'Global LDAP Address Book',
'hosts' => array("ad.example.com"), // <- Set AD hostname or IP address here.
'port' => 389,
'use_tls' => false, // <- Set to true if you want to use LDAP over TLS.
'ldap_version' => '3',
'network_timeout' => 10,
'user_specific' => false,
'base_dn' => "cn=users,dc=example,dc=com", // <- Set base dn in AD
'bind_dn' => "vmail", // <- bind dn
'bind_pass' => "password_of_vmail", // <- bind password
'writable' => false, // <- Do not allow mail user write data back to AD.
'search_fields' => array('mail', 'cn', 'sAMAccountName', 'displayname', 'sn', 'givenName'),
// mapping of contact fields to directory attributes
'fieldmap' => array(
'name' => 'cn',
'surname' => 'sn',
'firstname' => 'givenName',
'title' => 'title',
'email' => 'mail:*',
'phone:work' => 'telephoneNumber',
'phone:mobile' => 'mobile',
'street' => 'street',
'zipcode' => 'postalCode',
'locality' => 'l',
'department' => 'departmentNumber',
'notes' => 'description',
'name' => 'cn',
'surname' => 'sn',
'firstname' => 'givenName',
'title' => 'title',
'email' => 'mail:*',
'phone:work' => 'telephoneNumber',
'phone:mobile' => 'mobile',
'phone:workfax' => 'facsimileTelephoneNumber',
'street' => 'street',
'zipcode' => 'postalCode',
'locality' => 'l',
'department' => 'departmentNumber',
'notes' => 'description',
'photo' => 'jpegPhoto',
),
'sort' => 'cn',
'scope' => 'sub',
//'filter' => "(&(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
'filter' => "(mail=*@*)",
'fuzzy_search' => true,
'vlv' => false, // Enable Virtual List View to more efficiently fetch paginated data (if server supports it)
'sizelimit' => '0', // Enables you to limit the count of entries fetched. Setting this to 0 means no limit.
'timelimit' => '0', // Sets the number of seconds how long is spend on the search. Setting this to 0 means no limit.
'referrals' => false, // Sets the LDAP_OPT_REFERRALS option. Mostly used in multi-domain Active Directory setups
);
```
## Additions documents
* If your mail domain name is different than Windows Active Directory domain: [http://www.iredmail.org/forum/topic3165-integration-with-windows-domain.html](http://www.iredmail.org/forum/topic3165-integration-with-windows-domain.html)