
LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 15 Oct 2018 12:33
by Mail2GoCa
I've been playing around with this for a few hours now and finally got it working the way I wanted it.

In my Exchange environment, most users log in with their primary email address such as user@domain.com
It is also possible to log in with a user principal name (user@domain.local) or the older way (DOMAIN\user)
In most situations the primary email address and the user principal name are the same, but I can think of many instances where they are not. In fact some accounts in my environment have a login name (user principal name) which is not their primary email address. For clarity, the primary email address is the default sending address.

Anyway, the following configuration in /var/www/html/MailScanner/conf.php will work in both instances.
If it doesn't work for you, post a reply here and I will try to assist you.
Have fun.

Code:

// LDAP settings for AD authentication & Address Validation on Exchange Server
define('USE_LDAP', true); // Set to true to enable LDAP
define('LDAP_SSL', false); // Set to true if using LDAP with SSL encryption. Requires certificates
define('LDAP_HOST', 'XXX.XXX.XXX.XXX'); // IP address of your domain controller
define('LDAP_PORT', '389'); // Standard LDAP port is 389
define('LDAP_DN', 'DC=domain,DC=local'); // Your AD domain DN
define('LDAP_USER', 'ldap-account@domain.com'); // If no email, set 'ldap-account@domain.local' or 'cn=ldap-account,dc=domain,dc=local'
define('LDAP_PASS', 'your_ldap_account_password_goes_here');
define('LDAP_SITE', 'First-Site-Name'); // Look this value up in AD Sites and Services snap-in on your domain controller
// %s will be replaced by the email address or user name typed at login.
// define() takes a single value, so the two patterns are combined with LDAP OR
// syntax (RFC 4515); a third define() argument is read by PHP as the
// case-insensitive flag, not as a second filter. If your MailWatch version wraps
// LDAP_FILTER in parentheses itself (check how it is used in functions.php),
// drop the outer pair: '|(proxyAddresses=smtp:%s)(mail=%s)'
define('LDAP_FILTER', '(|(proxyAddresses=smtp:%s)(mail=%s))');
define('LDAP_PROTOCOL_VERSION', 3);
define('LDAP_EMAIL_FIELD', 'mail');
define('LDAP_USERNAME_FIELD', 'userprincipalname');
define('LDAP_MS_AD_COMPATIBILITY', true); // Must be set to true for MS AD compatibility

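The configuration above leaves one point implicit: MailWatch substitutes whatever the user typed at the login prompt into %s, so that value has to be filter-escaped, otherwise a login such as * matches every account. The following is an added example, not code from the post or from MailWatch. It resolves a login through the OR-combined filter against two constructed AD-like entries (one whose primary SMTP address differs from its UPN), using a small evaluator for the RFC 4515 subset the filter needs, and shows the difference escaping makes. The entries, the logins and the combined filter string are assumptions made for this demonstration.

```python
"""Added example (not from the forum post or from MailWatch): resolve a login
through the thread's LDAP_FILTER against constructed AD-like entries, and show
why the login must be RFC 4515-escaped before it replaces %s.
Runs stand-alone; nothing here talks to a real directory."""
import re

# Constructed sample entries, not real directory data. Exchange stores the
# primary (default sending) address as "SMTP:" and aliases as "smtp:".
SAMPLE_ENTRIES = [
    {"userPrincipalName": "jdoe@domain.local",
     "mail": "jdoe@domain.com",
     "proxyAddresses": ["SMTP:jdoe@domain.com", "smtp:john.doe@domain.com"]},
    {"userPrincipalName": "asmith@domain.local",
     "mail": "alice@domain.com",   # primary address does not match the UPN
     "proxyAddresses": ["SMTP:alice@domain.com", "smtp:asmith@domain.com"]},
]

# The two patterns from the post, combined with LDAP OR syntax (RFC 4515).
LDAP_FILTER = "(|(proxyAddresses=smtp:%s)(mail=%s))"

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """RFC 4515 escaping for a value embedded in a filter (the same job as
    PHP's ldap_escape($v, '', LDAP_ESCAPE_FILTER))."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(login, escape=True):
    """Mimic sprintf(LDAP_FILTER, $login): every %s receives the same login."""
    return LDAP_FILTER.replace("%s", ldap_escape(login) if escape else login)


def _parse(s, i=0):
    """Parse the subset of RFC 4515 used here: (&...), (|...), (!...), (a=v)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    end = s.index(")", i)            # ')' inside a value must be escaped as \29
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1


def _value_regex(value):
    """Assertion value -> regex: '*' is a wildcard, \\XX is a literal byte."""
    out = []
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^\\*]+", value):
        if tok == "*":
            out.append(".*")
        elif tok.startswith("\\"):
            out.append(re.escape(chr(int(tok[1:], 16))))
        else:
            out.append(re.escape(tok))
    # AD compares mail/proxyAddresses case-insensitively: "SMTP:" matches "smtp:".
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE | re.DOTALL)


def _matches(entry, node):
    if node[0] == "&":
        return all(_matches(entry, k) for k in node[1])
    if node[0] == "|":
        return any(_matches(entry, k) for k in node[1])
    if node[0] == "!":
        return not _matches(entry, node[1][0])
    _, attr, value = node
    vals = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
    vals = [vals] if isinstance(vals, str) else vals
    rx = _value_regex(value)
    return any(rx.match(v) for v in vals)


def search(login, escape=True):
    """Return the UPNs of the entries the typed login resolves to."""
    node, _ = _parse(build_filter(login, escape))
    return [e["userPrincipalName"] for e in SAMPLE_ENTRIES if _matches(e, node)]


if __name__ == "__main__":
    for login in ["jdoe@domain.com", "asmith@domain.com", "john.doe@domain.com", "*"]:
        print(f"{login:22} escaped -> {search(login)}  raw -> {search(login, False)}")
```

Run it to print, for each login, which UPN the escaped and the raw filter resolve to: the alias and the primary address both land on the right account, and the bare * resolves to nobody once escaped but to every account when not. Before relying on this in production, confirm in your MailWatch version's functions.php that the typed login goes through ldap_escape($login, '', LDAP_ESCAPE_FILTER) (or equivalent) before sprintf(LDAP_FILTER, ...) is applied. The evaluator supports only equality with wildcards and the &, | and ! operators, which is all this filter uses.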
Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 05 Dec 2018 14:29
by alexmateescu
Hi

I am trying to enable LDAP logins and followed your instructions; however, it does not work for me.

can you help please?

alex

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 05 Dec 2018 14:37
by Mail2GoCa
Hi Alex,
Not all Exchange environments are the same. A lot depends on how your firewall is configured, if the Exchange server is not on the same subnet as the EFA box, whether or not the users log in with their Exchange alias or their email address, if the email address and the user principal name are the same, etc.

I'd love to help, but I will need more detail.

Without revealing sensitive info, can you give me an idea of how you have everything set up?

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 05 Dec 2018 15:28
by alexmateescu
Hi

So the Exchange server is in outlook365.

The EFA server and the AD are on the same network, and that is what I am trying to achieve. If I can make the user log in with his/her email address and AD password, that is fine.

Now in AD I am not using proxyAddresses, so the script to import AD users does not help at all.

I have tried tweaking it, but the users get created as part of the DN.

Email is listed in AD as "mail". userPrincipalName is in the format firstname.lastname@domain.local

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Posted: 05 Dec 2018 18:39
by Mail2GoCa
Hi Alex,

Provided your AD is responding to LDAP queries, you should be good to go.

To test LDAP connectivity from the EFA box, you can formulate a simple query using ldapsearch. If it is not installed, you can download the package; it is called openldap-clients.

Code:

yum install openldap-clients

Try a connection test. There is no need to submit a complex query to test the connection. Just make sure you can connect, authenticate and get back some results.

Try this... Substitute your actual values for my dummy ones.

Code:

ldapsearch -x -h 192.168.1.1 -D user@domain.local -W -b "cn=users,dc=domain,dc=local" -s sub "(cn=*)" cn mail sn

You will be prompted for your password

Code:

Enter LDAP Password:

If you manage to connect, the query will return a list of all objects in the 'users' ou in active directory.