1

Topic: Installing the LDAP version with password synchronization with AD ?

Installing the LDAP version with password synchronization with AD
Has anyone tried this option?
https://camratus.com/blog/OpenLdap_%E2% … through-12

I want to keep the most authentic control and the ability to create aliases between domains.

The server is now configured for authorization to hell, but it is necessary that all letters coming to domain2 arrive at exactly the same addresses of the main domain1,

without loading an alias list (user1@domain1 -> user1@domain2). There are a lot of users, so I would like to get functionality like on Gmail, Yandex and other mail servers,

where you simply specify domain2 as an alias of domain1.

2

Re: Installing the LDAP version with password synchronization with AD ?

Didn't try this before.

3 (edited by CrashXRU 2022-06-09 17:11:01)

Re: Installing the LDAP version with password synchronization with AD ?

Solved the problem of authorization between LDAP and AD.


Debian 11

Config: interfaces & resolv.conf

Checking:
ldapsearch -x -h dc.domain.local -D 'iredmail@domain.local' -w SUPA_DUPA_FLY -b 'dc=domain,dc=local'
ldapsearch -x -h dc.domain.local -D 'domain\iredmail' -w SUPA_DUPA_FLY -b 'dc=domain,dc=local'



apt install sasl2-bin
saslauthd -v

Edit options:
nano /etc/default/saslauthd

START=yes

MECHANISMS="ldap"

nano /etc/saslauthd.conf

ldap_servers: ldap://dc.domain.local
ldap_search_base: dc=domain,dc=local
ldap_timeout: 10
ldap_filter: sAMAccountName=%U
ldap_bind_dn: domain\iredmail
ldap_password: SUPA_DUPA_FLY
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind

service saslauthd restart


At this stage, it is possible to test whether SASL operates fine, by attempting a connection with an AD user:
testsaslauthd -u user1@domain.local -p AbcPassword

Create the /etc/ldap/sasl2/slapd.conf file (if it doesn't exist) and fill it with:
nano /etc/ldap/sasl2/slapd.conf

pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

Add the ldap user to the sasl group:
adduser openldap sasl


service slapd restart && service saslauthd restart

For each user whose password must be validated by the remote Active Directory, fill the password field with:
{SASL}<test2>@<domain.local>


https://c2n.me/4fSkWLq

TEST WEB/ APPS


For full support in iRedAdmin, please add:

- the ability to specify a password like {SASL}<user>@<domain.local>
- a global block on changing passwords for all users

Thus there will be a complete migration from AD, with full preservation of the functionality of iRedAdmin and iRedAdmin Pro.

One of these days I will finish synchronizing users from a domain controller.
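As an added example (not code from the thread or from iRedMail), a small Python helper that parses a saslauthd.conf like the one posted above, flags the settings that let the bind credentials and user passwords cross the wire in clear, and builds the LDIF that sets a user's password attribute to the {SASL} pass-through form. The sample config values are constructed from the post; the DN in the test is a placeholder.

```python
# Audit a saslauthd.conf for the LDAP pass-through setup described in the
# thread, and emit the LDIF that defers a user's password check to AD.
# SAMPLE_CONF is constructed from the values shown in the post.
SAMPLE_CONF = """\
ldap_servers: ldap://dc.domain.local
ldap_search_base: dc=domain,dc=local
ldap_filter: sAMAccountName=%U
ldap_bind_dn: domain\\iredmail
ldap_password: SUPA_DUPA_FLY
ldap_start_tls: no
ldap_auth_method: bind
"""


def parse_saslauthd_conf(text):
    """Parse 'key: value' lines; blank lines and '#' comments are skipped.
    Only the first ':' separates key from value, so URLs stay intact."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return findings about how the bind to the domain controller is protected."""
    findings = []
    servers = conf.get("ldap_servers", "")
    start_tls = conf.get("ldap_start_tls", "no").lower() == "yes"
    if servers.startswith("ldap://") and not start_tls:
        findings.append("plain ldap:// without ldap_start_tls: bind password and "
                        "every user password cross the wire unencrypted; "
                        "use ldaps:// or ldap_start_tls: yes")
    if "ldap_password" in conf:
        findings.append("bind password is stored in the file: keep it mode 0600 "
                        "and give the bind account read-only rights in AD")
    return findings


def sasl_passthrough_ldif(dn, user, realm):
    """LDIF that replaces userPassword with the {SASL}user@realm form, so
    slapd hands this entry's password checks to saslauthd (and so to AD)."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: userPassword\n"
            f"userPassword: {{SASL}}{user}@{realm}\n")
```

Feed the LDIF to `ldapmodify` against the OpenLDAP entry, then verify with `testsaslauthd` as the post does.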