1

Topic: AD integration

Hello all,

I'm trying to integrate iRedMail into an AD environment.
I'm using this howto, Ubuntu Server 10.04.4 x86, Windows Server 2008 R2. Active Directory works like a charm, for the moment.
I've created an account in the AD database that I use to log in to Windows client stations.

First, the command

ldapsearch -x -h ad.mydomain.lan -D 'vmail' -W -b 'cn=users,dc=mydomain,dc=lan'

didn't work for me; I had to use

ldapsearch -x -h ad.mydomain.lan -D 'MYDOMAIN\vmail' -W -b 'cn=users,dc=mydomain,dc=lan'

I've made every change described in the howto, but I'm stuck when I use the command:

postmap -q accountivecreated@mydomain.lan ldap:/etc/postfix/ad_virtual_mailbox_maps.cf

Ubuntu Server returns this error:

postmap: warning: dict_ldap_lookup: Search error 1: Operations error

There's nothing in the Windows logs.

Can anyone help me solve this problem?

Thanks in advance

2

Re: AD integration

It seems to be the same error as at the beginning of the howto.
In the /etc/postfix/ad_*.cf config files, I have to change

bind_dn         = vmail

to

bind_dn         = MYDOMAIN\vmail

I no longer have the previous error, but nothing appears, so I changed the debug level to 1 in /etc/postfix/ad_mailbox_maps.cf.
So, here's the result:

postmap: dict_ldap_debug: ldap_create
postmap: dict_ldap_debug: ldap_url_parse_ext(ldap://ad.mydomain.lan:389)
postmap: dict_ldap_debug: ldap_sasl_bind
postmap: dict_ldap_debug: ldap_send_initial_request
postmap: dict_ldap_debug: ldap_new_connection 1 1 0
postmap: dict_ldap_debug: ldap_int_open_connection
postmap: dict_ldap_debug: ldap_connect_to_host: TCP ad.mydomain.lan:389
postmap: dict_ldap_debug: ldap_new_socket: 4
postmap: dict_ldap_debug: ldap_prepare_socket: 4
postmap: dict_ldap_debug: ldap_connect_to_host: Trying 192.168.x.2:389
postmap: dict_ldap_debug: ldap_pvt_connect: fd: 4 tm: 10 async: 0
postmap: dict_ldap_debug: ldap_ndelay_on: 4
postmap: dict_ldap_debug: ldap_int_poll: fd: 4 tm: 10
postmap: dict_ldap_debug: ldap_is_sock_ready: 4
postmap: dict_ldap_debug: ldap_ndelay_off: 4
postmap: dict_ldap_debug: ldap_pvt_connect: 0
postmap: dict_ldap_debug: ldap_open_defconn: successful
postmap: dict_ldap_debug: ldap_send_server_request
postmap: dict_ldap_debug: ber_scanf fmt ({it) ber:
postmap: dict_ldap_debug: ber_scanf fmt ({i) ber:
postmap: dict_ldap_debug: ber_flush2: 36 bytes to sd 4
postmap: dict_ldap_debug: ldap_result ld 0xb7cd4028 msgid 1
postmap: dict_ldap_debug: wait4msg ld 0xb7cd4028 msgid 1 (timeout 10000000 usec)
postmap: dict_ldap_debug: wait4msg continue ld 0xb7cd4028 msgid 1 all 1
postmap: dict_ldap_debug: ** ld 0xb7cd4028 Connections:
postmap: dict_ldap_debug: * host: ad.mydomain.lan  port: 389  (default)
postmap: dict_ldap_debug:   refcnt: 2  status: Connected
postmap: dict_ldap_debug:   last used: Fri Mar 23 11:26:24 2012
postmap: dict_ldap_debug:
postmap: dict_ldap_debug: ** ld 0xb7cd4028 Outstanding Requests:
postmap: dict_ldap_debug:  * msgid 1,  origid 1, status InProgress
postmap: dict_ldap_debug:    outstanding referrals 0, parent count 0
postmap: dict_ldap_debug:   ld 0xb7cd4028 request count 1 (abandoned 0)
postmap: dict_ldap_debug: ** ld 0xb7cd4028 Response Queue:
postmap: dict_ldap_debug:    Empty
postmap: dict_ldap_debug:   ld 0xb7cd4028 response count 0
postmap: dict_ldap_debug: ldap_chkResponseList ld 0xb7cd4028 msgid 1 all 1
postmap: dict_ldap_debug: ldap_chkResponseList returns ld 0xb7cd4028 NULL
postmap: dict_ldap_debug: ldap_int_select
postmap: dict_ldap_debug: read1msg: ld 0xb7cd4028 msgid 1 all 1
postmap: dict_ldap_debug: ber_get_next
postmap: dict_ldap_debug: ber_get_next: tag 0x30 len 16 contents:
postmap: dict_ldap_debug: read1msg: ld 0xb7cd4028 msgid 1 message type bind
postmap: dict_ldap_debug: ber_scanf fmt ({eAA) ber:
postmap: dict_ldap_debug: read1msg: ld 0xb7cd4028 0 new referrals
postmap: dict_ldap_debug: read1msg:  mark request completed, ld 0xb7cd4028 msgid 1
postmap: dict_ldap_debug: request done: ld 0xb7cd4028 msgid 1
postmap: dict_ldap_debug: res_errno: 0, res_error: <>, res_matched: <>
postmap: dict_ldap_debug: ldap_free_request (origid 1, msgid 1)
postmap: dict_ldap_debug: ldap_parse_sasl_bind_result
postmap: dict_ldap_debug: ber_scanf fmt ({eAA) ber:
postmap: dict_ldap_debug: ldap_msgfree
postmap: dict_ldap_debug: ldap_search_ext
postmap: dict_ldap_debug: put_filter: "(&(objectclass=person)(userPrincipalName=user@mydomain.lan))"
postmap: dict_ldap_debug: put_filter: AND
postmap: dict_ldap_debug: put_filter_list "(objectclass=person)(userPrincipalName=user@mydomain.lan)"
postmap: dict_ldap_debug: put_filter: "(objectclass=person)"
postmap: dict_ldap_debug: put_filter: simple
postmap: dict_ldap_debug: put_simple_filter: "objectclass=person"
postmap: dict_ldap_debug: put_filter: "(userPrincipalName=user@mydomain.lan)"
postmap: dict_ldap_debug: put_filter: simple
postmap: dict_ldap_debug: put_simple_filter: "userPrincipalName=user@mydomain.lan"
postmap: dict_ldap_debug: ldap_send_initial_request
postmap: dict_ldap_debug: ldap_send_server_request
postmap: dict_ldap_debug: ber_scanf fmt ({it) ber:
postmap: dict_ldap_debug: ber_scanf fmt ({) ber:
postmap: dict_ldap_debug: ber_flush2: 140 bytes to sd 4
postmap: dict_ldap_debug: ldap_result ld 0xb7cd4028 msgid 2
postmap: dict_ldap_debug: wait4msg ld 0xb7cd4028 msgid 2 (timeout 10000000 usec)
postmap: dict_ldap_debug: wait4msg continue ld 0xb7cd4028 msgid 2 all 1
postmap: dict_ldap_debug: ** ld 0xb7cd4028 Connections:
postmap: dict_ldap_debug: * host: ad.mydomain.lan  port: 389  (default)
postmap: dict_ldap_debug:   refcnt: 2  status: Connected
postmap: dict_ldap_debug:   last used: Fri Mar 23 11:26:24 2012
postmap: dict_ldap_debug:
postmap: dict_ldap_debug: ** ld 0xb7cd4028 Outstanding Requests:
postmap: dict_ldap_debug:  * msgid 2,  origid 2, status InProgress
postmap: dict_ldap_debug:    outstanding referrals 0, parent count 0
postmap: dict_ldap_debug:   ld 0xb7cd4028 request count 1 (abandoned 0)
postmap: dict_ldap_debug: ** ld 0xb7cd4028 Response Queue:
postmap: dict_ldap_debug:    Empty
postmap: dict_ldap_debug:   ld 0xb7cd4028 response count 0
postmap: dict_ldap_debug: ldap_chkResponseList ld 0xb7cd4028 msgid 2 all 1
postmap: dict_ldap_debug: ldap_chkResponseList returns ld 0xb7cd4028 NULL
postmap: dict_ldap_debug: ldap_int_select
postmap: dict_ldap_debug: read1msg: ld 0xb7cd4028 msgid 2 all 1
postmap: dict_ldap_debug: ber_get_next
postmap: dict_ldap_debug: ber_get_next: tag 0x30 len 16 contents:
postmap: dict_ldap_debug: read1msg: ld 0xb7cd4028 msgid 2 message type search-result
postmap: dict_ldap_debug: ber_scanf fmt ({eAA) ber:
postmap: dict_ldap_debug: read1msg: ld 0xb7cd4028 0 new referrals
postmap: dict_ldap_debug: read1msg:  mark request completed, ld 0xb7cd4028 msgid 2
postmap: dict_ldap_debug: request done: ld 0xb7cd4028 msgid 2
postmap: dict_ldap_debug: res_errno: 0, res_error: <>, res_matched: <>
postmap: dict_ldap_debug: ldap_free_request (origid 2, msgid 2)
postmap: dict_ldap_debug: ldap_parse_result
postmap: dict_ldap_debug: ber_scanf fmt ({iAA) ber:
postmap: dict_ldap_debug: ber_scanf fmt (}) ber:
postmap: dict_ldap_debug: ldap_msgfree
postmap: dict_ldap_debug: ldap_free_connection 1 1
postmap: dict_ldap_debug: ldap_send_unbind
postmap: dict_ldap_debug: ber_flush2: 7 bytes to sd 4
postmap: dict_ldap_debug: ldap_free_connection: actually freed

I'm posting here because the howto says I should get an answer like my email address after using the command, and I get nothing...

Thanks

3

Re: AD integration

postmap -q accountivecreated@mydomain.lan ldap:/etc/postfix/ad_virtual_mailbox_maps.cf

Please paste the content of /etc/postfix/ad_virtual_mailbox_maps.cf here to help troubleshoot. REPLACE sensitive information before posting.

Also, could you please set debug level to 0, then execute postmap with option '-v' again and post output here?

# postmap -v -q accountivecreated@mydomain.lan ldap:/etc/postfix/ad_virtual_mailbox_maps.cf

4 (edited by nicolasfo 2012-03-23 20:23:32)

Re: AD integration

The first two commands are now OK, but I don't know why; I'll look into it later.

I've got a problem with the third command now (the one that queries groups).

Here's my ad_virtual_group_maps:

server_host     = ad.mydomain.lan
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = MYDOMAIN\vmail
bind_pw         = vmailpasswd
search_base     = cn=users,dc=mydomain,dc=lan
scope           = sub
query_filter    = (&(objectClass=group)(mail=%s))
special_result_attribute = member
leaf_result_attribute = mail
result_attribute= userPrincipalName
debuglevel      = 0

And here's the command result with "-v":

root@server:~# postmap -v -q grp_test@mydomain.lan ldap:/etc/postfix/ad_virtual_group_maps.cf
postmap: dict_eval: const  mail
postmap: dict_eval: const  ipv4
postmap: dict_eval: const
postmap: dict_eval: const
postmap: dict_eval: const
postmap: name_mask: ipv4
postmap: dict_eval: const  server.mydomain.lan
postmap: dict_eval: const  mydomain.lan
postmap: dict_eval: const  Postfix
postmap: dict_eval: expand ${multi_instance_name:postfix}${multi_instance_name?$multi_instance_name} -> postfix
postmap: dict_eval: const  postfix
postmap: dict_eval: const  postdrop
postmap: dict_eval: expand $myhostname, localhost, localhost.localdomain, localhost.$myhostname -> server.mydomain.lan, localhost, localhost.localdomain, localhost.server.mydomain.lan
postmap: dict_eval: const  server
postmap: dict_eval: const
postmap: dict_eval: const  /usr/lib/postfix
postmap: dict_eval: const  /var/lib/postfix
postmap: dict_eval: const  /usr/sbin
postmap: dict_eval: const  /var/spool/postfix
postmap: dict_eval: const  pid
postmap: dict_eval: const  all
postmap: dict_eval: const
postmap: dict_eval: const  double-bounce
postmap: dict_eval: const  nobody
postmap: dict_eval: const  hash:/etc/postfix/aliases
postmap: dict_eval: const  20100213
postmap: dict_eval: const  2.7.0
postmap: dict_eval: const  hash
postmap: dict_eval: const  deferred, defer
postmap: dict_eval: const  +
postmap: dict_eval: const
postmap: dict_eval: expand $relay_domains ->
postmap: dict_eval: const  TZ MAIL_CONFIG LANG
postmap: dict_eval: const  MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
postmap: dict_eval: const  subnet
postmap: dict_eval: const
postmap: dict_eval: const  +=
postmap: dict_eval: const  -=+
postmap: dict_eval: const  debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
postmap: dict_eval: const
postmap: dict_eval: const  bounce
postmap: dict_eval: const  cleanup
postmap: dict_eval: const  defer
postmap: dict_eval: const  pickup
postmap: dict_eval: const  qmgr
postmap: dict_eval: const  rewrite
postmap: dict_eval: const  showq
postmap: dict_eval: const  error
postmap: dict_eval: const  flush
postmap: dict_eval: const  verify
postmap: dict_eval: const  trace
postmap: dict_eval: const  proxymap
postmap: dict_eval: const  proxywrite
postmap: dict_eval: const
postmap: dict_eval: const
postmap: dict_eval: const  15728640
postmap: dict_eval: const  100s
postmap: dict_eval: const  100s
postmap: dict_eval: const  100s
postmap: dict_eval: const  100s
postmap: dict_eval: const  3600s
postmap: dict_eval: const  3600s
postmap: dict_eval: const  5s
postmap: dict_eval: const  5s
postmap: dict_eval: const  1000s
postmap: dict_eval: const  1000s
postmap: dict_eval: const  10s
postmap: dict_eval: const  10s
postmap: dict_eval: const  1s
postmap: dict_eval: const  1s
postmap: dict_eval: const  1s
postmap: dict_eval: const  1s
postmap: dict_eval: const  500s
postmap: dict_eval: const  500s
postmap: dict_eval: const  18000s
postmap: dict_eval: const  18000s
postmap: dict_eval: const  1s
postmap: dict_eval: const  1s
postmap: dict_eval: const  127.0.0.0/8
postmap: inet_addr_local: configured 2 IPv4 addresses
postmap: dict_ldap_open: Using LDAP source /etc/postfix/ad_virtual_group_maps.cf
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: server_host = ad.mydomain.lan
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: server_port = 389
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: version = 3
postmap: dict_ldap_open: /etc/postfix/ad_virtual_group_maps.cf server_host URL is ldap://ad.mydomain.lan:389
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: scope = sub
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: search_base = cn=users,dc=mydomain,dc=lan
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: timeout = 10
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: query_filter = (&(objectClass=group)(mail=%s))
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: result_format = <NULL>
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: result_filter = %s
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: domain =
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: terminal_result_attribute =
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: leaf_result_attribute = mail
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: result_attribute = userPrincipalName
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: special_result_attribute = member
postmap: cfg_get_bool: /etc/postfix/ad_virtual_group_maps.cf: bind = on
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: bind_dn = MYDOMAIN\vmail
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: bind_pw = vmailpasswd
postmap: cfg_get_bool: /etc/postfix/ad_virtual_group_maps.cf: cache = off
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: cache_expiry = -1
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: cache_size = -1
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: recursion_limit = 1000
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: expansion_limit = 0
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: size_limit = 0
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: dereference = 0
postmap: cfg_get_bool: /etc/postfix/ad_virtual_group_maps.cf: chase_referrals = off
postmap: cfg_get_bool: /etc/postfix/ad_virtual_group_maps.cf: start_tls = off
postmap: cfg_get_bool: /etc/postfix/ad_virtual_group_maps.cf: tls_require_cert = off
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: tls_ca_cert_file =
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: tls_ca_cert_dir =
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: tls_cert =
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: tls_key =
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: tls_random_file =
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: tls_cipher_suite =
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: debuglevel = 0
postmap: dict_open: ldap:/etc/postfix/ad_virtual_group_maps.cf
postmap: dict_ldap_lookup: In dict_ldap_lookup
postmap: dict_ldap_lookup: No existing connection for LDAP source /etc/postfix/ad_virtual_group_maps.cf, reopening
postmap: dict_ldap_connect: Connecting to server ldap://ad.mydomain.lan:389
postmap: dict_ldap_connect: Actual Protocol version used is 3.
postmap: dict_ldap_connect: Binding to server ldap://ad.mydomain.lan:389 as dn MYDOMAIN\vmail
postmap: dict_ldap_connect: Successful bind to server ldap://ad.mydomain.lan:389 as MYDOMAIN\vmail
postmap: dict_ldap_connect: Cached connection handle for LDAP source /etc/postfix/ad_virtual_group_maps.cf
postmap: dict_ldap_lookup: /etc/postfix/ad_virtual_group_maps.cf: Searching with filter (&(objectClass=group)(mail=grp_test@mydmain.lan))
postmap: dict_ldap_get_values[1]: Search found 0 match(es)
postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
postmap: dict_ldap_lookup: Search returned nothing
postmap: dict_ldap_close: Closed connection handle for LDAP source /etc/postfix/ad_virtual_group_maps.cf

I get no result, contrary to what the howto describes.

Thanks

PS: I'm sure that "grp_test" exists and there are users in it.
I tried creating a "distribution" group and putting users in it; same result.

5

Re: AD integration

I've continued with the howto despite the groups problem.

I'm now at the connection test with Dovecot.

I can connect to localhost, then I type this command:

. login user@mydomain.lan passwduser

The mail server returned:

. NO [UNAVAILABLE] Temporary authentication failure.

And in the Dovecot logs:

Mar 23 15:28:28 auth(default): Error: ldap(user@mydomain.lan,127.0.0.1): ldap_search((&(userPrincipalName=user@mydomain.lan)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))) failed: Referral

Thanks

6

Re: AD integration

Log says:

nicolasfo wrote:

for LDAP source /etc/postfix/ad_virtual_group_maps.cf
postmap: dict_ldap_lookup: /etc/postfix/ad_virtual_group_maps.cf: Searching with filter (&(objectClass=group)(mail=grp_test@mydmain.lan))
postmap: dict_ldap_get_values[1]: Search found 0 match(es)

It means it cannot find accounts with the LDAP filter "(&(objectClass=group)(mail=grp_test@mydmain.lan))".

As mentioned in the wiki tutorial:

If your group account doesn't contain the attributes 'mail' and 'userPrincipalName', please try 'query_filter = (&(objectClass=group)(sAMAccountName=%u))' instead.

I guess you should give it another try.

Please also refer to this forum topic:
http://www.iredmail.org/forum/post14632.html#p14632

7

Re: AD integration

Hello,

I continue the integration.
When I changed ad_virtual_group_maps.cf, the result was the same.

I used the "-v" argument and saw the users as members, as expected, but no line appears without the verbose argument.

I continued the howto, and I'm at the Dovecot test step.

I used telnet; it connected well. When I use ". login myuser@mydomain.lan passworduser" it returns:

. NO [UNAVAILABLE] Temporary authentication failure.

I looked in the Dovecot logs, and there is:

Mar 26 11:47:49 auth(default): Error: ldap(myuser@mydomain.lan,127.0.0.1): ldap_search((&(userPrincipalName=myuser@mydomain.lan)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))) failed: Referral

Any advice?

Thanks

8

Re: AD integration

Could you please post dovecot-ldap.conf here to help troubleshoot?

9

Re: AD integration

Hello,

To be sure I understand everything I do, I deleted the mail server and reinstalled it; it's the 5th time I've done that.

Previously I had a problem with Dovecot authentication; it seems it was my mistake, the howto is OK. Apologies.

But with each reinstall I do, I still have the error with the listing of the AD distribution groups.

The distribution group is in the AD "users" folder, its name is "grp_test_mail" and there are two users in it.

Here's the ad_virtual_group_maps.cf:

server_host     = adserver.mydomain.lan
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = vmail@mydomain.lan
bind_pw         = vmail_passwd
search_base     = cn=users,dc=mydomain,dc=lan
scope           = sub
query_filter    = (&(objectClass=group)(mail=%s))
special_result_attribute = member
leaf_result_attribute = mail
result_attribute= userPrincipalName
debuglevel      = 0

When I use the command with the config file above:

postmap -q -v grp_test_mail@mydomain.lan ldap:/etc/postfix/ad_virtual_group_maps.cf

I get this error (the same as in the mail.log file):

postmap: fatal: open database grp_test_mail@mydomain.lan.db: No such file or directory

Huh, grp_test_mail@mydomain.lan.db, WTF?

Thanks in advance

10

Re: AD integration

Did you try:

# postmap -v -q grp_test_mail@mydomain.lan ldap:/xxx

I mean, place '-v' in front of '-q'.

11 (edited by nicolasfo 2012-03-28 20:00:22)

Re: AD integration

OK, I made a mistake, but there's still a problem

root@mail:~# postmap -v -q grp_test_mail@mydomain.lan ldap:/etc/postfix/ad_virtual_group_maps.cf
postmap: dict_eval: const  mail
postmap: dict_eval: const  ipv4
postmap: dict_eval: const
postmap: dict_eval: const
postmap: dict_eval: const
postmap: name_mask: ipv4
postmap: dict_eval: const  mail.mydomain.lan
postmap: dict_eval: const  mydomain.lan
postmap: dict_eval: const  Postfix
postmap: dict_eval: expand ${multi_instance_name:postfix}${multi_instance_name?$multi_instance_name} -> postfix
postmap: dict_eval: const  postfix
postmap: dict_eval: const  postdrop
postmap: dict_eval: expand $myhostname, localhost, localhost.localdomain, localhost.$myhostname -> mail.mydomain.lan, localhost, localhost.localdomain, localhost.mail.mydomain.lan
postmap: dict_eval: const  mail.mydomain.lan
postmap: dict_eval: const
postmap: dict_eval: const  /usr/lib/postfix
postmap: dict_eval: const  /var/lib/postfix
postmap: dict_eval: const  /usr/sbin
postmap: dict_eval: const  /var/spool/postfix
postmap: dict_eval: const  pid
postmap: dict_eval: const  all
postmap: dict_eval: const
postmap: dict_eval: const  double-bounce
postmap: dict_eval: const  nobody
postmap: dict_eval: const  hash:/etc/postfix/aliases
postmap: dict_eval: const  20100213
postmap: dict_eval: const  2.7.0
postmap: dict_eval: const  hash
postmap: dict_eval: const  deferred, defer
postmap: dict_eval: const  +
postmap: dict_eval: const
postmap: dict_eval: expand $relay_domains ->
postmap: dict_eval: const  TZ MAIL_CONFIG LANG
postmap: dict_eval: const  MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
postmap: dict_eval: const  subnet
postmap: dict_eval: const
postmap: dict_eval: const  +=
postmap: dict_eval: const  -=+
postmap: dict_eval: const  debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
postmap: dict_eval: const
postmap: dict_eval: const  bounce
postmap: dict_eval: const  cleanup
postmap: dict_eval: const  defer
postmap: dict_eval: const  pickup
postmap: dict_eval: const  qmgr
postmap: dict_eval: const  rewrite
postmap: dict_eval: const  showq
postmap: dict_eval: const  error
postmap: dict_eval: const  flush
postmap: dict_eval: const  verify
postmap: dict_eval: const  trace
postmap: dict_eval: const  proxymap
postmap: dict_eval: const  proxywrite
postmap: dict_eval: const
postmap: dict_eval: const
postmap: dict_eval: const  15728640
postmap: dict_eval: const  100s
postmap: dict_eval: const  100s
postmap: dict_eval: const  100s
postmap: dict_eval: const  100s
postmap: dict_eval: const  3600s
postmap: dict_eval: const  3600s
postmap: dict_eval: const  5s
postmap: dict_eval: const  5s
postmap: dict_eval: const  1000s
postmap: dict_eval: const  1000s
postmap: dict_eval: const  10s
postmap: dict_eval: const  10s
postmap: dict_eval: const  1s
postmap: dict_eval: const  1s
postmap: dict_eval: const  1s
postmap: dict_eval: const  1s
postmap: dict_eval: const  500s
postmap: dict_eval: const  500s
postmap: dict_eval: const  18000s
postmap: dict_eval: const  18000s
postmap: dict_eval: const  1s
postmap: dict_eval: const  1s
postmap: dict_eval: const  127.0.0.0/8
postmap: inet_addr_local: configured 2 IPv4 addresses
postmap: dict_ldap_open: Using LDAP source /etc/postfix/ad_virtual_group_maps.cf
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: server_host = ad.mydomain.lan
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: server_port = 389
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: version = 3
postmap: dict_ldap_open: /etc/postfix/ad_virtual_group_maps.cf server_host URL is ldap://ad.mydomain.lan:389
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: scope = sub
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: search_base = cn=users,dc=mydomain,dc=lan
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: timeout = 10
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: query_filter = (&(objectClass=group)(mail=%s))
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: result_format = <NULL>
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: result_filter = %s
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: domain =
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: terminal_result_attribute =
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: leaf_result_attribute = mail
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: result_attribute = userPrincipalName
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: special_result_attribute = member
postmap: cfg_get_bool: /etc/postfix/ad_virtual_group_maps.cf: bind = on
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: bind_dn = vmail@mydomain.lan
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: bind_pw = vmail_passwd
postmap: cfg_get_bool: /etc/postfix/ad_virtual_group_maps.cf: cache = off
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: cache_expiry = -1
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: cache_size = -1
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: recursion_limit = 1000
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: expansion_limit = 0
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: size_limit = 0
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: dereference = 0
postmap: cfg_get_bool: /etc/postfix/ad_virtual_group_maps.cf: chase_referrals = off
postmap: cfg_get_bool: /etc/postfix/ad_virtual_group_maps.cf: start_tls = off
postmap: cfg_get_bool: /etc/postfix/ad_virtual_group_maps.cf: tls_require_cert = off
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: tls_ca_cert_file =
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: tls_ca_cert_dir =
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: tls_cert =
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: tls_key =
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: tls_random_file =
postmap: cfg_get_str: /etc/postfix/ad_virtual_group_maps.cf: tls_cipher_suite =
postmap: cfg_get_int: /etc/postfix/ad_virtual_group_maps.cf: debuglevel = 0
postmap: dict_open: ldap:/etc/postfix/ad_virtual_group_maps.cf
postmap: dict_ldap_lookup: In dict_ldap_lookup
postmap: dict_ldap_lookup: No existing connection for LDAP source /etc/postfix/ad_virtual_group_maps.cf, reopening
postmap: dict_ldap_connect: Connecting to server ldap://win-ad.resfrox.lan:389
postmap: dict_ldap_connect: Actual Protocol version used is 3.
postmap: dict_ldap_connect: Binding to server ldap://ad.mydomain.lan:389 as dn vmail@mydomain.lan
postmap: dict_ldap_connect: Successful bind to server ldap://ad.mydomain.lan:389 as vmail@mydomain.lan
postmap: dict_ldap_connect: Cached connection handle for LDAP source /etc/postfix/ad_virtual_group_maps.cf
postmap: dict_ldap_lookup: /etc/postfix/ad_virtual_group_maps.cf: Searching with filter (&(objectClass=group)(mail=grp_test_mail@mydomain.lan))
postmap: dict_ldap_get_values[1]: Search found 0 match(es)
postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
postmap: dict_ldap_lookup: Search returned nothing
postmap: dict_ldap_close: Closed connection handle for LDAP source /etc/postfix/ad_virtual_group_maps.cf

I don't understand; in my opinion, the problem isn't in ad_virtual_group_maps.cf...

Thanks

12

Re: AD integration

In addition, here's something I can't explain to myself:

In ad_*_maps.cf, bind_dn is a user stored in the AD database.

I can't explain how a user (with valid credentials, OK) can read a whole database and tell whether this or that user exists, and whether the password of another account is wrong or not. This reasoning holds for the ad_sender and ad_virtual_mailbox config files.

However, I agree (even though I don't understand...) when we talk about user accounts...

BUT

When we talk about distribution groups, how can a user, who isn't part of any group, read the AD database and tell that "this or that user" is in "this or that group"?!

I searched on Google, but my question isn't accurate enough to get a valid answer.

Thanks for explaining it to me

13

Re: AD integration

Log says:

postmap: dict_ldap_lookup: /etc/postfix/ad_virtual_group_maps.cf: Searching with filter (&(objectClass=group)(mail=grp_test_mail@mydomain.lan))
postmap: dict_ldap_get_values[1]: Search found 0 match(es)

That means it cannot find accounts with LDAP filter "(&(objectClass=group)(mail=grp_test_mail@mydomain.lan))".
Does your group account have a 'mail' attribute? Does it have a 'sAMAccountName' attribute?
Please paste the LDIF info of a sample mail group account to help troubleshoot.

14 (edited by nicolasfo 2012-03-29 15:53:40)

Re: AD integration

OK,

I just didn't know that I had to fill in the "mail address" in the group properties, as in this picture:
http://img11.hostingpics.net/thumbs/mini_305445iredad.jpg

It seems to work now.

Thanks
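The resolution in the two posts above is that the group object had no 'mail' attribute, so the query_filter matched nothing and postmap printed "Search found 0 match(es)". The Python below is an added illustration, not Postfix's code and not from the original posts: it models how a Postfix ldap: table with the settings from this thread (query_filter = (&(objectClass=group)(mail=%s)), special_result_attribute = member, leaf_result_attribute = mail, result_attribute = userPrincipalName) expands a group lookup over a constructed in-memory directory. The entries grp_nomail, grp_test_mail, grp_nested, alice, bob and carol and all their attributes are made up; the visited-set loop guard is this model's own simplification of Postfix's recursion_limit.

```python
"""Model of a Postfix ldap: table group expansion (added example, not Postfix code)."""

# Constructed sample directory: DN -> attributes. Not real AD data.
DIRECTORY = {
    # The group as the thread first had it: no 'mail' attribute at all.
    "cn=grp_nomail,cn=users,dc=mydomain,dc=lan": {
        "objectClass": ["group"],
        "sAMAccountName": ["grp_nomail"],
        "member": ["cn=alice,cn=users,dc=mydomain,dc=lan"],
    },
    # The group after the e-mail address was filled in on its properties page.
    "cn=grp_test_mail,cn=users,dc=mydomain,dc=lan": {
        "objectClass": ["group"],
        "sAMAccountName": ["grp_test_mail"],
        "mail": ["grp_test_mail@mydomain.lan"],
        "member": [
            "cn=alice,cn=users,dc=mydomain,dc=lan",
            "cn=bob,cn=users,dc=mydomain,dc=lan",
            "cn=grp_nested,cn=users,dc=mydomain,dc=lan",
        ],
    },
    "cn=grp_nested,cn=users,dc=mydomain,dc=lan": {
        "objectClass": ["group"],
        "mail": ["nested@mydomain.lan"],
        "member": [
            "cn=carol,cn=users,dc=mydomain,dc=lan",
            # Membership loop back to the parent group: must not recurse forever.
            "cn=grp_test_mail,cn=users,dc=mydomain,dc=lan",
        ],
    },
    "cn=alice,cn=users,dc=mydomain,dc=lan": {
        "objectClass": ["person"],
        "userPrincipalName": ["alice@mydomain.lan"],
        "mail": ["alice@mydomain.lan"],
    },
    # bob has a UPN but no 'mail': with leaf_result_attribute = mail he yields nothing.
    "cn=bob,cn=users,dc=mydomain,dc=lan": {
        "objectClass": ["person"],
        "userPrincipalName": ["bob@mydomain.lan"],
    },
    "cn=carol,cn=users,dc=mydomain,dc=lan": {
        "objectClass": ["person"],
        "userPrincipalName": ["carol@mydomain.lan"],
        "mail": ["carol@mydomain.lan"],
    },
}

# Settings taken from the ad_virtual_group_maps.cf posted in this thread.
SPECIAL_RESULT_ATTRIBUTE = "member"
LEAF_RESULT_ATTRIBUTE = "mail"
RESULT_ATTRIBUTE = "userPrincipalName"
RECURSION_LIMIT = 1000  # the default postmap -v printed in the thread


def search_groups(directory, address):
    """Apply query_filter = (&(objectClass=group)(mail=%s)); 'mail' matches case-insensitively."""
    wanted = address.lower()
    return [
        dn for dn, attrs in directory.items()
        if "group" in attrs.get("objectClass", [])
        and wanted in [m.lower() for m in attrs.get("mail", [])]
    ]


def expand_entry(directory, dn, results, seen, depth):
    """Collect result values from one entry, following special_result_attribute DNs."""
    if dn in seen or depth > RECURSION_LIMIT:
        return  # visited-set guard: model's simplification of recursion_limit
    seen.add(dn)
    attrs = directory.get(dn, {})
    members = attrs.get(SPECIAL_RESULT_ATTRIBUTE, [])
    if members:
        # Non-leaf entry (a group): contribute result_attribute, then follow members.
        results.extend(attrs.get(RESULT_ATTRIBUTE, []))
        for member_dn in members:
            expand_entry(directory, member_dn, results, seen, depth + 1)
    else:
        # Leaf entry (a user): contribute leaf_result_attribute only.
        results.extend(attrs.get(LEAF_RESULT_ATTRIBUTE, []))


def lookup(directory, address):
    """Return the comma-joined value 'postmap -q' would print, or None for 0 matches."""
    results = []
    for dn in search_groups(directory, address):
        expand_entry(directory, dn, results, set(), 0)
    return ", ".join(results) if results else None


if __name__ == "__main__":
    for addr in ("grp_nomail@mydomain.lan", "grp_test_mail@mydomain.lan"):
        print(addr, "->", lookup(DIRECTORY, addr))
```

Running it shows the two states from the thread side by side: the group without 'mail' never matches the query_filter, while the group with 'mail' expands to the members' mail addresses (bob, who has no 'mail', silently contributes nothing, and the nested loop is cut rather than followed forever).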

15 (edited by nicolasfo 2012-03-29 18:44:00)

Re: AD integration

I just passed the Roundcube step.

It seems all is OK, but in the Address Book I only have groups (like grp_mail_test) but no users.

No errors anywhere.

Should the Address Book show AD users?

Thanks

EDIT: OK, my fault, same error as before: I must put an email address in the user's properties.

16 (edited by nicolasfo 2012-04-18 21:44:23)

Re: AD integration

Hello all,

Today is a new day, and I come with 2 questions:

  • Is there a way for Dovecot to search for users not only in CN=users but in the whole domain?
    For example, I created an OU (organizational unit) and put in it a user that "worked" when it was in CN=users. With the telnet command, I can't log in with this account...
    In the Dovecot LDAP config files, I removed CN=users, but it doesn't work...
    But when I use the ldapsearch command with this account, it works normally. So it's a Dovecot "problem", I think.

  • What's the advantage of iRedAdmin with an Active Directory configuration?

Thanks

PS: I forgot the log file:

Apr 18 15:41:49 auth(default): Error: ldap(myuser@mydomain.fr,127.0.0.1): ldap_search((&(userPrincipalName=myuser@mydomain.fr)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))) failed: No such object

17

Re: AD integration

nicolasfo wrote:

Is there a way for Dovecot to search for users not only in CN=users but in the whole domain?

Sure. Change 'base =' in dovecot-ldap.conf to the one you want. For example:

# OLD SETTING
#base           = cn=users,dc=example,dc=com

# NEW SETTING
base            = dc=example,dc=com

Note: Please make sure your Active Directory server is allowed to search 'dc=example,dc=com'. As I remember, it's not allowed by default. (Maybe I'm wrong, just a kind reminder.)

nicolasfo wrote:

What's the advantage of iRedAdmin with an Active Directory configuration?

iRedAdmin doesn't work with Active Directory, sorry.
It works with OpenLDAP, MySQL, and PostgreSQL (will be available in next release).

18

Re: AD integration

ZhangHuangbin wrote:

Sure. Change 'base =' in dovecot-ldap.conf to the one you want. For example:

# OLD SETTING
#base           = cn=users,dc=example,dc=com

# NEW SETTING
base            = dc=example,dc=com

I've already done this, but it doesn't work.

ZhangHuangbin wrote:

Note: Please make sure your Active Directory server is allowed to search 'dc=example,dc=com'. As i remember, it's not allowed by default. (maybe i was wrong, just a kindly remind.)

I used this tutorial, and it doesn't work.
The Dovecot log said nothing, no error. But in the telnet shell, it told me

* OK Waiting for authentication process to respond..

but after a little time, I get timeout inactivity and get disconnected. I already have this "error" before make change in Windows Server.

I admit, I don't understand what you're talking about when you said allowed to search 'dc=example,dc=com'. The problem is, I don't know what to search on Google, I understand it deals with Windows restriction but nothing more...
Why does it work with ldapsearch command but not with dovecot ?

Thanks smile

19 (edited by nicolasfo 2012-04-19 15:06:59)

Re: AD integration

ZhangHuangbin wrote:

nicolasfo wrote:

What's the advantage of iRedAdmin with Active Directory configuration?

iRedAdmin doesn't work with Active Directory, sorry.
It works with OpenLDAP, MySQL, and PostgreSQL (will be available in next release).

Ok, thanks for the information smile

20

Re: AD integration

nicolasfo wrote:

Why does it work with the ldapsearch command but not with Dovecot?

If it works with ldapsearch, then it should work in Dovecot too.
Did you try to set 'mail_debug = yes' in Dovecot, restart Dovecot, then monitor Dovecot log file?
Could you please paste the whole dovecot-ldap.conf? REPLACE password by 'xxx' to hide sensitive information before posting.

21 (edited by nicolasfo 2012-04-19 19:09:38)

Re: AD integration

Here's the Dovecot log file when I try a telnet connection (no error seems to worry Dovecot...):

Apr 19 13:01:37 auth(default): Info: new auth connection: pid=16300
Apr 19 13:01:50 auth(default): Info: client in: AUTH    1       PLAIN   service=imap    secured lip=127.0.0.1   rip=127.0.0.1   lport=143       rport=60724     resp=AHNtYXJ0aW5AZnJbmNlb3h5Z2VuZS5gBzbTEyMzQ1NiE=
Apr 19 13:01:50 auth(default): Info: ldap(user@mypublicdomain.fr,127.0.0.1): bind search: base=dc=LOCALDOMAIN,dc=lan filter=(&(userPrincipalName=user@mypublicdomain.fr)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

And the dovecot-ldap.conf :

hosts           = dc.mydomain.lan:389
ldap_version    = 3
auth_bind       = yes
dn              = MYDOMAIN\vmail
dnpass          = passwd_vmail
base            = dc=mydomain,dc=lan
scope           = subtree
deref           = never
user_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs      = userPassword=password
default_pass_scheme = CRYPT
user_attrs      = =home=/home/mail/%Ld/%Ln/Maildir/,=mail=maildir:/home/mail/%Ld/%Ln/Maildir/

The problem is that now, the users I didn't move to an OU, who are still in "Users", don't work since I changed "base" in dovecot-ldap.conf. I think the "Users" group is considered like an OU on the mail side.

Thanks smile
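An added example, not code from the thread or from iRedMail: an offline model of the user_filter shown above, run against constructed AD-style entries, to illustrate what the base change from post 17 does (a subtree search from the domain root still covers the default CN=Users container, so the scope change alone does not exclude those users) and which accounts the userAccountControl clause drops. All DNs, UPNs and attribute values below are constructed sample data.

```python
# Added example (not code from the thread): an offline model of the Dovecot
# user_filter shown above, run against constructed AD-style entries, to show
# what the base/scope change from post 17 does and which accounts the
# userAccountControl clause excludes. All DNs, UPNs and values are constructed.

ACCOUNTDISABLE = 0x2  # bit tested by (userAccountControl:1.2.840.113556.1.4.803:=2)

# Constructed sample directory: a user left in the default CN=Users container,
# one moved to an OU, a disabled user (512 | 2 = 514), and a non-person object.
ENTRIES = [
    {"dn": "CN=alice,CN=Users,DC=mydomain,DC=lan", "objectClass": ["top", "person", "user"],
     "userPrincipalName": "alice@mypublicdomain.fr", "userAccountControl": 512},
    {"dn": "CN=bob,OU=Mail,DC=mydomain,DC=lan", "objectClass": ["top", "person", "user"],
     "userPrincipalName": "bob@mypublicdomain.fr", "userAccountControl": 512},
    {"dn": "CN=carol,OU=Mail,DC=mydomain,DC=lan", "objectClass": ["top", "person", "user"],
     "userPrincipalName": "carol@mypublicdomain.fr", "userAccountControl": 514},
    {"dn": "CN=PRN1,CN=Computers,DC=mydomain,DC=lan", "objectClass": ["top", "computer"],
     "userPrincipalName": "prn1@mypublicdomain.fr", "userAccountControl": 4096},
]


def _rdns(dn):
    """Lower-cased RDN list of a simple DN (no escaped commas in this sample data)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(dn, base, scope="subtree"):
    """True if dn lies within base for LDAP scope 'base', 'one' or 'subtree'."""
    d, b = _rdns(dn), _rdns(base)
    if len(d) < len(b) or d[-len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1}.get(scope, True)


def matches_user_filter(entry, upn):
    """Model of (&(userPrincipalName=%u)(objectClass=person)
    (!(userAccountControl:1.2.840.113556.1.4.803:=2))): the OID names the
    LDAP bit-AND matching rule, so the last clause drops disabled accounts."""
    if entry.get("userPrincipalName", "").lower() != upn.lower():
        return False
    if "person" not in (c.lower() for c in entry.get("objectClass", [])):
        return False
    return not (int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)


def search(upn, base, scope="subtree"):
    """DNs the filter would return for %u = upn under the given base and scope."""
    return [e["dn"] for e in ENTRIES
            if in_scope(e["dn"], base, scope) and matches_user_filter(e, upn)]
```

On a real domain controller, a subtree search rooted at the domain naming context also returns referrals to the other naming contexts, which this offline model ignores; how the LDAP client library handles those referrals is part of what Dovecot and Postfix see in practice.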

22

Re: AD integration

For information, here's the Dovecot log file when an authentication is successful. We can see that a lot of things are missing when it doesn't work smile:

Apr 19 13:18:42 auth(default): Info: new auth connection: pid=16646
Apr 19 13:18:57 auth(default): Info: client in: AUTH    1       PLAIN   service=imap    secured lip=127.0.0.1   rip=127.0.0.1   lport=143       rport=60773     resp=AHNtYXJ0aW5AZnJhbm3h5Z2VuZS5mcgBzbTEyMzQ1NiE=
Apr 19 13:18:57 auth(default): Info: ldap(user@mypublicdomain.fr,127.0.0.1): bind search: base=cn=users,dc=resfrox,dc=lan filter=(&(userPrincipalName=user@mypublicdomain.fr)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Apr 19 13:18:57 auth(default): Info: ldap(user@mypublicdomain.fr,127.0.0.1): result: objectClass(?unknown?)= cn(?unknown?)= sn(?unknown?)= givenName(?unknown?)= distinguishedName(?unknown?)= instanceType(?unknown?)= whenCreated(?unknown?)= whenChanged(?unknown?)= displayName(?unknown?)= uSNCreated(?unknown?)= memberOf(?unknown?)= uSNChanged(?unknown?)= name(?unknown?)= objectGUID(?unknown?)= userAccountControl(?unknown?)= badPwdCount(?unknown?)= codePage(?unknown?)= countryCode(?unknown?)= badPasswordTime(?unknown?)= lastLogoff(?unknown?)= lastLogon(?unknown?)= pwdLastSet(?unknown?)= primaryGroupID(?unknown?)= objectSid(?unknown?)= accountExpires(?unknown?)= logonCount(?unknown?)= sAMAccountName(?unknown?)= sAMAccountType(?unknown?)= userPrincipalName(?unknown?)= objectCategory(?unknown?)= dSCorePropagationData(?unknown?)= lastLogonTimestamp(?unknown?)=
Apr 19 13:18:57 auth(default): Info: client out: OK     1       user=user@mypublicdomain.fr
Apr 19 13:18:57 auth(default): Info: master in: REQUEST 2       16624   1
Apr 19 13:18:57 auth(default): Info: ldap(user@mypublicdomain.fr,127.0.0.1): user search: base=cn=users,dc=localdomain,dc=lan scope=subtree filter=(&(userPrincipalName=user@mypublicdomain.fr)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) fields=
Apr 19 13:18:57 auth(default): Info: ldap(user@mypublicdomain.fr,127.0.0.1): result: objectClass(?unknown?)= cn(?unknown?)= sn(?unknown?)= givenName(?unknown?)= distinguishedName(?unknown?)= instanceType(?unknown?)= whenCreated(?unknown?)= whenChanged(?unknown?)= displayName(?unknown?)= uSNCreated(?unknown?)= memberOf(?unknown?)= uSNChanged(?unknown?)= name(?unknown?)= objectGUID(?unknown?)= userAccountControl(?unknown?)= badPwdCount(?unknown?)= codePage(?unknown?)= countryCode(?unknown?)= badPasswordTime(?unknown?)= lastLogoff(?unknown?)= lastLogon(?unknown?)= pwdLastSet(?unknown?)= primaryGroupID(?unknown?)= objectSid(?unknown?)= accountExpires(?unknown?)= logonCount(?unknown?)= sAMAccountName(?unknown?)= sAMAccountType(?unknown?)= userPrincipalName(?unknown?)= objectCategory(?unknown?)= dSCorePropagationData(?unknown?)= lastLogonTimestamp(?unknown?)=
Apr 19 13:18:57 auth(default): Info: master out: USER   2       user@mypublicdomain.fr        home=/home/mail/mypublicdomain.fr/user/Maildir/       mail=maildir:/home/mail/mypublicdomain.fr/user/Maildir/
Apr 19 13:18:57 imap-login: Info: Login: user=<user@mypublicdomain.fr>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Loading modules from directory: /usr/lib/dovecot/modules/imap
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Module loaded: /usr/lib/dovecot/modules/imap/lib10_quota_plugin.so
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Module loaded: /usr/lib/dovecot/modules/imap/lib11_imap_quota_plugin.so
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Module loaded: /usr/lib/dovecot/modules/imap/lib20_autocreate_plugin.so
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Effective uid=1000, gid=1000, home=/home/mail/mypublicdomain.fr/user/Maildir/
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Quota root: name=user backend=dict args=:proxy::quotadict
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Quota rule: root=user mailbox=* bytes=0 messages=0
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Quota warning: bytes=0 (85%) messages=0 command=/usr/local/bin/dovecot-quota-warning.sh 85
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Quota warning: bytes=0 (90%) messages=0 command=/usr/local/bin/dovecot-quota-warning.sh 90
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Quota warning: bytes=0 (95%) messages=0 command=/usr/local/bin/dovecot-quota-warning.sh 95
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: dict quota: user=user@mypublicdomain.fr, uri=proxy::quotadict, noenforcing=0
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Namespace: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: maildir: data=/home/mail/mypublicdomain.fr/user/Maildir/
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: maildir++: root=/home/mail/mypublicdomain.fr/user/Maildir, index=, control=, inbox=/home/mail/mypublicdomain.fr/user/Maildir
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Namespace: type=shared, prefix=Shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=yes
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: shared: root=, index=, control=, inbox=
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Namespace : Using permissions from /home/mail/mypublicdomain.fr/user/Maildir: mode=0700 gid=-1

23

Re: AD integration

Does the command below work for you?

# ldapsearch -x -b 'dc=mydomain,dc=lan' -D 'MYDOMAIN\vmail' -W "(&(userPrincipalName=user@mypublicdomain.fr)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

If not, please add '-d 256' after 'ldapsearch' and try again. Please paste the output of both commands here (REMOVE sensitive info before posting).

24

Re: AD integration

I tried; it doesn't work. Same result with -d 256.
I tried with MYDOMAIN\vmail and vmail@mydomain.lan.

Here's the error:

ldap_bind: Invalid DN syntax (34)
        additional info: invalid DN

Thanks smile

25

Re: AD integration

nicolasfo wrote:

ldap_bind: Invalid DN syntax (34)

It complains that "MYDOMAIN\vmail" is an invalid DN. Did you try to use 'vmail' instead? For example:

# ldapsearch ... -D 'vmail' ...