
iRedMail Easy: Preparations for using Microsoft Active Directory as iRedMail backend

[TOC]

Summary

To query mail accounts against Microsoft Active Directory, iRedMail needs an LDAP user account that is allowed to query the Active Directory.

In this tutorial, we will show you how to

  • create account vmail with read-only privileges, used to query mail accounts
  • create account vmailadmin with read-write privileges, used to query and manage mail accounts.

This tutorial has been tested on Windows Server 2012, but it should work for all Windows Server versions.

Create read-only account: vmail

  • Click Start on bottom-left corner of your Windows OS, click Server Manager.

  • Click Tools on top-right corner, click Active Directory Domains and Trusts.

  • Right click your AD domain (in this example, it's domain iredmail.org), then click Manage. A new window (Active Directory Users and Computers) opens.

  • In the new window, right click the Users item and select New -> User.

  • Input vmail in User logon name field, and fill other fields, then click Next.

  • Input a strong password for the vmail user, make sure the option Password never expires is checked, and uncheck the other 3 options. Then click Next.

  • Click Finish to finish account creation.

Grant privileges

We need to grant the vmail user the required privileges.

In the Active Directory Users and Computers window, right click your AD domain name (in our example it's iredmail.org), and select Delegate Control....

  • Click Next.

  • Click Add.

  • Input read-only account vmail, and click OK.

  • Click Next.

  • Select "Read all user information", click Next.

  • Click Finish to confirm.

Create read-write account: vmailadmin

This account is used to manage mail accounts.

  • Click Start on bottom-left corner of your Windows OS, click Server Manager.

  • Click Tools on top-right corner, click Active Directory Domains and Trusts.

  • Right click your AD domain (in this example, it's domain iredmail.org), then click Manage.

  • In the new window, right click Users --> New --> User.

  • Input vmailadmin in User logon name field, and fill other fields, then click Next.

  • Input a strong password for the user vmailadmin, make sure the option Password never expires is checked, then click Next.

  • Click Finish to finish account creation.

Grant privileges

Account vmailadmin has been created; now we need to grant it more privileges than the vmail user.

In the Active Directory Users and Computers window, right click your AD domain (in this example, it's domain iredmail.org) and select Delegate Control....

  • Click Next.

  • Click Add.

  • Input account name vmailadmin, and click OK.

  • Click Next.

  • Select the tasks listed below, then click Next:
    • Create, delete, and manage user accounts
    • Reset user passwords and force password change at next logon
    • Read all user information
    • Modify the membership of a group

  • Click Finish.
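
Once delegation is done for both accounts, it is worth confirming from the iRedMail server that each account can actually bind to Active Directory and read user objects before the integration is configured. The shell functions below are an added example, not part of the iRedMail documentation. They assume the OpenLDAP client tools (ldapsearch) are installed, that the AD domain is iredmail.org, that a domain controller is reachable under the placeholder host name dc1.iredmail.org, and that the account password has been saved alone in a file, as the kv files described in the next section require.

```shell
#!/bin/sh
# Added example (not from the iRedMail documentation): confirm that a
# delegated account can bind to Active Directory and read user objects.
# Assumptions: ldapsearch from the OpenLDAP client tools is installed,
# the AD domain is iredmail.org and the domain controller answers as
# dc1.iredmail.org (placeholder host name). Nothing runs at top level;
# call the functions as shown in the usage comment at the bottom.

# Turn an AD DNS domain (iredmail.org) into its LDAP base DN
# (DC=iredmail,DC=org). Pure string handling, no network access.
domain_to_base_dn() {
    printf 'DC=%s' "$1" | sed 's/\./,DC=/g'
}

# AD accepts the userPrincipalName (account@domain) as the identity of a
# simple bind, so no distinguishedName lookup is needed first.
bind_upn() {
    printf '%s@%s' "$1" "$2"
}

# Bind as ACCOUNT and read back its own user object. A result shows that
# the stored password is correct and that the account can read user
# objects under the domain's base DN. PASSWORD_FILE must contain the
# password and nothing else: ldapsearch -y uses the complete file
# contents, a trailing newline included, as the password.
check_read_access() {
    account="$1"; domain="$2"; dc_host="$3"; password_file="$4"
    ldapsearch -x -LLL -H "ldap://$dc_host" \
        -D "$(bind_upn "$account" "$domain")" \
        -y "$password_file" \
        -b "$(domain_to_base_dn "$domain")" \
        -s sub "(&(objectClass=user)(sAMAccountName=$account))" \
        sAMAccountName userPrincipalName
}

# Usage on the iRedMail server, after the kv password files exist:
#   check_read_access vmail iredmail.org dc1.iredmail.org \
#       /root/.iredmail/kv/ad_ldap_vmail_password
#   check_read_access vmailadmin iredmail.org dc1.iredmail.org \
#       /root/.iredmail/kv/ad_ldap_vmailadmin_password
```

An LDAP entry for the account printed back means the bind and the read both worked; an "Invalid credentials" error usually points at a wrong password or at extra characters in the password file. The example uses plain ldap:// as a placeholder; where the domain controller offers LDAPS, use ldaps:// so the simple-bind password does not cross the network in clear text.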

Store passwords on your iRedMail server

iRedMail Cloud Deployment Platform does not store any password on its servers; instead, it reads passwords from files stored under /root/.iredmail/kv/ on YOUR server. So you need to create a few files to store the vmail and vmailadmin account passwords on the iRedMail server you're going to integrate with Active Directory.

Please login to your iRedMail server first, then:

  • Create directory /root/.iredmail/kv/ with the command below (NOTE: you may need sudo privileges if you're not the root user):

    mkdir -p /root/.iredmail/kv

  • Create file /root/.iredmail/kv/ad_ldap_vmail_password and put the password of the vmail user in it. Do not leave any comment lines or other characters in the file.

  • Create file /root/.iredmail/kv/ad_ldap_vmailadmin_password and put the password of the vmailadmin user in it. Do not leave any comment lines or other characters in the file.
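
As an added example that is not part of the iRedMail documentation, the shell functions below carry out the three steps above with owner-only permissions and then check each file: it must exist, have mode 0600, be non-empty, and contain the password alone, with no newline, carriage return, leading comment marker or surrounding whitespace. KV_DIR defaults to /root/.iredmail/kv and can be overridden for a dry run outside /root; the password values in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the iRedMail documentation. Creates the kv
# directory and password files with owner-only permissions, then verifies
# that each file holds exactly the password and nothing else. KV_DIR can
# be overridden for a dry run outside /root.
KV_DIR="${KV_DIR:-/root/.iredmail/kv}"

# Create the kv directory readable and searchable only by its owner.
create_kv_dir() {
    mkdir -p "$KV_DIR"
    chmod 700 "$KV_DIR"
}

# Write one password file. printf '%s' adds no trailing newline, so the
# file contains the password and nothing else; umask 077 makes the file
# owner-only from the moment it is created, chmod covers a pre-existing one.
store_password() {
    file="$KV_DIR/$1"
    (umask 077; printf '%s' "$2" > "$file")
    chmod 600 "$file"
}

# Check one password file. Returns 0 when the file exists, has mode 0600,
# is non-empty and contains no newline, carriage return, leading comment
# marker or leading/trailing whitespace; prints the reason and returns 1
# otherwise.
check_password_file() {
    file="$KV_DIR/$1"
    tab=$(printf '\t')
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    [ "$mode" = "600" ] || { echo "mode is $mode, expected 600: $file"; return 1; }
    [ -s "$file" ] || { echo "empty: $file"; return 1; }
    # od -c renders a newline as \n and a carriage return as \r.
    if od -An -c "$file" | grep -q '\\[nr]'; then
        echo "newline or carriage return found: $file"; return 1
    fi
    content=$(cat "$file")
    case "$content" in
        '#'*) echo "starts with a comment marker: $file"; return 1 ;;
        ' '*|*' '|"$tab"*|*"$tab")
            echo "leading or trailing whitespace: $file"; return 1 ;;
    esac
    return 0
}

# Usage on the iRedMail server (password values are constructed placeholders):
#   create_kv_dir
#   store_password ad_ldap_vmail_password 'vmail-Passw0rd-Placeholder'
#   store_password ad_ldap_vmailadmin_password 'vmailadmin-Passw0rd-Placeholder'
#   check_password_file ad_ldap_vmail_password
#   check_password_file ad_ldap_vmailadmin_password
```

Writing the file with printf rather than an editor avoids the trailing newline most editors append, which is the most common way "other characters" end up in these files; the check function catches that case as well as a file left world-readable.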