1 Topic by elektra_for_ever

  • elektra_for_ever
  • Member
  • Offline
  • Registered: 2013-10-25
  • Posts: 2

Topic: Active directory mail attribute

==== Required information ====
- iRedMail version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Linux/BSD distribution name and version:
- Related log if you're reporting an issue:
======== Required information ====
- iRedMail version: Latest
- Linux/BSD distribution name and version: Ubuntu 12.04.3 LTS
====

Hi all,

I just installed iRedmail and integrated it to Samba 4.1.0 AD mode followind your tutorial and frankly, this was probably the easiest experience I had connecting an AD to a linux mail server.

I had to modify a few things though:
for the "# postmap -q user@example.com ldap:/etc/postfix/ad_virtual_mailbox_maps.cf and # postmap -q user@example.com ldap:/etc/postfix/ad_sender_login_maps.cf" quries to work I had to modify the impacted cf files references to:
search_base     = dc=example,dc=com

So I wondered if there was a problem with that.

also, the " # postmap -q testgroup@example.com ldap:/etc/postfix/ad_virtual_group_maps.cf " query doesn't work for me though I can connect to the DC, the group is exists and there is a user inside.

the log says that:

postmap: dict_ldap_debug: ldap_create
postmap: dict_ldap_debug: ldap_url_parse_ext(ldap://irispassDC.irispass.lan:389)
postmap: dict_ldap_debug: ldap_sasl_bind
postmap: dict_ldap_debug: ldap_send_initial_request
postmap: dict_ldap_debug: ldap_new_connection 1 1 0
postmap: dict_ldap_debug: ldap_int_open_connection
postmap: dict_ldap_debug: ldap_connect_to_host: TCP irispassDC.irispass.lan:389
postmap: dict_ldap_debug: ldap_new_socket: 4
postmap: dict_ldap_debug: ldap_prepare_socket: 4
postmap: dict_ldap_debug: ldap_connect_to_host: Trying 192.168.1.10:389
postmap: dict_ldap_debug: ldap_pvt_connect: fd: 4 tm: 10 async: 0
postmap: dict_ldap_debug: ldap_ndelay_on: 4
postmap: dict_ldap_debug: ldap_int_poll: fd: 4 tm: 10
postmap: dict_ldap_debug: ldap_is_sock_ready: 4
postmap: dict_ldap_debug: ldap_ndelay_off: 4
postmap: dict_ldap_debug: ldap_pvt_connect: 0
postmap: dict_ldap_debug: ldap_open_defconn: successful
postmap: dict_ldap_debug: ldap_send_server_request
postmap: dict_ldap_debug: ber_scanf fmt ({it) ber:
postmap: dict_ldap_debug: ber_scanf fmt ({i) ber:
postmap: dict_ldap_debug: ber_flush2: 50 bytes to sd 4
postmap: dict_ldap_debug: ldap_result ld 0x7fcb7872a6d0 msgid 1
postmap: dict_ldap_debug: wait4msg ld 0x7fcb7872a6d0 msgid 1 (timeout 10000000 usec)
postmap: dict_ldap_debug: wait4msg continue ld 0x7fcb7872a6d0 msgid 1 all 1
postmap: dict_ldap_debug: ** ld 0x7fcb7872a6d0 Connections:
postmap: dict_ldap_debug: * host: irispassDC.irispass.lan  port: 389  (default)
postmap: dict_ldap_debug:   refcnt: 2  status: Connected
postmap: dict_ldap_debug:   last used: Thu Oct 24 18:10:49 2013
postmap: dict_ldap_debug:
postmap: dict_ldap_debug: ** ld 0x7fcb7872a6d0 Outstanding Requests:
postmap: dict_ldap_debug:  * msgid 1,  origid 1, status InProgress
postmap: dict_ldap_debug:    outstanding referrals 0, parent count 0
postmap: dict_ldap_debug:   ld 0x7fcb7872a6d0 request count 1 (abandoned 0)
postmap: dict_ldap_debug: ** ld 0x7fcb7872a6d0 Response Queue:
postmap: dict_ldap_debug:    Empty
postmap: dict_ldap_debug:   ld 0x7fcb7872a6d0 response count 0
postmap: dict_ldap_debug: ldap_chkResponseList ld 0x7fcb7872a6d0 msgid 1 all 1
postmap: dict_ldap_debug: ldap_chkResponseList returns ld 0x7fcb7872a6d0 NULL
postmap: dict_ldap_debug: ldap_int_select
postmap: dict_ldap_debug: read1msg: ld 0x7fcb7872a6d0 msgid 1 all 1
postmap: dict_ldap_debug: ber_get_next
postmap: dict_ldap_debug: ber_get_next: tag 0x30 len 12 contents:
postmap: dict_ldap_debug: read1msg: ld 0x7fcb7872a6d0 msgid 1 message type bind
