From c93f52480fe7fc4dee7bfc48152d7e37d1e3f8e0 Mon Sep 17 00:00:00 2001 From: Zhang Huangbin Date: Tue, 7 Oct 2014 14:09:41 +0800 Subject: [PATCH] New doc: active.directory.html. --- README.md | 7 +- URLs.md | 4 - .../_title.md | 0 .../migrate.or.upgrade.iredadmin.md | 0 .../migrate.to.new.iredmail.server.md | 0 .../password.hashes.md | 0 convert.sh | 2 +- html/active.directory.html | 373 +++++++++++++++++ html/index.html | 1 + integrations/active.directory.md | 379 ++++++++++++++++++ 10 files changed, 758 insertions(+), 8 deletions(-) rename {backup-restore-migration => backup-restore}/_title.md (100%) rename {backup-restore-migration => backup-restore}/migrate.or.upgrade.iredadmin.md (100%) rename {backup-restore-migration => backup-restore}/migrate.to.new.iredmail.server.md (100%) rename {backup-restore-migration => backup-restore}/password.hashes.md (100%) create mode 100644 html/active.directory.html create mode 100644 integrations/active.directory.md diff --git a/README.md b/README.md index 0fd50bca..82e1320d 100644 --- a/README.md +++ b/README.md @@ -23,14 +23,15 @@ We're working on migrating [old wiki documents](http://www.iredmail.org/wiki) to * [SQL: Create an mail alias account with SQL command line](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/sql.create.mail.alias.md) * [Store SpamAssassin bayes in SQL](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/store.spamassassin.bayes.in.sql.md) # Third-party integrations. +* [Integrate Microsoft Active Directory in iRedMail](https://bitbucket.org/zhb/docs.iredmail.org/src/default/integrations/active.directory.md) * [SOGo: How to install SOGo on CentOS 6 with iRedMail (MySQL backend)](https://bitbucket.org/zhb/docs.iredmail.org/src/default/integrations/sogo-centos-6-mysql.md) * [Enabling Apache Solr 4.10 (using jetty) with Dovecot 2.2 for fulltext search results on Centos 6 (iRedMail compatible)](https://extremeshok.com/6622/enabling-apache-solr-4-10-using-jetty-with-dovecot-2-2-for-fulltext-search-results-on-centos-6-iredmail-compatible/) # Cluster solutions * [An Ultra-HA, full Mult-Master E-mail cluster with iRedMail, MariaDB, and IPVS ](https://bitbucket.org/zhb/docs.iredmail.org/src/default/cluster/full.mult-master.iredmail.cluster.with.mariadb.and.ipvs.md) # Backup, restore and migration -* [Migrate iRedAdmin open source edition to iRedAdmin-Pro](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore-migration/migrate.or.upgrade.iredadmin.md) -* [Migrate old iRedMail server to the latest stable release](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore-migration/migrate.to.new.iredmail.server.md) -* [Password hashes](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore-migration/password.hashes.md) +* [Migrate iRedAdmin open source edition to iRedAdmin-Pro](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore/migrate.or.upgrade.iredadmin.md) +* [Migrate old iRedMail server to the latest stable release](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore/migrate.to.new.iredmail.server.md) +* [Password hashes](https://bitbucket.org/zhb/docs.iredmail.org/src/default/backup-restore/password.hashes.md) # Troubleshooting and Debug * [Turn on debug mode in Amavisd](https://bitbucket.org/zhb/docs.iredmail.org/src/default/troubleshooting/turn.on.debug.mode.in.amavisd.md) * [Turn on debug mode in Cluebringer](https://bitbucket.org/zhb/docs.iredmail.org/src/default/troubleshooting/turn.on.debug.mode.in.cluebringer.md) diff --git a/URLs.md b/URLs.md index 0d77f434..267dd34a 100644 --- a/URLs.md +++ b/URLs.md @@ -11,10 +11,6 @@ * https://code.google.com/p/iredmail/wiki/DNS_DKIM * https://code.google.com/p/iredmail/wiki/DNS_SPF -# Misc - -* how to force users to change password in 90 days, with iRedAPD plugin. - # integrations * http://www.iredmail.org/wiki/index.php?title=Integration/Active.Directory.iRedMail diff --git a/backup-restore-migration/_title.md b/backup-restore/_title.md similarity index 100% rename from backup-restore-migration/_title.md rename to backup-restore/_title.md diff --git a/backup-restore-migration/migrate.or.upgrade.iredadmin.md b/backup-restore/migrate.or.upgrade.iredadmin.md similarity index 100% rename from backup-restore-migration/migrate.or.upgrade.iredadmin.md rename to backup-restore/migrate.or.upgrade.iredadmin.md diff --git a/backup-restore-migration/migrate.to.new.iredmail.server.md b/backup-restore/migrate.to.new.iredmail.server.md similarity index 100% rename from backup-restore-migration/migrate.to.new.iredmail.server.md rename to backup-restore/migrate.to.new.iredmail.server.md diff --git a/backup-restore-migration/password.hashes.md b/backup-restore/password.hashes.md similarity index 100% rename from backup-restore-migration/password.hashes.md rename to backup-restore/password.hashes.md diff --git a/convert.sh b/convert.sh index 78e721d9..30dc62cd 100644 --- a/convert.sh +++ b/convert.sh @@ -30,7 +30,7 @@ all_chapter_dirs="installation \ howto \ integrations \ cluster \ - backup-restore-migration \ + backup-restore \ troubleshooting \ faq" diff --git a/html/active.directory.html b/html/active.directory.html new file mode 100644 index 00000000..2bd805c4 --- /dev/null +++ b/html/active.directory.html @@ -0,0 +1,373 @@ + + + + Integrate Microsoft Active Directory in iRedMail + + + + +

