How to integrate E.F.A with Active Directory on 3.0.1.9

milauria
Posts: 4
Joined: 10 Jun 2015 14:26

How to integrate E.F.A with Active Directory on 3.0.1.9

Post by milauria »

Not sure if it's me but I cannot integrate Mailwatch user authentication with my ActiveDirectory under SBS2008 and EFA 3.0.1.9.

I am editing the MailScanner conf.php as follows:

define('USE_LDAP',true);
define('LDAP_SSL',false); // set to true if using LDAP with SSL encryption
define('LDAP_HOST','192.168.0.xxx'); // THIS IS MY 2008 SERVER WITH THE LOCAL DOMAIN AD 
define('LDAP_PORT','389');
define('LDAP_PROTOCOL_VERSION', 3);
define('LDAP_DN','DC=mydomain,DC=local'); // THIS IS THE TOP LEVEL AD THAT I CAN READ WHEN BROWSING THE AD STRUCTURE
define('LDAP_USER','username@mydomain.local'); // THIS IS A WORKING USER NAME WITH ITS PASSWORD
define('LDAP_PASS','password');
define('LDAP_SITE','default');
define('LDAP_FILTER','mail=%s'); // THE ATTRIBUTE "MAIL" IS REFERENCING THE USERNAME FIELD OF MAILWATCH LOGIN 
define('LDAP_EMAIL_FIELD', 'mail'); // THE ATTRIBUTE "MAIL" IS USED TO MATCH THE USERNAME OF MAILWATCH LOGIN
define('LDAP_USERNAME_FIELD', 'userPrincipalName'); // IN THE AD THE USERNAME IS FOUND WITH THIS ATTRIBUTE 
define('LDAP_MS_AD_COMPATIBILITY',false);

When I try to log in I receive a "bad user/password" error message.
I have tried to play with the following variations with no success:

define('LDAP_FILTER','mail=SMTP:%s');
define('LDAP_EMAIL_FIELD', 'proxyaddresses');
define('LDAP_USERNAME_FIELD', 'sAMAccountName');

Any hints to troubleshoot and make this work?
Many thanks for any help you can provide.
geraldbrandt
Posts: 1
Joined: 13 Dec 2016 20:20

Re: How to integrate E.F.A with Active Directory on 3.0.1.9

Post by geraldbrandt »

I have lost my AD connectivity after upgrading to 3.0.1.9, so I need help as well.

Gerald
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How to integrate E.F.A with Active Directory on 3.0.1.9

Post by shawniverson »

While trying to log in, can you see anything appearing in /var/log/httpd error logs?
gbr
Posts: 5
Joined: 09 Nov 2016 20:01

Re: How to integrate E.F.A with Active Directory on 3.0.1.9

Post by gbr »

Nothing in error.log.
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How to integrate E.F.A with Active Directory on 3.0.1.9

Post by shawniverson »

define('LDAP_MS_AD_COMPATIBILITY',false);
^ This needs to be true if you are using AD and you are targeting the base DN.
milauria
Posts: 4
Joined: 10 Jun 2015 14:26

Re: How to integrate E.F.A with Active Directory on 3.0.1.9

Post by milauria »

I think I need some explanations on the fields used by mailscanner to authenticate over AD as I get bad username or password every time.
I have done several AD integrations with other software but this seems particularly hostile to me!
  • LDAP_DN : here I copied exactly the OU and DC names chain to navigate to the AD folder where my users are defined. I used a sw called ADExplorer to find the exact address like 'OU=blabla, OU=blabla, DC=domain, DC=local'.
  • LDAP_USER and LDAP_PASS : I set as the service username and password to authenticate to the AD. The username format is 'username@mydomain.local' to make it work
  • LDAP_SITE : did not touch default value = 'default'
  • LDAP_FILTER : I left 'mail=%s'. I take that %s is the mailscanner username. In Mailscanner user settings I have put an email address (identical) under both fields 'username' and 'quarantine email'. I take that the system should go into and filter for mail = MailScanner username
  • LDAP_EMAIL_FIELD : I left 'mail' as I see a field called 'mail' in my AD that matches the Mailscanner quarantine email for the user
  • LDAP_USERNAME_FIELD : seems to be the field in AD that contains the username to authenticate in AD, for me it should be either sAMAccountName or userPrincipalName (depending on the format needed, I tried both)
  • LDAP_MS_AD_COMPATIBILITY : I left as 'false' (but I tried also true with no success)
Anything that I am missing in the settings above? I have tried and tried but can't authenticate :-(
I will be grateful to whoever can give some direction...
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How to integrate E.F.A with Active Directory on 3.0.1.9

Post by shawniverson »

Here's my working sample using Active Directory

define('USE_LDAP', true);
define('LDAP_HOST', 'examplehost.example.org');
define('LDAP_SSL', true);
define('LDAP_PORT', '389');
define('LDAP_PROTOCOL_VERSION', 3);
define('LDAP_DN', 'DC=example,DC=org');
define('LDAP_USER', 'xxxxxxxx@example.org');
define('LDAP_PASS', 'xxxxxxxxx');
define('LDAP_SITE', 'default-first-site-name');
define('LDAP_FILTER', 'mail=%s');
define('LDAP_EMAIL_FIELD', 'mail');
define('LDAP_USERNAME_FIELD', 'cn');
define('LDAP_MS_AD_COMPATIBILITY', true);
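
A way to find which stage of the login fails, as an added example that is not part of the original posts and is not MailWatch's own code: it walks the conventional service bind, filtered search and user re-bind sequence using the settings named in this thread. Assumptions: PHP 7 or later with the ldap extension, placeholder host and account values, the function name `check_ldap_login`, passwords supplied through the hypothetical `LDAP_PASS` and `USER_PASS` environment variables, and that the AD compatibility setting corresponds to turning off referral chasing.

```php
<?php
// Added diagnostic sketch, not MailWatch code. Usage: php ldap_check.php user@example.org
// Placeholder values; each key mirrors a constant discussed in the thread.
$cfg = [
    'uri'       => 'ldap://examplehost.example.org:389', // LDAP_HOST / LDAP_PORT
    'base_dn'   => 'DC=example,DC=org',                  // LDAP_DN
    'bind_user' => 'svc-account@example.org',            // LDAP_USER (placeholder)
    'bind_pass' => getenv('LDAP_PASS') ?: '',            // LDAP_PASS, read from the environment
    'filter'    => 'mail=%s',                            // LDAP_FILTER, without outer parentheses
    'user_attr' => 'userPrincipalName',                  // LDAP_USERNAME_FIELD
    'ad_compat' => true,                                 // LDAP_MS_AD_COMPATIBILITY (assumed meaning)
];

function check_ldap_login(array $cfg, string $login, string $password): string
{
    // A simple bind with an empty password is an unauthenticated bind and may "succeed".
    if ($password === '') return 'refused: empty password';
    $ds = ldap_connect($cfg['uri']);
    if ($ds === false) return 'connect: invalid URI';
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);
    if ($cfg['ad_compat']) {
        // Do not chase the referrals AD returns for a search rooted at the domain DN.
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    }
    if (!@ldap_bind($ds, $cfg['bind_user'], $cfg['bind_pass'])) {
        return 'service bind failed: ' . ldap_error($ds);
    }
    // Escape the login so it cannot alter the search filter.
    $filter = '(' . sprintf($cfg['filter'], ldap_escape($login, '', LDAP_ESCAPE_FILTER)) . ')';
    $sr = @ldap_search($ds, $cfg['base_dn'], $filter, [$cfg['user_attr']]);
    if ($sr === false) return "search failed for $filter: " . ldap_error($ds);
    $entries = ldap_get_entries($ds, $sr);
    if ($entries['count'] !== 1) return "search $filter matched {$entries['count']} entries";
    // ldap_get_entries() lower-cases attribute names in its result array.
    $attr = strtolower($cfg['user_attr']);
    if (empty($entries[0][$attr][0])) return "entry has no {$cfg['user_attr']} value";
    $bindAs = $entries[0][$attr][0];
    if (!@ldap_bind($ds, $bindAs, $password)) {
        return "user bind as $bindAs failed: " . ldap_error($ds);
    }
    return "ok: $login authenticated as $bindAs";
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo check_ldap_login($cfg, $argv[1], getenv('USER_PASS') ?: ''), PHP_EOL;
}
```

The returned string names the first step that failed, which separates a wrong service account, a filter that matches nothing under the chosen base DN, and a rejected user password.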
milauria
Posts: 4
Joined: 10 Jun 2015 14:26

Re: How to integrate E.F.A with Active Directory on 3.0.1.9

Post by milauria »

The field 'default-first-site-name' ... should it be left as is ... or should I replace it with the AD root name?
Zwabber
Posts: 69
Joined: 14 Feb 2016 21:26

Re: How to integrate E.F.A with Active Directory on 3.0.1.9

Post by Zwabber »

Just left it as it is