13 KiB
Integrate Microsoft Active Directory in iRedMail
[TOC]
NOTE: We tested this tutorial on Windows 2000, 2003, 2008 R2 server, if you tested it on other versions and works well, please let us know. Contact us
Summary
With Active Directory (AD) integration, you can get below features:
- User authentication against Windows Active Directory. You can now manage mail user accounts, mail lists with AD.
- Mail list support with group in AD.
- Global LDAP Address Book with AD in Roundcube Webmail.
- Account status support. Disable user in AD will cause this account disabled in iRedMail.
Since AD uses different LDAP schema, you will lose some iRedMail special features. e.g.
- Per-user, per-domain service control with LDAP (e.g. enable/disable POP3/IMAP/SMTP services).
Requirements
To integrate Microsoft Active Directory with iRedMail, you should have:
- A working Linux/BSD server with iRedMail (OpenLDAP backend) installed.
- A working Microsoft Windows (2000/2003) server, with Active Directory installed and working properly, listen on port 389 (ldap://) or 636 (ldaps://), and allow LDAP connections from iRedMail server.
Install iRedMail
Please follow iRedMail installaion guides to install iRedMail on Linux/BSD with OpenLDAP backend first, we will achieve this AD integration by simply modifying some configure files.
Integrate Microsoft Active Directory with Postfix
We assume:
-
Hostname of your AD server is
ad.example.com, listen on port389. And it's accessible from iRedMail server.- We will use this hostname below, you can replace it by IP address of this AD server if you want.
- If you want to force LDAP connection with LDAPS, use port
636instead.
-
Base dn in AD is
dc=example,dc=com, email addresses of all users end with@example.com(Your mail domain isexample.com). -
All user accounts and mail list accounts are placed under dn
cn=Users,dc=example,dc=com. Note: LDAP dn is case-insensitive. -
For ldap connection, protocol version
3is recommended. -
Store all mails on Linux/BSD servers, not on AD server.
- Storage directory is
/var/vmail/vmail1, same as default in iRedMail. - Mailbox of user
support@example.comwill be/var/vmail/vmail1/example.com/support/Maildir/(Maildir format).
- Storage directory is
Create user account in AD, used for LDAP query
With iRedMail (OpenLDAP backend), we have a low-privileged account
cn=vmail,dc=xxx,dc=xxx with read-only privilege. And we suggest you create a
same account vmail in AD, with strong and complex password.
NOTE: Dovecot will treat characters as comment after a inline #, so
please just don't use # in password
Please make sure this newly created user is able to connect to AD server with below command on iRedMail server:
# ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com'
Enter password: password_of_vmail
If it prints all users stored in AD server, then it's working as expected.
Enable LDAP query with AD in Postfix
Disable unused iRedMail special settings:
# postconf -e virtual_alias_maps=''
# postconf -e sender_bcc_maps=''
# postconf -e recipient_bcc_maps=''
# postconf -e relay_domains=''
# postconf -e relay_recipient_maps=''
Add your mail domain name in smtpd_sasl_local_domain and virtual_mailbox_domains:
# postconf -e smtpd_sasl_local_domain='example.com'
# postconf -e virtual_mailbox_domains='example.com'
Change transport maps setting:
# postconf -e transport_maps='hash:/etc/postfix/transport'
Enable AD query. Note: We will create these 3 files later.
- Verify SMTP senders
# postconf -e smtpd_sender_login_maps='proxy:ldap:/etc/postfix/ad_sender_login_maps.cf'
- Verify local mail users
# postconf -e virtual_mailbox_maps='proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf'
- Verify local mail lists/groups.
# postconf -e virtual_alias_maps='proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf'
- Create/edit file:
/etc/postfix/transport.
example.com dovecot
Note: dovecot used here is a Postfix transport defined in
/etc/postfix/master.cf, used to deliver received emails to local user mailboxes.
Run postmap so that postfix can read it:
# postmap hash:/etc/postfix/transport
- Create file:
/etc/postfix/ad_sender_login_maps.cf:
server_host = ad.example.com
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = vmail
bind_pw = password_of_vmail
search_base = cn=users,dc=example,dc=com
scope = sub
query_filter = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute= userPrincipalName
debuglevel = 0
- Create file:
/etc/postfix/ad_virtual_mailbox_maps.cf:
server_host = ad.example.com
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = vmail
bind_pw = passwd_of_vmail
search_base = cn=users,dc=example,dc=com
scope = sub
query_filter = (&(objectclass=person)(userPrincipalName=%s))
result_attribute= userPrincipalName
result_format = %d/%u/Maildir/
debuglevel = 0
Note: Here, we hard-code user's mailbox path to be
[domain]/[username]/Maildir in result_format setting. for example:
example.com/postmaster/Maildir.
- Create file:
/etc/postfix/ad_virtual_group_maps.cf:
server_host = ad.example.com
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = vmail
bind_pw = password_of_vmail
search_base = cn=users,dc=example,dc=com
scope = sub
query_filter = (&(objectClass=group)(mail=%s))
special_result_attribute = member
leaf_result_attribute = mail
result_attribute= userPrincipalName
debuglevel = 0
Note:
- If your user have email address in both
mailanduserPrincipalName, you will get duplicate result. Comment outleaf_result_attributeline will fix it. - If your mail group account doesn't contain attribute
mailanduserPrincipalName, please tryquery_filter = (&(objectClass=group)(sAMAccountName=%u))instead.
Also, we need to remove iRedAPD related settings in Postfix:
- Open Postfix config file
/etc/postfix/main.cf - Remove setting
check_policy_service inet:127.0.0.1:7777.