Integrate Microsoft Active Directory in iRedMail

+
+ +
+

NOTE: We tested this tutorial on Windows 2000, 2003, 2008 R2 server, if +you tested it on other versions and works well, please let us know. +Contact us

+

Summary

+

With Active Directory (AD) integration, you can get below features:

+ +

Since AD uses different LDAP schema, you will lose some iRedMail special features. e.g.

+ +

Requirements

+

To integrate Microsoft Active Directory with iRedMail, you should have:

+ +

Install iRedMail

+

Please follow iRedMail installaion guides +to install iRedMail on Linux/BSD with OpenLDAP backend first, we will +achieve this AD integration by simply modifying some configure files.

+

Integrate Microsoft Active Directory with Postfix

+

We assume:

+ +

Create user account in AD, used for LDAP query

+

With iRedMail (OpenLDAP backend), we have a low-privileged account +cn=vmail,dc=xxx,dc=xxx with read-only privilege. And we suggest you create a +same account vmail in AD, with strong and complex password.

+

NOTE: Dovecot will treat characters as comment after a inline #, so +please just don't use # in password

+

Please make sure this newly created user is able to connect to AD server with +below command on iRedMail server:

+
# ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com'
+Enter password: password_of_vmail
+
+ +

If it prints all users stored in AD server, then it's working as expected.

+

Enable LDAP query with AD in Postfix

+

Disable unused iRedMail special settings:

+
# postconf -e virtual_alias_maps=''
+# postconf -e sender_bcc_maps=''
+# postconf -e recipient_bcc_maps=''
+# postconf -e relay_domains=''
+# postconf -e relay_recipient_maps=''
+
+ +

Add your mail domain name in smtpd_sasl_local_domain and virtual_mailbox_domains:

+
# postconf -e smtpd_sasl_local_domain='example.com'
+# postconf -e virtual_mailbox_domains='example.com'
+
+ +

Change transport maps setting:

+
# postconf -e transport_maps='hash:/etc/postfix/transport'
+
+ +

Enable AD query. Note: We will create these 3 files later.

+ +
# postconf -e smtpd_sender_login_maps='proxy:ldap:/etc/postfix/ad_sender_login_maps.cf'
+
+ + +
# postconf -e virtual_mailbox_maps='proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf'
+
+ + +
# postconf -e virtual_alias_maps='proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf'
+
+ + +
example.com dovecot
+
+ +

Note: dovecot used here is a Postfix transport defined in +/etc/postfix/master.cf, used to deliver received emails to local user mailboxes.

