How to integrate E.F.A with Active Directory (Part 2)

Questions and answers about how to do stuff
Post Reply
User avatar
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

How to integrate E.F.A with Active Directory (Part 2)

Post by shawniverson »

There's a nice little user/alias import script located here...

/usr/local/bin/mailwatch/tools/Cron_jobs/mailwatch_ldap_sync.sh

By design, this script parses the proxyAddresses field in LDAP/AD to import all users in a domain into E.F.A.

1) Populate the required definitions....

Code: Select all

LDAP_URI="ldap://myldaphost.mydomain:3268"
LDAP_BASE="DC=mydomain,DC=com"
LDAP_USER="myldapproxy@mydomain"
LDAP_PASS="myldappass"
MYSQL_HOST="localhost"
MYSQL_PORT="3306"
MYSQL_NAME="mailscanner"
MYSQL_USER="mailwatch"
MYSQL_PASS="mymailwatchpass"  # <-- Look in /etc/EFA-Config for the password needed here (MAILWATCHSQLPWD)
2)

Code: Select all

sudo yum install openldap-clients
3) Run the script. If errors occur (especially about a missing tmp file) , verify your definitions above are correct and try again

4) When satified...

Link it in /etc/cron.daily...

Code: Select all

ln -s /usr/local/bin/mailwatch/tools/Cron_jobs/mailwatch_ldap_sync.sh /etc/cron.daily/mailwatch_ldap_sync.sh
:twocents-02cents:
Widmo
Posts: 17
Joined: 23 Jun 2014 12:45

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by Widmo »

Anyone can paste sample working Active Directory config?

Thanks
Archer
Posts: 27
Joined: 30 Oct 2014 13:38

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by Archer »

I am getting the following message when I try to manually run this job. (sudo /usr/local/bin/mailwatch/tools/Cron_jobs/mailwatch_ldap_sync.sh)

ERROR at line 74: Unknown command '\@'.

I am not sure what is even wrong.....much less how to fix it.
DJ_L
Posts: 4
Joined: 29 Nov 2014 01:47

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by DJ_L »

FYI, the script has issues if the displayName contains parenthesis. Probably also a problem for other attributes later on (and probably other characters), but the script completely skips that user with an invalid search filter (-7). I didn't bother actually trying to fix the script for fear of caffeine deficiency. The error occurs somewhere in the first loop - I did throw in a couple of echos to see how far it gets before the error surfaces, figured I couldn't easily mess that up at least. ;) At best guess, it's probably a case of using double quotes where single quotes would be sufficient, or rather preferable in this case without escaping bash control characters (parenthesis, exclamation point, etc.). In the interim, I changed the user's properties in AD to work around it. I'll create a test user a little later on today and report back if/when I have found the error, but suggestions are appreciated too.
azuercher
Posts: 10
Joined: 03 Feb 2015 20:08

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by azuercher »

Has anyone modified this script to use "mail" attribute instead of "proxyaddress" for use with eDirectory or other LDAP sources?

I'll play around with it but I'm hoping someone else has been down this path already?

Thanks,
Aaron
fbessone
Posts: 10
Joined: 18 Feb 2015 18:02

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by fbessone »

Hello,
just tried the AD integration and it wouldnt work.
I changed the settings and now it works.

i put the 389 port and now it works, maybe it can help

Code: Select all

LDAP_URI="ldap://172.16.1.10:389"
LDAP_BASE="DC=domain,DC=ext"
LDAP_USER="user@domain.ext"
LDAP_PASS="secret"
Please note that when you update this file gets overwritten.
Now it populates the DB table, but mailscanner doesnt reject these addresses ... :) ... still trying to understand why
User avatar
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by shawniverson »

I will flag this file for merge instead of overwrite on future updates. :D
fbessone
Posts: 10
Joined: 18 Feb 2015 18:02

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by fbessone »

:) Thank you

Can you help me with the issue i have ?
I cant understand how i can set MailScanner to reject email to non existant recipient. The script populates the mySql table ... but MailScanner doesnt look it up ..
Is there i place where i tell MailScanner to macht the email address in recipient table ??
Thank you
cdburgess75
Posts: 49
Joined: 11 Jun 2014 21:43

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by cdburgess75 »

That's part isn't built into GUI. It can be done in postfix easily. I setup mine with directions in this forum. Search and I'm sure your find it. Valid recipients.
fbessone
Posts: 10
Joined: 18 Feb 2015 18:02

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by fbessone »

mmm, i beg your pardon, but i'm not sure if i understood correctly.
I already set up the script in the linux shell, and put it into CRON, and it works.

But ... how can i tell the MailScanner/postfix to reject invalid recipients ?
With the old ESVA i had to postmap a text file, pointed from the postfix configuration, and it worked.
But the script here discussed populates a mysql table and i dont know how to reference it.

federico
X1400
Posts: 1
Joined: 04 Mar 2015 17:32

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by X1400 »

Good day, can someone provide instructions on how to "activate" this please? I'm at the same place as fbessone, I've got the script running fine, the database is loaded with address's, but I'm not sure what to enable so the program will begin blocking invalid recipients. Thanks!