Verify LDAP query with AD in Postfix
We can now use command line tool postmap to verify AD integration in postfix.
Before testing, we have to create two testing mail accounts first:
- Create a mail user in AD. e.g.
user@example.com. - Create a mail group in AD. e.g.
testgroup@example.com, then assign mail useruser@example.comas group member. - Query mail user account with below command:
# postmap -q user@example.com ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
example.com/user/Maildir/
If nothing returned by the command, it means LDAP query doesn't get expected
result. Please set debuglevel = 1 file /etc/postfix/ad_virtual_mailbox_maps.cf,
then query again, it now will print detailed debug message. If you're not
familiar with LDAP related info, please post the debug message in our
online support forum to get help.
Verify sender login check:
# postmap -q user@example.com ldap:/etc/postfix/ad_sender_login_maps.cf
user@example.com
Verify mail group
# postmap -q testgroup@example.com ldap:/etc/postfix/ad_virtual_group_maps.cf
user@example.com
NOTE: postmap return nothing if:
- mail group doesn't exist
- mail group doesn't have any members
Enable Active Directory integration in Dovecot
To query AD instead of local LDAP server, we have to modify Dovecot config file
/etc/dovecot/dovecot-ldap.conf like below:
hosts = ad.example.com:389
ldap_version = 3
auth_bind = yes
dn = vmail
dnpass = passwd_of_vmail
base = cn=users,dc=example,dc=com
scope = subtree
deref = never
user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = userPassword=password
default_pass_scheme = CRYPT
user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/
Restart dovecot service to make it work.
Note: we don't have per-user quota limit here, you can set a hard-coded
quota for all users in /etc/dovecot/dovecot.conf. For example:
plugin {
[... omit other settings here ...]
# Format: integer number + M/G/T (M -> MB, G -> GB, T -> TB).
quota_rule = *:storage=1G
}
Now use command telnet to verify AD query after restarted Dovecot service:
# telnet localhost 143 # <- Type this
* OK [...] Dovecot ready.
. login user@example.com password_of_user # <- Type this. Do not miss the dot in the beginning
. OK [...] Logged in
^] # <- Quit telnet with "Ctrl+]", then type 'quit'.
Note: Do NOT miss the dot character before login command. if it returns
Logged in, then dovecot + AD works.
Enable Active Directory integration in Roundcube webmail for Global LDAP Address Book
Edit roundcube config file config/config.inc.php, comment out the LDAP
address book setting added by iRedMail, and add new setting for AD like below:
- on RHEL/CentOS and OpenBSD: it's
/var/www/roundcubemail/config/config.inc.php - on Debian/Ubuntu: it's
/usr/share/apache2/roundcubemail/config/config.inc.php - on FreeBSD: it's
/usr/local/www/roundcubemail/config/config.inc.php
#
# "sql" is personal address book stored in roundcube database.
# "example.com" is new LDAP address book with AD, we will create it below.
#
$rcmail_config['autocomplete_addressbooks'] = array("sql", "example.com");
#
# Global LDAP Address Book with AD.
#
$config['ldap_public']["global_ldap_abook"] = array(
'name' => 'Global LDAP Address Book',
'hosts' => array("ad.example.com"), // <- Set AD hostname or IP address here.
'port' => 389,
'use_tls' => false, // <- Set to true if you want to use LDAP over TLS.
'ldap_version' => '3',
'network_timeout' => 10,
'user_specific' => false,
'base_dn' => "cn=users,dc=example,dc=com", // <- Set base dn in AD
'bind_dn' => "vmail", // <- bind dn
'bind_pass' => "password_of_vmail", // <- bind password
'writable' => false, // <- Do not allow mail user write data back to AD.
'search_fields' => array('mail', 'cn', 'sAMAccountName', 'displayname', 'sn', 'givenName'),
// mapping of contact fields to directory attributes
'fieldmap' => array(
'name' => 'cn',
'surname' => 'sn',
'firstname' => 'givenName',
'title' => 'title',
'email' => 'mail:*',
'phone:work' => 'telephoneNumber',
'phone:mobile' => 'mobile',
'street' => 'street',
'zipcode' => 'postalCode',
'locality' => 'l',
'department' => 'departmentNumber',
'notes' => 'description',
'name' => 'cn',
'surname' => 'sn',
'firstname' => 'givenName',
'title' => 'title',
'email' => 'mail:*',
'phone:work' => 'telephoneNumber',
'phone:mobile' => 'mobile',
'phone:workfax' => 'facsimileTelephoneNumber',
'street' => 'street',
'zipcode' => 'postalCode',
'locality' => 'l',
'department' => 'departmentNumber',
'notes' => 'description',
'photo' => 'jpegPhoto',
),
'sort' => 'cn',
'scope' => 'sub',
//'filter' => "(&(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
'filter' => "(mail=*@*)",
'fuzzy_search' => true,
'vlv' => false, // Enable Virtual List View to more efficiently fetch paginated data (if server supports it)
'sizelimit' => '0', // Enables you to limit the count of entries fetched. Setting this to 0 means no limit.
'timelimit' => '0', // Sets the number of seconds how long is spend on the search. Setting this to 0 means no limit.
'referrals' => false, // Sets the LDAP_OPT_REFERRALS option. Mostly used in multi-domain Active Directory setups
);
Additions documents
- If your mail domain name is different than Windows Active Directory domain: http://www.iredmail.org/forum/topic3165-integration-with-windows-domain.html