elmau
/
iredmail-doc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
iredmail-doc/en_US/iredmail-easy/0-iredmail-easy.ad.preparat...

174 lines
5.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# iRedMail Easy: Preparations for using Microsoft Active Directory as iRedMail backend
[TOC]
## Summary
To query mail accounts against Microsoft Active Directory, we need a LDAP
user account which can query the Active Directory.
In this tutorial, we will show you how to
* create account `vmail` with read-only privilege used to query mail accounts
* create account `vmailadmin` with read-write privileges used to query and
manage mail accounts.
This tutorial has been tested on Windows Server 2012, but it should work for
all Windows Server versions.
## Create read-only account: vmail
- Click `Start` on bottom-left corner of your Windows OS, click `Server Manager`.
![](./images/ad/start-server-manager.png)
- Click `Tools` on top-right corner, click `Active Directory Domains and Trusts`.
![](./images/ad/create_ad_account_1.png)
- Right click your AD domain, then click `Manage`. It will show you a new window.
In this example, it's domain `iredmail.org`.
![](./images/ad/create_ad_account_2.png)
- In the new windows, right click on item `Users`, select `New -> User`.
![](./images/ad/create_ad_account_3.png)
- Input `vmail` in `User logon name` field, and fill other fields, then click `Next`.
![](./images/ad/read_only_account_1.png)
- Input a strong password for `vmail` user, make sure option `Password never
expires` is checked, and uncheck other 3 options. Then click `Next`.
![](./images/ad/read_only_account_2.png)
- Click `Finish` to finish account creation.
![](./images/ad/read_only_account_3.png)
### Grant privileges
We need to grant `vmail` user required privileges.
In the `Active Directory Users and Computers` window, right click your AD
domian name (in our example it's `iredmail.org`), and select `Delegate Control...`.
![](./images/ad/create_ad_account_4.png)
- Click `Next`.
![](./images/ad/create_ad_account_5.png)
- Click `Add`.
![](./images/ad/create_ad_account_6.png)
- Input read-only account `vmail`, and click `OK`.
![](./images/ad/read_only_account_4.png)
- Click `Next`.
![](./images/ad/read_only_account_5.png)
- Select `"Read all user information"`, click `Next`.
![](./images/ad/read_only_account_6.png)
- Click `Finish` to confirm.
![](./images/ad/read_only_account_7.png)
## Create read-write account: vmailadmin
This account is used to manage mail accounts.
- Click `Start` on bottom-left corner of your Windows OS, click `Server Manager`.
![](./images/ad/start-server-manager.png)
- Click `Tools` on top-right corner, click `Active Directory Domains and Trusts`.
![](./images/ad/create_ad_account_1.png)
- Right click your AD domain, then click `Manage`. In this example, it's domain `iredmail.org`.
![](./images/ad/create_ad_account_2.png)
- At the new windows, right click `Users` --> `New` --> `User`.
![](./images/ad/create_ad_account_3.png)
- Input `vmailadmin` in `User logon name` field, and fill other fields, then click Next.
![](./images/ad/admin_account_1.png)
- Input a strong password for user `vmailadmin`, make sure option `Password never expires` is checked, click `Next`.
![](./images/ad/admin_account_2.png)
- Click `Finish` to finish account creation.
![](./images/ad/admin_account_3.png)
### Grant privileges
Account `vmailadmin` has been created, we need to grant it more privileges than `vmail` user.
In the Active Directory Users and Computers window, right click your AD domian
and select `Delegate Control...`. In this example, it's domain `iredmail.org`,
![](./images/ad/create_ad_account_4.png)
- Click `Next`.
![](./images/ad/create_ad_account_5.png)
- Click `Add`.
![](./images/ad/create_ad_account_6.png)
- Input account name `vmailadmin`, and click `OK`.
![](./images/ad/admin_account_4.png)
- Click `Next`.
![](./images/ad/admin_account_5.png)
- Select tasks listed below, then click `Next`:
* `Createdelete, and manage user accounts`
* `Reset user passowords and force password change at next logon`
* `Read all user information`
* `Modify the membership of a group`
![](./images/ad/admin_account_6.png)
- Click `Finish`.
![](./images/ad/admin_account_7.png)
## Store passwords on your iRedMail server
iRedMail Cloud Deployment Platform does not store any password on its servers,
instead, it reads passwords from different files which are stored under
`/root/.iredmail/kv/` on YOUR server. So you need to create few files to store
`vmail` and `vmailadmin` account passwords on the iRedMail server you're going
to integrate with Active Directory.
Please login to your iRedMail server first, then:
* Create directory `/root/.iredmail/kv/` with command below (NOTE: You may need
`sudo` privilege if you're not root user):
```mkdir -p /root/.iredmail/kv```
* Create file `/root/.iredmail/kv/ad_ldap_vmail_password`, input password of
`vmail` user in the file. Do not leave any comment lines or other characters
in the file.
* Create file `/root/.iredmail/kv/ad_ldap_vmailadmin_password`, input password
of `vmailadmin` user in the file. Do not leave any comment lines or other characters
in the file.
Reference in New Issue View Git Blame Copy Permalink