diff --git a/README.md b/README.md
index 0fd50bca..82e1320d 100644
--- a/README.md
+++ b/README.md
@@ -23,14 +23,15 @@ We're working on migrating [old wiki documents](http://www.iredmail.org/wiki) to
 * [SQL: Create an mail alias account with SQL command line](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/sql.create.mail.alias.md)
 * [Store SpamAssassin bayes in SQL](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/store.spamassassin.bayes.in.sql.md)
 # Third-party integrations.
+* [Integrate Microsoft Active Directory in iRedMail](https://bitbucket.org/zhb/docs.iredmail.org/src/default/integrations/active.directory.md)
 * [SOGo: How to install SOGo on CentOS 6 with iRedMail (MySQL backend)](https://bitbucket.org/zhb/docs.iredmail.org/src/default/integrations/sogo-centos-6-mysql.md)
 * [Enabling Apache Solr 4.10 (using jetty) with Dovecot 2.2 for fulltext search results on Centos 6 (iRedMail compatible)](https://extremeshok.com/6622/enabling-apache-solr-4-10-using-jetty-with-dovecot-2-2-for-fulltext-search-results-on-centos-6-iredmail-compatible/)
 # Cluster solutions
 * [An Ultra-HA, full Mult-Master E-mail cluster with iRedMail, MariaDB, and IPVS ](https://bitbucket.org/zhb/docs.iredmail.org/src/default/cluster/full.mult-master.iredmail.cluster.with.mariadb.and.ipvs.md)
 # Backup, restore and migration
-* [Migrate iRedAdmin open source edition to iRedAdmin-Pro](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore-migration/migrate.or.upgrade.iredadmin.md)
-* [Migrate old iRedMail server to the latest stable release](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore-migration/migrate.to.new.iredmail.server.md)
-* [Password hashes](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore-migration/password.hashes.md)
+* [Migrate iRedAdmin open source edition to iRedAdmin-Pro](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore/migrate.or.upgrade.iredadmin.md)
+* [Migrate old iRedMail server to the latest stable 
release](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore/migrate.to.new.iredmail.server.md) +* [Password hashes](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore/password.hashes.md) # Troubleshooting and Debug * [Turn on debug mode in Amavisd](https://bitbucket.org/zhb/docs.iredmail.org/src/default/troubleshooting/turn.on.debug.mode.in.amavisd.md) * [Turn on debug mode in Cluebringer](https://bitbucket.org/zhb/docs.iredmail.org/src/default/troubleshooting/turn.on.debug.mode.in.cluebringer.md) diff --git a/URLs.md b/URLs.md index 0d77f434..267dd34a 100644 --- a/URLs.md +++ b/URLs.md @@ -11,10 +11,6 @@ * https://code.google.com/p/iredmail/wiki/DNS_DKIM * https://code.google.com/p/iredmail/wiki/DNS_SPF -# Misc - -* how to force users to change password in 90 days, with iRedAPD plugin. - # integrations * http://www.iredmail.org/wiki/index.php?title=Integration/Active.Directory.iRedMail diff --git a/backup-restore-migration/_title.md b/backup-restore/_title.md similarity index 100% rename from backup-restore-migration/_title.md rename to backup-restore/_title.md diff --git a/backup-restore-migration/migrate.or.upgrade.iredadmin.md b/backup-restore/migrate.or.upgrade.iredadmin.md similarity index 100% rename from backup-restore-migration/migrate.or.upgrade.iredadmin.md rename to backup-restore/migrate.or.upgrade.iredadmin.md diff --git a/backup-restore-migration/migrate.to.new.iredmail.server.md b/backup-restore/migrate.to.new.iredmail.server.md similarity index 100% rename from backup-restore-migration/migrate.to.new.iredmail.server.md rename to backup-restore/migrate.to.new.iredmail.server.md diff --git a/backup-restore-migration/password.hashes.md b/backup-restore/password.hashes.md similarity index 100% rename from backup-restore-migration/password.hashes.md rename to backup-restore/password.hashes.md diff --git a/convert.sh b/convert.sh index 78e721d9..30dc62cd 100644 --- a/convert.sh +++ b/convert.sh 
@@ -30,7 +30,7 @@
 all_chapter_dirs="installation \
 howto \
 integrations \
 cluster \
- backup-restore-migration \
+ backup-restore \
 troubleshooting \
 faq"
diff --git a/html/active.directory.html b/html/active.directory.html
new file mode 100644
index 00000000..2bd805c4
--- /dev/null
+++ b/html/active.directory.html
@@ -0,0 +1,373 @@
+
+
+ +NOTE: We tested this tutorial on Windows 2000, 2003, 2008 R2 server, if +you tested it on other versions and works well, please let us know. +Contact us
+With Active Directory (AD) integration, you can get below features:
+Since AD uses different LDAP schema, you will lose some iRedMail special features. e.g.
+To integrate Microsoft Active Directory with iRedMail, you should have:
+Please follow iRedMail installaion guides +to install iRedMail on Linux/BSD with OpenLDAP backend first, we will +achieve this AD integration by simply modifying some configure files.
+We assume:
+Hostname of your AD server is ad.example.com
, listen on port 389
. And it's
+ accessible from iRedMail server.
636
instead.Base dn in AD is dc=example,dc=com
, email addresses of all users end with
+ @example.com
(Your mail domain is example.com
).
cn=Users,dc=example,dc=com
. Note: LDAP dn is case-insensitive.3
is recommended.Store all mails on Linux/BSD servers, not on AD server.
+/var/vmail/vmail1
, same as default in iRedMail.support@example.com
will be
+ /var/vmail/vmail1/example.com/support/Maildir/
(Maildir format).With iRedMail (OpenLDAP backend), we have a low-privileged account
+cn=vmail,dc=xxx,dc=xxx
with read-only privilege. And we suggest you create a
+same account vmail
in AD, with strong and complex password.
NOTE: Dovecot will treat characters as comment after a inline #
, so
+please just don't use #
in password
Please make sure this newly created user is able to connect to AD server with +below command on iRedMail server:
+# ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com'
+Enter password: password_of_vmail
+
+
+If it prints all users stored in AD server, then it's working as expected.
+Disable unused iRedMail special settings:
+# postconf -e virtual_alias_maps=''
+# postconf -e sender_bcc_maps=''
+# postconf -e recipient_bcc_maps=''
+# postconf -e relay_domains=''
+# postconf -e relay_recipient_maps=''
+
+
+Add your mail domain name in smtpd_sasl_local_domain
and virtual_mailbox_domains
:
# postconf -e smtpd_sasl_local_domain='example.com'
+# postconf -e virtual_mailbox_domains='example.com'
+
+
+Change transport maps setting:
+# postconf -e transport_maps='hash:/etc/postfix/transport'
+
+
+Enable AD query. Note: We will create these 3 files later.
+# postconf -e smtpd_sender_login_maps='proxy:ldap:/etc/postfix/ad_sender_login_maps.cf'
+
+
+# postconf -e virtual_mailbox_maps='proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf'
+
+
+# postconf -e virtual_alias_maps='proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf'
+
+
+/etc/postfix/transport
.example.com dovecot
+
+
+Note: dovecot
used here is a Postfix transport defined in
+/etc/postfix/master.cf
, used to deliver received emails to local user mailboxes.
Run postmap
so that postfix can read it:
# postmap hash:/etc/postfix/transport
+
+
+/etc/postfix/ad_sender_login_maps.cf
:server_host = ad.example.com
+server_port = 389
+version = 3
+bind = yes
+start_tls = no
+bind_dn = vmail
+bind_pw = password_of_vmail
+search_base = cn=users,dc=example,dc=com
+scope = sub
+query_filter = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
+result_attribute= userPrincipalName
+debuglevel = 0
+
+
+/etc/postfix/ad_virtual_mailbox_maps.cf
:server_host = ad.example.com
+server_port = 389
+version = 3
+bind = yes
+start_tls = no
+bind_dn = vmail
+bind_pw = passwd_of_vmail
+search_base = cn=users,dc=example,dc=com
+scope = sub
+query_filter = (&(objectclass=person)(userPrincipalName=%s))
+result_attribute= userPrincipalName
+result_format = %d/%u/Maildir/
+debuglevel = 0
+
+
+Note: Here, we hard-code user's mailbox path to be
+[domain]/[username]/Maildir
in result_format
setting. for example:
+example.com/postmaster/Maildir
.
/etc/postfix/ad_virtual_group_maps.cf
:server_host = ad.example.com
+server_port = 389
+version = 3
+bind = yes
+start_tls = no
+bind_dn = vmail
+bind_pw = password_of_vmail
+search_base = cn=users,dc=example,dc=com
+scope = sub
+query_filter = (&(objectClass=group)(mail=%s))
+special_result_attribute = member
+leaf_result_attribute = mail
+result_attribute= userPrincipalName
+debuglevel = 0
+
+
+Note:
+mail
and userPrincipalName
, you
+ will get duplicate result. Comment out leaf_result_attribute
line will fix it.mail
and
+ userPrincipalName
, please try query_filter = (&(objectClass=group)(sAMAccountName=%u))
instead.Also, we need to remove iRedAPD related settings in Postfix:
+/etc/postfix/main.cf
check_policy_service inet:127.0.0.1:7777
.We can now use command line tool postmap
to verify AD integration in postfix.
+Before testing, we have to create two testing mail accounts first:
user@example.com
.testgroup@example.com
, then assign mail
+ user user@example.com
as group member.# postmap -q user@example.com ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
+example.com/user/Maildir/
+
+
+If nothing returned by the command, it means LDAP query doesn't get expected
+result. Please set debuglevel = 1
file /etc/postfix/ad_virtual_mailbox_maps.cf
,
+then query again, it now will print detailed debug message. If you're not
+familiar with LDAP related info, please post the debug message in our
+online support forum to get help.
Verify sender login check:
+# postmap -q user@example.com ldap:/etc/postfix/ad_sender_login_maps.cf
+user@example.com
+
+
+Verify mail group
+# postmap -q testgroup@example.com ldap:/etc/postfix/ad_virtual_group_maps.cf
+user@example.com
+
+
+NOTE: postmap
return nothing if:
To query AD instead of local LDAP server, we have to modify Dovecot config file
+/etc/dovecot/dovecot-ldap.conf
like below:
hosts = ad.example.com:389
+ldap_version = 3
+auth_bind = yes
+dn = vmail
+dnpass = passwd_of_vmail
+base = cn=users,dc=example,dc=com
+scope = subtree
+deref = never
+user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
+pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
+pass_attrs = userPassword=password
+default_pass_scheme = CRYPT
+user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/
+
+
+Restart dovecot service to make it work.
+Note: we don't have per-user quota limit here, you can set a hard-coded
+quota for all users in /etc/dovecot/dovecot.conf
. For example:
plugin {
+ [... omit other settings here ...]
+
+ # Format: integer number + M/G/T (M -> MB, G -> GB, T -> TB).
+ quota_rule = *:storage=1G
+}
+
+
+Now use command telnet
to verify AD query after restarted Dovecot service:
# telnet localhost 143 # <- Type this
+* OK [...] Dovecot ready.
+
+. login user@example.com password_of_user # <- Type this. Do not miss the dot in the beginning
+. OK [...] Logged in
+
+^] # <- Quit telnet with "Ctrl+]", then type 'quit'.
+
+
+Note: Do NOT miss the dot character before login
command. if it returns
+Logged in
, then dovecot + AD works.
Edit roundcube config file config/config.inc.php
, comment out the LDAP
+address book setting added by iRedMail, and add new setting for AD like below:
/var/www/roundcubemail/config/config.inc.php
/usr/share/apache2/roundcubemail/config/config.inc.php
/usr/local/www/roundcubemail/config/config.inc.php
#
+# "sql" is personal address book stored in roundcube database.
+# "example.com" is new LDAP address book with AD, we will create it below.
+#
+$rcmail_config['autocomplete_addressbooks'] = array("sql", "example.com");
+
+#
+# Global LDAP Address Book with AD.
+#
+$config['ldap_public']["global_ldap_abook"] = array(
+ 'name' => 'Global LDAP Address Book',
+ 'hosts' => array("ad.example.com"), // <- Set AD hostname or IP address here.
+ 'port' => 389,
+ 'use_tls' => false, // <- Set to true if you want to use LDAP over TLS.
+ 'ldap_version' => '3',
+ 'network_timeout' => 10,
+ 'user_specific' => false,
+
+ 'base_dn' => "cn=users,dc=example,dc=com", // <- Set base dn in AD
+ 'bind_dn' => "vmail", // <- bind dn
+ 'bind_pass' => "password_of_vmail", // <- bind password
+ 'writable' => false, // <- Do not allow mail user write data back to AD.
+
+ 'search_fields' => array('mail', 'cn', 'sAMAccountName', 'displayname', 'sn', 'givenName'),
+
+ // mapping of contact fields to directory attributes
+ 'fieldmap' => array(
+ 'name' => 'cn',
+ 'surname' => 'sn',
+ 'firstname' => 'givenName',
+ 'title' => 'title',
+ 'email' => 'mail:*',
+ 'phone:work' => 'telephoneNumber',
+ 'phone:mobile' => 'mobile',
+ 'street' => 'street',
+ 'zipcode' => 'postalCode',
+ 'locality' => 'l',
+ 'department' => 'departmentNumber',
+ 'notes' => 'description',
+ 'name' => 'cn',
+ 'surname' => 'sn',
+ 'firstname' => 'givenName',
+ 'title' => 'title',
+ 'email' => 'mail:*',
+ 'phone:work' => 'telephoneNumber',
+ 'phone:mobile' => 'mobile',
+ 'phone:workfax' => 'facsimileTelephoneNumber',
+ 'street' => 'street',
+ 'zipcode' => 'postalCode',
+ 'locality' => 'l',
+ 'department' => 'departmentNumber',
+ 'notes' => 'description',
+ 'photo' => 'jpegPhoto',
+ ),
+ 'sort' => 'cn',
+ 'scope' => 'sub',
+ //'filter' => "(&(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
+ 'filter' => "(mail=*@*)",
+ 'fuzzy_search' => true,
+ 'vlv' => false, // Enable Virtual List View to more efficiently fetch paginated data (if server supports it)
+ 'sizelimit' => '0', // Enables you to limit the count of entries fetched. Setting this to 0 means no limit.
+ 'timelimit' => '0', // Sets the number of seconds how long is spend on the search. Setting this to 0 means no limit.
+ 'referrals' => false, // Sets the LDAP_OPT_REFERRALS option. Mostly used in multi-domain Active Directory setups
+);
+
+
+If you found something wrong in this document, please do contact us to fix it.
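Review bot: Every LDAP connection this tutorial configures reaches AD in cleartext — `start_tls = no` on `server_port = 389` in all three `/etc/postfix/ad_*.cf` maps, `hosts = ad.example.com:389` with no `tls = yes` in dovecot-ldap.conf, and `'use_tls' => false` in the Roundcube block — so the `vmail` bind password crosses the network unencrypted, and because Dovecot is set to `auth_bind = yes`, so does every mail user's password on each IMAP/POP login. Port 636 is only mentioned in passing near the top; I would make TLS the default in the snippets (`start_tls = yes`, or `server_host = ldaps://ad.example.com` with `server_port = 636`, for Postfix; `tls = yes` for Dovecot; `'use_tls' => true` for Roundcube) and add a one-line note that these files embed the bind password and must not be world-readable (e.g. root:postfix mode 0640 for the Postfix maps, which `proxy:ldap` still lets Postfix read). The Roundcube snippet also mixes `$rcmail_config['autocomplete_addressbooks']` with `$config['ldap_public'][...]`; on Roundcube releases that only know one of those variable names the other setting is silently ignored, so both lines should use the same name. Finally, the `fieldmap` array lists the `name` … `notes` keys twice; PHP keeps the last duplicate without warning, so the first copy can simply be removed.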