+

Run postmap so that postfix can read it:

+
# postmap hash:/etc/postfix/transport
+
+ + +
server_host     = ad.example.com
+server_port     = 389
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = vmail
+bind_pw         = password_of_vmail
+search_base     = cn=users,dc=example,dc=com
+scope           = sub
+query_filter    = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
+result_attribute= userPrincipalName
+debuglevel      = 0
+
+ + +
server_host     = ad.example.com
+server_port     = 389
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = vmail
+bind_pw         = passwd_of_vmail
+search_base     = cn=users,dc=example,dc=com
+scope           = sub
+query_filter    = (&(objectclass=person)(userPrincipalName=%s))
+result_attribute= userPrincipalName
+result_format   = %d/%u/Maildir/
+debuglevel      = 0
+
+ +

Note: Here, we hard-code user's mailbox path to be +[domain]/[username]/Maildir in result_format setting. for example: +example.com/postmaster/Maildir.

+ +
server_host     = ad.example.com
+server_port     = 389
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = vmail
+bind_pw         = password_of_vmail
+search_base     = cn=users,dc=example,dc=com
+scope           = sub
+query_filter    = (&(objectClass=group)(mail=%s))
+special_result_attribute = member
+leaf_result_attribute = mail
+result_attribute= userPrincipalName
+debuglevel      = 0
+
+ +

Note:

+ +

Also, we need to remove iRedAPD related settings in Postfix:

+
    +
  1. Open Postfix config file /etc/postfix/main.cf
    2. +
  2. Remove setting check_policy_service inet:127.0.0.1:7777.
    3. +
+

Verify LDAP query with AD in Postfix

+

We can now use command line tool postmap to verify AD integration in postfix. +Before testing, we have to create two testing mail accounts first:

+
    +
  1. Create a mail user in AD. e.g. user@example.com.
    2. +
  2. Create a mail group in AD. e.g. testgroup@example.com, then assign mail + user user@example.com as group member.
    3. +
  3. Query mail user account with below command:
    4. +
+
# postmap -q user@example.com ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
+example.com/user/Maildir/
+
+ +

If nothing returned by the command, it means LDAP query doesn't get expected +result. Please set debuglevel = 1 file /etc/postfix/ad_virtual_mailbox_maps.cf, +then query again, it now will print detailed debug message. If you're not +familiar with LDAP related info, please post the debug message in our +online support forum to get help.

+

Verify sender login check:

+
# postmap -q user@example.com ldap:/etc/postfix/ad_sender_login_maps.cf
+user@example.com
+
+ +

Verify mail group

+
# postmap -q testgroup@example.com ldap:/etc/postfix/ad_virtual_group_maps.cf
+user@example.com
+
+ +

NOTE: postmap return nothing if:

+
    +
  1. mail group doesn't exist
    2. +
  2. mail group doesn't have any members
    3. +
+

Enable Active Directory integration in Dovecot

+

To query AD instead of local LDAP server, we have to modify Dovecot config file +/etc/dovecot/dovecot-ldap.conf like below:

+
hosts           = ad.example.com:389
+ldap_version    = 3
+auth_bind       = yes
+dn              = vmail
+dnpass          = passwd_of_vmail
+base            = cn=users,dc=example,dc=com
+scope           = subtree
+deref           = never
+user_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
+pass_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
+pass_attrs      = userPassword=password
+default_pass_scheme = CRYPT
+user_attrs      = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/
+
+ +

Restart dovecot service to make it work.

+

Note: we don't have per-user quota limit here, you can set a hard-coded +quota for all users in /etc/dovecot/dovecot.conf. For example:

+
plugin {
+    [... omit other settings here ...]
+
+    # Format: integer number + M/G/T (M -> MB, G -> GB, T -> TB).
+    quota_rule = *:storage=1G
+}
+
+ +

Now use command telnet to verify AD query after restarted Dovecot service:

+
# telnet localhost 143                     # <- Type this
+* OK [...] Dovecot ready.
+
+. login user@example.com password_of_user  # <- Type this. Do not miss the dot in the beginning
+. OK [...] Logged in
+
+^]                                         # <- Quit telnet with "Ctrl+]", then type 'quit'.
+
+ +

Note: Do NOT miss the dot character before login command. if it returns +Logged in, then dovecot + AD works.

