1 (edited by gro555 2013-02-08 15:50:48)

Topic: Search base between 2 OU in iRedmail with AD integration

Hi Zhang,

First of all, thank you for your hard work.
iRedMail is a really good product.

I have question.
I'm following this tutorial: http://www.iredmail.org/wiki/index.php? … y.iRedMail
to make iRedMail work with our company's AD.

My experience with Active Directory design is limited.
But I think our AD is a little bit different.

All of the users reside inside OUs instead of CN=Users. For example, I'm trying to make Postfix and Dovecot authenticate users that reside in either one of the 2 OUs, which are:
ou=Employees and ou=Parttime

I have tried to make the search base:
dc=example,dc=com

and it didn't work.

But, if I make it like this:
ou=Employees,dc=example,dc=com

or if I make it like this:
ou=Parttime,dc=example,dc=com

It will work.

I'm wondering if it is possible to make Postfix and Dovecot authenticate users that reside in either one of the 2 OUs.


Sincerely,

Greg R O


==== Required information ====
- iRedMail version: 0.8.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): AD
- Linux/BSD distribution name and version: Red Hat 6
- Related log if you're reporting an issue:
====

2

Re: Search base between 2 OU in iRedmail with AD integration

Hello,

I've noticed this before, and the only thing I found is to put your 2 OUs (Employees and Parttime) in another OU (called "Companyusers" for example).

After this, you set the search base to this new OU.

Nicolas

3

Re: Search base between 2 OU in iRedmail with AD integration

As far as I know, AD doesn't allow using dc=example,dc=com as the search base DN by default, but you can change this setting. Unfortunately, I forgot how to change it, or maybe I'm wrong. :(

4

Re: Search base between 2 OU in iRedmail with AD integration

Oh, here's another way if you cannot configure AD to allow searching from the root DN (dc=example,dc=com): use two LDAP query files in Postfix instead of one, with a different base DN (ou=Employees, ou=Parttime) in each. For example:

Original one:

smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ad_sender_login_maps.cf

We now use two query files instead:

smtpd_sender_login_maps =
    proxy:ldap:/etc/postfix/ad_sender_login_maps_employees.cf,
    proxy:ldap:/etc/postfix/ad_sender_login_maps_parttime.cf

Update ad_sender_login_maps_employees.cf to use ou=Employees as the search base DN:

search_base     = ou=Employees,dc=example,dc=com

Update ad_sender_login_maps_parttime.cf to use ou=Parttime as the search base DN:

search_base     = ou=Parttime,dc=example,dc=com

That's all. Replace the other LDAP query files the same way.

Again, please try to configure AD to allow searching from the root DN (dc=example,dc=com) first.

5

Re: Search base between 2 OU in iRedmail with AD integration

Hello All,

Thank you for all of the replies.
I tried Zhang's recommendation to allow AD to do a root search base, but couldn't find any solution for that.
Then, as recommended by Nicolas, I tried to move the OUs into another OU, but somehow AD wouldn't allow me to do that.

I also tried to use two query files, but then I faced a new problem, because it worked for the Postfix configuration but not for Dovecot.

Then I googled around and stumbled upon Nicolas's topic about the same problem:

http://www.iredmail.org/forum/topic3143 … on-p2.html

And I read that you have to name the OU the same as the root name, so I renamed it to match the root name and AD let me move those 2 OUs under the new OU.

And now Roundcube works beautifully.
I also thought I would have to change the configuration of the other systems that use AD; apparently not.
All the other systems work perfectly too, at least for now.

I will let you guys know if I find any other solutions or problems about this.

Thank you,

Greg RO

6

Re: Search base between 2 OU in iRedmail with AD integration

gro555 wrote:

I also tried to use two query files, but then I faced a new problem, because it worked for the Postfix configuration but not for Dovecot.

You can use this style in Dovecot too. For example:

#
# Original settings: one LDAP config file serves both the passdb and the userdb
#
userdb {
    args = /etc/dovecot/dovecot-ldap.conf
    driver = ldap
}

passdb {
    args = /etc/dovecot/dovecot-ldap.conf
    driver = ldap
}

Just add more userdb and passdb blocks for the other OU, like below:

# Dovecot tries passdb and userdb blocks in the order they appear. By default a
# lookup that fails in one block continues with the next (result_failure =
# continue), so a user who is not found under ou=Employees is still looked up
# under ou=Parttime.

# For users under ou=Employees
# (this copy of the LDAP config sets base = ou=Employees,dc=example,dc=com)
userdb {
    args = /etc/dovecot/dovecot-ldap-employees.conf
    driver = ldap
}

passdb {
    args = /etc/dovecot/dovecot-ldap-employees.conf
    driver = ldap
}

# For users under ou=Parttime
# (this copy of the LDAP config sets base = ou=Parttime,dc=example,dc=com)
userdb {
    args = /etc/dovecot/dovecot-ldap-parttime.conf
    driver = ldap
}

passdb {
    args = /etc/dovecot/dovecot-ldap-parttime.conf
    driver = ldap
}

7

Re: Search base between 2 OU in iRedmail with AD integration

To unlock moving/deleting an OU, you have to (sorry if it's not the same as yours, my Windows is in French...):
- Display
- Advanced functionalities
- Right-click on your OU
- Object
- Uncheck the tickbox "Protect the object against deletes (?)"
Then you can move/delete your OU as you want.

Don't forget to check the box again after you've done your job, that's what it's there for :)

I don't understand what you did when you renamed your OUs...

8

Re: Search base between 2 OU in iRedmail with AD integration

nicolasfo wrote:

I don't understand what you did when you renamed your OUs...

I'm sure I already unchecked the box (protect object from accidental deletion). But somehow it wouldn't allow me to move the OU into the new OU until I renamed the new OU to the same name as the root.

Anyway, it has been several days and everything works fine, so I'm going to leave it as it is.
Not going to make any other changes.
You guys are awesome!!

I'm stumbling on another problem though.
The new iRedMail server is using the same mail domain as the old server (running on a Solaris system).
I asked my boss if it's okay to change the MX so it will point to the new iRedMail server, and he said no.
He would like to try it first before using iRedMail completely.

So I'm wondering if it is possible to make the MX point to the new iRedMail server, so that it receives the email for recipients who have logged on to iRedMail at least once (meaning their directory has already been created in /var/vmail/vmail1), and if it's not there, it passes the emails on to the old email server.

Zhang, should I open up new topic for this?

thanks in advance!

9

Re: Search base between 2 OU in iRedmail with AD integration

gro555 wrote:

So I'm wondering if it is possible to make the MX point to the new iRedMail server, so that it receives the email for recipients who have logged on to iRedMail at least once (meaning their directory has already been created in /var/vmail/vmail1), and if it's not there, it passes the emails on to the old email server.

You can set a per-domain relay on the NEW iRedMail server, so that it relays all RECEIVED emails to the old server. For example:

smtp:[IP_OF_OLD_SERVER]:25

gro555 wrote:

Zhang, should I open up new topic for this?

Sure, if it's not related to your question/issue in first post.
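
The per-domain relay above sends the whole domain to the old server. The question actually asked for a split: keep mail for people who have already logged in once, relay the rest. Postfix transport_maps can express that because a recipient is looked up by full address before the bare domain, so per-user lines override a domain catch-all. The script below is an added example, not iRedMail code and not something posted in this thread. It scans the mail store for existing Maildirs and emits a transport map with one line per existing mailbox plus the domain relay from the answer. Two things are assumptions the thread does not state: the mailbox layout <vmail_root>/<domain>/<localpart>/Maildir (the per-user layout that appears later in the thread) and a local delivery transport named "dovecot". The directory tree built by demo_tree() is constructed test data.

```python
"""Generate a Postfix transport_maps source file for a split migration: mail for
users who already have a Maildir on the new server is delivered locally, mail for
everyone else in the domain is relayed to the old server.

Added example, not iRedMail code and not from the forum thread. Assumptions the
page does not state: mailboxes live at <vmail_root>/<domain>/<localpart>/Maildir
and the local delivery transport is called "dovecot". demo_tree() builds a
constructed directory tree in a temporary directory.
"""
from __future__ import annotations

import os
import re
import tempfile

# Only directory names that are safe as a lookup-table key become map entries;
# anything else is skipped rather than written into the Postfix table.
_LOCALPART_OK = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def existing_mailboxes(vmail_root: str, domain: str) -> list[str]:
    """Local parts under <vmail_root>/<domain>/ that already have a Maildir."""
    domain_dir = os.path.join(vmail_root, domain.lower())
    if not os.path.isdir(domain_dir):
        return []
    users: list[str] = []
    for name in sorted(os.listdir(domain_dir)):
        has_maildir = os.path.isdir(os.path.join(domain_dir, name, "Maildir"))
        if _LOCALPART_OK.match(name) and has_maildir:
            users.append(name.lower())
    return users


def transport_map_lines(vmail_root: str, domain: str, old_server_ip: str,
                        local_transport: str = "dovecot",
                        port: int = 25) -> list[str]:
    """One 'user@domain transport' line per existing mailbox, then the domain
    catch-all. Postfix looks up the full address before the bare domain, so the
    per-user lines win and everyone else is relayed. The [ip] form suppresses
    the MX lookup, as in the per-domain relay given in the answer above."""
    lines = [f"{user}@{domain} {local_transport}"
             for user in existing_mailboxes(vmail_root, domain)]
    lines.append(f"{domain} smtp:[{old_server_ip}]:{port}")
    return lines


def write_transport_map(path: str, lines: list[str]) -> None:
    """Write the source file. Run `postmap <path>` afterwards and set
    transport_maps = hash:<path> in main.cf."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write("# generated: existing mailboxes stay local, the rest is relayed\n")
        fh.write("\n".join(lines) + "\n")


def demo_tree(domain: str = "example.com") -> str:
    """Constructed mail store: two users who logged in once, one who never did,
    and one directory whose name is not a safe map key."""
    root = tempfile.mkdtemp(prefix="vmail1-")
    for user in ("alice", "bob"):
        os.makedirs(os.path.join(root, domain, user, "Maildir"))
    os.makedirs(os.path.join(root, domain, "carol"))                  # no Maildir yet
    os.makedirs(os.path.join(root, domain, "bad name", "Maildir"))    # skipped
    return root


def main() -> None:
    root = demo_tree()
    lines = transport_map_lines(root, "example.com", "192.0.2.10")
    write_transport_map(os.path.join(root, "transport"), lines)
    print("\n".join(lines))


if __name__ == "__main__":
    main()
```

Regenerate the file and run postmap whenever a new Maildir appears (a cron job is enough). A Maildir only proves a first login, so a user who logged in once but still reads mail on the old server stops receiving new mail there; the old server must also accept relayed mail from the new host.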

10

Re: Search base between 2 OU in iRedmail with AD integration

Hello! Got the same problem. Found a solution:

1. Change dovecot.conf like this:

# Static userdb: the mailbox path is derived from the login name (%Ld = domain,
# %Ln = local part) and no directory lookup is made. allow_all_users=yes makes
# the userdb accept any name, so access is decided solely by the LDAP passdb.
userdb {
    args = home=/var/vmail/vmail1/%Ld/%Ln/Maildir/ mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/ allow_all_users=yes
    driver = static
}

passdb {
    args = /etc/dovecot/dovecot-ldap.conf
    driver = ldap
}

2. Change dovecot-ldap.conf like this:

hosts           = ad.example.com:389
ldap_version    = 3
# auth_bind: the password is checked by binding to AD as the user. With
# auth_bind_userdn set, Dovecot binds directly as %u (the full login name)
# and performs no LDAP search for the passdb, so pass_filter is not applied.
auth_bind       = yes
auth_bind_userdn= %u
dn              = vmail
dnpass          = passwd_of_vmail
base            = dc=example,dc=com
scope           = subtree
deref           = never
default_pass_scheme = CRYPT
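
A caveat on the configuration above: with auth_bind_userdn set, Dovecot binds as whatever login name is presented and runs no passdb search, and the static userdb accepts every name, so base = dc=example,dc=com does not restrict anything. Every account in the domain that can bind, service accounts under CN=Users included, can log in to mail, not only the two OUs this thread is about. If you restrict users to particular OUs (for instance by checking the DN that AD returns for the account), the check has to parse the DN rather than do a substring match. The script below is an added example, not iRedMail code and not from this thread: it parses distinguished names following the RFC 4514 string form and reports whether a DN falls under one of the permitted bases, handling case differences, whitespace, escaped commas and hex escapes. The sample DNs are constructed.

```python
"""Check whether an Active Directory DN lies under one of several permitted
search bases (ou=Employees and ou=Parttime in the thread).

Added example, not part of iRedMail or of the forum thread. Parsing follows
the RFC 4514 string form: RDNs are separated by unescaped commas, backslash
escapes (both "\\," and "\\2C" hex pairs) are resolved, and attribute types
and values compare case-insensitively, which is how AD matches CN/OU/DC.
Multi-valued RDNs ('+') and '#'-prefixed BER values are not handled.
All DNs below are constructed test data.
"""
from __future__ import annotations

import string

_HEX = set(string.hexdigits)


def _normalise(attr: list[str], value: list[str]) -> tuple[str, str]:
    # Unescaped leading/trailing whitespace is insignificant in an RFC 4514 DN;
    # case is folded because CN, OU and DC use case-insensitive matching in AD.
    return "".join(attr).strip().lower(), "".join(value).strip().lower()


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN string into normalised (type, value) pairs, leaf RDN first."""
    rdns: list[tuple[str, str]] = []
    attr: list[str] = []
    value: list[str] = []
    in_value = False
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\" and i + 1 < n:
            # Escaped character: a "\2C" hex pair or a "\," style single escape.
            if i + 2 < n and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                ch, i = chr(int(dn[i + 1:i + 3], 16)), i + 3
            else:
                ch, i = dn[i + 1], i + 2
            (value if in_value else attr).append(ch)
            continue
        if not in_value and c == "=":
            in_value = True                       # first unescaped '=' ends the type
        elif in_value and c == ",":
            rdns.append(_normalise(attr, value))  # unescaped ',' ends the RDN
            attr, value, in_value = [], [], False
        else:
            (value if in_value else attr).append(c)
        i += 1
    if attr or value:
        rdns.append(_normalise(attr, value))
    return rdns


def dn_under_base(dn: str, base: str) -> bool:
    """True if dn equals base or lies anywhere beneath it (LDAP subtree scope)."""
    d, b = parse_dn(dn), parse_dn(base)
    return bool(b) and len(d) >= len(b) and d[len(d) - len(b):] == b


def matching_base(dn: str, bases: tuple[str, ...]) -> str | None:
    """Return the first permitted base the DN falls under, or None to reject."""
    for base in bases:
        if dn_under_base(dn, base):
            return base
    return None


ALLOWED_BASES = ("ou=Employees,dc=example,dc=com",
                 "ou=Parttime,dc=example,dc=com")

# Constructed DNs in the shape AD returns them (upper-case types, no spaces).
SAMPLE_DNS = [
    "CN=Greg R O,OU=Employees,DC=example,DC=com",             # plain employee
    "CN=Jane Doe,OU=Interns,OU=Parttime,DC=example,DC=com",   # nested OU, still under Parttime
    "CN=Smith\\, John,OU=Employees,DC=example,DC=com",        # escaped comma inside the CN
    "CN=O\\27Neil,OU=Parttime,DC=example,DC=com",             # hex-escaped apostrophe
    "CN=svc-backup,CN=Users,DC=example,DC=com",               # default Users container: reject
    "CN=Mallory\\,OU=Employees,OU=Contractors,DC=example,DC=com",  # "OU=Employees" only inside the CN value;
                                                              # a substring check would accept this one
    "CN=Trudy,OU=Employees,DC=example,DC=org",                # same OU name, other domain
]


def main() -> None:
    for dn in SAMPLE_DNS:
        base = matching_base(dn, ALLOWED_BASES)
        verdict = "ALLOW" if base else "REJECT"
        print(f"{verdict:6} {dn}" + (f"  (under {base})" if base else ""))


if __name__ == "__main__":
    main()
```

The same comparison applies to the two-base-DN approach earlier in the thread: a DN that only contains the string "OU=Employees" inside a CN value is not under ou=Employees, and only a parsed, RDN-by-RDN suffix comparison tells the two apart.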