Okay. LDAPS. Not working for SASL auth yet, but I'll try that next.
So, my assumption is that you've got a certificate for your AD DC already. In my case, I've got ADCS running PKI for my domain. I'll assume since you're using Windows that you've got the certificate in .DER format. What you'll want to get is the CA certificate for your domain controller - in my case, it's the root CA from the ADCS PKI server.
I can convert that to PEM format using openssl:
openssl x509 -inform der -in certificate.cer -out ca-cert.pem
Next, copy this file to /etc/openldap/certs. I usually use PuTTY, so I'd use
pscp ca-cert.pem user@efa-host:/etc/openldap/certs/ca-cert.pem
Edit the file /etc/openldap/ldap.conf:
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT never
TLS_CACERTDIR /etc/openldap/certs
BASE DC=<YOURDOMAIN>,DC=<YOURDOMAIN SUFFIX>
URI ldaps://<FQDN of your DC>
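The conversion above and the TLS_REQCERT setting in this ldap.conf are two halves of the same question: is the PEM copy on the EFA host really the CA you exported, and does the DC present a chain that validates against it? The shell functions below are an added example, not part of the original post. der_to_pem is the same openssl conversion wrapped so it fails loudly on non-DER input, cert_fingerprint gives you a SHA-256 fingerprint to compare with the ADCS console, and check_ldaps_chain asks openssl to validate the chain the DC serves on 636 against that CA file, which is exactly the check TLS_REQCERT never tells the client library to skip. The hostname and paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.

# der_to_pem IN.cer OUT.pem : the post's conversion, but with a clear error
# if the input is not actually a DER-encoded certificate.
der_to_pem() {
    openssl x509 -inform der -in "$1" -out "$2" >/dev/null 2>&1 || {
        echo "der_to_pem: $1 is not a DER-encoded certificate" >&2
        return 1
    }
}

# cert_fingerprint FILE.pem : SHA-256 fingerprint of the certificate, printed
# without the "Fingerprint=" label so it is easy to compare against the value
# shown in the ADCS console.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_ldaps_chain HOST CAFILE : validate the chain the DC presents on 636
# using CAFILE as the only trust anchor, and check that the certificate's
# name matches HOST. Exit status 0 means both checks passed.
check_ldaps_chain() {
    openssl s_client -connect "$1:636" -servername "$1" -verify_hostname "$1" \
        -CAfile "$2" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage (placeholder host and paths):
#   der_to_pem certificate.cer ca-cert.pem
#   cert_fingerprint ca-cert.pem
#   check_ldaps_chain dc01.example.com /etc/openldap/certs/ca-cert.pem && echo "chain verified"
```

If check_ldaps_chain passes you can tighten ldap.conf from TLS_REQCERT never to TLS_REQCERT demand with no loss of connectivity; if it fails, the reason (wrong CA, name mismatch, expired cert) is visible by running the same s_client command without the output redirections.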
This file should be copied to the $HOME of the user running the MailScanner process (which in our case looks like it might be apache?) and renamed to .ldaprc. I got this to work under my account, using a test script I created in PHP (to get the LDAP query working for disabled and locked-out users). test.php is based on http://php.net/manual/en/function.ldap-bind.php and the modifications made in the earlier post to the LDAP query.
<?php
// /home/<myhome>/test.php
// config
$ldapserver = "ldaps://<FQDN of your DC>";
$ldapuser = '<DN of your service account user>';
$ldappass = '<secret>';
$ldaptree = "<LDAP search base>";
$user = "<this is the username we want to test authentication for>";
define("LDAP_EMAIL_FIELD", "proxyAddresses");
// escape the username before it goes into a filter so ( ) * \ in the input cannot change the query
$safeuser = ldap_escape($user, '', LDAP_ESCAPE_FILTER);
// connect
$ldapconn = ldap_connect($ldapserver) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
// enabled user objects only: the bit-AND rule excludes anything with the ACCOUNTDISABLE (2) flag set
$ldap_query_sAMAccountName_custom = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=$safeuser)(!(userAccountControl=514))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
$ldap_query_Email_Field_custom = "(&(objectClass=user)(objectCategory=person)(" . LDAP_EMAIL_FIELD . "=$safeuser)(!(userAccountControl=514))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
$ldap_query_Email_SMTP_custom = "(&(objectClass=user)(objectCategory=person)(" . LDAP_EMAIL_FIELD . "=SMTP:$safeuser)(!(userAccountControl=514))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
if ($ldapconn) {
    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass) or die("Error trying to bind: " . ldap_error($ldapconn) . "\n");
    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...\n";
        $result = ldap_search($ldapconn, $ldaptree, $ldap_query_Email_SMTP_custom) or die("Error in search query: " . ldap_error($ldapconn));
        $data = ldap_get_entries($ldapconn, $result);
        // SHOW ALL DATA
        echo "Dump all data\n";
        //print_r($data);
        for ($i = 0; $i < $data["count"]; $i++) {
            echo "user: " . $data[$i]["dn"] . "\n";
        }
        echo "Number of entries found: " . ldap_count_entries($ldapconn, $result) . "\n";
    } else {
        echo "LDAP bind failed...\n";
        if (ldap_get_option($ldapconn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error)) {
            echo "Error Binding to LDAP: $extended_error\n";
        } else {
            echo "Error Binding to LDAP: no additional information is available.\n";
        }
    }
    // release the connection
    ldap_unbind($ldapconn);
}
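The three filters in test.php share one shape: a person/user object matched on one attribute, with the extensible-match clause `userAccountControl:1.2.840.113556.1.4.803:=2` (the bit-AND rule against the ACCOUNTDISABLE flag) keeping disabled accounts out. The Python below is an added example, not code from the post: it builds those filters with RFC 4515 escaping (the same characters PHP's ldap_escape handles with LDAP_ESCAPE_FILTER) and then evaluates the same semantics locally against a small constructed directory, so you can see which accounts the query admits, and why `*` or `(` in a username does not widen it, without a DC in the loop. The entries, DNs and addresses are constructed sample data.

```python
"""Added example (not from the original post): build the user-lookup filters
from test.php with RFC 4515 escaping and evaluate their semantics locally
against constructed sample entries. Standard library only."""

# Documented userAccountControl bits (Microsoft ADS_USER_FLAG values)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
# Extensible-match rule used in the post's filter: LDAP_MATCHING_RULE_BIT_AND
BIT_AND_RULE = "1.2.840.113556.1.4.803"
LDAP_EMAIL_FIELD = "proxyAddresses"


def ldap_escape_filter(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515): the same characters
    PHP's ldap_escape($v, '', LDAP_ESCAPE_FILTER) handles, i.e. \\ * ( ) and NUL."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def active_user_filter(attribute: str, value: str) -> str:
    """A filter with the post's shape for one attribute/value pair. The bit-AND
    clause matches only entries whose ACCOUNTDISABLE bit is clear; the post's
    extra (!(userAccountControl=514)) clause is implied by it, since
    514 == UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE."""
    return (
        "(&(objectClass=user)(objectCategory=person)"
        f"({attribute}={ldap_escape_filter(value)})"
        f"(!(userAccountControl:{BIT_AND_RULE}:={UF_ACCOUNTDISABLE})))"
    )


def lookup_filters(user: str) -> list:
    """The three filters test.php builds, in the order one would try them."""
    return [
        active_user_filter("sAMAccountName", user),
        active_user_filter(LDAP_EMAIL_FIELD, user),
        active_user_filter(LDAP_EMAIL_FIELD, "SMTP:" + user),
    ]


def is_enabled(entry: dict) -> bool:
    """The account-state test the filter expresses. AD does not record lockout
    as a userAccountControl bit (it lives in lockoutTime), so this test is about
    the disabled flag only."""
    return not int(entry.get("userAccountControl", 0)) & UF_ACCOUNTDISABLE


def matches(entry: dict, attribute: str, value: str) -> bool:
    """Evaluate the filter semantics against one entry. AD compares these
    attributes case-insensitively, so do the same here; the value is compared
    literally, which is what escaping guarantees on the server side."""
    if "user" not in entry.get("objectClass", ()) or entry.get("objectCategory") != "person":
        return False
    values = entry.get(attribute, ())
    if isinstance(values, str):
        values = (values,)
    if value.lower() not in {v.lower() for v in values}:
        return False
    return is_enabled(entry)


# Constructed sample directory: not real accounts.
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice,OU=Users,DC=example,DC=com", "objectClass": ["top", "person", "user"],
     "objectCategory": "person", "sAMAccountName": "alice",
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:alice.smith@example.com"],
     "userAccountControl": 512},
    {"dn": "CN=Bob,OU=Users,DC=example,DC=com", "objectClass": ["top", "person", "user"],
     "objectCategory": "person", "sAMAccountName": "bob",
     "proxyAddresses": ["SMTP:bob@example.com"], "userAccountControl": 514},
    {"dn": "CN=MAILGW,OU=Servers,DC=example,DC=com", "objectClass": ["top", "computer"],
     "objectCategory": "computer", "sAMAccountName": "MAILGW$", "userAccountControl": 4096},
]


def find_user(user: str, entries=SAMPLE_ENTRIES) -> list:
    """Try the three lookups in order and return the DNs of the first hit."""
    for attribute, value in (("sAMAccountName", user), (LDAP_EMAIL_FIELD, user),
                             (LDAP_EMAIL_FIELD, "SMTP:" + user)):
        hits = [e["dn"] for e in entries if matches(e, attribute, value)]
        if hits:
            return hits
    return []


if __name__ == "__main__":
    for name in ("alice", "alice.smith@example.com", "bob", "MAILGW$", "*"):
        print(f"{name!r:28} -> {find_user(name)}")
```

Running it shows alice found by sAMAccountName, alice.smith@example.com found only through the SMTP:-prefixed proxyAddresses form, bob excluded because 514 carries the ACCOUNTDISABLE bit, the computer object excluded by objectCategory, and `*` matching nothing, which is the behaviour the escaped filter produces on the server.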
I run this with php -e test.php from /home/<my home drive>. This will ONLY work once you've copied /etc/openldap/ldap.conf to your home drive and renamed it .ldaprc. According to https://www.mkssoftware.com/docs/man5/ldap_config.5.asp, which was the first hit and I'm too lazy to search the actual OpenLDAP documentation just this minute, .ldaprc can be placed in the current working directory and function properly. So I'm hopeful that I can drop it in the /var/www/html/MailScanner/ directory and we'll be off and running. I recommend using
sudo tcpdump -i eth0 host <Your DC FQDN>
to verify that you're connecting via LDAPS and that the data is encrypted.
So, next, edit /var/www/html/mailscanner/conf.php:
define('LDAP_HOST', 'ldaps://<Your DC FQDN>');
define('LDAP_PORT', '389');
(I also copied the .ldaprc to the /var/www/html/mailscanner/ folder, but I think that was not a necessary step.)
I did not have much luck using port 636. I received an error on the webpage when I attempted to log in. However, using 389 as above but prepending the server's fully-qualified domain name with the ldaps:// URI prefix did the trick. Verified with tcpdump as above.
I also managed to install python-ldap and python3 to try and work out how to automagically synchronize my 'users' table in the MailScanner database with Active Directory. It's awesome that the recipient maps look up live, but I can't trust my users to log into the new spam filter in order to generate a record to allow them to get spam non-delivery reports. I did it manually the first time using Softerra LDAP Browser and exporting to a CSV which I imported into MySQL, but I'm not a fan of manual processes like that on an ongoing basis. Too many things will come up and I'll get sidetracked and miss one.
Anyway, I hope this has been helpful to someone.
--EDITED--
SASL authentication is now using LDAPS. After completing the above steps, edit /etc/saslauthd.conf:
ldap_servers: ldaps://<Your DC FQDN>