List: postfix-users
Subject: Re: Integration with Active Directory
From: Mark Hellman <markhellman () techie ! com>
Date: 2006-05-04 14:22:55
Message-ID: e3d2o5$ll2$1 () sea ! gmane ! org
Technomancer wrote:
> What I want is to authenticate the imap and the smtp services in the
> Linux mail server against Active Directory.
I have done that, and I will try to describe the main steps (it was several
months ago so I may not recall everything).
Postfix just needs to make a simple LDAP query to Active Directory: send the
email address, and receive the account name for that email address.
To achieve this, you need to make sure that Active Directory stores the user
email addresses in the 'proxyAddresses' field. This field is multi-valued so
that a user can have multiple email aliases. The syntax of a proxyAddresses
value is:
smtp:name@domain.com
In Postfix main.cf you need to add:
virtual_alias_maps = ldap:ldapalias
ldapalias_server_host = ldapserver_address
ldapalias_search_base = ou=People,dc=mycompany,dc=com
ldapalias_bind_dn = cn=ldap,cn=users,dc=mycompany,dc=com
ldapalias_bind_pw = somepassword
ldapalias_query_filter = (proxyAddresses=smtp:%s)
ldapalias_result_attribute = sAMAccountName
In order to make queries, you need to create the 'ldap' user in Active
Directory.
An IMAP server needs to authenticate the user in Active Directory. This can
be done using LDAP or Kerberos. I have done it using Kerberos:
- First configure /etc/krb5.conf like the following
[libdefaults]
default_realm = MYDOMAIN.MYCOMPANY.COM
clockskew = 300
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]
MYDOMAIN.MYCOMPANY.COM = {
kdc = ldapserver_address
default_domain = MYDOMAIN.MYCOMPANY.COM
admin_server = ldapserver_address
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[domain_realm]
.MYDOMAIN.MYCOMPANY.COM = MYDOMAIN.MYCOMPANY.COM
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
}
- Check if you can authenticate using Kerberos by running:
kinit someuser
- If the IMAP server supports SASL (it should), then configure saslauthd to
use PAM as the authentication mechanism (in SuSE this is as simple as editing
/etc/sysconfig/saslauthd).
- Then you need to configure the 'imap' and 'pop' PAM services in
/etc/pam.d/
This may vary between distros. An example /etc/pam.d/imap:
auth required pam_krb5.so no_ccache
account required pam_krb5.so
password required pam_deny.so
session required pam_deny.so
> The ADS domain (e.g. lan.example.com) is not the same as the mail
> domain (example.com).
It doesn't matter. You just need to put the right DN in the configuration
files.
Feel free to ask if you have questions.
Mark
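The proxyAddresses lookup that Postfix performs for virtual_alias_maps, as an added Python example that is not part of the original post: it builds the same (proxyAddresses=smtp:%s) filter with RFC 4515 escaping of the address (Postfix's ldap client applies this quoting to %s itself) and emulates the lookup over a constructed directory. The entries, account names, addresses and the case-insensitive comparison are assumptions.

```python
# Added example (not from the original post): the proxyAddresses lookup that
# Postfix performs for virtual_alias_maps, emulated in Python.
# The directory entries, account names and addresses below are constructed.

def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Postfix applies the same quoting to %s in query_filter, so an address
    containing '*' or parentheses cannot widen or break the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(address: str) -> str:
    """Build the filter from the message: (proxyAddresses=smtp:%s)."""
    return "(proxyAddresses=smtp:%s)" % ldap_escape(address)


# Constructed sample of what AD holds for two user objects.
DIRECTORY = [
    {"sAMAccountName": "jsmith",
     "proxyAddresses": ["SMTP:john.smith@example.com",   # primary address
                        "smtp:jsmith@example.com",        # alias
                        "X400:c=US;a= ;p=Example;o=Exchange;s=Smith;g=John;"]},
    {"sAMAccountName": "mhellman",
     "proxyAddresses": ["SMTP:mark@example.com"]},
]


def lookup_account(directory, address: str):
    """Return the sAMAccountName whose proxyAddresses holds smtp:<address>.

    Assumption: AD compares proxyAddresses case-insensitively, so the
    primary 'SMTP:' entry and the 'smtp:' aliases both match, and the
    address itself is matched without regard to case."""
    wanted = "smtp:" + address.lower()
    for entry in directory:
        for proxy in entry["proxyAddresses"]:
            if proxy.lower() == wanted:
                return entry["sAMAccountName"]
    return None   # no result: Postfix treats the address as not found


if __name__ == "__main__":
    for addr in ("jsmith@example.com", "John.Smith@Example.com", "a*b@example.com"):
        print(build_filter(addr), "->", lookup_account(DIRECTORY, addr))
```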