+

Enable Active Directory integration in Roundcube webmail for Global LDAP Address Book

+

Edit roundcube config file config/config.inc.php, comment out the LDAP +address book setting added by iRedMail, and add new setting for AD like below:

+ +
#
+# "sql" is personal address book stored in roundcube database.
+# "example.com" is new LDAP address book with AD, we will create it below.
+#
+$rcmail_config['autocomplete_addressbooks'] = array("sql", "example.com");
+
+#
+# Global LDAP Address Book with AD.
+#
+$config['ldap_public']["global_ldap_abook"] = array(
+    'name'          => 'Global LDAP Address Book',
+    'hosts'         => array("ad.example.com"),      // <- Set AD hostname or IP address here.
+    'port'          => 389,
+    'use_tls'       => false,   // <- Set to true if you want to use LDAP over TLS.
+    'ldap_version'  => '3',
+    'network_timeout' => 10,
+    'user_specific' => false,
+
+    'base_dn'       => "cn=users,dc=example,dc=com", // <- Set base dn in AD
+    'bind_dn'       => "vmail",                      // <- bind dn
+    'bind_pass'     => "password_of_vmail",          // <- bind password
+    'writable'      => false,                        // <- Do not allow mail user write data back to AD.
+
+    'search_fields' => array('mail', 'cn', 'sAMAccountName', 'displayname', 'sn', 'givenName'),
+
+    // mapping of contact fields to directory attributes
+    'fieldmap' => array(
+        'name'        => 'cn',
+        'surname'     => 'sn',
+        'firstname'   => 'givenName',
+        'title'       => 'title',
+        'email'       => 'mail:*',
+        'phone:work'  => 'telephoneNumber',
+        'phone:mobile' => 'mobile',
+        'street'      => 'street',
+        'zipcode'     => 'postalCode',
+        'locality'    => 'l',
+        'department'  => 'departmentNumber',
+        'notes'       => 'description',
+        'name'        => 'cn',
+        'surname'     => 'sn',
+        'firstname'   => 'givenName',
+        'title'       => 'title',
+        'email'       => 'mail:*',
+        'phone:work'  => 'telephoneNumber',
+        'phone:mobile' => 'mobile',
+        'phone:workfax' => 'facsimileTelephoneNumber',
+        'street'      => 'street',
+        'zipcode'     => 'postalCode',
+        'locality'    => 'l',
+        'department'  => 'departmentNumber',
+        'notes'       => 'description',
+        'photo'       => 'jpegPhoto',
+    ),
+    'sort'          => 'cn',
+    'scope'         => 'sub',
+    //'filter'        => "(&(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
+    'filter'        => "(mail=*@*)",
+    'fuzzy_search'  => true,
+    'vlv'           => false,   // Enable Virtual List View to more efficiently fetch paginated data (if server supports it)
+    'sizelimit'     => '0',     // Enables you to limit the count of entries fetched. Setting this to 0 means no limit.
+    'timelimit'     => '0',     // Sets the number of seconds how long is spend on the search. Setting this to 0 means no limit.
+    'referrals'     => false,  // Sets the LDAP_OPT_REFERRALS option. Mostly used in multi-domain Active Directory setups
+);
+
+ +

Additions documents

+

If you found something wrong in this document, please do contact us to fix it.

\ No newline at end of file diff --git a/html/index.html b/html/index.html index e8d6178d..fb4d66d1 100644 --- a/html/index.html +++ b/html/index.html @@ -38,6 +38,7 @@

Third-party integrations.

