LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Mail2GoCa
Posts: 26
Joined: 10 Oct 2018 09:11

LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Post by Mail2GoCa » 15 Oct 2018 12:33

I've been playing around with this for a few hours now and finally got it working the way I wanted it.

In my Exchange environment, most users log in with their primary email address, such as user@domain.com.
It is also possible to log in with a user principal name (user@domain.local) or the older way (DOMAIN\user).
In most situations the primary email address and the user principal name are the same, but I can think of many instances where they are not. In fact, some accounts in my environment have a login name (user principal name) which is not their primary email address. For clarity, the primary email address is the default sending address.

Anyway, the following configuration in /var/www/html/MailScanner/conf.php will work in both instances.
If it doesn't work for you, post a reply here and I will try to assist you.
Have fun.

Code:

// LDAP settings for AD authentication & Address Validation on Exchange Server
define('USE_LDAP', true); // Set to true to enable LDAP
define('LDAP_SSL', false); // Set to true if using LDAP with SSL encryption. Requires certificates
define('LDAP_HOST', 'XXX.XXX.XXX.XXX'); // IP address of your domain controller
define('LDAP_PORT', '389'); // Standard LDAP port is 389
define('LDAP_DN', 'DC=domain,DC=local'); // Your AD domain DN
define('LDAP_USER', 'ldap-account@domain.com'); // If no email, set 'ldap-account@domain.local' or 'cn=ldap-account,dc=domain,dc=local'
define('LDAP_PASS', 'your_ldap_account_password_goes_here');
define('LDAP_SITE', 'First-Site-Name'); // Look this value up in the AD Sites and Services snap-in on your domain controller
define('LDAP_FILTER', 'proxyAddresses=smtp:%s'); // %s will be replaced by the email address or user name; alternative filter: 'mail=%s'
define('LDAP_PROTOCOL_VERSION', 3);
define('LDAP_EMAIL_FIELD', 'mail');
define('LDAP_USERNAME_FIELD', 'userprincipalname');
define('LDAP_MS_AD_COMPATIBILITY', true); // Must be set to true for MS AD compatibility

alexmateescu
Posts: 2
Joined: 05 Dec 2018 14:28

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Post by alexmateescu » 05 Dec 2018 14:29

Hi,

I am trying to enable LDAP logins and followed your instructions; however, it does not work for me.

Can you help please?

Alex

Mail2GoCa
Posts: 26
Joined: 10 Oct 2018 09:11

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Post by Mail2GoCa » 05 Dec 2018 14:37

Hi Alex,
Not all Exchange environments are the same. A lot depends on how your firewall is configured, whether the Exchange server is on the same subnet as the EFA box, whether or not the users log in with their Exchange alias or their email address, whether the email address and the user principal name are the same, etc.

I'd love to help, but I will need more detail.

Without revealing sensitive info, can you give me an idea of how you have everything set up?

alexmateescu
Posts: 2
Joined: 05 Dec 2018 14:28

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Post by alexmateescu » 05 Dec 2018 15:28

Hi,

So the Exchange server is in Outlook365.

The EFA server and the AD are in the same network, and that is what I am trying to achieve. If I can make the user log in with his/her email address and AD password, that is fine.

Now, in AD I am not using proxyAddresses, so the script to import AD users does not help at all.

I have tried tweaking it, but the users get created as part of the DN.

Email is listed in AD as "mail". userprincipalname is in the format firstname.lastname@domain.local.

Mail2GoCa
Posts: 26
Joined: 10 Oct 2018 09:11

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Post by Mail2GoCa » 05 Dec 2018 18:39

Hi Alex,

Provided your AD is responding to LDAP queries, you should be good to go.

To test LDAP connectivity from the EFA box, you can formulate a simple query using ldapsearch. If it is not installed, you can download the package; it is called openldap-clients.

Code:

yum install openldap-clients

Try a connection test. There is no need to submit a complex query to test the connection. Just make sure you can connect, authenticate and get back some results.

Try this... Substitute my dummy variables for your actual ones.

Code:

ldapsearch -x -h 192.168.1.1 -D user@domain.local -W -b "cn=users,dc=domain,dc=local" -s sub "(cn=*)" cn mail sn

You will be prompted for your password:

Code:

Enter LDAP Password:

If you manage to connect, the query will return a list of all objects in the 'users' container in Active Directory.

andyhud
Posts: 14
Joined: 15 May 2014 14:57

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Post by andyhud » 26 Jun 2019 13:08

Thanks @Mail2GoCa for this info, very helpful

Question: can "ldapsearch" specify multiple AD Domain Controllers for LDAP connectivity instead of just one? That way, if one is offline, would ldapsearch try the next one in the list (maybe just separated by a comma)?

As I have DNS recursion enabled on my EFA, I can't manually specify my AD Domain Controllers; otherwise I was going to try just my internal AD domain name, which would cause ldapsearch to search against any DC.

e.g.: ldapsearch -x -h myADfqdn.local -D user@domain.local -W -b "cn=users,dc=domain,dc=local" -s sub "(cn=*)" cn mail sn

As I say, as my EFA DNS resolution is performed directly to the internet, it can't resolve my AD FQDN to my DCs, so I have to specify one, like your example in the ldapsearch syntax.

Maybe it would perform failover if it was something like:

e.g.: ldapsearch -x -h 192.168.1.1,192.168.1.2,192.168.1.3 -D user@domain.local -W -b "cn=users,dc=domain,dc=local" -s sub "(cn=*)" cn mail sn

?

Cheers

Andy

Mail2GoCa
Posts: 26
Joined: 10 Oct 2018 09:11

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Post by Mail2GoCa » 26 Jun 2019 13:27

Hi andyhud

I'm not sure if that can be done. I have never had a need to do that so I've never researched or tested it. However, there is a way to get around the DNS issue.

1. Set up a random 'A' record hostname in your public DNS records, something like specialhost.domain.com (substitute domain.com with your actual public domain name), pointing to your primary DC/LDAP server's private IP address.
2. Create additional 'A' records with the same hostname for each additional DC/LDAP server on your private network.
3. Specify that hostname in your ldapsearch test to make sure it resolves and works.

Example

Code:

specialhost.domain.com	A	192.168.1.1
specialhost.domain.com	A	192.168.1.2
specialhost.domain.com	A	192.168.1.3

Whilst anybody on the internet will be able to query that hostname, all they will get back is a series of private IP addresses which they can never access unless they are connected to your private LAN.
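An added example, not from any poster in this thread, that ties together the conf.php filter in the first post and the multi-DC question above: it runs the same lookup MailWatch performs, but escapes the login value before it enters the filter (RFC 4515), and passes several DCs as one -H URI list, which libldap tries in order until one accepts the connection. The DC addresses, bind account, base DN and login shown in the usage comment are assumed placeholders.

```shell
#!/bin/sh
# Command-line check of the AD lookup configured in conf.php (added example).
# Filter values are escaped so a login containing * ( ) or \ cannot change the
# structure of the filter; several DCs are tried in order via one -H URI list.

# Escape the characters RFC 4515 reserves in filter values (\ first, then * ( )).
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Match either the Exchange proxy address or the mail attribute: the two
# LDAP_FILTER candidates from the config, combined with an LDAP OR so a single
# query shows which attribute actually holds the login value in your directory.
build_login_filter() {
  esc=$(ldap_filter_escape "$1")
  printf '(|(proxyAddresses=smtp:%s)(mail=%s))' "$esc" "$esc"
}

# Turn "host1,host2,host3" into "ldap://host1 ldap://host2 ldap://host3".
# ldapsearch -H accepts such a whitespace-separated list and fails over along it.
dc_uris() {
  ( IFS=','; out=""; for h in $1; do out="${out:+$out }ldap://$h"; done; printf '%s' "$out" )
}

# Run the lookup; -W prompts for the bind password so it never lands in shell history.
# Usage: ldap_login_check "192.168.1.1,192.168.1.2" "ldap-account@domain.local" \
#                         "dc=domain,dc=local" "user@domain.com"
ldap_login_check() {
  ldapsearch -x -H "$(dc_uris "$1")" -D "$2" -W -b "$3" -s sub -l 10 \
    "$(build_login_filter "$4")" mail userPrincipalName proxyAddresses
}

# Only perform the live query when run directly with the four arguments above.
if [ "$#" -eq 4 ]; then
  ldap_login_check "$1" "$2" "$3" "$4"
fi
```

A result with one entry confirms both the bind account and the attribute the web UI will match on; no entries means the login value is stored in neither attribute and LDAP_FILTER needs adjusting.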

andyhud
Posts: 14
Joined: 15 May 2014 14:57

Re: LDAP Auth and Validation with Active Directory / Exchange for EFA 3.0.2.6

Post by andyhud » 02 Jul 2019 11:10

Hi Mail2GoCa

Thanks for this info, yep, while not ideal that would indeed work... maybe I'll give it a go

Appreciate you sharing your thoughts

Andy
