
Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Posted: 23 Mar 2017 23:51
by shawniverson
Hang tight, 3.0.1.9 is around the corner and will have substantial changes to MailWatch that could affect your script (hopefully in a good way). :D

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Posted: 21 Apr 2017 14:38
by stusmith
If anyone is interested, here is the script I've been using to sync to AD. It's far from perfect... but it is serviceable for now...


#!/usr/bin/python3
#	Stuart.Smith@FosterFuels.com
#	v1.1	03/17/2017
#
#	TODO:
#		add publicDelegates property to user query, parse, and add results to filters
#	TODO:	
#		check for duplicate GUID before inserting into users; if the guid is found, rename and update
#		attributes rather than inserting the user. Don't forget to add the "old" user address
#		as a filter once the user attributes have been updated
#	TODO:
#		delete users in mailscanner no longer in Active Directory
#
#	HISTORY:
#		v1.1 
#			added publicDelegates to search and filters
#			moved configuration to variables
#			began using 'is list' tests rather than len(value[0])
#	
# --- configuration -----------------------------------------------------------
# Use an ldaps:// URI (or a plain ldap:// one and let the script StartTLS) so the
# bind password is not sent in clear; the port can be given in the URI.
ldap_URI = 'ldap://'
# Bind DN of a read-only account; it needs no rights beyond reading the user
# and group attributes queried below.
ldap_user = 'cn=,cn=Users,dc=,dc='
# NOTE(review): both secrets below live in this file in clear text - keep the
# script readable by root only, or load them from a root-owned config file /
# environment variable instead of editing them in here.
ldap_secret = ''
ldap_base_DN = 'DC=,DC='
# Container (prepended to ldap_base_DN) and filter for the user search.
ldap_user_DN = 'CN=Users'
ldap_user_filter = '(&(objectClass=user)(objectCategory=person)(proxyAddresses=*))'
# Container and filter for the group search; (&(objectClass=group)(mail=*))
# limits it to mail-enabled (distribution) groups instead of every group.
ldap_group_DN = 'CN=Users'
ldap_group_filter = '(objectClass=group)'
# MailWatch database the users / user_filters rows are written to.
mysql_host = "localhost"
mysql_user = ""
mysql_secret = ""
mysql_db = "mailscanner"

import ldap3
from ldap3 import Server, Connection, Tls
import ssl
import pymysql

class ADData(object):
    """Everything pulled from the directory, indexed three ways.

    groups: displayName -> ADGroup
    users:  DN -> ADUser
    gUIDs:  objectGUID -> ADUser or ADGroup
    """

    def __init__(self):
        # Three independent dicts (not one shared literal).
        self.groups, self.users, self.gUIDs = {}, {}, {}

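class ADUser(object):
    """One mail-enabled AD user, as needed for the MailWatch users/user_filters rows."""

    def __init__(self):
        self.displayName = ''
        self.DN = ''                # distinguishedName; key into ADData.users
        self.sAMAccountName = ''    # set by the user search but was never initialised here
        self.sMTPAddress = ''       # primary address ('mail'); becomes the MailWatch username
        self.objectGUID = ''
        self.filters = []           # extra addresses written to user_filters for this user
        self.delegates = []         # DNs from publicDelegates, resolved once all users are loaded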

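class ADGroup(object):
    """One AD group; a mail-enabled group adds its address to each member's filters."""

    def __init__(self):
        self.displayName = ''       # key into ADData.groups
        self.DN = ''
        self.members = {}           # member DN -> ADUser (only users already loaded)
        self.objectGUID = ''
        # The group search reads and writes 'sMTPAddress'; the lower-case
        # 'sMTPaddress' is kept only so any existing reference keeps working.
        self.sMTPAddress = ''
        self.sMTPaddress = ''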


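# Collects everything pulled from the directory.
aDdata = ADData()


# TLS: verify the server certificate and let the client negotiate the newest
# protocol both sides support.  The original used CERT_NONE + PROTOCOL_TLSv1,
# which accepts any certificate (anyone on the path can impersonate the DC and
# collect the bind password) and pins the session to TLS 1.0.
# Point ldap_ca_certs_file at the CA bundle that issued the DC certificate when
# it is not in the system trust store (None = system default).
ldap_ca_certs_file = None
_TLS_VERSION = getattr(ssl, 'PROTOCOL_TLS', ssl.PROTOCOL_SSLv23)   # PROTOCOL_TLS is 3.6+
tls_configuration = Tls(validate=ssl.CERT_REQUIRED,
                        version=_TLS_VERSION,
                        ca_certs_file=ldap_ca_certs_file)
# use_ssl=True means LDAPS (an 'ldaps://' URI would do the same).  For a plain
# 'ldap://' server set use_ssl=False and the session is upgraded with StartTLS.
server = Server(ldap_URI,
                get_info='ALL', use_ssl=True, tls=tls_configuration)

conn = Connection(server, user=ldap_user, password=ldap_secret)
conn.open()

# On a plain connection upgrade with StartTLS *before* binding, and refuse to
# go on if the upgrade fails: a silently failed StartTLS would send the bind
# password in clear.  StartTLS does not apply to an LDAPS socket.
if not server.ssl and not conn.start_tls():
    raise SystemExit('StartTLS failed: {0}'.format(conn.result))

if not conn.bind():
    raise SystemExit('LDAP bind failed: {0}'.format(conn.result))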

#print(conn)

#print(server.info)


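# search for users first
conn.search(
            ldap_user_DN + ',' + ldap_base_DN,
            ldap_user_filter,
            attributes=['cn', 'displayName', 'sAMAccountName', 'proxyAddresses', 'mail', 'objectGUID', 'publicDelegates'])


def _attr_values(value):
    """Normalise an ldap3 attribute value to a list.

    ldap3 hands back None for an absent attribute, a bare scalar for a
    single-valued one and a list for a multi-valued one.  The original told
    the last two apart with ``len(value[0]) == 1``, which is wrong for a list
    whose first element is a one-character string (and trivially true for any
    non-empty string).
    """
    if value is None:
        return []
    if isinstance(value, list):
        return value
    return [value]


def _smtp_aliases(primary, proxy_addresses):
    """Return the secondary SMTP addresses found in ``proxy_addresses``.

    Only 'smtp:'/'SMTP:' entries count (X400/X500 and the rest are dropped);
    the prefix is stripped and the primary address itself is left out, both
    compared case-insensitively.  Order and spelling are kept as stored.
    """
    aliases = []
    primary_upper = (primary or '').upper()
    for proxy in _attr_values(proxy_addresses):
        proxy = str(proxy)
        if not proxy.upper().startswith('SMTP:'):
            continue
        address = proxy[proxy.index(':') + 1:]
        if address.upper() != primary_upper:    # never add a filter for self
            aliases.append(address)
    return aliases


for entry in conn.entries:
    mail = entry['mail'].value
    if mail is None:
        # ldap_user_filter only requires proxyAddresses; a user without a
        # primary 'mail' would otherwise be stored as username 'None'.
        print("skipping {0}: no mail attribute".format(entry.entry_dn))
        continue

    user = ADUser()
    # The DN as returned by the server (ldap3 2.x; 1.x spelled it
    # entry_get_dn()).  The hand-built DN used before lacked the ',' in front
    # of the container ('CN=nameCN=Users,...'), so group 'member' values and
    # publicDelegates DNs never matched a key of aDdata.users.
    user.DN = entry.entry_dn
    user.displayName = str(entry['displayName'].value)
    user.sAMAccountName = str(entry['sAMAccountName'].value)
    user.objectGUID = str(entry['objectGUID'].value)
    user.sMTPAddress = str(mail)
    user.filters = _smtp_aliases(user.sMTPAddress, entry['proxyAddresses'].value)
    # DNs listed in publicDelegates; each of them later gets this user's
    # address as a filter, once every user is known.  (The original appended
    # str(attribute) instead of its .value in the single-valued case.)
    user.delegates = [str(dn) for dn in _attr_values(entry['publicDelegates'].value)]

    aDdata.users[user.DN] = user
    aDdata.gUIDs[user.objectGUID] = user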

##print(aDdata.users.keys())


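conn.search(
            ldap_group_DN + ',' + ldap_base_DN,
            ldap_group_filter,
            attributes=['displayName', 'mail', 'member', 'objectGUID'])

for entry in conn.entries:
    # Groups are keyed by displayName below; skip those without one, as before.
    if entry['displayName'].value is None:
        continue

    group = ADGroup()
    group.DN = entry.entry_dn
    group.displayName = str(entry['displayName'].value)
    # Only mail-enabled groups carry 'mail'.  With the default
    # ldap_group_filter every group is returned, and the original appended the
    # literal string 'None' as a filter to members of mail-less groups.
    group_mail = entry['mail'].value
    group.sMTPAddress = str(group_mail)
    group.objectGUID = str(entry['objectGUID'].value)   # was never assigned before

    # 'member' holds member DNs: None when empty, a bare string for exactly one
    # member, a list otherwise.  (The original single-member branch indexed an
    # undefined loop variable and called .value on a str.)
    members = entry['member'].value
    if members is None:
        members = []
    elif not isinstance(members, list):
        members = [members]

    for member_dn in members:
        member_dn = str(member_dn)
        member = aDdata.users.get(member_dn)
        if member is None:
            # nested group, contact, or a user outside ldap_user_DN
            continue
        group.members[member_dn] = member
        if group_mail is not None:
            member.filters.append(group.sMTPAddress)

    aDdata.groups[group.displayName] = group
    aDdata.gUIDs[group.objectGUID] = group

conn.unbind()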


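# Resolve publicDelegates to filters BEFORE anything is written.  The original
# did this inside the write loop, so a user whose rows had already been written
# never received the address of a later user who lists them as a delegate.
for user in aDdata.users.values():
    for delegate_dn in user.delegates:
        delegate = aDdata.users.get(delegate_dn)
        if delegate is None:
            print("No address found for delegate {0}".format(delegate_dn))
            continue
        delegate.filters.append(user.sMTPAddress)

db = pymysql.connect(host=mysql_host, user=mysql_user, password=mysql_secret, database=mysql_db)

try:
    with db.cursor() as cursor:
        for user in aDdata.users.values():
            print(user.displayName)
            print(user.objectGUID)
            print(user.filters)

            # One transaction per user: upsert the users row, then regenerate
            # its automatic (manual = 'N') filters; manually added ones stay.
            # Values are bound as query parameters: displayName and the
            # addresses come from the directory and may contain quotes, and
            # the original str.format() interpolation let anyone who can edit
            # those attributes inject SQL.
            db.begin()
            try:
                cursor.execute(
                    "INSERT INTO users (username, fullname, type, guid) "
                    "VALUES (%s, %s, 'U', %s) "
                    "ON DUPLICATE KEY UPDATE fullname = VALUES(fullname), guid = VALUES(guid)",
                    (user.sMTPAddress, user.displayName, user.objectGUID))
                cursor.execute(
                    "DELETE FROM user_filters WHERE username = %s AND manual = 'N'",
                    (user.sMTPAddress,))
                # Drop duplicates (same address via two groups), keeping order.
                seen = set()
                rows = []
                for mail_filter in user.filters:
                    if mail_filter not in seen:
                        seen.add(mail_filter)
                        rows.append((user.sMTPAddress, mail_filter))
                if rows:
                    cursor.executemany(
                        "INSERT INTO user_filters (username, filter, active, manual) "
                        "VALUES (%s, %s, 'Y', 'N')",
                        rows)
            except Exception:
                db.rollback()
                raise
            db.commit()
finally:
    db.close()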


Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Posted: 24 Apr 2017 22:43
by shawniverson

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Posted: 09 May 2017 03:23
by r31griffo
I'd like to give the script a go but I'm a bit of a noob when it comes to Python and Centos' package manager...
About the closest I came was copying the script to my VM and installing python 3.4, but when I ran it I received the following error:

ImportError: No module named 'ldap3'

I've rolled back the snapshot for now but would someone mind letting me know how to install the dependencies?

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Posted: 09 May 2017 03:39
by r31griffo
That'll teach me for not fully reading the thread...the prerequisites were on the first page but there was a missing step with installing them. It would seem that pip3.4 isn't included with the Python34 package...just to flesh it out a bit for those like me:


# Python 3.4 plus pip (the python34 package does not ship pip3.4, hence
# setuptools + easy_install first).
yum install python34
yum install python34-setuptools
easy_install-3.4 pip
# Review: both installs fetch unpinned packages from PyPI; pin the versions
# (ldap3==..., PyMySQL==...) so the install is repeatable and reviewable.
pip3.4 install ldap3
/usr/bin/pip3.4 install PyMySQL 


# Schema additions the sync script relies on: users.guid, and the
# user_filters.manual flag ('N' marks rows the script deletes and recreates).
mysql mailscanner -u root -p

ALTER TABLE users ADD COLUMN guid varchar(36);
ALTER TABLE user_filters ADD COLUMN manual enum('N','Y') default 'Y';
MySQL root password is defined in /etc/EFA-Config, it's the MYSQLROOTPWD variable

Additionally I commented out line 84 as I don't have LDAPS available:
#conn.start_tls()

...was there a better way to disable SSL?

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Posted: 09 May 2017 05:50
by r31griffo
Very nice script!

I'd like to request a couple of feature changes though (if possible), I'd have a go myself but I'm totally lost with Python.
I have a few distribution lists that would be nice to automatically import, I tried modifying the filter to include all members of a group but the script errored out (I'd imagine groups would have to be handled separately (ie if object is a group):


Traceback (most recent call last):
  File "/usr/bin/ldap-userimport-mailscanner-manit", line 99, in <module>
    attributes=['cn','displayName','sAMAccountName','proxyAddresses','mail','objectGUID','publicDelegates'])
  File "/usr/lib/python3.4/site-packages/ldap3/core/connection.py", line 763, in search
    self.server.schema if self.server else None)
  File "/usr/lib/python3.4/site-packages/ldap3/operation/search.py", line 363, in search_operation
    request['filter'] = compile_filter(parse_filter(search_filter, schema, auto_escape, auto_encode).elements[0])  # parse the searchFilter string and compile it starting from the root node
  File "/usr/lib/python3.4/site-packages/ldap3/operation/search.py", line 213, in parse_filter
    raise LDAPInvalidFilterError('invalid filter')
ldap3.core.exceptions.LDAPInvalidFilterError: invalid filter
The other thing that comes to mind would be a variable to toggle LDAP vs LDAPS and port.

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Posted: 12 May 2017 14:57
by stusmith
Yikes! Sorry for the delay in response! I've been pulling cable in a new office and lots of construction going on so I've been negligent in checking the forums.

I can do a configuration variable for ldap vs. ldaps pretty easily. I thought that I had distribution groups already supported in my filter... It should have automagically added group memberships to filters for each user... I'll update and add the variable you asked for.

Again, my apologies for not checking in more often!

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Posted: 12 May 2017 15:04
by stusmith
r31griffo wrote: 09 May 2017 05:50 Very nice script!

I'd like to request a couple of feature changes though (if possible), I'd have a go myself but I'm totally lost with Python.
I have a few distribution lists that would be nice to automatically import, I tried modifying the filter to include all members of a group but the script errored out (I'd imagine groups would have to be handled separately (ie if object is a group):


Traceback (most recent call last):
  File "/usr/bin/ldap-userimport-mailscanner-manit", line 99, in <module>
    attributes=['cn','displayName','sAMAccountName','proxyAddresses','mail','objectGUID','publicDelegates'])
  File "/usr/lib/python3.4/site-packages/ldap3/core/connection.py", line 763, in search
    self.server.schema if self.server else None)
  File "/usr/lib/python3.4/site-packages/ldap3/operation/search.py", line 363, in search_operation
    request['filter'] = compile_filter(parse_filter(search_filter, schema, auto_escape, auto_encode).elements[0])  # parse the searchFilter string and compile it starting from the root node
  File "/usr/lib/python3.4/site-packages/ldap3/operation/search.py", line 213, in parse_filter
    raise LDAPInvalidFilterError('invalid filter')
ldap3.core.exceptions.LDAPInvalidFilterError: invalid filter
The other thing that comes to mind would be a variable to toggle LDAP vs LDAPS and port.
Yikes! Sorry for the delay in response! I've been pulling cable in a new office and lots of construction going on so I've been negligent in checking the forums.

I can do a configuration variable for ldap vs. ldaps pretty easily. I thought that I had distribution groups already supported in my filter... It should have automagically added group memberships to filters for each user... I'll update and add the variable you asked for.

# Groups are handled at line 162 - 210. Basically, I have another query for groups (look at the variables at the top). They're handled separately and added while setting up the user_filters. The same thing is true for Exchange public delegates. Since I moved my distribution groups into a separate container in AD, I have a different base DN for the groups. You can change your group filter to something like:

(&(objectClass=group)(mail=*))

which should get all of your distribution groups from AD as opposed to just pulling all the groups.

Again, my apologies for not checking in more often!

... I think that if you use the URI format ldaps://server.myfqdn.com:636 or ldap://server.myfqdn:389 you can choose between LDAPS and plain LDAP. Start TLS should do nothing if TLS is not available. My idea was to just have the server URI handle the port and whether or not it used LDAP or LDAPS. I'll do some more tests to make sure, but I thought that conn.start_tls() just fails quietly if the server doesn't support it. (Caveat: if it does fail quietly, the rebind that follows sends the password over the plain connection, so the script should check the return value of start_tls() before binding.)

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Posted: 27 Jun 2017 11:07
by wilbourne
I have found this script on a blog and is work well with efa & AD

juste change the value for
$dc1="ip_AD"
$dc2="ip_AD"
$hqbase="dc=Contoso,dc=com";
$user="userad\@contoso.com";
$passwd="passwordad";

usr/local/bin/ADextract.pl


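#!/usr/bin/perl -T -w
#
# Pull every SMTP address (primary and secondary proxyAddresses) from Active
# Directory and write them as "user@example.com OK", the format Postfix uses
# with relay_recipient_maps.  Run "postmap" on the result afterwards.
# Be sure to double-check the path to perl above.
#
# Requires Net::LDAP: at a shell type "perl -MCPAN -e shell", then
# "install Net::LDAP".
#
# Review notes
#   * The bind password sits in this file in clear text: keep the script
#     readable by root only.  The account needs no privileges beyond reading
#     proxyAddresses.
#   * Net::LDAP->new($dc) opens a plain ldap:// session, so the bind goes over
#     the wire unencrypted.  If the DCs offer it, add scheme => 'ldaps' (with
#     verify => 'require' and cafile => ...) or call $ldap->start_tls before
#     binding.
#   * The map is built in memory and only swapped into place (temp file +
#     rename) after a successful, non-empty run, so a failed sync can never
#     leave Postfix with a truncated or empty recipient list.

use strict;
use warnings;

use Net::LDAP;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant ( "LDAP_CONTROL_PAGED" );

# Path/file for the output.
my $VALID = "/etc/postfix/ldap_recipients";

# FQDN or IP of your domain controllers; $dc2 is tried when $dc1 is down.
my $dc1 = "ip_ad or fqdn";
my $dc2 = "ip_ad or fqdn";

# LDAP container for your userbase, e.g. "cn=Users,dc=example,dc=com" or just
# "dc=example,dc=com".  ADSI Edit (Windows Support Tools) shows it: expand
# "Domain NC [dc1.example.com]" for the base (DC=example,DC=com) and check the
# "Path" property of the users folder for the full container, e.g.
# LDAP://dc1.example.com/CN=Users,DC=example,DC=com.
my $hqbase = "dc=contoso,dc=com";

# Credentials of an ordinary, non-expiring AD account.  Either the DN form
# ("cn=user,cn=Users,dc=example,dc=com", again visible as "Path" in ADSI Edit)
# or the UPN form ("user\@example.com") works.
my $user   = "userad\@contoso.com";
my $passwd = "password";

# Connect to the first domain controller that answers.
my $ldap = Net::LDAP->new($dc1)
        || Net::LDAP->new($dc2)
        || die "Error connecting to specified domain controllers $@ \n";

my $mesg = $ldap->bind( dn => $user, password => $passwd );
die "error: " . $mesg->error_text . "\n" if $mesg->code;

# Results per paged round; keep it under Active Directory's 1000 limit.
my $page = Net::LDAP::Control::Paged->new( size => 990 );

my @args = (
    base    => $hqbase,
    # Play around with this to grab objects such as Contacts, Public Folders,
    # etc.  A minimal filter for just users with email would be:
    #   filter => "(&(sAMAccountName=*)(mail=*))"
    filter  => "(& (mailnickname=*) (| (&(objectCategory=person)
                (objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))
                (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)
                (msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))
                (objectCategory=group)(objectCategory=publicFolder) ))",
    control => [ $page ],
    attrs   => [ "proxyAddresses" ],
);

my %seen;         # lower-cased address -> 1, for de-duplication
my @addresses;    # addresses in the order first seen
my $cookie;
my $err;

while (1) {
    $mesg = $ldap->search( @args );

    # Only continue on LDAP_SUCCESS; remember why we stopped.
    if ( $mesg->code ) {
        $err = $mesg->error_text;
        last;
    }

    foreach my $entry ( $mesg->entries ) {
        # proxyAddresses is multi-valued; keep the "smtp:"/"SMTP:" entries
        # (case-insensitive), strip that prefix and ignore the rest (X400, ...).
        foreach my $mail ( $entry->get_value( "proxyAddresses" ) ) {
            next unless $mail =~ s/^smtp://i;
            my $addr = lc $mail;
            push @addresses, $addr unless $seen{$addr}++;
        }
    }

    # Get the cookie from the paged control; an empty cookie means last page.
    my ($resp) = $mesg->control( LDAP_CONTROL_PAGED ) or last;
    $cookie = $resp->cookie or last;
    $page->cookie($cookie);
}

if ($cookie) {
    # Abnormal exit mid-search: tell the server we do not want any more pages.
    $page->cookie($cookie);
    $page->size(0);
    $ldap->search( @args );
    $err = "paged search ended early" unless defined $err;
}

$ldap->unbind;

die "LDAP query unsuccessful: $err\n" if defined $err;
die "LDAP query returned no addresses; leaving $VALID untouched\n" unless @addresses;

# Write to a temporary file next to the target and rename it into place.
my $tmp = "$VALID.tmp";
open my $out, '>', $tmp or die "CANNOT OPEN $tmp $!";
print {$out} "$_ OK\n" for @addresses;

# Add additional restrictions, users, etc. to the output file below.
#print {$out} "user\@domain1.com OK\n";
#print {$out} "user\@domain2.com 550 User unknown.\n";
#print {$out} "domain3.com 550 User does not exist.\n";

close $out or die "CANNOT CLOSE $tmp $!";
rename $tmp, $VALID or die "CANNOT RENAME $tmp to $VALID $!";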

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Posted: 21 Aug 2017 20:24
by quinting
I'm trying to get E.F.A (postfix) to reject email addresses that don't exist on our Exchange server. So far it is not rejecting unknown addresses. Here is my config:

#/etc/postfix/ldap_relay_recipient_maps.cf
# Holds bind_pw in clear: keep this file readable by root (and the postfix
# user) only.  server_host is plain ldap here - add start_tls = yes together
# with tls_require_cert / tls_ca_cert_file, or an ldaps:// URL, if the DC
# offers it (see ldap_table(5)); otherwise the bind password crosses the
# network unencrypted.
server_host = xxx.xxx.xxx.xxx
search_base = DC=name,DC=local
bind = yes
bind_dn = snjlaw\proxyuser
bind_pw = TOTALLYSECRET
# %s is the address being looked up; both spellings of the prefix are tried.
query_filter = (|(proxyAddresses=smtp:%s) (proxyAddresses=SMTP:%s))
result_attribute = proxyAddresses
# NOTE(review): %S (upper case) appears to expand to the lookup key rather than
# the attribute value, which would explain why postmap -q below prints the
# queried address once per proxyAddresses value - confirm against ldap_table(5).
result_format = %S OK
version = 3


And then I call that file in /etc/postfix/main.cf
relay_recipient_maps = ldap:/etc/postfix/ldap_relay_recipient_maps.cf

If I run a test for a valid user: postmap -q 'enduser@domain.ca' ldap:/etc/postfix/ldap_relay_recipient_maps.cf
I get this: enduser@domain.ca OK,enduser@domain.ca OK,enduser@domain.ca OK,enduser@domain.ca OK

If I run the same test for an invalid user, I get a blank line returned, so that makes me think it is working.

When I enable it, and restart MailScanner, it still tries delivering invalid email addresses to our Exchange server....

Any ideas?

Thanks!

Quintin

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Posted: 06 Sep 2017 10:04
by wilbourne
Here is my solution.

You can use the script I provided above. It retrieves the list of mail addresses (including aliases) from AD and creates the ldap_recipients file in /etc/postfix.

Once the file is created, simply add the following lines:

in /etc/postfix/main.cf


relay_recipient_maps = hash:/etc/postfix/ldap_recipients
and enter the command in prompt :


postmap /etc/postfix/ldap_recipients

and

service postfix reload

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Posted: 11 Oct 2017 01:34
by maik
Has anyone figured out how to get LDAPS to work properly? By properly I mean copying in the CA cert so LDAP trusts the certificate. I've exported a base64 encoded .cer file from my CA, into /etc/openldap/certs, modified /etc/openldap/ldap.conf to point to the .cer file, and used ldapsearch successfully to establish an LDAPS session and query data. I'm so close to having this all working, but it seems like Apache/PHP don't know where to look for the CA certificate.

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Posted: 11 Oct 2017 06:08
by maik
Ah so it turns out LDAP_SSL doesn't really do anything. Nothing checks that parameter (I spent way more time on this than I care to admit). I modified functions.php:2887 (or thereabouts) to read:


// Upgrade the LDAP connection $ds (presumably the plain ldap_connect() handle)
// to TLS when the admin asked for it.  ldap_start_tls() returns false, and we
// stop here, when the server does not offer StartTLS or its certificate is not
// trusted by the OpenLDAP client config (/etc/openldap/ldap.conf) - fix the
// trust store in that case rather than disabling certificate checks.
if ((defined('LDAP_SSL') && LDAP_SSL === true)) {
    ldap_start_tls($ds) or die(ldap_print_error($ds));
}
With the CA cert in place and relevant modifications to /etc/openldap/ldap.conf everything appears to be flowing smoothly.

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Posted: 22 Jan 2018 12:15
by andreasmalta
Thanks a lot for the pointers above.
To get valid recipients from our Zimbra server I had to use these settings:
(I used "LDAP Admin" to get the info and test the LDAP settings)

#add to /etc/postfix/ldap_relay_recipient_maps.cf:
# bind_pw is stored in clear - keep the file readable by root/postfix only.
server_host = ZIMBRA.DOMAIN.COM
# NOTE(review): start_tls = yes encrypts the session but, going by
# ldap_table(5), does not verify the server certificate on its own; also set
# tls_require_cert = yes and tls_ca_cert_file, or any host answering as
# ZIMBRA.DOMAIN.COM can collect the bind password - confirm on your version.
start_tls = yes
bind_dn = uid=ldap.lookups,ou=people,dc=DOMAIN,dc=COM
bind_pw = password
query_filter = mail=%s
result_attribute = mail
version = 3

#add to /etc/postfix/main.cf:
relay_recipient_maps = ldap:/etc/postfix/ldap_relay_recipient_maps.cf

# test one lookup, then restart so the new main.cf is picked up
postmap -q TEST@DOMAIN.COM ldap:/etc/postfix/ldap_relay_recipient_maps.cf
service mailscanner restart

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Posted: 12 Feb 2018 09:41
by ofer5183
Hello,
I started trying E.F.A a couple of days ago and can't get it fully integrated with our AD.
The E.F.A version is 3.0.2.6 (latest).
The AD forest contains multiple domains.
After configuring LDAP as in the first post (for version 3.0.0.9), I can only log in with accounts from the root domain configured in 'LDAP_DN'.
Root-domain users can log in with their email and password, but users from the other domains (who authenticate with a UPN) get "bad username or password".
How can I troubleshoot this or make it work?
:think:

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Posted: 18 May 2019 03:04
by dallenk
Apologies for resurrecting an old thread, but I've been trying everything I can to get EFA to authenticate my users against a UCS (Univention Corporate Server) directory; all users are denied except for the Administrator login to the EFA system.

I have 5 other systems working flawlessly with the LDAP service of UCS but I can't get EFA working.

MailWatch for MailScanner v1.2.7-dev running on EFA-3.0.2.6
UCS 4.4-0 errata90


// LDAP settings for authentication
define('USE_LDAP', true);
// NOTE(review): as found earlier in this thread, the shipped functions.php did
// not act on LDAP_SSL at all; without that patch - and with the value false,
// as here - every bind, including the user passwords being verified at login,
// goes to LDAP_HOST in clear text.
define('LDAP_SSL', false); // Set to true if using LDAP with SSL encryption.
define('LDAP_HOST', '10.10.50.10');
define('LDAP_PORT', '7389');
define('LDAP_DN', 'dc=mydomain,dc=lan');
define('LDAP_USER', 'uid=rouser,cn=users,dc=mydomain,dc=lan'); // If no email set: cn=admin,dc=example,dc=com
// Bind password in clear text: keep this file readable by the web server user
// only (it is the same secret as bind_pw in the Postfix map file below).
define('LDAP_PASS', '10ngc0nvolut3dpa33w0rd');
define('LDAP_FILTER', 'mailPrimaryAddress=%s');
define('LDAP_PROTOCOL_VERSION', 3);
define('LDAP_EMAIL_FIELD', 'mailPrimaryAddress');

// Ldap field that is used to bind to the ldap server to check the credentials.
// The value of the LDAP_USERNAME_FIELD will be extended by LDAP_BIND_PREFIX and LDAP_BIND_SUFFIX to created the binding username.
define('LDAP_USERNAME_FIELD', 'mailPrimaryAddress');
// define('LDAP_BIND_PREFIX', 'cn=');
// define('LDAP_BIND_SUFFIX', ',' . LDAP_DN);
// Microsoft Active Directory compatibility support for searches from Domain Base DN
define('LDAP_MS_AD_COMPATIBILITY', true);



Inbound verification is working with :
main.cf: relay_recipient_maps = ldap:/etc/postfix/ldap_maps_domain.cf


/etc/postfix/ldap_maps_domain.cf
[root@efa log]# cat /etc/postfix/ldap_maps_domain.cf
domain = mydomain.com
# Plain ldap on 10.10.50.10:7389 (no start_tls / ldaps), so bind_pw is sent
# unencrypted - and it is the same secret as LDAP_PASS in the MailWatch config
# above, so both files need restricted permissions (this one root/postfix-readable).
server_host = 10.10.50.10:7389
search_base = DC=mydomain,DC=lan
bind = yes
bind_dn = uid=rouser,cn=users,dc=mydomain,dc=lan
bind_pw = 10ngc0nvolut3dpa33w0rd
# mail and mailPrimaryAddress are both tried for the recipient address
query_filter = (|(mail=%s)(mailPrimaryAddress=%s))
leaf_result_attribute = mail
version = 3
[root@efa log]#
Has anyone used UCS with EFA successfully?

Edit: if there is a logfile I should provide I'd be more than happy to, but I can't seem to find one.