diff --git a/integrations/active.directory.md b/integrations/active.directory.md new file mode 100644 index 00000000..210ee0bd --- /dev/null +++ b/integrations/active.directory.md @@ -0,0 +1,379 @@ +# Integrate Microsoft Active Directory in iRedMail + +[TOC] + +__NOTE__: We tested this tutorial on Windows 2000, 2003, 2008 R2 server, if +you tested it on other versions and works well, please let us know. +[Contact us](http://www.iredmail.org/contact.html) + +## Summary + +With Active Directory (AD) integration, you can get below features: + +* User authentication against Windows Active Directory. You can now manage mail + user accounts, mail lists with AD. +* Mail list support with group in AD. +* Global LDAP Address Book with AD in Roundcube Webmail. +* Account status support. Disable user in AD will cause this account disabled + in iRedMail. + +Since AD uses different LDAP schema, you will lose some iRedMail special features. e.g. + +* Per-user, per-domain service control with LDAP (e.g. enable/disable + POP3/IMAP/SMTP services). + +## Requirements + +To integrate Microsoft Active Directory with iRedMail, you should have: + +* A working Linux/BSD server with iRedMail (OpenLDAP backend) installed. +* A working Microsoft Windows (2000/2003) server, with Active Directory + installed and working properly, listen on port 389 (ldap://) or 636 + (ldaps://), and allow LDAP connections from iRedMail server. + +## Install iRedMail + +Please follow [iRedMail installaion guides](http://iredmail.org/doc.html#installation_guide) +to install iRedMail on Linux/BSD with OpenLDAP backend first, we will +achieve this AD integration by simply modifying some configure files. + +## Integrate Microsoft Active Directory with Postfix + +We assume: + +* Hostname of your AD server is `ad.example.com`, listen on port `389`. And it's + accessible from iRedMail server. + + * We will use this hostname below, you can replace it by IP address of this + AD server if you want. + * If you want to force LDAP connection with LDAPS, use port `636` instead. + +* Base dn in AD is `dc=example,dc=com`, email addresses of all users end with + `@example.com` (Your mail domain is `example.com`). +* All user accounts and mail list accounts are placed under dn + `cn=Users,dc=example,dc=com`. __Note:__ LDAP dn is case-insensitive. +* For ldap connection, protocol version `3` is recommended. +* Store all mails on Linux/BSD servers, not on AD server. + + * Storage directory is `/var/vmail/vmail1`, same as default in iRedMail. + * Mailbox of user `support@example.com` will be + `/var/vmail/vmail1/example.com/support/Maildir/` (Maildir format). + +### Create user account in AD, used for LDAP query + +With iRedMail (OpenLDAP backend), we have a low-privileged account +`cn=vmail,dc=xxx,dc=xxx` with read-only privilege. And we suggest you create a +same account `vmail` in AD, with strong and complex password. + +__NOTE__: [Dovecot will treat characters as comment after a inline `#`, so +please just don't use `#` in password](http://www.iredmail.org/forum/post8630.html#p8630) + +Please make sure this newly created user is able to connect to AD server with +below command on iRedMail server: + +```shell +# ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com' +Enter password: password_of_vmail +``` + +If it prints all users stored in AD server, then it's working as expected. + +### Enable LDAP query with AD in Postfix + +Disable unused iRedMail special settings: + +```shell +# postconf -e virtual_alias_maps='' +# postconf -e sender_bcc_maps='' +# postconf -e recipient_bcc_maps='' +# postconf -e relay_domains='' +# postconf -e relay_recipient_maps='' +``` + +Add your mail domain name in `smtpd_sasl_local_domain` and `virtual_mailbox_domains`: + +```shell +# postconf -e smtpd_sasl_local_domain='example.com' +# postconf -e virtual_mailbox_domains='example.com' +``` + +Change transport maps setting: + +``` +# postconf -e transport_maps='hash:/etc/postfix/transport' +``` + +Enable AD query. __Note__: We will create these 3 files later. + +* Verify SMTP senders + +```shell +# postconf -e smtpd_sender_login_maps='proxy:ldap:/etc/postfix/ad_sender_login_maps.cf' +``` + +* Verify