postmap: dict_ldap_debug: ber_scanf fmt ({eAA) ber:
postmap: dict_ldap_debug: read1msg: ld 0x7fcb7872a6d0 0 new referrals
postmap: dict_ldap_debug: read1msg:  mark request completed, ld 0x7fcb7872a6d0 msgid 1
postmap: dict_ldap_debug: request done: ld 0x7fcb7872a6d0 msgid 1
postmap: dict_ldap_debug: res_errno: 0, res_error: <>, res_matched: <>
postmap: dict_ldap_debug: ldap_free_request (origid 1, msgid 1)
postmap: dict_ldap_debug: ldap_parse_result
postmap: dict_ldap_debug: ber_scanf fmt ({iAA) ber:
postmap: dict_ldap_debug: ber_scanf fmt (}) ber:
postmap: dict_ldap_debug: ldap_msgfree
postmap: dict_ldap_debug: ldap_search_ext
postmap: dict_ldap_debug: put_filter: "(&(objectClass=group)(mail=mailgroup@irispass.lan))"
postmap: dict_ldap_debug: put_filter: AND
postmap: dict_ldap_debug: put_filter_list "(objectClass=group)(mail=mailgroup@irispass.lan)"
postmap: dict_ldap_debug: put_filter: "(objectClass=group)"
postmap: dict_ldap_debug: put_filter: simple
postmap: dict_ldap_debug: put_simple_filter: "objectClass=group"
postmap: dict_ldap_debug: put_filter: "(mail=mailgroup@irispass.lan)"
postmap: dict_ldap_debug: put_filter: simple
postmap: dict_ldap_debug: put_simple_filter: "mail=mailgroup@irispass.lan"
postmap: dict_ldap_debug: ldap_send_initial_request
postmap: dict_ldap_debug: ldap_send_server_request
postmap: dict_ldap_debug: ber_scanf fmt ({it) ber:
postmap: dict_ldap_debug: ber_scanf fmt ({) ber:
postmap: dict_ldap_debug: ber_flush2: 144 bytes to sd 4
postmap: dict_ldap_debug: ldap_result ld 0x7fcb7872a6d0 msgid 2
postmap: dict_ldap_debug: wait4msg ld 0x7fcb7872a6d0 msgid 2 (timeout 10000000 usec)
postmap: dict_ldap_debug: wait4msg continue ld 0x7fcb7872a6d0 msgid 2 all 1
postmap: dict_ldap_debug: ** ld 0x7fcb7872a6d0 Connections:
postmap: dict_ldap_debug: * host: irispassDC.irispass.lan  port: 389  (default)
postmap: dict_ldap_debug:   refcnt: 2  status: Connected
postmap: dict_ldap_debug:   last used: Thu Oct 24 18:10:49 2013
postmap: dict_ldap_debug:
postmap: dict_ldap_debug: ** ld 0x7fcb7872a6d0 Outstanding Requests:
postmap: dict_ldap_debug:  * msgid 2,  origid 2, status InProgress
postmap: dict_ldap_debug:    outstanding referrals 0, parent count 0
postmap: dict_ldap_debug:   ld 0x7fcb7872a6d0 request count 1 (abandoned 0)
postmap: dict_ldap_debug: ** ld 0x7fcb7872a6d0 Response Queue:
postmap: dict_ldap_debug:    Empty
postmap: dict_ldap_debug:   ld 0x7fcb7872a6d0 response count 0
postmap: dict_ldap_debug: ldap_chkResponseList ld 0x7fcb7872a6d0 msgid 2 all 1
postmap: dict_ldap_debug: ldap_chkResponseList returns ld 0x7fcb7872a6d0 NULL
postmap: dict_ldap_debug: ldap_int_select
postmap: dict_ldap_debug: read1msg: ld 0x7fcb7872a6d0 msgid 2 all 1
postmap: dict_ldap_debug: ber_get_next
postmap: dict_ldap_debug: ber_get_next: tag 0x30 len 12 contents:
postmap: dict_ldap_debug: read1msg: ld 0x7fcb7872a6d0 msgid 2 message type search-result
postmap: dict_ldap_debug: ber_scanf fmt ({eAA) ber:
postmap: dict_ldap_debug: read1msg: ld 0x7fcb7872a6d0 0 new referrals
postmap: dict_ldap_debug: read1msg:  mark request completed, ld 0x7fcb7872a6d0 msgid 2
postmap: dict_ldap_debug: request done: ld 0x7fcb7872a6d0 msgid 2
postmap: dict_ldap_debug: res_errno: 0, res_error: <>, res_matched: <>
postmap: dict_ldap_debug: ldap_free_request (origid 2, msgid 2)
postmap: dict_ldap_debug: ldap_parse_result
postmap: dict_ldap_debug: ber_scanf fmt ({iAA) ber:
postmap: dict_ldap_debug: ber_scanf fmt (}) ber:
postmap: dict_ldap_debug: ldap_msgfree
postmap: dict_ldap_debug: ldap_free_connection 1 1
postmap: dict_ldap_debug: ldap_send_unbind
postmap: dict_ldap_debug: ber_flush2: 7 bytes to sd 4
postmap: dict_ldap_debug: ldap_free_connection: actually freed


