
List:       postfix-users
Subject:    Re: Integration with Active Directory
From:       Mark Hellman <markhellman () techie ! com>
Date:       2006-05-04 14:22:55
Message-ID: e3d2o5$ll2$1 () sea ! gmane ! org

Technomancer wrote:

> What I want is to authenticate the imap and the smtp services in the
> Linux mail server against Active Directory.

I have done that, and I will try to describe the main steps (it was several
months ago so I may not recall everything).

Postfix just needs to make a simple LDAP query to Active Directory: send the
email address, and receive the account name for that email address.
To achieve this, you need to make sure that Active Directory stores the user
email addresses in the 'proxyAddresses' field. This field is multi-value so
that a user can have multiple email aliases. The syntax of a proxyAddresses
value is:
       smtp:name@domain.com

In Postfix main.cf you need to add:

    # Rewrite recipient addresses to the AD account name via LDAP
    virtual_alias_maps = ldap:ldapalias
    ldapalias_server_host = ldapserver_address
    ldapalias_search_base = ou=People,dc=mycompany,dc=com
    # Account used for the (read-only) directory lookups
    ldapalias_bind_dn = cn=ldap,cn=users,dc=mycompany,dc=com
    ldapalias_bind_pw = somepassword
    # %s is the looked-up address; Postfix applies RFC 2254 quoting to it
    ldapalias_query_filter = (proxyAddresses=smtp:%s)
    ldapalias_result_attribute = sAMAccountName

In order to make queries, you need to create the 'ldap' user in Active
Directory.

An IMAP server needs to authenticate the user in Active Directory. This can
be done using LDAP or Kerberos. I have done it using Kerberos:

- First configure /etc/krb5.conf like the following

[libdefaults]
default_realm = MYDOMAIN.MYCOMPANY.COM
clockskew = 300
dns_lookup_kdc = false
dns_lookup_realm = false

[realms]
MYDOMAIN.MYCOMPANY.COM = {
     kdc = ldapserver_address
     default_domain = MYDOMAIN.MYCOMPANY.COM
     admin_server = ldapserver_address
}

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

[domain_realm]
.MYDOMAIN.MYCOMPANY.COM = MYDOMAIN.MYCOMPANY.COM

[appdefaults]
pam = {
     ticket_lifetime = 1d
     renew_lifetime = 1d
     forwardable = true
     proxiable = false
     retain_after_close = false
     minimum_uid = 0
}

- Check if you can authenticate using Kerberos by running:
          kinit someuser

- If the IMAP server supports SASL (it should), then configure saslauthd to
use PAM as the authentication mechanism (in SuSE this is as simple as editing
the /etc/sysconfig/saslauthd).

- Then you need to configure the 'imap' and 'pop' PAM services in
          /etc/pam.d/
  This may vary between distros. An example /etc/pam.d/imap:
    auth            required        pam_krb5.so             no_ccache
    account         required        pam_krb5.so
    password        required        pam_deny.so
    session         required        pam_deny.so


> The ADS domain (e.g. lan.example.com) is not the same of the mail
> domain (example.com).

It doesn't matter. You just need to put the right DN in the configuration
files.

Feel free to ask if you have questions.


Mark
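Added example, not part of the post above: a small offline simulation of the virtual_alias_maps lookup that the ldap: table in the reply performs (address in, sAMAccountName out), with the %s quoting Postfix applies, so the filter and the proxyAddresses data layout can be checked before touching the real directory. The directory entries and account names are constructed sample data.

```python
"""Simulate the Postfix ldap: virtual_alias_maps lookup against AD offline."""
import re

# Constructed sample directory entries (not real accounts). AD writes the
# primary address as "SMTP:" and aliases as "smtp:" in proxyAddresses.
AD_ENTRIES = [
    {"sAMAccountName": "jdoe",
     "proxyAddresses": ["SMTP:john.doe@example.com", "smtp:jdoe@example.com"]},
    {"sAMAccountName": "asmith",
     "proxyAddresses": ["SMTP:alice.smith@example.com", "X400:c=US;a= ;p=Example"]},
]


def ldap_escape(value):
    """RFC 4515 escaping of a filter value (what Postfix does for %s)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(address):
    """The ldapalias_query_filter from the post with %s substituted."""
    return "(proxyAddresses=smtp:%s)" % ldap_escape(address)


def filter_to_regex(ldap_filter):
    """Turn one (attr=pattern) filter into (attr, compiled regex).
    An unescaped '*' is a wildcard; '\\xx' is a literal character."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    attr, pattern = m.group(1), m.group(2)
    parts = []
    for tok in re.finditer(r"\\([0-9a-fA-F]{2})|(\*)|(.)", pattern):
        esc, star, lit = tok.groups()
        if esc:
            parts.append(re.escape(chr(int(esc, 16))))
        elif star:
            parts.append(".*")
        else:
            parts.append(re.escape(lit))
    # proxyAddresses matching in AD is case-insensitive, so the "smtp:"
    # filter also matches the "SMTP:" primary-address value.
    return attr, re.compile("".join(parts), re.IGNORECASE)


def lookup(address, entries=AD_ENTRIES):
    """Return the sAMAccountName(s) for an address, or None if nothing
    matches. Several hits are joined with commas, as Postfix does."""
    attr, rx = filter_to_regex(build_filter(address))
    hits = [e["sAMAccountName"] for e in entries
            if any(rx.fullmatch(v) for v in e.get(attr, []))]
    return ",".join(hits) if hits else None
```

The last check below shows why the quoting matters: without it, an address containing `*` would turn into a wildcard and match every mailbox.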