local mail users + +```shell +# postconf -e virtual_mailbox_maps='proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf' +``` + +* Verify local mail lists/groups. + +``` +# postconf -e virtual_alias_maps='proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf' +``` + +* Create/edit file: `/etc/postfix/transport`. + +``` +example.com dovecot +``` + +__Note__: `dovecot` used here is a Postfix transport defined in +`/etc/postfix/master.cf`, used to deliver received emails to local user mailboxes. + +Run `postmap` so that postfix can read it: + +``` +# postmap hash:/etc/postfix/transport +``` + +* Create file: `/etc/postfix/ad_sender_login_maps.cf`: + +``` +server_host = ad.example.com +server_port = 389 +version = 3 +bind = yes +start_tls = no +bind_dn = vmail +bind_pw = password_of_vmail +search_base = cn=users,dc=example,dc=com +scope = sub +query_filter = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) +result_attribute= userPrincipalName +debuglevel = 0 +``` + +* Create file: `/etc/postfix/ad_virtual_mailbox_maps.cf`: + +``` +server_host = ad.example.com +server_port = 389 +version = 3 +bind = yes +start_tls = no +bind_dn = vmail +bind_pw = passwd_of_vmail +search_base = cn=users,dc=example,dc=com +scope = sub +query_filter = (&(objectclass=person)(userPrincipalName=%s)) +result_attribute= userPrincipalName +result_format = %d/%u/Maildir/ +debuglevel = 0 +``` + +__Note__: Here, we hard-code user's mailbox path to be +`[domain]/[username]/Maildir` in `result_format` setting. for example: +`example.com/postmaster/Maildir`. + +* Create file: `/etc/postfix/ad_virtual_group_maps.cf`: + +``` +server_host = ad.example.com +server_port = 389 +version = 3 +bind = yes +start_tls = no +bind_dn = vmail +bind_pw = password_of_vmail +search_base = cn=users,dc=example,dc=com +scope = sub +query_filter = (&(objectClass=group)(mail=%s)) +special_result_attribute = member +leaf_result_attribute = mail +result_attribute= userPrincipalName +debuglevel = 0 +``` + +__Note__: + +* If your user have email address in both `mail` and `userPrincipalName`, you + will get duplicate result. Comment out `leaf_result_attribute` line will fix it. +* If your mail group account doesn't contain attribute `mail` and + `userPrincipalName`, please try `query_filter = (&(objectClass=group)(sAMAccountName=%u))` instead. + +Also, we need to remove iRedAPD related settings in Postfix: + +1. Open Postfix config file `/etc/postfix/main.cf` +1. Remove setting `check_policy_service inet:127.0.0.1:7777`. + +### Verify LDAP query with AD in Postfix + +We can now use command line tool `postmap` to verify AD integration in postfix. +Before testing, we have to create two testing mail accounts first: + +1. Create a mail user in AD. e.g. `user@example.com`. +1. Create a mail group in AD. e.g. `testgroup@example.com`, then assign mail + user `user@example.com` as group member. +1. Query mail user account with below command: + +```shell +# postmap -q user@example.com ldap:/etc/postfix/ad_virtual_mailbox_maps.cf +example.com/user/Maildir/ +``` + +If nothing returned by the command, it means LDAP query doesn't get expected +result. Please set `debuglevel = 1` file `/etc/postfix/ad_virtual_mailbox_maps.cf`, +then query again, it now will print detailed debug message. If you're not +familiar with LDAP related info, please post the debug message in our +[online support forum](http://www.iredmail.org/forum/) to get help. + +Verify sender login check: + +``` +# postmap -q user@example.com ldap:/etc/postfix/ad_sender_login_maps.cf +user@example.com +``` + +Verify mail group + +``` +# postmap -q testgroup@example.com ldap:/etc/postfix/ad_virtual_group_maps.cf +user@example.com +``` + +__NOTE__: `postmap` return nothing if: + +1. mail group doesn't exist +1. mail group doesn't have any members + +## Enable Active Directory integration in Dovecot + +To query AD instead of local LDAP server, we have to modify Dovecot config file +`/etc/dovecot/dovecot-ldap.conf` like below: + +``` +hosts = ad.example.com:389 +ldap_version = 3 +auth_bind = yes +dn = vmail +dnpass = passwd_of_vmail +base = cn=users,dc=example,dc=com +scope = subtree +deref = never +user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) +pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) +pass_attrs = userPassword=password +default_pass_scheme = CRYPT +user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/ +``` + +Restart dovecot service to make it work. + +__Note__: we don't have per-user quota limit here, you can set a hard-coded +quota for all users in `/etc/dovecot/dovecot.conf`. For example: + +``` +plugin { + [... omit other settings here ...] + + # Format: integer number + M/G/T (M -> MB, G -> GB, T -> TB). + quota_rule = *:storage=1G +} +``` + +Now use command `telnet` to verify AD query after restarted Dovecot service: + +``` +# telnet localhost 143 # <- Type this +* OK [...] Dovecot ready. + +. login user@example.com password_of_user # <- Type this. Do not miss the dot in the beginning +. OK [...] Logged in + +^] # <- Quit telnet with "Ctrl+]", then type 'quit'. +``` + +Note: Do NOT miss the dot character before `login` command. if it returns +`Logged in`, then dovecot + AD works. + +## Enable Active Directory integration in Roundcube webmail for Global LDAP Address Book + +Edit roundcube config file `config/config.inc.php`, comment out the LDAP +address book setting added by iRedMail, and add new setting for AD like below: + +* on RHEL/CentOS and OpenBSD: it's `/var/www/roundcubemail/config/config.inc.php` +* on Debian/Ubuntu: it's `/usr/share/apache2/roundcubemail/config/config.inc.php` +* on FreeBSD: it's `/usr/local/www/roundcubemail/config/config.inc.php` + +```php +# +# "sql" is personal address book stored in roundcube database. +# "example.com" is new LDAP address book with AD, we will create it below. +# +$rcmail_config['autocomplete_addressbooks'] = array("sql", "example.com"); + +# +# Global LDAP Address Book with AD. +# +$config['ldap_public']["global_ldap_abook"] = array( + 'name' => 'Global LDAP Address Book', + 'hosts' => array("ad.example.com"), // <- Set AD hostname or IP address here. + 'port' => 389, + 'use_tls' => false, // <- Set to true if you want to use LDAP over TLS. + 'ldap_version' => '3', + 'network_timeout' => 10, + 'user_specific' => false, + + 'base_dn' => "cn=users,dc=example,dc=com", // <- Set base dn in AD + 'bind_dn' => "vmail", // <- bind dn + 'bind_pass' => "password_of_vmail", // <- bind password + 'writable' => false, // <- Do not allow mail user write data back to AD. + + 'search_fields' => array('mail', 'cn', 'sAMAccountName', 'displayname', 'sn', 'givenName'), + + // mapping of contact fields to directory attributes + 'fieldmap' => array( + 'name' => 'cn', + 'surname' => 'sn', + 'firstname' => 'givenName', + 'title' => 'title', + 'email' => 'mail:*', + 'phone:work' => 'telephoneNumber', + 'phone:mobile' => 'mobile', + 'street' => 'street', + 'zipcode' => 'postalCode', + 'locality' => 'l', + 'department' => 'departmentNumber', + 'notes' => 'description', + 'name' => 'cn', + 'surname' => 'sn', + 'firstname' => 'givenName', + 'title' => 'title', + 'email' => 'mail:*', + 'phone:work' => 'telephoneNumber', + 'phone:mobile' => 'mobile', + 'phone:workfax' => 'facsimileTelephoneNumber', + 'street' => 'street', + 'zipcode' => 'postalCode', + 'locality' => 'l', + 'department' => 'departmentNumber', + 'notes' => 'description', + 'photo' => 'jpegPhoto', + ), + 'sort' => 'cn', + 'scope' => 'sub', + //'filter' => "(&(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", + 'filter' => "(mail=*@*)", + 'fuzzy_search' => true, + 'vlv' => false, // Enable Virtual List View to more efficiently fetch paginated data (if server supports it) + 'sizelimit' => '0', // Enables you to limit the count of entries fetched. Setting this to 0 means no limit. + 'timelimit' => '0', // Sets the number of seconds how long is spend on the search. Setting this to 0 means no limit. + 'referrals' => false, // Sets the LDAP_OPT_REFERRALS option. Mostly used in multi-domain Active Directory setups +); +``` + +## Additions documents + +* If your mail domain name is different than Windows Active Directory domain: [http://www.iredmail.org/forum/topic3165-integration-with-windows-domain.html](http://www.iredmail.org/forum/topic3165-integration-with-windows-domain.html)