Authenticating against ActiveDirectory?


Authenticating against ActiveDirectory?

Ville Walveranta
There is very little on the topic on the web and on the Postfix Users
archives. The little I find seems to imply it's very difficult to
extract password information from AD (say, to sync to OpenLDAP).

Since the last thread about this topic in this group is from last
year, I'm asking whether a solution exists at this point. There is a
product called PowerADvantage that would seem to do the job, but the
fact that they don't post their prices on their website probably
suggests that the cost is likely in four figures which exceeds the
available budget (I'm checking with them anyway). The environment
where I'd need this solution is small, with a dozen or so AD logins,
and so I may just have to maintain the domain passwords separately
from the mail passwords. AD will be kept around to facilitate resource
sharing on the Windows LAN but the mail is moving from Exchange 2003
to Postfix as soon as possible.

An OpenSource solution would be preferable, though on Windows/AD side
a utility worth a few hundred dollars might skirt the budget.

Many thanks again for any advice!

RE: Authenticating against ActiveDirectory?

MacShane, Tracy
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Ville Walveranta
> Sent: Friday, 14 November 2008 3:27 PM
> To: Postfix users
> Subject: Authenticating against ActiveDirectory?
>
> There is very little on the topic on the web and on the
> Postfix Users archives. The little I find seems to imply it's
> very difficult to extract password information from AD (say,
> to sync to OpenLDAP).
>
> Since the last thread about this topic in this group is from
> last year, I'm asking whether a solution exists at this
> point. There is a product called PowerADvantage that would
> seem to do the job, but the fact that they don't post their
> prices on their website probably suggests that the cost is
> likely in four figures which exceeds the available budget
> (I'm checking with them anyway). The environment where I'd
> need this solution is small, with a dozen or so AD logins,
> and so I may just have to maintain the domain passwords
> separately from the mail passwords. AD will be kept around to
> facilitate resource sharing on the Windows LAN but the mail
> is moving from Exchange 2003 to Postfix as soon as possible.
>
> An OpenSource solution would be preferable, though on
> Windows/AD side a utility worth a few hundred dollars might
> skirt the budget.
>
> Many thanks again for any advice!
>

I'm sorry, why do you need to sync passwords to relay mail to your
Exchange servers? To do relay recipient validation, you just need to do
a simple LDAP lookup to the AD to verify valid email addresses. Since
you only have a single Exchange server, you don't even need to do
anything out of the ordinary with LDAP queries to specify the
destination relay server for your recipients.

If you want AD users to logon to *nix boxes (which is nothing to do with
mail services), enable Services for Unix on the AD, and set up LDAP
authentication for the specified users in PAM.
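An added example of the recipient validation Tracy describes (a Postfix LDAP table that accepts a recipient only if AD holds an enabled account with that address); it is not from any poster on this thread, and the file name, domain, DC hostname, service-account DN and CA path are assumptions.

```conf
# /etc/postfix/ad_recipients.cf  (hypothetical file name; host, DNs and
# domain are placeholders). Postfix does not allow trailing comments on
# a value line, so every comment sits on its own line.
server_host = ldap://dc1.example.local
version = 3
# Encrypt the lookup and verify the DC certificate against the AD CA,
# otherwise the bind password crosses the LAN in clear.
start_tls = yes
tls_ca_cert_file = /etc/ssl/certs/ad-root-ca.pem
tls_require_cert = yes
# AD refuses anonymous searches: bind as a read-only lookup account and
# keep this file root:postfix 0640 because it holds that password.
bind = yes
bind_dn = CN=postfix-lookup,OU=Service Accounts,DC=example,DC=local
bind_pw = PLACEHOLDER_PASSWORD
search_base = DC=example,DC=local
scope = sub
# Match the recipient against mail or any smtp: proxy address, and skip
# accounts whose ACCOUNTDISABLE bit (2) is set in userAccountControl so a
# disabled user stops receiving mail the moment the account is disabled.
# Postfix escapes %s per RFC 4515 before substituting it into the filter.
query_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%s)(proxyAddresses=smtp:%s)))
result_attribute = mail

# /etc/postfix/main.cf additions: recipients not found in AD are
# rejected at RCPT TO instead of being accepted and bounced later.
relay_domains = example.com
relay_recipient_maps = ldap:/etc/postfix/ad_recipients.cf
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
```

Check a single address with `postmap -q user@example.com ldap:/etc/postfix/ad_recipients.cf` before reloading Postfix; an empty result means that recipient will be rejected.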

Re: Authenticating against ActiveDirectory?

Ville Walveranta
On Thu, Nov 13, 2008 at 10:32 PM, MacShane, Tracy
<[hidden email]> wrote:
> I'm sorry, why do you need to sync passwords to relay mail to your
> Exchange servers? To do relay recipient validation, you just need to do
> a simple LDAP lookup to the AD to verify valid email addresses. Since
> you only have a single Exchange server, you don't even need to do
> anything out of the ordinary with LDAP queries to specify the
> destination relay server for your recipients.

Actually there won't be an Exchange server any more; I'm replacing it
with Postfix. It's a small environment and there isn't a dedicated
server for Exchange available; it's been sharing a server with AD
which is a bad idea in the first place. Since the users aren't using
any of Exchange's extra features such as calendaring, there is no
reason why they couldn't access mail via IMAP on Postfix/Dovecot.
I was aware of the possibility of exporting the user names (without
authentication information) from AD to the front end, but it's not
sufficient for login if the mail access takes also place on the
Postfix server.

> If you want AD users to logon to *nix boxes (which is nothing to do with
> mail services), enable Services for Unix on the AD, and set up LDAP
> authentication for the specified users in PAM.

Perhaps this mechanism could be used for the mail authentication as
well in the above scenario. Postfix/Dovecot should be able to do LDAP
authentication via PAM
(http://www.dovecot.org/list/dovecot/2006-April/012454.html,
http://www.lxtreme.nl/index.pl/docs/linux/dovecot_postfix_pam).

Ville

RE: Authenticating against ActiveDirectory?

MacShane, Tracy
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Ville Walveranta
> Sent: Friday, 14 November 2008 4:29 PM
> To: Postfix users
> Subject: Re: Authenticating against ActiveDirectory?
>
> On Thu, Nov 13, 2008 at 10:32 PM, MacShane, Tracy
> <[hidden email]> wrote:
> > I'm sorry, why do you need to sync passwords to relay mail to your
> > Exchange servers?
>
> Actually there won't be an Exchange server any more; I'm
> replacing it with Postfix. It's a small environment and there
> isn't a dedicated server for Exchange available; it's been
> sharing a server with AD which is a bad idea in the first
> place. ...

Ahah, light dawns.

>
> > If you want AD users to logon to *nix boxes (which is nothing to do
> > with mail services), enable Services for Unix on the AD, and set up
> > LDAP authentication for the specified users in PAM.
>
> Perhaps this mechanism could be used for the mail
> authentication as well in the above scenario. Postfix/Dovecot
> should be able to do LDAP authentication via PAM
> (http://www.dovecot.org/list/dovecot/2006-April/012454.html,
> http://www.lxtreme.nl/index.pl/docs/linux/dovecot_postfix_pam).
>
> Ville
>

Yes, I certainly haven't had any problem with Unix services when
enabling regular logons to a *nix server via AD authentication (I
haven't tried Postfix/Dovecot authentication myself, but there's plenty
of info for that, as you have found). It should certainly make your
solution a lot simpler to implement.

Re: Authenticating against ActiveDirectory?

stroller-6

On 14 Nov 2008, at 05:29, Ville Walveranta wrote:
> ...
> Actually there won't be an Exchange server any more; I'm replacing it
> with Postfix. It's a small environment and there isn't a dedicated
> server for Exchange available; it's been sharing a server with AD
> which is a bad idea in the first place. Since the users aren't using
> any of Exchange's extra features such as calendaring, there is no
> reason why they couldn't access mail via IMAP on Postfix/Dovecot.
> ...

I run a small network in which Dovecot authenticates against the
domain using Winbind.

$ sudo cat /etc/pam.d/imap
auth       required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_winbind.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
$

Once the user has logged in to their email, their homedir is created &
Postfix can deliver mail to them. I have not yet attempted to address
authenticating SMTP users as currently they all reside within the LAN.

I think the original reason for using Winbind was simply that it came
higher in Google searches for "authenticate user linux windows
domain", and it appeared simpler than learning what the heck an Active
Directory was. Nevertheless it works pretty well here.

I hope you find this helpful,

Stroller.
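An added example tying the /etc/pam.d/imap stack above to Dovecot and, for the SMTP authentication Stroller has not yet addressed, handing Postfix's SMTP AUTH to Dovecot so one winbind password check covers both. This is not the poster's configuration; the Dovecot 2.x syntax and socket path are assumptions, and it presumes winbind is joined to the domain and listed in nsswitch.conf so AD users resolve to Unix accounts.

```conf
# /etc/dovecot/conf.d/10-auth.conf  (Dovecot 2.x syntax, assumed)
passdb {
  driver = pam
  # "imap" selects the /etc/pam.d/imap stack; session=yes makes Dovecot
  # open a PAM session so the pam_mkhomedir line actually runs. The
  # pam_winbind "account" line is what refuses disabled/expired AD users.
  args = session=yes imap
}
userdb {
  # uid, gid and home come from NSS, i.e. from winbind via nsswitch.conf
  driver = passwd
}

# /etc/dovecot/conf.d/10-master.conf: auth socket inside the Postfix
# chroot, readable only by the postfix user
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# /etc/postfix/main.cf: SMTP AUTH via Dovecot. smtpd_tls_auth_only keeps
# AD passwords off the wire in clear (needs smtpd_tls_security_level,
# smtpd_tls_cert_file and smtpd_tls_key_file set as well), and
# permit_sasl_authenticated lets roaming users relay once authenticated.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
```

`doveadm auth test someuser` exercises the passdb/PAM path without involving Postfix, which narrows down whether a failure is in winbind or in the SASL socket.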