
How to integrate E.F.A with Active Directory (Part 2)

Posted: 23 Feb 2014 21:47
by shawniverson
There's a nice little user/alias import script located here...

/usr/local/bin/mailwatch/tools/Cron_jobs/mailwatch_ldap_sync.sh

By design, this script parses the proxyAddresses field in LDAP/AD to import all users in a domain into E.F.A.

1) Populate the required definitions....

Code:

LDAP_URI="ldap://myldaphost.mydomain:3268"
LDAP_BASE="DC=mydomain,DC=com"
LDAP_USER="myldapproxy@mydomain"
LDAP_PASS="myldappass"
MYSQL_HOST="localhost"
MYSQL_PORT="3306"
MYSQL_NAME="mailscanner"
MYSQL_USER="mailwatch"
MYSQL_PASS="mymailwatchpass"  # <-- Look in /etc/EFA-Config for the password needed here (MAILWATCHSQLPWD)

2)

Code:

sudo yum install openldap-clients

3) Run the script. If errors occur (especially about a missing tmp file), verify your definitions above are correct and try again.

4) When satisfied...

Link it in /etc/cron.daily...

Code:

ln -s /usr/local/bin/mailwatch/tools/Cron_jobs/mailwatch_ldap_sync.sh /etc/cron.daily/mailwatch_ldap_sync.sh

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 23 Jun 2014 12:46
by Widmo
Anyone can paste sample working Active Directory config?

Thanks

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 05 Nov 2014 12:46
by Archer
I am getting the following message when I try to manually run this job. (sudo /usr/local/bin/mailwatch/tools/Cron_jobs/mailwatch_ldap_sync.sh)

ERROR at line 74: Unknown command '\@'.

I am not sure what is even wrong.....much less how to fix it.

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 27 Dec 2014 16:02
by DJ_L
FYI, the script has issues if the displayName contains parentheses. Probably also a problem for other attributes later on (and probably other characters), but the script completely skips that user with an invalid search filter (-7). I didn't bother actually trying to fix the script for fear of caffeine deficiency. The error occurs somewhere in the first loop - I did throw in a couple of echos to see how far it gets before the error surfaces, figured I couldn't easily mess that up at least. ;) At best guess, it's probably a case of using double quotes where single quotes would be sufficient, or rather preferable in this case without escaping bash control characters (parentheses, exclamation point, etc.). In the interim, I changed the user's properties in AD to work around it. I'll create a test user a little later on today and report back if/when I have found the error, but suggestions are appreciated too.

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 03 Feb 2015 21:54
by azuercher
Has anyone modified this script to use "mail" attribute instead of "proxyaddress" for use with eDirectory or other LDAP sources?

I'll play around with it but I'm hoping someone else has been down this path already?

Thanks,
Aaron

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 18 Feb 2015 18:04
by fbessone
Hello,
just tried the AD integration and it wouldn't work.
I changed the settings and now it works.

I put in port 389 and now it works, maybe it can help

Code:

LDAP_URI="ldap://172.16.1.10:389"
LDAP_BASE="DC=domain,DC=ext"
LDAP_USER="user@domain.ext"
LDAP_PASS="secret"

Please note that when you update, this file gets overwritten.
Now it populates the DB table, but MailScanner doesn't reject these addresses ... :) ... still trying to understand why

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 18 Feb 2015 20:49
by shawniverson
I will flag this file for merge instead of overwrite on future updates. :D

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 19 Feb 2015 09:27
by fbessone
:) Thank you

Can you help me with the issue I have?
I can't understand how I can set MailScanner to reject email to a non-existent recipient. The script populates the MySQL table ... but MailScanner doesn't look it up ..
Is there a place where I tell MailScanner to match the email address in the recipient table??
Thank you

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 19 Feb 2015 13:19
by cdburgess75
That part isn't built into the GUI. It can be done in postfix easily. I set up mine with directions in this forum. Search and I'm sure you'll find it. Valid recipients.

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 19 Feb 2015 15:38
by fbessone
Mmm, I beg your pardon, but I'm not sure if I understood correctly.
I already set up the script in the linux shell, and put it into CRON, and it works.

But ... how can I tell MailScanner/postfix to reject invalid recipients?
With the old ESVA I had to postmap a text file, pointed to from the postfix configuration, and it worked.
But the script discussed here populates a mysql table and I don't know how to reference it.

federico

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 04 Mar 2015 18:09
by X1400
Good day, can someone provide instructions on how to "activate" this please? I'm at the same place as fbessone, I've got the script running fine, the database is loaded with addresses, but I'm not sure what to enable so the program will begin blocking invalid recipients. Thanks!

BTW, this filter is awesome, thanks for the hard work!

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 05 Mar 2015 11:30
by shawniverson
This script merely imports users into MailWatch but not Postfix.

You need a different script to import users into Postfix to do what you are asking.

Check out this post part way down.
viewtopic.php?f=14&t=433
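The import procedure from the first post, and the separate "import users into Postfix" step shawniverson describes just above, worked through as an added example. This is not the E.F.A./MailWatch mailwatch_ldap_sync.sh script and not code anyone posted in the thread. It covers the two inputs the thread reports breaking the script: a displayName with parentheses (DJ_L's invalid-filter -7) is escaped per RFC 4515 before it goes into an LDAP filter, and an address with an apostrophe (VMguru's case) is passed to the database as a bound parameter rather than spliced into the statement text, so it cannot terminate a SQL string literal. It also reads ldapsearch's LDIF output (folded lines and base64 values included) and renders the postmap input that a relay_recipient_maps check needs. The LDIF sample is constructed, and the users table columns (username, fullname, type) are assumed from MailWatch's schema; check create.sql for your version.

```python
"""Added example, not the E.F.A./MailWatch sync script: escape the LDAP
filter, parse ldapsearch LDIF for proxyAddresses, and emit bound SQL
parameters plus a Postfix relay_recipients map. Input is constructed."""
import base64
import re

# RFC 4515 section 3: these must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value):
    """Escape one assertion value so user data cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(display_name):
    """Filter selecting one user by displayName, safe for names like 'Doe (Contractor)'."""
    return "(&(objectClass=user)(displayName=%s))" % ldap_filter_escape(display_name)


def parse_ldif(text):
    """Minimal reader for ldapsearch output: unfolds continuation lines (leading
    space) and decodes base64 values ('attr:: ...'), which ldapsearch uses for
    any value with non-ASCII bytes or leading/trailing spaces."""
    entries, current = [], None
    for line in re.sub(r"\n ", "", text).splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if current is None:
            current = {}
        attr, _, raw = line.partition(":")
        if raw.startswith(":"):            # 'attr:: <base64>'
            value = base64.b64decode(raw[1:].strip()).decode("utf-8")
        else:
            value = raw.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def smtp_addresses(entry):
    """Split proxyAddresses into the primary ('SMTP:', upper-case, one per
    user) and secondary ('smtp:') addresses; X400:, sip: etc. are dropped."""
    primary, secondaries = None, []
    for value in entry.get("proxyaddresses", []):
        prefix, sep, addr = value.partition(":")
        if sep and prefix == "SMTP":
            primary = addr
        elif sep and prefix == "smtp":
            secondaries.append(addr)
    return primary, secondaries


def user_rows(ldif_text):
    """(username, fullname, [aliases]) per mail-enabled entry, lower-cased."""
    rows = []
    for entry in parse_ldif(ldif_text):
        primary, secondaries = smtp_addresses(entry)
        if primary is None:
            continue
        fullname = entry.get("displayname", [""])[0]
        rows.append((primary.lower(), fullname, [a.lower() for a in secondaries]))
    return rows


# Column names assumed from MailWatch's users table (check create.sql for your
# version). %s are driver placeholders: cursor.execute(INSERT_USER_SQL, (user, name))
# binds the values, so "sean.o'brien@..." never becomes part of the statement text.
INSERT_USER_SQL = ("INSERT INTO users (username, fullname, type) VALUES (%s, %s, 'U') "
                   "ON DUPLICATE KEY UPDATE fullname = VALUES(fullname)")


def postfix_relay_recipients(rows):
    """postmap(1) input for relay_recipient_maps: 'address OK', one per address."""
    lines = [f"{addr} OK" for primary, _, aliases in rows for addr in [primary, *aliases]]
    return "\n".join(sorted(lines)) + "\n"


# Constructed sample: parentheses in displayName, an apostrophe in an address,
# a base64 value and a folded line -- the cases reported in the thread.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Jane Doe (Contractor),OU=Users,DC=example,DC=com
displayName: Jane Doe (Contractor)
proxyAddresses: SMTP:Jane.Doe@example.com
proxyAddresses: smtp:jdoe@example.com
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Doe;g=Jane;

dn: CN=Sean O'Brien,OU=Users,DC=example,DC=com
displayName:: U2VhbiBPJ0JyaWVu
proxyAddresses: SMTP:sean.o'brien@example.com
proxyAddresses: smtp:sobrien@exam
 ple.com

"""

if __name__ == "__main__":
    print(user_filter("Jane Doe (Contractor)"))
    for row in user_rows(SAMPLE_LDIF):
        print(row)
    print(postfix_relay_recipients(user_rows(SAMPLE_LDIF)))
```

Two points on the values shown in the posts above: LDAP_PASS and MYSQL_PASS sit in cleartext in the script, so keep it root-owned with mode 0600 and bind with a read-only directory account; and ldap:// on 389 or 3268 sends that simple-bind password in the clear, so prefer ldaps:// (636/3269) or STARTTLS where the domain controllers support it.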

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 18 Mar 2015 16:06
by phideauxx
I just modified my script to use "mail" instead of "proxyaddresses" I did a find and replace for all instances of "proxyaddresses" to replace them, and also had to go through and delete any references to "smtp:" from each of the places where it was searching for "proxyaddresses" since the "mail" field doesn't have that prefix. I also commented out the "ALIASES" and "GROUP_ALIASES" parts, including the "DELETE FROM user_filters" query as that will delete any manual filters you have put in after users are created.

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 25 Mar 2015 06:36
by pdwalker
Successful integration using the following settings

Code:

LDAP_URI="ldap://<ip address of domain controller>:389"
LDAP_BASE="DC=<domain name>,DC=<domain extension (local in my case)>"
LDAP_USER="<windows domain>\<login name>"
LDAP_PASS="<my windows login password>"
MYSQL_HOST="localhost"
MYSQL_PORT="3306"
MYSQL_NAME="mailscanner"
MYSQL_USER="mailwatch"
MYSQL_PASS="<the db password from `cat /etc/EFA-Config |grep MAILWATCHSQLPWD|awk -F: '{print $2}'`>"

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 03 Oct 2015 07:30
by Rob.M.P
Adding to an old thread....

We currently use domain.com as a primary domain, but e-mails from domain.net may also come through to the same username. Active directory only stores the domain.com address and not the domain.net address - this is aliased in exchange server.

Can I set up the system to filter similarly?

As a newbie... is the primary function of this to allow users to authenticate to view their own mail, or to reject any mail that has come in for an unrecognised address?

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 03 Oct 2015 16:05
by shawniverson
You may be able to use postfix to map domain.net emails back to domain.com, effectively solving the problem at the MTA, so that you don't have to generate two lists or mess with proxyaddress mappings...
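shawniverson's suggestion above written out as Postfix configuration, together with the recipient check fbessone and X1400 were asking about earlier in the thread. This is an added example, not E.F.A.'s generated Postfix configuration and not a fragment anyone posted: domain.com and domain.net are the thread's placeholders, the map file paths are assumed, and since E.F.A. manages its Postfix files itself (the thread reports the sync script being overwritten on update), check whether your version's update process preserves manual edits. The catch-all alias is shown beside the per-user form because the catch-all quietly defeats the recipient check.

```conf
# /etc/postfix/main.cf additions (added example; paths assumed, domains are
# the thread's placeholders)

# Mail for domain.com is relayed on to Exchange. With relay_recipient_maps
# set, smtpd accepts only listed addresses and answers everything else at
# RCPT TO with "User unknown in relay recipient table" instead of relaying
# it and letting Exchange bounce it.
relay_domains        = domain.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# domain.net is rewritten onto domain.com before delivery, so only one
# recipient list (the domain.com one) has to be generated from AD.
virtual_alias_domains = domain.net
virtual_alias_maps    = hash:/etc/postfix/virtual

# /etc/postfix/relay_recipients (generated from the directory export):
#   jane.doe@domain.com    OK
#   jdoe@domain.com        OK

# /etc/postfix/virtual, WEAK form. A catch-all makes every address in
# domain.net "known" to smtpd, so nonexistent@domain.net is accepted,
# rewritten to nonexistent@domain.com and relayed; the relay_recipient_maps
# check is not re-applied after alias rewriting, so Exchange bounces it and
# the gateway becomes a backscatter source:
#   @domain.net            @domain.com

# /etc/postfix/virtual, CORRECTED form. One line per real user, generated
# from the same export, so unknown domain.net recipients are rejected at
# RCPT TO ("User unknown in virtual alias table") like unknown domain.com ones:
#   jane.doe@domain.net    jane.doe@domain.com
#   jdoe@domain.net        jdoe@domain.com
```

After writing the two map files run `postmap /etc/postfix/relay_recipients /etc/postfix/virtual` and `postfix reload`. `postmap -q nonexistent@domain.net hash:/etc/postfix/virtual` should print nothing with the per-user map, and an `RCPT TO:<nonexistent@domain.net>` in a test SMTP session on port 25 should then get a 5xx reply rather than 250.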

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 18 Nov 2015 18:05
by VMguru
Archer wrote:I am getting the following message when I try to manually run this job. (sudo /usr/local/bin/mailwatch/tools/Cron_jobs/mailwatch_ldap_sync.sh)

ERROR at line 74: Unknown command '\@'.

I am not sure what is even wrong.....much less how to fix it.

I am getting the same error, but at line 252, which doesn't even exist in the mailwatch_ldap_sync.sh file. It ends at line 144.

So being a Windows guy, can someone help me understand what's supposed to be happening and how I use this?
I am trying to get AD linked up with EFA users so I can then have users log into the EFA MailWatch for MailScanner web interface to view ONLY THEIR quarantined items.

I am assuming this AD integration allows them to login, but I don't see all the AD users listed in the MailWatch for MailScanner TOOLS/LINKS --> User Management list. I see 21 users only. I assume that's because my manual run of the shell script bombed out.

Then if they can login to MailWatch for MailScanner should they just see only their Quarantine list? Thank you.

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 18 Nov 2015 21:05
by VMguru
Well I figured out the problem I had with the script bombing out was because I had an email account with an apostrophe in it, once I removed it, all the user accounts populated in the EFA User Management database.

My question now is, how do I truly Active Directory integrate the list? All the passwords came through as NULL and I want them tied to AD for AUTH, not in a separate MySQL database with its own set of passwords for AUTH.

Thank you so much.

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 12 Jan 2017 19:55
by ktan
This looks very close to what I need, has it been updated to "merge" the file instead of overwrite? Trying to get this to work with multi LDAP configuration.

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 30 Jan 2017 11:00
by radiogen
shawniverson wrote: 23 Feb 2014 21:47

Code:

sudo yum install openldap-clients

3) Run the script. If errors occur (especially about a missing tmp file), verify your definitions above are correct and try again.

I get the error "./mailwatch_ldap_sync.sh: line 138: /tmp/tmp.XfkLdno2Dn: No such file or directory". If I run mktemp as root, the tmp file is created with no issues.

Any ideas how to fix it? No other errors with the script. Thank you for the hint.

Re: How to integrate E.F.A with Active Directory (Part 2)

Posted: 19 Jun 2017 18:37
by phideauxx
I have found with any updates recently, this file is completely deleted so I have a copy stored in my own home directory that I have to copy back to the correct location: /usr/local/bin/mailwatch/tools/Cron_jobs/ and then chmod it to be executable. There is previous mention of flagging this as merge instead of overwrite, but it seems to just be deleting it at this point.