Integration with Active Directory


Integration with Active Directory

Goutam Baul

Hello Everybody,

I am facing a scenario where the client needs a mailing solution while the user information will be kept in a Microsoft Active Directory server. I was trying to search for any material that talks about whether it is possible to make postfix and courier-imap talk to Microsoft ADS. I have done an implementation with OpenLDAP but not with ADS. Another workaround might be to have LDAP for the mailing solution and create an application for user management that ensures that the LDAP and the MDS are always in sync. This would not be an elegant one, and it would be great if the mailing solution (postfix, courier-imap, courier-authlib, all in Linux) could talk to the ADS. May I request some pointers, please?

With regards,

Goutam


Re: Integration with Active Directory

lst_hoe02
Quoting Goutam Baul <[hidden email]>:

> Hello Everybody,
>
> I am facing a scenario where the client needs a mailing solution while the
> user information will be kept in a Microsoft Active Directory server. I was
> trying to search for any material that talks about whether it is possible to
> make postfix and courier-imap talk to Microsoft ADS. I have done
> implementation with Open LDAP but not with ADS. Another work around might be
> to have LDAP for the mailing solution and create an application for user
> management that ensures that the LDAP and the MDS are always in sync. This
> would not be an elegant one and it would be great if the mailing solution
> (postfix,courier-imap,courier-authlib all in Linux] could talk to the ADS.
> May I request for some pointer please?

For user authentication Postfix uses SASL, which in turn can use PAM,
which is able to do NTLM (Windows authentication) against a Windows
domain.
For routing information you can query the DCs with LDAP if you have
the necessary fields stored there (normally the case if MS Exchange is
used as the mailstore).

I have done it some time ago but the details are lost :-(

Regards

Andreas


Re: Integration with Active Directory

Stewart Walters
[hidden email] wrote:

> Quoting Goutam Baul <[hidden email]>:
>
>> Hello Everybody,
>>
>> I am facing a scenario where the client needs a mailing solution
>> while the
>> user information will be kept in a Microsoft Active Directory server.
>> I was
>> trying to search for any material that talks about whether it is
>> possible to
>> make postfix and courier-imap talk to Microsoft ADS. I have done
>> implementation with Open LDAP but not with ADS. Another work around
>> might be
>> to have LDAP for the mailing solution and create an application for user
>> management that ensures that the LDAP and the MDS are always in sync.
>> This
>> would not be an elegant one and it would be great if the mailing
>> solution
>> (postfix,courier-imap,courier-authlib all in Linux] could talk to the
>> ADS.
>> May I request for some pointer please?
>
>
> For user authentication Postfix uses SASL which in turn can use PAM
> which is able to do NTLM (Windows authentication) against a windows
> domain.
> For routing information you can query the DCs with LDAP if you have
> the necessary fields stored there (normaly the case if MS-Exchange is
> used as mailstore).
>
> I have done it some time ago but the details are lost :-(
>
> Regards
>
> Andreas

There are several ways I know how you could do this on Linux:

   1. Use "389 Directory Server" (formerly Fedora Directory Server,
      which is formerly the Netscape Directory Server) to regularly sync
      the AD users and groups to a local replication store, and use
      ordinary pam_ldap/libnss_ldap to authenticate your postfix
      straight to the 389 directory server.
   2. Use Samba + Winbind + pam_winbind to extract and provide
      usernames/groups, UID/GIDs to postfix.
   3. Assuming your active directory is schema version 31 or above (the
      schema that comes in Windows Server 2003 R2), you can enable RFC
      2307 information directly in AD and use pam_krb5 and pam_ldap to have
      your postfix box pull that information straight out of AD
      (instructions from Scott Lowe's blog at
      http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/)
   4. If your AD schema is not version 31 or above (Windows Server 2003,
      Windows SBS Server 2003 R2 and below) use Scott Lowe's
      instructions for getting the same thing happening, using Services
      For Unix
      (http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/)
   5. Purchase a proprietary product to authenticate Linux directly to
      AD (such as the Quest Authentication Services
      http://www.quest.com/active-directory/directory-consolidation.aspx;
      CA might also have one as a part of their Unicentre TNG suite,
      Centrify have toolsets as well)


I've deployed options 2, 3 & 4 in production environments before.
Option 2 was a multitude of times easier to get working than options 3 &
4, but in some distributions winbindd has some severe bugs (RHEL 4.4,
4.5, 4.6).  If you can't move off these platforms because your vendor
won't support their application, you're forced to go another route.

Although I've never deployed it before, Option 1 in theory is also a
sound way to go.

Of course, option 5 is another way to go, if you're willing to pay the
licensing fees.

Regards,

Stewart

Re: Integration with Active Directory

Zhang Huangbin
In reply to this post by Goutam Baul

On Mar 12, 2010, at 2:59 PM, Goutam Baul wrote:

> Hello Everybody,
>  
> I am facing a scenario where the client needs a mailing solution while the user information will be kept in a Microsoft Active Directory server. I was trying to search for any material that talks about whether it is possible to make postfix and courier-imap talk to Microsoft ADS. I have done implementation with Open LDAP but not with ADS. Another work around might be to have LDAP for the mailing solution and create an application for user management that ensures that the LDAP and the MDS are always in sync. This would not be an elegant one and it would be great if the mailing solution (postfix,courier-imap,courier-authlib all in Linux] could talk to the ADS. May I request for some pointer please?

You can try Postfix + Dovecot + Windows Active Directory 2003 + Roundcube webmail. I deployed one for a customer based on iRedMail; it works like a charm.

Postfix and Dovecot can authenticate users against AD directly, including normal users and mailing lists, and Roundcube can use AD as a global LDAP address book too. :)

--
Best Regards.

Zhang Huangbin

- Open Source Mail Server Solution for Red Hat(R) Enterprise Linux,
  CentOS, Debian, Ubuntu, FreeBSD: http://www.iredmail.org/


Re: Integration with Active Directory

Stan Hoeppner
Zhang Huangbin put forth on 3/12/2010 6:36 AM:

>
> On Mar 12, 2010, at 2:59 PM, Goutam Baul wrote:
>
>> Hello Everybody,
>>  
>> I am facing a scenario where the client needs a mailing solution while the user information will be kept in a Microsoft Active Directory server. I was trying to search for any material that talks about whether it is possible to make postfix and courier-imap talk to Microsoft ADS. I have done implementation with Open LDAP but not with ADS. Another work around might be to have LDAP for the mailing solution and create an application for user management that ensures that the LDAP and the MDS are always in sync. This would not be an elegant one and it would be great if the mailing solution (postfix,courier-imap,courier-authlib all in Linux] could talk to the ADS. May I request for some pointer please?
>
> You can try Postfix + Dovecot + Windows Active Directory 2003 + Roundcube webmail. I deployed one for customer based on iRedMail, works like a charm.
>
> Postfix and Dovecot can auth user against AD directly, include normal user, mail list, and Roundcube can use AD as global LDAP address book too. :)
>

I concur.  Ditch courier and go with Dovecot.  If you're using Postfix, you
may as well use the IMAP server that integrates best with it:
http://www.dovecot.org

Nice AD setup directions for Postfix and Dovecot:
http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/

--
Stan

Re: Integration with Active Directory

mouss-4
In reply to this post by Goutam Baul
Goutam Baul wrote:

> Hello Everybody,
>
>  
>
> I am facing a scenario where the client needs a mailing solution while
> the user information will be kept in a Microsoft Active Directory
> server. I was trying to search for any material that talks about whether
> it is possible to make postfix and courier-imap talk to Microsoft ADS. I
> have done implementation with Open LDAP but not with ADS. Another work
> around might be to have LDAP for the mailing solution and create an
> application for user management that ensures that the LDAP and the MDS
> are always in sync. This would not be an elegant one and it would be
> great if the mailing solution (postfix,courier-imap,courier-authlib all
> in Linux] could talk to the ADS. May I request for some pointer please?
>
>  

Use a script to dump AD data to a file. Addresses do not change that
often, so why insist on a direct AD lookup?

Otherwise, Postfix supports LDAP. If AD isn't LDAP compliant, you know
what you should do...
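Two replies in this thread point at the same mechanism: Andreas notes that the routing information lives in LDAP attributes on the domain controllers (populated when Exchange is the mailstore), and mouss suggests dumping that data to a file instead of doing live lookups. The following is an added example for this thread, written by the editor and not code from any poster, from Postfix or from iRedMail. It turns AD user entries into postmap-ready `virtual_mailbox_maps` and `virtual_alias_maps` tables. The entries are constructed sample data standing in for what an LDAP search against a DC (for example with `ldapsearch`) would return; the attribute names (`sAMAccountName`, `mail`, `proxyAddresses`, `userAccountControl`) are the standard AD ones, the maildir layout `<sAMAccountName>/` is an assumption, and the disabled-account check is included because a dump that keeps routing mail to disabled accounts is the usual mistake in this approach.

```python
"""Build Postfix lookup tables from Active Directory user entries.

Added example for this thread (editor's code, not from any poster or from
Postfix).  The entries below are constructed sample data standing in for
the result of an LDAP search against a domain controller.
"""
from typing import Any, Dict, Iterable, List, Optional, Tuple

# userAccountControl bit 0x2 = ACCOUNTDISABLE.  A disabled AD account must
# not keep a routable mailbox, so the dump filters on it.
ACCOUNTDISABLE = 0x0002

# Constructed sample entries (assumption: this is what the LDAP search returned).
SAMPLE_ENTRIES: List[Dict[str, Any]] = [
    {   # active user with a primary (SMTP:) and a secondary (smtp:) address
        "sAMAccountName": "gbaul",
        "mail": "Goutam.Baul@example.com",
        "proxyAddresses": ["SMTP:Goutam.Baul@example.com",
                           "smtp:goutam@example.com",
                           "X400:c=US;a= ;p=Example;o=Exchange;s=Baul;g=Goutam;"],
        "userAccountControl": "512",
    },
    {   # disabled account: 512 | 0x2 -> must not appear in the tables
        "sAMAccountName": "oldadmin",
        "mail": "oldadmin@example.com",
        "proxyAddresses": ["SMTP:oldadmin@example.com"],
        "userAccountControl": "514",
    },
    {   # service account with no SMTP address at all
        "sAMAccountName": "svc-backup",
        "proxyAddresses": [],
        "userAccountControl": "512",
    },
]


def is_enabled(entry: Dict[str, Any]) -> bool:
    """True unless the ACCOUNTDISABLE bit is set in userAccountControl."""
    uac = int(str(entry.get("userAccountControl", "0")))
    return not (uac & ACCOUNTDISABLE)


def smtp_addresses(entry: Dict[str, Any]) -> Tuple[Optional[str], List[str]]:
    """Split proxyAddresses into (primary, secondaries).

    Exchange convention: an upper-case "SMTP:" prefix marks the primary
    address, lower-case "smtp:" marks secondaries; other address types
    (X400:, X500:, ...) are ignored.  Falls back to the mail attribute
    when no SMTP: entry exists.  Addresses are lower-cased because AD
    compares them case-insensitively while Postfix hash tables do not.
    """
    primary: Optional[str] = None
    secondaries: List[str] = []
    for addr in entry.get("proxyAddresses", []):
        kind, _, value = str(addr).partition(":")
        if kind == "SMTP":
            primary = value.lower()
        elif kind == "smtp":
            secondaries.append(value.lower())
    if primary is None and entry.get("mail"):
        primary = str(entry["mail"]).lower()
    return primary, secondaries


def build_maps(entries: Iterable[Dict[str, Any]]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (virtual_mailbox_maps, virtual_alias_maps) as dicts.

    Mailbox values are maildir paths relative to virtual_mailbox_base
    (assumed layout: <sAMAccountName>/); alias values point each
    secondary address at the primary one.  Disabled accounts and
    accounts without a routable address are skipped.
    """
    mailboxes: Dict[str, str] = {}
    aliases: Dict[str, str] = {}
    for entry in entries:
        if not is_enabled(entry):
            continue
        primary, secondaries = smtp_addresses(entry)
        if primary is None:
            continue  # nothing routable for this account
        mailboxes[primary] = str(entry["sAMAccountName"]).lower() + "/"
        for addr in secondaries:
            if addr != primary:
                aliases[addr] = primary
    return mailboxes, aliases


def render_table(table: Dict[str, str]) -> str:
    """Serialize a dict in the key<TAB>value form that postmap(1) reads."""
    return "".join(f"{key}\t{value}\n" for key, value in sorted(table.items()))


if __name__ == "__main__":
    mailboxes, aliases = build_maps(SAMPLE_ENTRIES)
    # In a real deployment write these to e.g. /etc/postfix/ad_mailboxes and
    # /etc/postfix/ad_aliases (paths are an assumption), then run postmap on each.
    print("# virtual_mailbox_maps\n" + render_table(mailboxes))
    print("# virtual_alias_maps\n" + render_table(aliases))
```

After writing the two files, `postmap hash:/etc/postfix/ad_mailboxes` and `postmap hash:/etc/postfix/ad_aliases` build the lookup databases, and `virtual_mailbox_maps = hash:/etc/postfix/ad_mailboxes` plus `virtual_alias_maps = hash:/etc/postfix/ad_aliases` in main.cf make Postfix use them. Run the dump from cron and keep the previous table until the new `postmap` succeeds, so a failed LDAP query never leaves Postfix rejecting every recipient.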