1 (edited by Pablo E. 2011-06-17 21:28:04)

Topic: iRedMail - AD Integration troubles

Hi.
I did the integration according to the "Integration/Active.Directory.iRedMail" article in the wiki.
I've reached the "Verify LDAP query with AD in Postfix" paragraph and tried to verify. But my "postmap -q ..." requests tell me nothing, just a blank line.
Please help me. I'm sure that the previous steps were done correctly, e.g. the LDAP queries are working and all texts are correct.

Thanks in advance.

PS
Linux mail2 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
iRedMail-0.7.2


2

Re: iRedMail - AD Integration troubles

Pablo E. wrote:

I've reached the "Verify LDAP query with AD in Postfix" paragraph and tried to verify. But my "postmap -q ..." requests tell me nothing, just a blank line.

A blank line being returned means the LDAP query didn't get the expected result.

Try setting "debuglevel = 1" in the AD query file, e.g. /etc/postfix/ad_sender_login_maps.cf, then query again. It will now print more debug messages. If you're not familiar with this kind of output, please post it here (HIDE/REPLACE the password before posting, please).

3

Re: iRedMail - AD Integration troubles

ZhangHuangbin wrote:

Try setting "debuglevel = 1" in the AD query file, e.g. /etc/postfix/ad_sender_login_maps.cf, then query again. It will now print more debug messages. If you're not familiar with this kind of output, please post it here (HIDE/REPLACE the password before posting, please).

Thank you for the response. Here is the log with debuglevel=1.

postmap -q pas@domain.com ldap:/etc/postfix/ad_sender_login_maps.cf
postmap: dict_ldap_debug: ldap_create
postmap: dict_ldap_debug: ldap_url_parse_ext(ldap://sputnik-term.domain.com:389)
postmap: dict_ldap_debug: ldap_sasl_bind
postmap: dict_ldap_debug: ldap_send_initial_request
postmap: dict_ldap_debug: ldap_new_connection 1 1 0
postmap: dict_ldap_debug: ldap_int_open_connection
postmap: dict_ldap_debug: ldap_connect_to_host: TCP sputnik-term.domain.com:389
postmap: dict_ldap_debug: ldap_new_socket: 4
postmap: dict_ldap_debug: ldap_prepare_socket: 4
postmap: dict_ldap_debug: ldap_connect_to_host: Trying 192.168.200.252:389
postmap: dict_ldap_debug: ldap_pvt_connect: fd: 4 tm: 10 async: 0
postmap: dict_ldap_debug: ldap_ndelay_on: 4
postmap: dict_ldap_debug: ldap_int_poll: fd: 4 tm: 10
postmap: dict_ldap_debug: ldap_is_sock_ready: 4
postmap: dict_ldap_debug: ldap_ndelay_off: 4
postmap: dict_ldap_debug: ldap_pvt_connect: 0
postmap: dict_ldap_debug: ldap_open_defconn: successful
postmap: dict_ldap_debug: ldap_send_server_request
postmap: dict_ldap_debug: ber_scanf fmt ({it) ber:
postmap: dict_ldap_debug: ber_scanf fmt ({i) ber:
postmap: dict_ldap_debug: ber_flush2: 27 bytes to sd 4
postmap: dict_ldap_debug: ldap_result ld 0x7fa9bee0c9c0 msgid 1
postmap: dict_ldap_debug: wait4msg ld 0x7fa9bee0c9c0 msgid 1 (timeout 10000000 usec)
postmap: dict_ldap_debug: wait4msg continue ld 0x7fa9bee0c9c0 msgid 1 all 1
postmap: dict_ldap_debug: ** ld 0x7fa9bee0c9c0 Connections:
postmap: dict_ldap_debug: * host: sputnik-term.domain.com  port: 389  (default)
postmap: dict_ldap_debug:   refcnt: 2  status: Connected
postmap: dict_ldap_debug:   last used: Mon Jun 20 11:00:01 2011
postmap: dict_ldap_debug:
postmap: dict_ldap_debug: ** ld 0x7fa9bee0c9c0 Outstanding Requests:
postmap: dict_ldap_debug:  * msgid 1,  origid 1, status InProgress
postmap: dict_ldap_debug:    outstanding referrals 0, parent count 0
postmap: dict_ldap_debug:   ld 0x7fa9bee0c9c0 request count 1 (abandoned 0)
postmap: dict_ldap_debug: ** ld 0x7fa9bee0c9c0 Response Queue:
postmap: dict_ldap_debug:    Empty
postmap: dict_ldap_debug:   ld 0x7fa9bee0c9c0 response count 0
postmap: dict_ldap_debug: ldap_chkResponseList ld 0x7fa9bee0c9c0 msgid 1 all 1
postmap: dict_ldap_debug: ldap_chkResponseList returns ld 0x7fa9bee0c9c0 NULL
postmap: dict_ldap_debug: ldap_int_select
postmap: dict_ldap_debug: read1msg: ld 0x7fa9bee0c9c0 msgid 1 all 1
postmap: dict_ldap_debug: ber_get_next
postmap: dict_ldap_debug: ber_get_next: tag 0x30 len 16 contents:
postmap: dict_ldap_debug: read1msg: ld 0x7fa9bee0c9c0 msgid 1 message type bind
postmap: dict_ldap_debug: ber_scanf fmt ({eAA) ber:
postmap: dict_ldap_debug: read1msg: ld 0x7fa9bee0c9c0 0 new referrals
postmap: dict_ldap_debug: read1msg:  mark request completed, ld 0x7fa9bee0c9c0 msgid 1
postmap: dict_ldap_debug: request done: ld 0x7fa9bee0c9c0 msgid 1
postmap: dict_ldap_debug: res_errno: 0, res_error: <>, res_matched: <>
postmap: dict_ldap_debug: ldap_free_request (origid 1, msgid 1)
postmap: dict_ldap_debug: ldap_parse_sasl_bind_result
postmap: dict_ldap_debug: ber_scanf fmt ({eAA) ber:
postmap: dict_ldap_debug: ldap_msgfree
postmap: dict_ldap_debug: ldap_search_ext
postmap: dict_ldap_debug: put_filter: "(&(userPrincipalName=pas@domain.com)(objectClass=person)(!(userAccountControl=514)))"
postmap: dict_ldap_debug: put_filter: AND
postmap: dict_ldap_debug: put_filter_list "(userPrincipalName=pas@domain.com)(objectClass=person)(!(userAccountControl=514))"
postmap: dict_ldap_debug: put_filter: "(userPrincipalName=pas@domain.com)"
postmap: dict_ldap_debug: put_filter: simple
postmap: dict_ldap_debug: put_simple_filter: "userPrincipalName=pas@domain.com"
postmap: dict_ldap_debug: put_filter: "(objectClass=person)"
postmap: dict_ldap_debug: put_filter: simple
postmap: dict_ldap_debug: put_simple_filter: "objectClass=person"
postmap: dict_ldap_debug: put_filter: "(!(userAccountControl=514))"
postmap: dict_ldap_debug: put_filter: NOT
postmap: dict_ldap_debug: put_filter_list "(userAccountControl=514)"
postmap: dict_ldap_debug: put_filter: "(userAccountControl=514)"
postmap: dict_ldap_debug: put_filter: simple
postmap: dict_ldap_debug: put_simple_filter: "userAccountControl=514"
postmap: dict_ldap_debug: ldap_send_initial_request
postmap: dict_ldap_debug: ldap_send_server_request
postmap: dict_ldap_debug: ber_scanf fmt ({it) ber:
postmap: dict_ldap_debug: ber_scanf fmt ({) ber:
postmap: dict_ldap_debug: ber_flush2: 163 bytes to sd 4
postmap: dict_ldap_debug: ldap_result ld 0x7fa9bee0c9c0 msgid 2
postmap: dict_ldap_debug: wait4msg ld 0x7fa9bee0c9c0 msgid 2 (timeout 10000000 usec)
postmap: dict_ldap_debug: wait4msg continue ld 0x7fa9bee0c9c0 msgid 2 all 1
postmap: dict_ldap_debug: ** ld 0x7fa9bee0c9c0 Connections:
postmap: dict_ldap_debug: * host: sputnik-term.domain.com  port: 389  (default)
postmap: dict_ldap_debug:   refcnt: 2  status: Connected
postmap: dict_ldap_debug:   last used: Mon Jun 20 11:00:01 2011
postmap: dict_ldap_debug:
postmap: dict_ldap_debug: ** ld 0x7fa9bee0c9c0 Outstanding Requests:
postmap: dict_ldap_debug:  * msgid 2,  origid 2, status InProgress
postmap: dict_ldap_debug:    outstanding referrals 0, parent count 0
postmap: dict_ldap_debug:   ld 0x7fa9bee0c9c0 request count 1 (abandoned 0)
postmap: dict_ldap_debug: ** ld 0x7fa9bee0c9c0 Response Queue:
postmap: dict_ldap_debug:    Empty
postmap: dict_ldap_debug:   ld 0x7fa9bee0c9c0 response count 0
postmap: dict_ldap_debug: ldap_chkResponseList ld 0x7fa9bee0c9c0 msgid 2 all 1
postmap: dict_ldap_debug: ldap_chkResponseList returns ld 0x7fa9bee0c9c0 NULL
postmap: dict_ldap_debug: ldap_int_select
postmap: dict_ldap_debug: read1msg: ld 0x7fa9bee0c9c0 msgid 2 all 1
postmap: dict_ldap_debug: ber_get_next
postmap: dict_ldap_debug: ber_get_next: tag 0x30 len 16 contents:
postmap: dict_ldap_debug: read1msg: ld 0x7fa9bee0c9c0 msgid 2 message type search-result
postmap: dict_ldap_debug: ber_scanf fmt ({eAA) ber:
postmap: dict_ldap_debug: read1msg: ld 0x7fa9bee0c9c0 0 new referrals
postmap: dict_ldap_debug: read1msg:  mark request completed, ld 0x7fa9bee0c9c0 msgid 2
postmap: dict_ldap_debug: request done: ld 0x7fa9bee0c9c0 msgid 2
postmap: dict_ldap_debug: res_errno: 0, res_error: <>, res_matched: <>
postmap: dict_ldap_debug: ldap_free_request (origid 2, msgid 2)
postmap: dict_ldap_debug: ldap_parse_result
postmap: dict_ldap_debug: ber_scanf fmt ({iAA) ber:
postmap: dict_ldap_debug: ber_scanf fmt (}) ber:
postmap: dict_ldap_debug: ldap_msgfree
postmap: dict_ldap_debug: ldap_free_connection 1 1
postmap: dict_ldap_debug: ldap_send_unbind
postmap: dict_ldap_debug: ber_flush2: 7 bytes to sd 4
postmap: dict_ldap_debug: ldap_free_connection: actually freed

4

Re: iRedMail - AD Integration troubles

Pablo E. wrote:

postmap: dict_ldap_debug: ** ld 0x7fa9bee0c9c0 Response Queue:
postmap: dict_ldap_debug:    Empty

It seems the bind DN and password are correct; the expected result just wasn't found.

Could you please show us the file content of /etc/postfix/ad_sender_login_maps.cf (REMOVE the server address and password before posting)?

Also, exporting LDIF data of this account from AD will help a lot. Here's MS official doc about exporting LDIF data: http://technet.microsoft.com/en-us/libr … .aspx#ECAA
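
Added example, not from this thread and not from iRedMail or Postfix: a small Python script that reads the dict_ldap_debug output above and pulls out the facts the reading in this post rests on (the server URL, the bind's result code, the outermost filter actually sent, the number of search-entry messages, and the search's result code), so "bind worked, search returned nothing" can be checked mechanically rather than by eye. The embedded log is a constructed excerpt of the output in post 3; the result-code names are the standard LDAP ones from RFC 4511. The practical distinction it makes: a search_base that does not exist comes back as result code 32 (noSuchObject), while an existing base that simply does not contain the user comes back as 0 with zero entries, which is what this thread shows.

```python
import re

# Constructed sample: an excerpt of the "debuglevel = 1" output from post 3,
# keeping only the kinds of lines this summary reads.
DEBUG_LOG = """\
postmap: dict_ldap_debug: ldap_url_parse_ext(ldap://sputnik-term.domain.com:389)
postmap: dict_ldap_debug: ldap_sasl_bind
postmap: dict_ldap_debug: read1msg: ld 0x7fa9bee0c9c0 msgid 1 message type bind
postmap: dict_ldap_debug: res_errno: 0, res_error: <>, res_matched: <>
postmap: dict_ldap_debug: ldap_search_ext
postmap: dict_ldap_debug: put_filter: "(&(userPrincipalName=pas@domain.com)(objectClass=person)(!(userAccountControl=514)))"
postmap: dict_ldap_debug: put_filter: AND
postmap: dict_ldap_debug: read1msg: ld 0x7fa9bee0c9c0 msgid 2 message type search-result
postmap: dict_ldap_debug: res_errno: 0, res_error: <>, res_matched: <>
postmap: dict_ldap_debug: ldap_send_unbind
"""

# Standard LDAP result codes (RFC 4511) that turn up most in this kind of debugging.
RESULT_CODE_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                     50: "insufficientAccessRights", 53: "unwillingToPerform"}


def summarize_ldap_debug(text):
    """Reduce dict_ldap_debug output to the facts that decide the diagnosis."""
    summary = {"server": None, "filter": None, "bind_errno": None,
               "search_errno": None, "entries": 0}
    current = None  # message type of the most recent response seen
    for line in text.splitlines():
        m = re.search(r"ldap_url_parse_ext\(([^)]+)\)", line)
        if m:
            summary["server"] = m.group(1)
            continue
        m = re.search(r'put_filter: "(.*)"$', line)
        if m and summary["filter"] is None:
            summary["filter"] = m.group(1)  # the first one logged is the outermost filter
            continue
        m = re.search(r"msgid \d+ message type (\S+)", line)
        if m:
            current = m.group(1)
            if current == "search-entry":
                summary["entries"] += 1
            continue
        m = re.search(r"res_errno: (\d+)", line)
        if m and current in ("bind", "search-result"):
            key = "bind_errno" if current == "bind" else "search_errno"
            summary[key] = int(m.group(1))
    return summary


def verdict(summary):
    """Turn the summary into the one-line reading a human would give."""
    bind, search, n = summary["bind_errno"], summary["search_errno"], summary["entries"]

    def name(code):
        return "%d %s" % (code, RESULT_CODE_NAMES.get(code, "unknown"))

    if bind is None:
        return "no bind response seen: connection or server_host problem"
    if bind != 0:
        return "bind failed (%s): bind_dn/bind_pw rejected" % name(bind)
    if search is None:
        return "bind OK but no search result seen"
    if search != 0:
        return "search failed (%s): search_base missing or unreadable" % name(search)
    if n == 0:
        return "bind OK, search OK, 0 entries: nothing under search_base/scope matches the filter"
    return "%d entries matched" % n


if __name__ == "__main__":
    s = summarize_ldap_debug(DEBUG_LOG)
    print(s)
    print(verdict(s))
```

Run it against the full debuglevel=1 output instead of the excerpt; nothing else in that output changes the result, and `postmap -q` with the real map is still the authoritative check.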

5 (edited by Pablo E. 2011-06-20 15:24:39)

Re: iRedMail - AD Integration troubles

ZhangHuangbin wrote:
Pablo E. wrote:

postmap: dict_ldap_debug: ** ld 0x7fa9bee0c9c0 Response Queue:
postmap: dict_ldap_debug:    Empty

It seems the bind DN and password are correct; the expected result just wasn't found.

Could you please show us the file content of /etc/postfix/ad_sender_login_maps.cf (REMOVE the server address and password before posting)?

Also, exporting LDIF data of this account from AD will help a lot. Here's MS official doc about exporting LDIF data: http://technet.microsoft.com/en-us/libr … .aspx#ECAA

server_host     = sputnik-term.domain.com
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = vmail
bind_pw         = pass
search_base     = cn=users,dc=domain,dc=com
scope           = sub
query_filter    = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl=514)))
result_attribute= userPrincipalName
debuglevel      = 1

6

Re: iRedMail - AD Integration troubles

And the LDIF data of this account, please.

7

Re: iRedMail - AD Integration troubles

ZhangHuangbin wrote:

And the LDIF data of this account, please.

What is LDIF data?

8

Re: iRedMail - AD Integration troubles

You can just follow the tutorial here to export LDIF data:
http://technet.microsoft.com/en-us/libr … .aspx#ECAA

9

Re: iRedMail - AD Integration troubles

Hi,
I have an AD Windows 2003 domain, tarang.local, and the mail domain is tarang.com.
Where do I make changes in this config http://www.iredmail.org/wiki/index.php? … y.iRedMail
so that, using AD, I can create mail accounts as user@tarang.com instead of user@tarang.local?

Thanks in Advance

10

Re: iRedMail - AD Integration troubles

ZhangHuangbin wrote:

And the LDIF data of this account, please.

cn: vmail
givenName: vmail
distinguishedName: CN=vmail,OU=System,OU=Accounts,OU=domain,DC=domain,DC=COM
instanceType: 4
whenCreated: 20110617120159.0Z
whenChanged: 20110617120419.0Z
displayName: vmail
uSNCreated: 13704477
uSNChanged: 13704488
name: vmail
objectGUID:: XrNgm1mR9EaiUuis2RpP7Q==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129527857196503737
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAkuA8d01kSS5DFwoyiAoAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: vmail
sAMAccountType: 805306368
userPrincipalName: vmail@domain.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=COM
lastLogonTimestamp: 129527858595356269

11

Re: iRedMail - AD Integration troubles

Try adding 'result_format' in the Postfix query files like below:

result_attribute= userPrincipalName
result_format   = %u@tarang.com

It will replace the domain name in userPrincipalName with tarang.com.

Reference: http://www.postfix.org/ldap_table.5.html

12

Re: iRedMail - AD Integration troubles

Would you kindly provide us with a full example of such a query, please?

Thank you for your patience.

13

Re: iRedMail - AD Integration troubles

Pablo E. wrote:

cn: vmail
givenName: vmail
distinguishedName: CN=vmail,OU=System,OU=Accounts,OU=domain,DC=domain,DC=COM

Hi Pablo,

You should give us the LDIF data of the mail user you want to query, not of the account "vmail".

14 (edited by Pablo E. 2011-06-22 15:13:27)

Re: iRedMail - AD Integration troubles

ZhangHuangbin wrote:

Hi Pablo,

You should give us the LDIF data of the mail user you want to query, not of the account "vmail".

Hello.
This one, for example:

dn: CN=BUHTEST1,OU=IT,OU=Accounts,OU=DOMAIN,DC=DOMAIN,DC=COM
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: BUHTEST1
description:: 0J/QvtC70YzQt9C+0LLQsNGC0LXQu9C4IC0gISEhIElUICEhIQ==
givenName: BUHTEST1
distinguishedName: CN=BUHTEST1,OU=IT,OU=Accounts,OU=DOMAIN,DC=DOMAIN,DC=COM
instanceType: 4
whenCreated: 20101025093329.0Z
whenChanged: 20110526092541.0Z
displayName: BUHTEST1
uSNCreated: 10020308
memberOf: CN=User_VPN_ACCESS,CN=Users,DC=DOMAIN,DC=COM
memberOf: CN=User_KONSULTANT,CN=Users,DC=DOMAIN,DC=COM
memberOf: CN=User_BUH,CN=Users,DC=DOMAIN,DC=COM
memberOf: CN=User_BAST,CN=Users,DC=DOMAIN,DC=COM
memberOf: CN=User_TSC,CN=Users,DC=DOMAIN,DC=COM
memberOf: CN=Print Operators,CN=Builtin,DC=DOMAIN,DC=COM
uSNChanged: 13637237
name: BUHTEST1
objectGUID:: eOWHegpGO0qM8wpZ5Z81KA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129508755321875575
lastLogoff: 0
lastLogon: 129508912959815769
pwdLastSet: 129325701077920197
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAkuA8d01kSS5DFwoyMggAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 714
sAMAccountName: BUHTEST1
sAMAccountType: 805306368
userPrincipalName: BUHTEST1@DOMAIN.COM
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=DOMAIN,DC=COM
dSCorePropagationData: 20110121080451.0Z
dSCorePropagationData: 20110121080451.0Z
dSCorePropagationData: 20110121080451.0Z
dSCorePropagationData: 20101217084546.0Z
dSCorePropagationData: 16010108151056.0Z
lastLogonTimestamp: 129508755419528700

15

Re: iRedMail - AD Integration troubles

You have LDAP search base in /etc/postfix/ad_sender_login_maps.cf:

search_base     = cn=users,dc=domain,dc=com

And your mail user "BUHTEST1@DOMAIN.COM" is under a different LDAP tree:

dn: CN=BUHTEST1,OU=IT,OU=Accounts,OU=DOMAIN,DC=DOMAIN,DC=COM

That means you cannot get the expected result at all. I think what you need in /etc/postfix/ad_sender_login_maps.cf is something like below:

search_base     = OU=Accounts,OU=DOMAIN,dc=domain,dc=com
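
Added example, not from this thread and not from iRedMail or Postfix: a Python script that reads a Postfix ldap_table(5) map file and a user's LDIF export and answers the two questions this thread turned on: whether the user's DN lies under search_base at all for the configured scope (the problem found in this post), and what result_format would emit for the userPrincipalName value (the suggestion in post 11). The map file and LDIF lines are copied from the posts above with the password replaced; tarang.com in the "fixed" run is the other poster's domain and is only assumed here. The result_format expansion of %s, %u and %d follows ldap_table(5); other specifiers are left untouched.

```python
import base64
import re

# Constructed sample input: the map file posted in this thread, password replaced.
AD_SENDER_LOGIN_MAPS_CF = """\
server_host     = sputnik-term.domain.com
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = vmail
bind_pw         = REDACTED
search_base     = cn=users,dc=domain,dc=com
scope           = sub
query_filter    = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl=514)))
result_attribute= userPrincipalName
debuglevel      = 1
"""

# Constructed sample input: the relevant lines of the LDIF export posted in this thread.
USER_LDIF = """\
dn: CN=BUHTEST1,OU=IT,OU=Accounts,OU=DOMAIN,DC=DOMAIN,DC=COM
objectClass: person
description:: 0J/QvtC70YzQt9C+0LLQsNGC0LXQu9C4IC0gISEhIElUICEhIQ==
userAccountControl: 66048
userPrincipalName: BUHTEST1@DOMAIN.COM
"""


def parse_cf(text):
    """Parse a Postfix ldap_table file ("key = value" per line) into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}; '::' marks a base64 value."""
    entry = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if m:
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            entry.setdefault(attr, []).append(value)
    return entry


def parse_dn(dn):
    """Split a DN into (type, value) RDNs, leaf first, lower-cased because AD
    compares DN components case-insensitively; escaped commas stay in the value."""
    return [(a.strip().lower(), v.strip().lower())
            for a, _, v in (r.partition("=") for r in re.split(r"(?<!\\),", dn))]


def dn_in_scope(dn, search_base, scope="sub"):
    """True if an entry with this DN can be returned by a search rooted at
    search_base with the Postfix scope value (sub, one or base)."""
    entry, base = parse_dn(dn), parse_dn(search_base)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False  # not under the base at all: no scope will find it
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1}.get(scope.lower(), True)


def apply_result_format(fmt, value):
    """Expand result_format for one attribute value, per ldap_table(5): %s is the
    whole value, %u the local part (the whole value if there is no '@'), %d the
    domain part. Postfix skips a value that has no domain when %d is used; we
    return None for that. Other specifiers are left as they are."""
    local, at, domain = value.partition("@")
    if "%d" in fmt and not at:
        return None
    expansions = {"%s": value, "%u": local if at else value, "%d": domain, "%%": "%"}
    return re.sub(r"%[sud%]", lambda m: expansions[m.group(0)], fmt)


def diagnose(cf_text, ldif_text):
    """Is the LDIF entry reachable from the map's search_base/scope, and what
    would Postfix return for it once the filter matches?"""
    conf, entry = parse_cf(cf_text), parse_ldif(ldif_text)
    attr = conf.get("result_attribute", "maildrop")  # ldap_table(5) default
    fmt = conf.get("result_format", "%s")
    results = [apply_result_format(fmt, v) for v in entry.get(attr, [])]
    return {
        "in_scope": dn_in_scope(entry["dn"][0], conf["search_base"], conf.get("scope", "sub")),
        "results": [r for r in results if r is not None],
    }


if __name__ == "__main__":
    print("as posted:", diagnose(AD_SENDER_LOGIN_MAPS_CF, USER_LDIF))
    # The fix from this post, plus the result_format from post 11 (tarang.com assumed).
    fixed = AD_SENDER_LOGIN_MAPS_CF.replace(
        "search_base     = cn=users,dc=domain,dc=com",
        "search_base     = OU=Accounts,OU=DOMAIN,dc=domain,dc=com\nresult_format   = %u@tarang.com")
    print("fixed:    ", diagnose(fixed, USER_LDIF))
```

The scope check is the part worth keeping around: an AD forest usually has users spread over several OUs, and a base of cn=users only sees accounts created in the default container. Note that the script does not evaluate query_filter; even with the base fixed, a disabled account (userAccountControl=514) is still excluded by the filter on the page.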

16 (edited by Pablo E. 2011-06-22 17:52:38)

Re: iRedMail - AD Integration troubles

ZhangHuangbin wrote:

OU=Accounts,OU=DOMAIN,

Thanks a lot, Mr. ZhangHuangbin.
My test search results are in upper case; is that a problem?

UPD.
And now I can't verify the LDAP query with AD in Dovecot:
. login stark@domain.com pass
. NO [AUTHENTICATIONFAILED] Authentication failed.


My /etc/dovecot/dovecot-ldap.conf:
hosts           = 192.168.200.252:389
ldap_version    = 3
auth_bind       = yes
dn              = vmail
dnpass          = pass
base            = OU=Accounts,OU=DOMAIN,dc=DOMAIN,dc=COM
scope           = subtree
deref           = never
user_filter     = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls%Lc)(|(mail=%u)$
pass_filter     = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls%Lc)(|(mail=%u)$
pass_attrs      = userPassword=password
default_pass_scheme = CRYPT
user_attrs      = homeDirectory=home,mailMessageStore=mail=maildir:/var/vmail/%$/Maildir/,mailQuota=quota_rule=*:bytes=$

17

Re: iRedMail - AD Integration troubles

Pablo E. wrote:

My test search results are in upper case; is that a problem?

Honestly, I didn't test this before, and it's not mentioned in the Postfix manual page:
http://www.postfix.org/ldap_table.5.html

You can try it yourself, then share with our community. :)

Pablo E. wrote:

UPD.
And now I can't verify the LDAP query with AD in Dovecot:
. login stark@domain.com pass
. NO [AUTHENTICATIONFAILED] Authentication failed.

You didn't follow our tutorial:
http://www.iredmail.org/wiki/index.php? … in_Dovecot

Please enable LDAP query with AD in dovecot first, then verify it.

18 (edited by Pablo E. 2011-06-22 18:22:28)

Re: iRedMail - AD Integration troubles

ZhangHuangbin wrote:
Pablo E. wrote:

UPD.
And now I can't verify the LDAP query with AD in Dovecot:
. login stark@domain.com pass
. NO [AUTHENTICATIONFAILED] Authentication failed.

You didn't follow our tutorial:
http://www.iredmail.org/wiki/index.php? … in_Dovecot

Please enable LDAP query with AD in dovecot first, then verify it.

My /etc/dovecot/dovecot-ldap.conf looks exactly like the code there.

19

Re: iRedMail - AD Integration troubles

Bump.
I edited my /etc/dovecot/dovecot-ldap.conf as described in the manual (Enable LDAP query with AD in Dovecot).
But I still receive error messages (. NO [AUTHENTICATIONFAILED] Authentication failed.)
Please advise me what steps have to be done to correct it.

Thanks in advance.

20

Re: iRedMail - AD Integration troubles

Could you please paste /etc/dovecot/dovecot-ldap.conf here?
The one you pasted in the above post is incorrect: incorrect attribute names, incorrect values. Those are used in OpenLDAP with the iRedMail LDAP schema file.

user_filter     = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls%Lc)(|(mail=%u)$
pass_filter     = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls%Lc)(|(mail=%u)$

21 (edited by Pablo E. 2011-06-23 14:58:30)

Re: iRedMail - AD Integration troubles

ZhangHuangbin wrote:

Could you please paste /etc/dovecot/dovecot-ldap.conf here?
The one you pasted in the above post is incorrect: incorrect attribute names, incorrect values. Those are used in OpenLDAP with the iRedMail LDAP schema file.

user_filter     = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls%Lc)(|(mail=%u)$
pass_filter     = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls%Lc)(|(mail=%u)$

Wow. I was really inattentive. Now I have corrected the dovecot-ldap.conf file as you said, and login was successful.
Please forgive my carelessness; I'm continuing with the integration.
Thank you.

UPD.
Please help me with the paragraph "Enable Global LDAP Address Book with AD in Roundcube webmail".
I don't understand: should I replace everything between

// Global LDAP address book.

and

// end of config file

with the code provided by that paragraph?
It's not very easy to understand what I have to change.

Thank You.

22

Re: iRedMail - AD Integration troubles

Please read the whole paragraph first; it's self-documented.

23 (edited by Pablo E. 2011-06-23 19:27:15)

Re: iRedMail - AD Integration troubles

ZhangHuangbin wrote:

Please read the whole paragraph first, it's self-documented.

OK, and one more question.
Is it possible to add such info from AD as "Office", "Title", "Telephone Number" and "Mobile" to the Roundcube web interface?

Really, thank you very much.

UPD.
And I can't send email when the login name and the email prefix are different, e.g. email: 111@dom.com (login: test.
Only equal parameters are accepted.

(Recipient address rejected: User unknown in virtual mailbox table)

24

Re: iRedMail - AD Integration troubles

Pablo E. wrote:

Is it possible to add such info from AD as "Office", "Title", "Telephone Number" and "Mobile" to the Roundcube web interface?

No idea yet. It's better to ask in the Roundcube support forum:
http://trac.roundcube.net/wiki/MailingLists

25

Re: iRedMail - AD Integration troubles

ZhangHuangbin wrote:
Pablo E. wrote:

Is it possible to add such info from AD as "Office", "Title", "Telephone Number" and "Mobile" to the Roundcube web interface?

No idea yet. It's better to ask in the Roundcube support forum:
http://trac.roundcube.net/wiki/MailingLists

Can you comment on the update to the above message, please?