# iRedMail Easy: Preparations for using Microsoft Active Directory as iRedMail backend
[TOC]
## Summary

To query mail accounts against Microsoft Active Directory, iRedMail needs an LDAP user account that is allowed to query the Active Directory.

In this tutorial, we will show you how to:

- create account `vmail` with read-only privilege, used to query mail accounts
- create account `vmailadmin` with read-write privileges, used to query and manage mail accounts.

This tutorial has been tested on Windows Server 2012, but it should work for all Windows Server versions.
## Create read-only account: vmail

- Click `Start` on the bottom-left corner of your Windows OS, then click `Server Manager`.
- Click `Tools` on the top-right corner, then click `Active Directory Domains and Trusts`.
- Right click your AD domain, then click `Manage`. It will show you a new window. In this example, the domain is `iredmail.org`.
- In the new window, right click on item `Users`, then select `New -> User`.
- Input `vmail` in the `User logon name` field, fill in the other fields, then click `Next`.
- Input a strong password for the `vmail` user, make sure option `Password never expires` is checked, and uncheck the other 3 options. Then click `Next`.
- Click `Finish` to finish account creation.
### Grant privileges

We need to grant the `vmail` user the required privileges.

In the `Active Directory Users and Computers` window, right click your AD domain name (in our example it's `iredmail.org`) and select `Delegate Control...`.

- Click `Next`.
- Click `Add`.
- Input the read-only account `vmail`, then click `OK`.
- Click `Next`.
- Select `Read all user information`, then click `Next`.
- Click `Finish` to confirm.
## Create read-write account: vmailadmin

This account is used to manage mail accounts.

- Click `Start` on the bottom-left corner of your Windows OS, then click `Server Manager`.
- Click `Tools` on the top-right corner, then click `Active Directory Domains and Trusts`.
- Right click your AD domain, then click `Manage`. In this example, the domain is `iredmail.org`.
- In the new window, right click `Users` --> `New` --> `User`.
- Input `vmailadmin` in the `User logon name` field, fill in the other fields, then click `Next`.
- Input a strong password for user `vmailadmin`, make sure option `Password never expires` is checked, then click `Next`.
- Click `Finish` to finish account creation.
### Grant privileges

Account `vmailadmin` has been created; we need to grant it more privileges than the `vmail` user.

In the `Active Directory Users and Computers` window, right click your AD domain and select `Delegate Control...`. In this example, the domain is `iredmail.org`.

- Click `Next`.
- Click `Add`.
- Input account name `vmailadmin`, then click `OK`.
- Click `Next`.
- Select the tasks listed below, then click `Next`:
    - `Create, delete, and manage user accounts`
    - `Reset user passwords and force password change at next logon`
    - `Read all user information`
    - `Modify the membership of a group`
- Click `Finish`.
## Store passwords on your iRedMail server

iRedMail Cloud Deployment Platform does not store any password on its servers; instead, it reads passwords from separate files stored under `/root/.iredmail/kv/` on YOUR server. So you need to create a few files to store the `vmail` and `vmailadmin` account passwords on the iRedMail server you're going to integrate with Active Directory.

Please login to your iRedMail server first, then:

- Create directory `/root/.iredmail/kv/` with the command below (NOTE: you may need `sudo` privilege if you're not the root user):

    ```
    mkdir -p /root/.iredmail/kv
    ```

- Create file `/root/.iredmail/kv/ad_ldap_vmail_password` and put the password of the `vmail` user in the file. Do not leave any comment lines or other characters in the file.
- Create file `/root/.iredmail/kv/ad_ldap_vmailadmin_password` and put the password of the `vmailadmin` user in the file. Do not leave any comment lines or other characters in the file.
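As an added example (not part of the iRedMail documentation or its tooling), the following POSIX shell script performs the steps above non-interactively on a Linux server and checks the result: it creates `/root/.iredmail/kv/` and the two password files with owner-only permissions, and verifies that each file contains exactly one bare password line with no comment lines or stray whitespace, which the text warns against. The environment variable names `VMAIL_PW` and `VMAILADMIN_PW` and the `KV_DIR` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not iRedMail's own tooling: stores the vmail / vmailadmin
# passwords under the key/value directory named above with owner-only
# permissions, then verifies each file holds exactly one bare password line.
set -eu

# Directory iRedMail Easy reads passwords from; override only for testing.
KV_DIR="${KV_DIR:-/root/.iredmail/kv}"
TAB=$(printf '\t')
# write_kv_secret NAME PASSWORD
# Creates $KV_DIR/NAME containing only PASSWORD: no newline, no comments.
write_kv_secret() {
    (   # subshell, so the restrictive umask does not leak into the caller
        umask 077
        mkdir -p "$KV_DIR"
        chmod 700 "$KV_DIR"
        printf '%s' "$2" > "$KV_DIR/$1"
        chmod 600 "$KV_DIR/$1"
    )
}

# check_kv_secret NAME
# Returns 0 if $KV_DIR/NAME is mode 0600 and contains exactly one non-empty
# line that is not a comment and has no surrounding whitespace; otherwise
# prints the reason and returns 1.
check_kv_secret() {
    f="$KV_DIR/$1"
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    mode=$(stat -c '%a' "$f")                  # GNU coreutils stat (Linux)
    [ "$mode" = 600 ] || { echo "$f: mode $mode, expected 600"; return 1; }
    lines=$(grep -c '' "$f" || true)           # also counts an unterminated last line
    [ "$lines" -eq 1 ] || { echo "$f: $lines lines, expected exactly 1"; return 1; }
    pw=$(cat "$f")
    case "$pw" in
        '')                        echo "$f: empty"; return 1 ;;
        '#'*)                      echo "$f: comment line, not a password"; return 1 ;;
        ' '*|*' '|"$TAB"*|*"$TAB") echo "$f: leading/trailing whitespace"; return 1 ;;
    esac
    return 0
}
# Usage on the iRedMail server, as root. Passwords are taken from environment
# variables (assumed names) so they do not appear on the command line:
#   VMAIL_PW='...' VMAILADMIN_PW='...' sh store_ad_passwords.sh
if [ -n "${VMAIL_PW:-}" ] && [ -n "${VMAILADMIN_PW:-}" ]; then
    write_kv_secret ad_ldap_vmail_password "$VMAIL_PW"
    write_kv_secret ad_ldap_vmailadmin_password "$VMAILADMIN_PW"
    check_kv_secret ad_ldap_vmail_password
    check_kv_secret ad_ldap_vmailadmin_password
fi
```

Running `check_kv_secret` on files you created by hand is a quick way to catch an editor that appended a comment or a trailing space before iRedMail Easy tries to bind to Active Directory with the wrong password.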