BTW, this filter is awesome, thanks for the hard work! :clap:
User avatar
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by shawniverson »

This script merely imports users into MailWatch but not Postfix.

You need a different script to import users into Postfix to do what you are asking.

Check out this post part way down.
viewtopic.php?f=14&t=433
phideauxx
Posts: 17
Joined: 26 Feb 2015 18:21

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by phideauxx »

I just modified my script to use "mail" instead of "proxyaddresses" I did a find and replace for all instances of "proxyaddresses" to replace them, and also had to go through and delete any references to "smtp:" from each of the places where it was searching for "proxyaddresses" since the "mail" field doesn't have that prefix. I also commented out the "ALIASES" and "GROUP_ALIASES" parts, including the "DELETE FROM user_filters" query as that will delete any manual filters you have put in after users are created.
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by pdwalker »

successful integration using the following settings

Code: Select all

LDAP_URI="ldap://<ip address of domain controller>:389"
LDAP_BASE="DC=<domain name>,DC=<domain extension (local in my case>"
LDAP_USER="<windows domain>\<login name>"
LDAP_PASS="<my windows login password>"
MYSQL_HOST="localhost"
MYSQL_PORT="3306"
MYSQL_NAME="mailscanner"
MYSQL_USER="mailwatch"
MYSQL_PASS="<the db password from `cat /etc/EFA-Config |grep MAILWATCHSQLPWD|awk -F: '{print $2}'`>"
Rob.M.P
Posts: 26
Joined: 28 Jan 2014 23:01

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by Rob.M.P »

Adding to an old thread....

We currently use domain.com as a primary domain, but e-mails from domain.net may also come through to the same username. Active directory only stores the domain.com address and not the domain.net address - this is aliased in exchange server.

Can I setup the system to filter similar?

As a newbie...Is this functionality primary function of this to allow users to authenticated to view their own mail, or reject any mail that has come in for an unrecognised address?
User avatar
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by shawniverson »

You may be able to use postfix to map domain.net emails back to domain.com, effectively solving the problem at the MTA, so that you don't have to generate two lists or mess with proxyaddress mappings...
User avatar
VMguru
Posts: 18
Joined: 18 Nov 2015 16:04

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by VMguru »

Archer wrote:I am getting the following message when I try to manually run this job. (sudo /usr/local/bin/mailwatch/tools/Cron_jobs/mailwatch_ldap_sync.sh)

ERROR at line 74: Unknown command '\@'.

I am not sure what is even wrong.....much less how to fix it.

I am getting the same error at but at line 252 which doesn't even exist in the mailwatch_ldap_sync.sh file. It ends at line 144.

So being a Windows guy, can someone help me understand what's supposed to be happening and how I use this?
I am trying to get AD linked up with EFA users so I can then have users log into the EFA MailWatch for MailScanner web interface to view ONLY THEIR quarantined items.

I am assuming this AD integration allows them to login, but I don't see all the AD users listed in the MailWatch for MailScanner TOOLS/LINKS --> User Management list. I see 21 users inly. I assume that's because my manual run of the shell script bombed out.

Then if they can login to MailWatch for MailScanner should they just see only their Quarantine list? Thank you.
User avatar
VMguru
Posts: 18
Joined: 18 Nov 2015 16:04

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by VMguru »

Well I figured out the problem I had with the script bombing out was because I had an email account with an apostrophe in it, once I removed it, all the user accounts populated in the EFA User Management database.

My question now is, how do I truly Active Directory integrate the list? All the passwords came through as NULL and I want them tied to AD for AUTH, not in a separate MySQL database with it's own set of passwords for AUTH.

Thank you so much.
ktan
Posts: 2
Joined: 12 Jan 2017 18:58

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by ktan »

This looks very close to what I need, has it been updated to "merge" the file instead of overwrite? Trying to get this to work with multi LDAP configuration.
radiogen
Posts: 4
Joined: 30 Jan 2017 10:57

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by radiogen »

shawniverson wrote: 23 Feb 2014 21:47

Code: Select all

sudo yum install openldap-clients
3) Run the script. If errors occur (especially about a missing tmp file) , verify your definitions above are correct and try again

I get error" ./mailwatch_ldap_sync.sh: line 138: /tmp/tmp.XfkLdno2Dn: No such file or directory " If i run mktemp under the root tmp file created with no issues.

any ideas how to fix it? no other errors with the script. thank you for the hint.
phideauxx
Posts: 17
Joined: 26 Feb 2015 18:21

Re: How to integrate E.F.A with Active Directory (Part 2)

Post by phideauxx »

I have found with any updates recently, this file is completely deleted so I have a copy stored in my own home directory that I have to copy back to the correct location: /usr/local/bin/mailwatch/tools/Cron_jobs/ and then chmod it to be executable. There is previous mention of flagging this as merge instead of overwrite, but it seems to just be deleting it at this point.
Post Reply