
LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 15 Oct 2018 12:33
by Mail2GoCa
I've been playing around with this for a few hours now and finally got it working the way I wanted it.

In my Exchange environment, most users log in with their primary email address, such as user@domain.com.
It is also possible to log in with a user principal name (user@domain.local) or the older way (DOMAIN\user).
In most situations the primary email address and the user principal name are the same, but I can think of many instances where they are not. In fact, some accounts in my environment have a login name (user principal name) which is not their primary email address. For clarity, the primary email address is the default sending address.

Anyway, the following configuration in /var/www/html/MailScanner/conf.php will work in both instances.
If it doesn't work for you, post a reply here and I will try to assist you.
Have fun.

// LDAP settings for AD authentication & Address Validation on Exchange Server
define('USE_LDAP', true); // Set to true to enable LDAP
define('LDAP_SSL', false); // Set to true if using LDAP with SSL encryption. Requires certificates
define('LDAP_HOST', 'XXX.XXX.XXX.XXX'); // IP address of your domain controller
define('LDAP_PORT', '389'); // Standard LDAP port is 389
define('LDAP_DN', 'DC=domain,DC=local'); // Your AD domain DN
define('LDAP_USER', 'ldap-account@domain.com'); // If no email, set 'ldap-account@domain.local' or 'cn=ldap-account,dc=domain,dc=local'
define('LDAP_PASS', 'your_ldap_account_password_goes_here');
define('LDAP_SITE', 'First-Site-Name'); // Look this value up in the AD Sites and Services snap-in on your domain controller
define('LDAP_FILTER', 'proxyAddresses=smtp:%s'); // %s is replaced by the email address or user name; define() takes a single value, so only one filter string fits here
define('LDAP_PROTOCOL_VERSION', 3);
define('LDAP_EMAIL_FIELD', 'mail');
define('LDAP_USERNAME_FIELD', 'userprincipalname');
define('LDAP_MS_AD_COMPATIBILITY', true); // Must be set to true for MS AD compatibility
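
The login-name to search-filter step that the LDAP_FILTER setting above describes, as an added Python example (it is not MailWatch's code, which is not on this page). MailWatch substitutes the typed login for %s, and that value comes straight from the login form, so it is escaped here per RFC 4515 before it goes into the filter. The parenthesised wrapping and build_ad_filter go beyond the single-template config in the post: they cover the UPN and DOMAIN\user logins the post mentions, assuming AD's usual userPrincipalName and sAMAccountName attributes.

```python
"""
Added example (not MailWatch code): the login-name to search-filter step that
LDAP_FILTER in the conf.php above describes.
"""

LDAP_FILTER = "proxyAddresses=smtp:%s"   # the template from the conf.php above


def ldap_escape(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515).

    The login name is typed into the login form, so filter metacharacters in it
    must become \\XX sequences before it is substituted into the filter.
    """
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_filter(login: str, template: str = LDAP_FILTER) -> str:
    """Substitute the escaped login for %s and wrap the result in parentheses."""
    return "(" + template.replace("%s", ldap_escape(login)) + ")"


def classify_login(login: str):
    """Sort a login into the forms the post lists: user@domain.com and
    user@domain.local are addresses; DOMAIN\\user and a bare user are sAMAccountNames."""
    if "@" in login:
        return "address", login
    if "\\" in login:
        return "sam", login.split("\\", 1)[1]
    return "sam", login


def build_ad_filter(login: str) -> str:
    """One filter for all three login forms (this example's extension of the template)."""
    kind, value = classify_login(login)
    v = ldap_escape(value)
    if kind == "sam":
        return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))" % v
    return ("(&(objectCategory=person)(objectClass=user)"
            "(|(proxyAddresses=smtp:%s)(userPrincipalName=%s)(mail=%s)))") % (v, v, v)


if __name__ == "__main__":
    for login in ("user@domain.com", "user@domain.local", "DOMAIN\\user", "*)(objectClass=*"):
        print("%-20s %s" % (login, build_filter(login)))
        print("%-20s %s" % ("", build_ad_filter(login)))
```

The template form only finds accounts whose login appears in proxyAddresses; since AD compares that attribute case-insensitively, smtp: in the filter also matches the primary SMTP: entry. The last sample login shows why the escaping matters: without it the user-supplied text would close the filter and open a new clause.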

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 05 Dec 2018 14:29
by alexmateescu
hi

i am trying to enable LDAP logins and followed your instructions, however it does not work for me

can you help please?

alex

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 05 Dec 2018 14:37
by Mail2GoCa
Hi Alex,
Not all Exchange environments are the same. A lot depends on how your firewall is configured, whether the Exchange server is on the same subnet as the EFA box, whether or not the users log in with their Exchange alias or their email address, if the email address and the user principal name are the same, etc.

I'd love to help, but I will need more detail.

Without revealing sensitive info, can you give me an idea of how you have everything set up?

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 05 Dec 2018 15:28
by alexmateescu
Hi

So the Exchange server is in Outlook365.

The EFA server and the AD are in the same network and that is what I am trying to achieve. If I can make the user log in with his/her email address and AD password that is fine.

Now in AD I am not using proxyAddresses, so the script to import AD users does not help at all.

I have tried tweaking it but the users get created as part of the DN.

Email is listed in AD as "mail". userPrincipalName is in the format firstname.lastname@domain.local

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 05 Dec 2018 18:39
by Mail2GoCa
Hi Alex,

Provided your AD is responding to LDAP queries, you should be good to go.

To test ldap connectivity from the EFA box, you can formulate a simple query using ldapsearch. If it is not installed, you can download the package. The download package is called openldap-clients

yum install openldap-clients

Try a connection test. There is no need to submit a complex query to test the connection. Just make sure you can connect, authenticate and get back some results.

Try this... Substitute your actual values for my dummy ones.

ldapsearch -x -h 192.168.1.1 -D user@domain.local -W -b "cn=users,dc=domain,dc=local" -s sub "(cn=*)" cn mail sn

You will be prompted for your password:

Enter LDAP Password:

If you manage to connect, the query will return a list of all objects in the 'users' OU in Active Directory.

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 26 Jun 2019 13:08
by andyhud
Thanks @Mail2GoCa for this info, very helpful

Question: can "ldapsearch" specify multiple AD Domain Controllers for LDAP connectivity instead of just one? That way if one is offline, would ldapsearch try the next one in the list (maybe just separated by a comma)?

As I have DNS recursion enabled on my EFA I can't manually specify my AD Domain Controllers; otherwise I was going to try just my internal AD domain name, which would cause ldapsearch to search against any DC

e.g.: ldapsearch -x -h myADfqdn.local -D user@domain.local -W -b "cn=users,dc=domain,dc=local" -s sub "(cn=*)" cn mail sn

as I say, as my EFA DNS resolution is performed directly to the internet it can't resolve my AD FQDN to my DCs, so I have to specify one, like your example in the ldapsearch syntax.

maybe it would perform failover if it was something like:

e.g.: ldapsearch -x -h 192.168.1.1,192.168.1.2,192.168.1.3 -D user@domain.local -W -b "cn=users,dc=domain,dc=local" -s sub "(cn=*)" cn mail sn

?

Cheers

Andy

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 26 Jun 2019 13:27
by Mail2GoCa
Hi andyhud

I'm not sure if that can be done. I have never had a need to do that so I've never researched or tested it. However, there is a way to get around the DNS issue.

1. Set up a random 'A' record hostname in your public DNS records. Something like specialhost.domain.com (substitute domain.com with your actual public domain name) pointing to your primary DC/LDAP server private IP address.
2. Create additional 'A' record hostnames with the same name for each additional DC/LDAP server on your private network.
3. Specify that hostname in your ldapsearch test to make sure it resolves and works.

Example

specialhost.domain.com	A	192.168.1.1
specialhost.domain.com	A	192.168.1.2
specialhost.domain.com	A	192.168.1.3

Whilst anybody on the internet will be able to query that hostname, all they will get back is a series of private IP addresses which they can never access unless they are connected to your private LAN.
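
The connect-and-bind check from the ldapsearch post above, and the failover question, as an added Python example that is neither EFA/MailWatch code nor from this thread. It speaks just enough LDAPv3 (one BindRequest and one BindResponse, hand-encoded in BER) to ask each domain controller in a list whether it answers, and stops at the first that does. Two things it makes visible: a simple bind on port 389, which is what LDAP_SSL=false in the first post means, sends the bind password in clear text, so use ldaps or StartTLS outside a test; and a resultCode of 49 (invalidCredentials) still proves the DC is reachable, while only 0 proves the account. For the ldapsearch side of the question, OpenLDAP's -H option takes a whitespace- or comma-separated list of URIs and tries them in order. The host names, DN and password here are placeholders, and the probe function is a parameter so the selection logic can run without a DC.

```python
"""
Added example, not from the thread or from EFA/MailWatch: an LDAPv3 bind probe
in plain Python that asks each domain controller in a list whether it answers.
Host names, DN and password are placeholders.
"""
import getpass
import socket
import sys


def ber_len(n: int) -> bytes:
    """BER length octets: one byte below 128, otherwise 0x80|count then the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER; the extra octet keeps values with the top bit set positive."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def bind_request(message_id: int, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.

    Empty dn and password give an anonymous bind. A simple bind over plain LDAP
    carries the password in clear text on the wire.
    """
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode("utf-8")) + tlv(0x80, password.encode("utf-8"))
    return tlv(0x30, ber_int(message_id) + tlv(0x60, op))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the element at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def message_length(buf: bytes):
    """Bytes the outer LDAPMessage occupies, or None while its header is incomplete."""
    if len(buf) < 2:
        return None
    length, pos = buf[1], 2
    if length & 0x80:
        count = length & 0x7F
        if len(buf) < pos + count:
            return None
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return pos + length


def parse_bind_response(data: bytes):
    """(messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, body, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(op)            # resultCode ENUMERATED
    _, _matched, pos = read_tlv(op, pos)   # matchedDN
    _, diag, _ = read_tlv(op, pos)         # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def ldap_bind_probe(host, port=389, dn="", password="", timeout=3.0):
    """One bind to host:port; (resultCode, diagnostic) if it answered, None if not."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(bind_request(1, dn, password))
            buf = b""
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    return None
                buf += chunk
                need = message_length(buf)
                if need is not None and len(buf) >= need:
                    return parse_bind_response(buf[:need])[1:]
    except (OSError, ValueError, IndexError):
        return None


def first_responding_dc(hosts, dn="", password="", port=389, probe=ldap_bind_probe):
    """Try the DCs in order; (host, resultCode, diagnostic) for the first that answers.

    Any BindResponse, even 49 (invalidCredentials), shows the host is up and
    speaking LDAP; only resultCode 0 also confirms the bind account works.
    """
    for host in hosts:
        answer = probe(host, port, dn, password)
        if answer is not None:
            return (host,) + tuple(answer)
    return None


if __name__ == "__main__":
    dcs = sys.argv[1:] or ["192.168.1.1", "192.168.1.2", "192.168.1.3"]  # placeholders from the thread
    print(first_responding_dc(dcs, "user@domain.local", getpass.getpass("Enter LDAP Password: ")))
```

Run it on the EFA box with the DC addresses as arguments; a result of None means no host in the list accepted a TCP connection and returned a BindResponse within the timeout, which is the same failure the ldapsearch test above would show as a connect error.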

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 02 Jul 2019 11:10
by andyhud
Hi Mail2GoCa

Thanks for this info, yep, while not ideal that would indeed work... maybe I'll give it a go

Appreciate you sharing your thoughts

Andy

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 17 Jan 2020 15:58
by Richie1972
Hi,
I've installed eFa v4:
MailWatch Version: 1.2.14
Operating System Version: CentOS Linux 7 (Core)
Postfix Version: 3.3.0
MailScanner Version: 5.1.4
ClamAV Version: 0.101.5
SpamAssassin Version: 3.4.2
PHP Version: 7.2.26
MySQL Version: 10.1.41-MariaDB
GeoIP Database Version: No database downloaded

I've configured the settings as per the first post in this thread.
I've confirmed ldap works with the ldapsearch check in post 5.
However, I am unable to log in to the MailScanner with any AD account.
I'm not seeing any users from AD listed in User Management, except the ones I manually created.
Am I missing something or misunderstanding what this is doing?

AD is Windows Server 2016
Mail system is MS Exchange 2016

Thanks,
Richie

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 18 Jan 2020 15:17
by shawniverson
Richie1972 wrote: 17 Jan 2020 15:58
However, I am unable to log in to the MailScanner with any AD account.
I'm not seeing any users from AD listed in User Management, except the ones I manually created.
Am I missing something or misunderstanding what this is doing?

LDAP in MailWatch is for authentication only. It does not create the users for you. For that you need a script to pull in the users.

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 19 Jan 2020 12:28
by Zwabber
You can use this script for pulling in the users;
https://marcocarcano.wordpress.com/getadsmtp-pl-script/

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 20 Jan 2020 12:44
by Richie1972
Hi,
Thanks for confirming.
I now have AD authentication working

Richie

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 20 Jan 2020 13:35
by Richie1972
Hi zwabber,
I couldn't get your script to return anything; even with a basic filter I just got an empty file.
I should have started a new thread really, as I'm using v4 and not v3

Richie

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 20 Jan 2020 19:53
by Zwabber
I'm still running the old version and it works.
Some Googling did return that it could be related to CentOS 7.
View https://www.perlmonks.org/?node_id=1217432 for a possible solution.

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 21 Jan 2020 20:46
by Richie1972
Hi,
Had a look at that thread, made a few changes to match it, but no difference.
I'm not a Linux programmer, so not sure what to try next.
Are there any particular logs I can check for any ideas?

Thanks,
Richie

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 21 Jan 2020 21:42
by Richie1972
Hi,
My Perl skills are literally non-existent, but I'm trying to use checks like this:
print Dumper("here 1");
print Dumper(\@args);

So far I can get it to display "here 1":

# Excerpt from getadsmtp.pl with Dumper checks added; $ldap, $page, $hqbase and
# @valid are set up earlier in the script, which also loads the modules used here:
#   use strict; use Data::Dumper;
#   use Net::LDAP; use Net::LDAP::Control::Paged;
#   use Net::LDAP::Constant qw(LDAP_CONTROL_PAGED);

@args = ( base => $hqbase,
          # Play around with this to grab objects such as Contacts, Public Folders, etc.
          # A minimal filter for just users with email would be:
          #filter => "(&(sAMAccountName=*)(mail=*))",
          filter => "(& (mailnickname=*) (| (&(objectCategory=person)
                     (objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))
                     (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)
                     (msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))
                     (objectCategory=group)(objectCategory=publicFolder) ))",
          control => [ $page ],
          attrs => "proxyAddresses",   # as posted: a plain string, not an array ref
        );

#print Dumper("here 1");
#print Dumper(\@args);

my $cookie;
while(1) {
    # Perform search
    my $mesg = $ldap->search( @args );

    print Dumper("here 1");

    # Filtering results for proxyAddresses attributes
    foreach my $entry ( $mesg->entries ) {
        my $name = $entry->get_value( "cn" );

        print Dumper("here 2");
        #print Dumper(\$entry);
        #print Dumper(\$name);

        # LDAP Attributes are multi-valued, so we have to print each one.
        foreach my $mail ( $entry->get_value( "proxyAddresses" ) ) {
            # Test if the Line starts with one of the following lines:
            # proxyAddresses: [smtp|SMTP]:
            # and also discard this starting string, so that $mail is only the
            # address without any other characters...

            print Dumper($mail);

            if ( $mail =~ s/^(smtp|SMTP)://gs ) {
                push(@valid, $mail." OK\n");
            }
        }
    }

    # Only continue on LDAP_SUCCESS
    $mesg->code and last;

    # Get cookie from paged control
    my($resp) = $mesg->control( LDAP_CONTROL_PAGED ) or last;

    #$cookie = $resp->cookie or last;
    $cookie = $resp->cookie;
    last if (!defined($cookie) || !length($cookie));

    # Set cookie in paged control
    $page->cookie($cookie);
}



@args contains:

$VAR1 = [
          'base',
          'ou=Users,ou=USEROU,dc=domain,dc=com',
          'filter',
          '(& (mailnickname=*) (| (&(objectCategory=person)
(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))
(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)
(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))
(objectCategory=group)(objectCategory=publicFolder) ))',
          'control',
          [
            bless( {
                     'type' => '1.2.840.113556.1.4.319',
                     'asn' => {
                                'cookie' => '',
                                'size' => 990
                              },
                     'size' => 990
                   }, 'Net::LDAP::Control::Paged' )
          ],
          'attrs',
          'proxyAddresses'
        ];


I'm guessing that:

foreach my $entry ( $mesg->entries ) {

is not returning any values, but not sure how I can check

Any suggestions?

Richie

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 21 Jan 2020 21:47
by Richie1972
Ahh, more info.
This is the print dumper for $mesg before the for loop:

$VAR1 = bless( {
                 'resultCode' => 83,
                 'parent' => bless( {
                                      'net_ldap_version' => 3,
                                      'net_ldap_scheme' => 'ldap',
                                      'net_ldap_debug' => 0,
                                      'net_ldap_socket' => bless( \*Symbol::GEN0, 'IO::Socket::INET6' ),
                                      'net_ldap_host' => 'svrvmdc01.domain.com',
                                      'net_ldap_uri' => 'svrvmdc01.domain.com',
                                      'net_ldap_resp' => {},
                                      'net_ldap_mesg' => {},
                                      'net_ldap_async' => 0,
                                      'net_ldap_port' => 389,
                                      'net_ldap_refcnt' => 1
                                    }, 'Net::LDAP' ),
                 'callback' => undef,
                 'mesgid' => 2,
                 'pdu' => undef,
                 'errorMessage' => 'Can\'t use string ("proxyAddresses") as an ARRAY ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Convert/ASN1/_encode.pm line 269, <DATA> line 747.
',
                 'raw' => undef
               }, 'Net::LDAP::Search' );

Ok, so how would I fix this?

Thanks,
Richie

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 21 Jan 2020 22:05
by Richie1972
I did a fair bit more googling around the error and look to be getting a lot further after finding this:
http://vnlinuxworld.blogspot.com/2010/0 ... -maps.html

Which effectively says put [] around proxyAddresses:

filter => "(& (mailnickname=*) (| (&(objectCategory=person)
           (objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))
           (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)
           (msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))
           (objectCategory=group)(objectCategory=publicFolder) ))",
control => [ $page ],
attrs => ["proxyAddresses"],   # array ref, as Net::LDAP's attrs option expects

I now have a file populated with a list of email@address.com OK

Richie
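
The proxyAddresses handling of the script discussed above, as an added Python example (it is not getadsmtp.pl and not EFA code). It runs over constructed entries shaped like AD search results, so no domain controller is needed, and produces the "address OK" lines the script pushes into @valid. The relay_domains filter and the case folding go beyond the script: they drop addresses the gateway does not relay for (a contact's external address, say) and merge Jane.Doe@ with jane.doe@. The sample entries, the domain names and the relay_domains parameter are this example's own.

```python
"""
Added example (not the getadsmtp.pl script): the proxyAddresses -> Postfix
recipient map step of that script, over constructed directory entries.
"""
import re

# Constructed for the example: the shape of what AD returns for a mailbox,
# a group, a mail contact and an object without mail attributes.
SAMPLE_ENTRIES = [
    {"cn": "Jane Doe", "proxyAddresses": [
        "SMTP:jane.doe@domain.com", "smtp:jdoe@domain.com",
        "smtp:jane.doe@domain.local", "sip:jane.doe@domain.com",
        "X400:c=US;a= ;p=Domain;o=Exchange;s=Doe;g=Jane;"]},
    {"cn": "Sales", "proxyAddresses": ["SMTP:sales@domain.com", "smtp:Jane.Doe@domain.com"]},
    {"cn": "External Contact", "proxyAddresses": ["SMTP:partner@example.org"]},
    {"cn": "No Mail", "proxyAddresses": []},
]

PREFIX = re.compile(r"^smtp:", re.IGNORECASE)   # the script matches ^(smtp|SMTP):


def smtp_addresses(proxy_values):
    """Yield (address, is_primary) for the SMTP entries of one proxyAddresses list.

    AD stores the primary (sending) address as 'SMTP:' and aliases as 'smtp:';
    sip:, X400: and x500: values are skipped, as in the script.
    """
    for value in proxy_values:
        if PREFIX.match(value):
            yield value[5:], value.startswith("SMTP:")


def primary_addresses(entries):
    """cn -> the single 'SMTP:' address, the default sending address of the first post."""
    return {e["cn"]: addr for e in entries
            for addr, primary in smtp_addresses(e.get("proxyAddresses", [])) if primary}


def build_recipient_map(entries, relay_domains=None):
    """Collect every SMTP address into the {address: 'OK'} form Postfix wants.

    relay_domains (optional, this example's addition) drops addresses outside
    the domains this gateway relays for. Addresses are folded to lower case so
    Jane.Doe@ and jane.doe@ become one entry.
    """
    recipients = {}
    for entry in entries:
        for address, _primary in smtp_addresses(entry.get("proxyAddresses", [])):
            address = address.lower()
            domain = address.rpartition("@")[2]
            if relay_domains and domain not in relay_domains:
                continue
            recipients[address] = "OK"
    return recipients


def render_postfix_map(recipients):
    """Text of a file like /etc/postfix/example_recipients: one 'address OK' line each."""
    return "".join("%s %s\n" % (addr, val) for addr, val in sorted(recipients.items()))


if __name__ == "__main__":
    relay_for = {"domain.com", "domain.local"}   # placeholder domains from the thread
    print(render_postfix_map(build_recipient_map(SAMPLE_ENTRIES, relay_for)), end="")
```

Postfix reads such a file through relay_recipient_maps only after it has been compiled with postmap; the example writes the text form only, and the relay_domains check is what keeps a mail contact's external address from being accepted as a local recipient.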

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 21 Jan 2020 22:14
by Richie1972
Hi,
Ok, so now I've got it working I've lost the original thread that says how I get "/etc/postfix/example_recipients" imported

Thanks,
Richie

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 01 May 2020 09:50
by vondess
I am confused now. Are you going to say that you can sign up with one email address, and then use a different one for logging in? Is that possible at all? It sounds like an open gate for all possible scammers. Or do I understand something wrong? Who can give me a clearer explanation? I am from San Diego zip code and it looks not technically wise at all, to my despair.

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 01 May 2020 19:41
by smyers119
vondess wrote: 01 May 2020 09:50
I am trying to enable LDAP logins and followed your instructions, however it does not work for me

You're going to need to add more details than that.