1

Topic: AD integration problems when AD domain different from mail domain

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.3
- Linux/BSD distribution name and version: Ubuntu 14.04.3 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro?
- Related log if you're reporting an issue:
====
Hi all,

Can someone please help me with the integration of iRedMail with AD in the case where the Windows domain is not identical to the mail domain? I have tried following this, but I couldn't make it work: http://www.iredmail.org/forum/topic3165 … omain.html

I need the easiest and simplest way to integrate mail domain domain.com with AD intnet.domain.com.

I tried the advice of Zhang in that topic, in /etc/postfix/ad*.cf to use %u@intnet.domain.com instead of %s, but it doesn't help. One thing that is confusing me: does the search need to have the intnet or not? Because if the search is how it will look in the AD, then without intnet it will not match the user, no?

During the iredmail setup when it asked me about the first virtual domain I said domain.com which looked like the right thing to do.

I have made a similar setup about a year ago and it worked but in that case the AD and mail domain were identical.

I'm getting stuck with this project and I would appreciate if someone gives me a hand to get the authentication/search part right. Thanks in advance.

Darko.


2

Re: AD integration problems when AD domain different from mail domain

darkodimitrovski wrote:

I tried the advice of Zhang in that topic, in the /etc/postfix/ad*.cf to use %u@intnet.domain.com instead of %s but it doesn't help. One thing that is confusing me, does the search need to have the intnet or not? Because if the search is how it will look in the AD, then without intnet it will not match the user, no?

What do you mean by "it doesn't help"? Does it return nothing, or does it return an incorrect value?

Please set `debuglevel = 1` in file /etc/postfix/ad_*.cf, then query the user manually. It will now print detailed debug messages.

For example:

postmap -q user@example.com ldap:/etc/postfix/ad_virtual_mailbox_maps.cf

3

Re: AD integration problems when AD domain different from mail domain

Yes, it doesn't return anything. I currently have it set up with the original integration config (after various attempts I returned to the original config), where mail domain and Windows domain are identical, and that works. I have also checked Roundcube login and an outgoing test mail, all good. But coming from a domain that I do not want to use for mail... sad

Let me get that debug for you.

4

Re: AD integration problems when AD domain different from mail domain

What I did now was:
In ad_sender_login_maps.cf and ad_virtual_mailbox_maps.cf, in the query_filter, I replaced '%s' with '%u@domain.com' and set the debug level to 1.

Here is what postmap -q test1@domain.com ldap:/etc/postfix/ad_virtual_mailbox_maps.cf returns:
-----
postmap: dict_ldap_debug: ** ld 0x55f3b9b4c4f0 Connections:
postmap: dict_ldap_debug: * host: dc1.intnet.domain.com  port: 389  (default)
postmap: dict_ldap_debug:   refcnt: 2  status: Connected
postmap: dict_ldap_debug:   last used: Sun Dec 27 15:17:55 2015
postmap: dict_ldap_debug:
postmap: dict_ldap_debug: ** ld 0x55f3b9b4c4f0 Outstanding Requests:
postmap: dict_ldap_debug:  * msgid 2,  origid 2, status InProgress
postmap: dict_ldap_debug:    outstanding referrals 0, parent count 0
postmap: dict_ldap_debug:   ld 0x55f3b9b4c4f0 request count 1 (abandoned 0)
postmap: dict_ldap_debug: ** ld 0x55f3b9b4c4f0 Response Queue:
postmap: dict_ldap_debug:    Empty
postmap: dict_ldap_debug:   ld 0x55f3b9b4c4f0 response count 0
-----
Do you need the rest of the debug? I think this is the important part that confirms connection with dc1 and returns empty answer to the query.

I am beginning to doubt if I am modifying the ad_ files correctly. If the internal Windows domain is 'intnet.domain.com' and the public domain for mail is 'domain.com', how exactly do I need to hardcode the %s replacement?

As '%u@domain.com' or '%u@intnet.domain.com'? With the second option I think the query works, but that is not the domain I want to use for the mail. In such a query the domain part is identical to the Windows internal domain, so the query naturally works.

Darko.

5

Re: AD integration problems when AD domain different from mail domain

darkodimitrovski wrote:

Do you need the rest of the debug?

Please always paste FULL output.

6

Re: AD integration problems when AD domain different from mail domain

OK Zhang, sorry. But I think I managed to get it going in the meantime. I think I was doing it the other way around.

I was trying to hardcode the public domain when in fact you need to hardcode the internal domain, right? Which makes sense because the LDAP query needs the internal domain.

I have now tested with this:
1. In ad_sender_login_maps.cf and ad_virtual_mailbox_maps.cf I replaced the '%s' with '%u@intnet.domain.com' and reloaded postfix.
2. In dovecot-ldap.conf I replaced the '%u' with '%n@intnet.domain.com' and restarted dovecot.

After that, Roundcube allowed me to log in with test1@domain.com, and the test mail sent from the Roundcube webmail arrived as from test1@domain.com.

Earlier this was not working. It was allowing me login only with test1@intnet.domain.com and the test mails were arriving as from this address too.

I'll need further tests but so far it looks good. Is the above the correct way of hardcoding?

Darko.
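Added example, not code from the thread or from iRedMail: a small offline model of how Postfix ldap_table(5) expands %s / %u / %d in `query_filter` and how Dovecot's LDAP passdb expands %u / %n / %d, run against a constructed in-memory stand-in for the domain controller. It reproduces the two configurations from this post (hardcoding the public domain, which returns nothing, versus hardcoding the AD realm, which matches), and adds one check a practitioner would want: once the domain part of the lookup key is thrown away by `%u@intnet.domain.com`, a lookup for `test1@any-other-domain` resolves to the same AD user unless the map's `domain` parameter restricts lookups to the mail domain. The directory entries, the `result_attribute` and the file/parameter names of the maps are assumptions; the real ad_*.cf files generated by iRedMail are not reproduced here.

```python
"""Offline model of Postfix/Dovecot LDAP query expansion against a
constructed stand-in for AD. Added example; no directory is contacted."""
import re

# Constructed sample directory. The AD (UPN) realm is intnet.domain.com,
# the public mail domain the thread wants is domain.com.
FAKE_AD = [
    {"dn": "CN=test1,CN=Users,DC=intnet,DC=domain,DC=com",
     "objectClass": ["top", "person", "user"],
     "sAMAccountName": "test1",
     "userPrincipalName": "test1@intnet.domain.com"},
    {"dn": "CN=test2,CN=Users,DC=intnet,DC=domain,DC=com",
     "objectClass": ["top", "person", "user"],
     "sAMAccountName": "test2",
     "userPrincipalName": "test2@intnet.domain.com"},
]


def ldap_escape(value):
    """RFC 4515 escaping, as Postfix applies to %s/%u/%d and Dovecot to
    %u/%n/%d before inserting them into a filter: a key of '*@domain.com'
    searches for a literal asterisk instead of becoming a wildcard."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def expand_postfix(query_filter, key):
    """Expand %s (whole key), %u (localpart) and %d (domain) of a Postfix
    LDAP query_filter. Returns None when %d is used but the key has no
    domain part, the case in which Postfix suppresses the lookup."""
    local, sep, domain = key.partition("@")
    if "%d" in query_filter and not sep:
        return None
    return (query_filter.replace("%s", ldap_escape(key))
            .replace("%u", ldap_escape(local if sep else key))
            .replace("%d", ldap_escape(domain)))


def expand_dovecot(filter_template, username):
    """Dovecot variables: %u whole login name, %n user part, %d domain."""
    local, sep, domain = username.partition("@")
    return (filter_template.replace("%u", ldap_escape(username))
            .replace("%n", ldap_escape(local))
            .replace("%d", ldap_escape(domain)))


def _parse(s, i=0):
    """Tiny parser for the filter subset used here: (&...), (|...) and
    (attr=value) equality items. Returns (node, index after item)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1            # skip the closing ')'
    j = s.index(")", i)                     # escaped parens are \28 / \29
    attr, value = s[i:j].split("=", 1)
    return ("=", attr, value), j + 1


def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), v)


def _match(node, entry):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(_match(k, entry) for k in node[1])
    _, attr, value = node
    have = entry.get(attr, [])
    have = have if isinstance(have, list) else [have]
    if value == "*":                        # presence test
        return bool(have)
    return _unescape(value).lower() in (h.lower() for h in have)


def postfix_lookup(cf, key, directory=FAKE_AD):
    """Simulate `postmap -q key ldap:cf` for a cf dict holding query_filter,
    result_attribute and an optional `domain` list. With `domain` set,
    ldap_table(5) only queries keys of the form user@<listed domain>."""
    local, sep, domain = key.partition("@")
    if "domain" in cf and (not sep or not local
                           or domain.lower() not in cf["domain"]):
        return []                           # skipped before any query
    flt = expand_postfix(cf["query_filter"], key)
    if flt is None:
        return []
    tree, _ = _parse(flt)
    return [e[cf["result_attribute"]] for e in directory if _match(tree, e)]


# result_attribute is an assumption for this model, not iRedMail's value.
AS_FIRST_TRIED = {   # hardcoding the public domain: no UPN matches
    "query_filter": "(&(userPrincipalName=%u@domain.com)(objectClass=user))",
    "result_attribute": "sAMAccountName"}
WORKING = {          # hardcoding the AD realm, as settled on in this post
    "query_filter": "(&(userPrincipalName=%u@intnet.domain.com)(objectClass=user))",
    "result_attribute": "sAMAccountName"}
RESTRICTED = dict(WORKING, domain=["domain.com"])   # added domain guard

DOVECOT_FILTER = "(&(userPrincipalName=%n@intnet.domain.com)(objectClass=user))"

if __name__ == "__main__":
    for name, cf in (("as first tried", AS_FIRST_TRIED),
                     ("working", WORKING), ("restricted", RESTRICTED)):
        for key in ("test1@domain.com", "test1@other.example", "*@domain.com"):
            print("%-15s %-22s -> %s" % (name, key, postfix_lookup(cf, key)))
    print(expand_dovecot(DOVECOT_FILTER, "test1@domain.com"))
```

The `domain` parameter is what keeps the hardcoded realm from turning every `anything@whatever` sender-login or mailbox lookup into a hit on the same AD account; the escaping shows why a `*` or `(` in the lookup key cannot widen the filter. The real check on the live system remains the `postmap -q` call with `debuglevel = 1` from post 2.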

7

Re: AD integration problems when AD domain different from mail domain

darkodimitrovski wrote:

Is the above the correct way of hardcoding?

Yes.