1

Topic: iRedMail and Active Directory Integration Multiple OU

==== Required information ====
- iRedMail version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Linux/BSD distribution name and version:
- Related log if you're reporting an issue:
====
iRedMail 0.8.7 using LDAP backend on CentOS 6.5 (Final)

I've integrated iRedMail with Microsoft Active Directory running on Windows 2008 R2. Everything works well, but we have a lot of different sites and a lot of user accounts. When integrating with AD as per the online tutorial, one cannot perform a directory-wide search.

How do I need to tweak Dovecot and Postfix to enable a domain-wide lookup for user accounts existing in multiple sub-OUs (Organizational Units)?


2

Re: iRedMail and Active Directory Integration Multiple OU

Show us the LDAP tree/structure please.

3

Re: iRedMail and Active Directory Integration Multiple OU

Hi,

So our structure would look like this:

example.com
|
|-SITE 1
|    |
|    |
|    |- Container 1(users)
|
|-SITE 2
|    |
|    |-Container 1(Users)
|            |
|            |- Container 2(More Users)
|
|- Users(Built-In Users Container)

So basically our base search will be example.com, with the user account used to query Active Directory in the built-in container. In other words, if I try logging in with another account, let's say john@example.com, which exists in Site 2 Container 1, then it can't find the login.

4

Re: iRedMail and Active Directory Integration Multiple OU

I don't understand your situation.

If you search top container 'example.com' with scope 'subtree', it should be able to find all users, including SITE 1 and SITE 2.
I'm afraid you have to show us the output of the command "postconf -n" and all LDAP/AD query files (remove passwords and replace sensitive info before pasting).

5

Re: iRedMail and Active Directory Integration Multiple OU

Dovecot LDAP conf

########################################################

hosts           = SomeADServer.example.com:389
ldap_version    = 3
auth_bind       = yes
dn              = username
dnpass          = password
base            = cn=Users,dc=example,dc=com
# Tried with base = dc=example,dc=com only as well, to try and search the entire domain structure
scope           = subtree
deref           = never
user_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs      = userPassword=password
default_pass_scheme = CRYPT
user_attrs      = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir

AD_Sender_login file

server_host     = SomeADServer.example.com
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = username
bind_pw         = password
search_base     = dc=example,dc=com
scope           = sub
query_filter    = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute= userPrincipalName
debuglevel      = 0

AD_Virtual_Group_maps

server_host     = SomeADServer.example.com
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = username
bind_pw         = password
search_base     = dc=example,dc=com
scope           = sub
query_filter    = (&(objectClass=group)(mail=%s))
special_result_attribute = member
leaf_result_attribute = mail
result_attribute= userPrincipalName
debuglevel      = 0

AD_Virtual_Mailbox_maps

server_host     = SomeADServer.example.com
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = username
bind_pw         = password
search_base     = dc=example,dc=com
scope           = sub
query_filter    = (&(objectclass=person)(userPrincipalName=%s))
result_attribute= userPrincipalName
result_format   = %d/%u/Maildir/
debuglevel      = 0

6

Re: iRedMail and Active Directory Integration Multiple OU

So in the above output we would have had to replace the cn=Users in the dovecot-ldap.conf file with another OU to find the users in that OU, i.e. if the user john@example.com exists in the built-in "Users" container and mike@example.com existed in SITE 1, then you would have to change the value of cn=Users to cn=SITE 1, as SITE 1 is not a subtree but rather a top-level OU. I would like to search domain-wide without having to put all users in a single OU.


|
|-SITE 1
|    |
|    |
|    |- Container 1(users)
|
|-SITE 2
|    |
|    |-Container 1(Users)
|            |
|            |- Container 2(More Users)
|
|- Users(Built-In Users Container)

7

Re: iRedMail and Active Directory Integration Multiple OU

If you don't want to search the top OU, then you have to enable multiple LDAP userdb/passdb in Dovecot, and multiple LDAP query files in Postfix too.

For example, you already have below setting in Postfix:

smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ad_sender_login_maps.cf

File ad_sender_login_maps.cf queries SITE 1.
Now add one more LDAP query file to query Users, like below:

smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ad_sender_login_maps.cf, proxy:ldap:/etc/postfix/ad_sender_login_cn_users.cf

You can copy ad_sender_login_maps.cf to ad_sender_login_cn_users.cf, then update ad_sender_login_cn_users.cf to query the Users OU.
Just like that.

By the way, I don't understand why not search the top LDAP OU. Or maybe place SITE 1/2 under the Users OU? Anyway, it's up to you, just curious.

8

Re: iRedMail and Active Directory Integration Multiple OU

Thanks for the explanation, this should be fine. However, I am a little bit confused by the multiple LDAP userdb/passdb in Dovecot, i.e. Dovecot will be:

  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf

and add the following to search in another site:

  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap_site1.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap_site1.conf

Also, then I have to double up on the files on the Postfix side, if I understand correctly, each reflecting the same changes as the Dovecot configuration?

The reason we don't have everything in a single OU is that we have multiple sites, and logically grouping them in different OUs makes for a better logical structure.

It would've been nice if it were possible to use a wildcard search; in other words, it would iterate through all of the OUs. The way I see it working would be:

1. Have another parameter for the Postfix and Dovecot search base, i.e. %AOU (All Organisational Units).
2. Because the above parameter is specified, the query agent will then query the AD to return the number and names of organizational units and store them in an array of some sort.
3. The query agent will establish multiple connections to the AD, each matching one of the identified OUs in the array.
4. The query agent will search each connection simultaneously for the user.

|
|- SITE 1 (Query Agent Connection 1 search user XYZ)
|   |- Engineering Department OU
|   |- Development Department OU
|
|- SITE 2 (Query Agent Connection 2 search user XYZ)
|   |- Marketing OU
|   |- Sales OU
|
|- Users (Built-In) AD Accounts

This would eliminate the need for stacking multiple files configured for each individual site and have one file for everything. You could then potentially just bind an authenticated user account, or a special account created in the built-in OU that has domain-wide privileges, for authentication.
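The disagreement in posts 4 to 8 comes down to what a search base, a scope and the posted filter actually select. The script below is an added example (not code from iRedMail, Dovecot or Postfix, and not posted by anyone in this thread) that models exactly those three things over a constructed directory shaped like the tree posted above. The user names (svc-iredmail, Mike, John, Alice), the function names (`in_scope`, `search`, `dovecot_lookup`, `multi_base_lookup`) and the userAccountControl values are assumptions made for the example; the filter string is the one from the posted dovecot-ldap.conf. It shows that with `base = dc=example,dc=com` and `scope = subtree` the posted user_filter reaches john@example.com two OUs deep under SITE 2, that `base = cn=Users,...` or `scope = onelevel` does not, that the `1.2.840.113556.1.4.803` (bit-AND) clause really does drop disabled accounts, and how the per-OU passdb/userdb stacking suggested in post 7 behaves (first base that answers wins).

```python
"""Model of the AD lookups in this thread: search base + scope + filter.
Added example, not iRedMail/Dovecot/Postfix code.  Implements only what the
posted filters need: scope (base/onelevel/subtree), case-insensitive equality
and the 1.2.840.113556.1.4.803 bit-AND match on userAccountControl."""
import re

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
UAC_ACCOUNTDISABLE = 2
PERSON = ["top", "person", "organizationalPerson", "user"]
# Dovecot user_filter / pass_filter exactly as posted; %u is the login name.
DOVECOT_USER_FILTER = ("(&(userPrincipalName=%u)(objectClass=person)"
                       "(!(userAccountControl:" + BIT_AND + ":=2)))")
# Constructed user objects (hypothetical names) placed as in the posted tree.
# OU/container objects are omitted: objectClass=person would exclude them anyway.
AD_ENTRIES = [
    {"dn": "cn=svc-iredmail,cn=Users,dc=example,dc=com", "objectClass": PERSON,
     "userPrincipalName": ["svc-iredmail@example.com"], "userAccountControl": ["66048"]},
    {"dn": "cn=Mike,ou=Container 1,ou=SITE 1,dc=example,dc=com", "objectClass": PERSON,
     "userPrincipalName": ["mike@example.com"], "userAccountControl": ["512"]},
    {"dn": "cn=John,ou=Container 2,ou=Container 1,ou=SITE 2,dc=example,dc=com",
     "objectClass": PERSON, "userPrincipalName": ["john@example.com"], "userAccountControl": ["512"]},
    {"dn": "cn=Alice,ou=Container 1,ou=SITE 2,dc=example,dc=com", "objectClass": PERSON,
     "userPrincipalName": ["alice@example.com"], "userAccountControl": ["514"]},  # 512|2 = disabled
]

def _rdns(dn):
    return [rdn.strip().lower() for rdn in dn.split(",")]  # naive: no escaped commas

def in_scope(entry_dn, base, scope):
    """True if entry_dn is reachable from base with the given search scope."""
    e, b = _rdns(entry_dn), _rdns(base)
    if len(e) < len(b) or e[-len(b):] != b:
        return False  # not under the base at all
    depth = len(e) - len(b)
    return {"base": depth == 0, "onelevel": depth == 1, "subtree": True}[scope]

def parse_filter(text):
    """Parse the RFC 4515 subset the thread uses: &, |, !, equality, OID match."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op, pos, kids = text[pos], pos + 1, []
            while text[pos] != ")":
                kids.append(node())
            pos += 1
            return (op, kids)
        if text[pos] == "!":
            pos += 1
            kid = node()
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return ("!", [kid])
        end = text.index(")", pos)
        m = re.fullmatch(r"([^:=]+)(?::([\d.]+):)?=(.*)", text[pos:end])
        if not m:
            raise ValueError("unsupported filter item: " + text[pos:end])
        pos = end + 1
        return ("item", m.group(1), m.group(2), m.group(3))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree

def matches(entry, node):
    kind = node[0]
    if kind == "&":
        return all(matches(entry, k) for k in node[1])
    if kind == "|":
        return any(matches(entry, k) for k in node[1])
    if kind == "!":
        return not matches(entry, node[1][0])
    _, attr, rule, asserted = node
    # Attribute names are case-insensitive; an absent attribute makes the item FALSE.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if rule == BIT_AND:  # TRUE when every bit of the asserted value is set
        return any((int(v) & int(asserted)) == int(asserted) for v in values)
    if rule is not None:
        raise ValueError("matching rule not modelled: " + rule)
    return any(v.lower() == asserted.lower() for v in values)

def search(entries, base, scope, filter_text):
    """DNs of entries under base (per scope) that match the filter, in stored order."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in entries if in_scope(e["dn"], base, scope) and matches(e, tree)]

def dovecot_lookup(login, base, scope="subtree", entries=AD_ENTRIES):
    """What the posted Dovecot user_filter finds for one login under one base."""
    return search(entries, base, scope, DOVECOT_USER_FILTER.replace("%u", login))

def multi_base_lookup(login, bases, entries=AD_ENTRIES):
    """Post 7's workaround: one passdb/userdb per base; the first base with a hit wins."""
    for base in bases:
        found = dovecot_lookup(login, base, "subtree", entries)
        if found:
            return found
    return []
```

Run `dovecot_lookup("john@example.com", "dc=example,dc=com")` and John's DN comes back; with `cn=Users,dc=example,dc=com` as the base, or with `scope="onelevel"`, the result is empty, which is the symptom described in post 6. `multi_base_lookup` only ever finds a user whose OU is in the list, so every new site means another passdb/userdb pair and another Postfix map file. Two things the model leaves out matter on a real domain controller: a subtree search from the domain root on port 389 also returns continuation references for the DNS application partitions, which a client has to either chase or ignore, whereas the global catalog port (3268) answers the same domain-wide query without them for attributes in the partial attribute set (userPrincipalName and mail are in it); and the posted files use `start_tls = no` on port 389, so the bind_dn password crosses the wire in clear, which is worth fixing with `start_tls = yes` or an ldaps:// URL before this goes into production.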

9

Re: iRedMail and Active Directory Integration Multiple OU

Reference:
http://wiki2.dovecot.org/Authentication … eDatabases