another question I have:

My AD users have mail adressed stored on the mail attribute of their accounts.
these do not necessarly belong the domain for example:

user1 is on the domain irispass.lan but has user1@gmail.com as mail attribute stored on his account in the AD db.

is it possible for iRedmail instead of creating a mailbox "user1@irispass.lan" to use user1@gmail.com stored in the mail attribute of the account? if so how?

Thanks a lot and keep up the good work.

Kris.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,091

Re: Active directory mail attribute

elektra_for_ever wrote:

I had to modify the impacted cf files references to:
search_base     = dc=example,dc=com
So I wondered if there was a problem with that.

If it returns proper value, it's fine, it will SLIGHTLY impact ldap server performance.

dc=xx,dc=xx is the root dn, it contains all ldap objects. That means if you search from dc=xx,dc=xx, it will query all ldap objects. So if you can search from a sub container, like 'ou=users,dc=xx,dc=xx', or even small like 'ou=xx, ou=users,dc=xx,dc=xx', it will be better for performance. Similar to 'LIMIT 1' (found one matched record, then abort instead of continuing querying the whole table) in SQL command, to narrow the search area.

It's about performance, but it does NOT mean you will have a BAD performance.

elektra_for_ever wrote:

also, the " # postmap -q testgroup@example.com ldap:/etc/postfix/ad_virtual_group_maps.cf " query doesn't work for me though I can connect to the DC, the group is exists and there is a user inside.
the log says that:
postmap: dict_ldap_debug: ldap_create

I cannot find any error in log, connection is ok, just returns empty value. So, does it return something if you query with the same LDAP filter on iRedMail server with command "ldapsearch"? For example:

# ldapsearch -x -h "AD_server_address_here" -D 'bind_dn_here' -W -b "dc=xx,dc=xx"
elektra_for_ever wrote:

is it possible for iRedmail instead of creating a mailbox "user1@irispass.lan" to use user1@gmail.com stored in the mail attribute of the account? if so how?

Sorry, i don't quite understand what you mean. (forgive my poor english please)

3 Reply by elektra_for_ever

  • elektra_for_ever
  • Member
  • Offline
  • Registered: 2013-10-25
  • Posts: 2

Re: Active directory mail attribute

Hi and thank you so much for answering

I had to modify the impacted cf files references to:
search_base     = dc=example,dc=com
So I wondered if there was a problem with that.

"It's about performance, but it does NOT mean you will have a BAD performance."

Ok thanks, anyway it works like that and only like that. probably because of Samba 4.1.0 structure because if "cn=users,dc=xx,dc=xx" no value will be returned for any of the 3 queries.( I will try to find out though)

For the virtual_group_maps query, I had to modif this according to the tutorial : "If your group account doesn't contains attribute 'mail' and 'userPrincipalName', please try 'query_filter = (&(objectClass=group)(sAMAccountName=%u))' instead."

it works now.

elektra_for_ever wrote:

    is it possible for iRedmail instead of creating a mailbox "user1@irispass.lan" to use user1@gmail.com stored in the mail attribute of the account? if so how?

Sorry, i don't quite understand what you mean. (forgive my poor english please)

Well when you create a user in Samba 4.1.0 AD mode, there is an option switch to define its mail  address : --mail-address=MAIL_ADDRESS

So "samba-tool user create newuser P@ssword --mail-address=newuser@gmail.com" will create your user and define "newuser@gmail.com" in the user's AD mail attribute

...sorry, I realized how stupid it was from me... as even if mail attribute is set to gmail or hotmail or anything else, there is no way for those services to be accessed only with AD authentication anyway...right?

thanks a lot. Kris

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,091

Re: Active directory mail attribute

elektra_for_ever wrote:

as even if mail attribute is set to gmail or hotmail or anything else, there is no way for those services to be accessed only with AD authentication anyway...right?

Yes.
Mails sent to @gmail.com will be sent to mail servers defined in DNS record of 'gmail.com', it will never sent to your server directly.