[hidden email] wrote:
> Quote from Goutam Baul <[hidden email]>:
>
>> Hello Everybody,
>>
>> I am facing a scenario where the client needs a mailing solution while the
>> user information will be kept in a Microsoft Active Directory server. I was
>> trying to search for any material that talks about whether it is possible to
>> make postfix and courier-imap talk to Microsoft ADS. I have done an
>> implementation with OpenLDAP but not with ADS. Another workaround might be
>> to have LDAP for the mailing solution and create an application for user
>> management that ensures that the LDAP and the MDS are always in sync. This
>> would not be an elegant one and it would be great if the mailing solution
>> (postfix, courier-imap, courier-authlib, all in Linux) could talk to the ADS.
>> May I request some pointers please?
>
>
> For user authentication Postfix uses SASL which in turn can use PAM, which
> is able to do NTLM (Windows authentication) against a Windows domain.
> For routing information you can query the DCs with LDAP if you have the
> necessary fields stored there (normally the case if MS-Exchange is used as
> mailstore).
>
> I have done it some time ago but the details are lost :-(
>
> Regards
>
> Andreas
There are several ways I know how you could do this on Linux:

1. Use "389 Directory Server" (formerly Fedora Directory Server, which was
   formerly the Netscape Directory Server) to regularly sync the AD users and
   groups to a local replication store, and use ordinary pam_ldap/libnss_ldap
   to authenticate your postfix straight to the 389 directory server.
2. Use Samba + Winbind + pam_winbind to extract and provide usernames/groups
   and UID/GIDs to postfix.
3. Assuming your active directory is schema version 31 or above (the schema
   that comes in Windows Server 2003 R2), you can enable RFC 2307 information
   directly in AD and use pam_krb5 and pam_ldap to have your postfix box pull
   that information straight out of AD (instructions from Scott Lowe's blog at
   http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/).
4. If your AD schema is not version 31 or above (Windows Server 2003, Windows
   SBS Server 2003 R2 and below), use Scott Lowe's instructions for getting
   the same thing happening using Services For Unix
   (http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/).
5. Purchase a proprietary product to authenticate Linux directly to AD (such
   as the Quest Authentication Services,
   http://www.quest.com/active-directory/directory-consolidation.aspx; CA
   might also have one as a part of their Unicentre TNG suite, and Centrify
   have toolsets as well).

I've deployed options 2, 3 & 4 in production environments before. Option 2
was a multitude of times easier to get working than options 3 & 4, but in some
distributions winbindd has some severe bugs (RHEL 4.4, 4.5, 4.6). If you can't
move off these platforms because your vendor won't support their application,
you're forced to go another route.

Although I've never deployed it before, option 1 in theory is also a sound way
to go.

Of course, option 5 is another way to go, if you're willing to pay the
licensing fees.
Regards,
Stewart
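As an added illustration of Andreas's point about querying the domain controllers over LDAP for routing information (and of Stewart's option 3, where Postfix reads AD directly), here is a Postfix ldap_table(5) lookup that resolves a recipient address to a Courier Maildir via AD. This is not a configuration from the thread; the hostnames, base DN, service-account DN, CA file and the `/etc/postfix/ad_mailbox.cf` path are assumptions, and the bind password is a placeholder.

```ini
# /etc/postfix/ad_mailbox.cf (assumed path), referenced from main.cf as
#   virtual_mailbox_maps = ldap:/etc/postfix/ad_mailbox.cf
#
# Talk to the domain controllers only over LDAPS and verify their
# certificate, so bind credentials and directory data never cross the
# network in the clear. Hostnames and CA file are assumptions.
server_host = ldaps://dc1.example.com ldaps://dc2.example.com
version = 3
tls_require_cert = yes
tls_ca_cert_file = /etc/pki/tls/certs/ad-root-ca.pem

# AD refuses anonymous searches; bind as a dedicated read-only service
# account rather than an administrator. DN is assumed, password is a
# placeholder.
bind = yes
bind_dn = CN=postfix-lookup,OU=Service Accounts,DC=example,DC=com
bind_pw = REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD

# AD hands out referrals for other naming contexts; chasing them makes
# lookups slow and error-prone, so turn it off.
chase_referrals = no

search_base = DC=example,DC=com
scope = sub
timeout = 10

# Match the full recipient address (%s) against the user's mail attribute,
# and skip disabled accounts: userAccountControl bit 0x2 (ACCOUNTDISABLE)
# is tested with the AD bitwise-AND matching rule 1.2.840.113556.1.4.803.
query_filter = (&(objectClass=user)(mail=%s)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# Return the Windows logon name and turn it into a Maildir path relative
# to virtual_mailbox_base, which is what Courier expects.
result_attribute = sAMAccountName
result_format = %s/Maildir/
```

Test the map before wiring it into main.cf with `postmap -q user@example.com ldap:/etc/postfix/ad_mailbox.cf`; a disabled account should return nothing.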