Hi Ismail

> By the way, can you please tell us what you did to enable AD support in 
> qmail-ldap?  I am trying to integrate all useful patches into qmail-ldap 
> as a tarball.
> I would like to enable AD support too.

I got most of my info from the mailing list archives for qmail-ldap.

There are several posts with people who say it is possible to query AD
just by changing the ldap values in qmail-ldap.h.  I can confirm that,
because that is what I have working.  For example, set "#define
LDAP_UID" as sAMAccountName or userPrincipalName depending on how you
want your users to log in.  

There is a thread where I found a patch to deal with the
userAccountControl attribute of AD.  

http://marc.info/?l=qmail-ldap&m=117031804500233&w=2

I wasn't able to get these patches working off the bat, but now that I
have a working system, I may go back and take another crack at them.  In
the meantime, I have set LDAP_ISACTIVE to userAccountControl, and
ISACTIVE_ACTIVE to 66048 and ISACTIVE_BOUNCE to 66050 (the correct
values for a normal AD user account with password never expires), which
gives me the same results as these patches, except that I can't have
some users with passwords that never expire and some that do.

I found another thread:

http://marc.info/?l=qmail-ldap&m=117581086321393&w=2 

that describes setting the AD user up with unix attributes by using SFU
on a windows server.  Didn't fit my situation, but is definitely
relevant here.

I hope you find that useful...

> 
> Thanks
> 
> 
> Ismail YENIGUL
> Team Leader / Takim Lideri
> SurGATE Labs
> Phone :+90 216-4709423 | Mobile:+90 533 747 36 65
> SurGATE: West Coast Labs Premium Anti-Spam Certificated
> Twitter: http://www.twitter.com/surgate
> Blog: http://www.surgate.com/blog
> 
> On 30.03.2012 07:13, Bob Miller wrote:
> > Gennedy,
> >
> > Thank you so much, enabling ldaprebind solved the problem
> >
> >
> > On Fri, 2012-03-30 at 07:54 +0400, Геннадий Марченко wrote:
> >> Hello Bob,
> >>
> >> What state of ldapprebind file in qmail/control/ ?
> >>
> >> Best wishes,
> >> Gennady.
> >>
> >> Bob Miller писал 30.03.2012 04:47:
> >>> Hi Nicolas,
> >>>
> >>> Thank you for your response.
> >>>
> >>> I have tried both SMTPAUTH="" and SMTPAUTH="TLSREQUIRED".  In both cases
> >>> the authentication failed, even though the correct search string appears
> >>> to have been passed to samba4's ldb. it's as though qmail is able to do
> >>> a lookup, but isn't able to verify that the password is correct...
> >>>
> >>>
> >>> On Fri, 2012-03-30 at 01:12 +0100, Nicolas de Bari Embriz Garcia Rojas
> >>> wrote:
> >>>> Hi, check that your /var/qmail/control/qmail-smtpd.rules have
> >>>> something like
> >>>>
> >>>> :allow,SMTPAUTH=""
> >>>>
> >>>>
> >>>>
> >>>> On Fri, Mar 30, 2012 at 12:10 AM, Bob Miller <b...@computerisms.ca> wrote:
> >>>>> greetings
> >>>>>
> >>>>> I have been trying to get qmail-ldap to work with samba4's Active
> >>>>> Directory implementation.  It seems that all parts are working with the
> >>>>> exception of smtpauth.
> >>>>>
> >>>>> WHAT WORKS: When I send a mail to the system, it successfully verifies
> >>>>> if a user exists and denies if the user doesn't exist.  qmail-ldaplookup
> >>>>> -m/-u both run without error and report what I would expect to see.
> >>>>> When I set samba4 into a debug mode, I can see the ldb query coming
> >>>>> through in the logs.  In fairness, those logs do not report success or
> >>>>> failure of the lookup, or the values returned, but the fact that things
> >>>>> work indicates the ldap communication to samba4 was a success.  I also
> >>>>> take these successes to mean my ~controls/ldap* files are set up
> >>>>> correctly.  I can also use ldbsearch to verify my user/pass info is
> >>>>> correct.
> >>>>>
> >>>>> SMTPAUTH: I have compiled with TLS and enabled SMTPAUTH="TLSREQUIRED", I
> >>>>> can verify the encryption is working because when I rename the cert, I
> >>>>> get an error in qmail's logs when it is not working (presumably thanks
> >>>>> to TLSDEBUG).  I gather from what I have read that that is all I need to
> >>>>> do.  There were mentions in the life with qmail-ldap that some extra
> >>>>> arguments are required in the run script, but I found some mailing list
> >>>>> post that says that is not required.
> >>>>>
> >>>>> BROKEN: When I try to send an authenticated mail using thunderbird, I see
> >>>>> the following in qmail logs:
> >>>>>
> >>>>> auth login
> >>>>> authentication failed: authentication failure
> >>>>>
> >>>>> However, the samba4 logs continue to indicate a valid search query is
> >>>>> being made.  When I base64-encode my user/pass and use telnet to test
> >>>>> the smtp connection, I get the exact same symptoms as using thunderbird;
> >>>>> the samba4 logs indicate a good search string and the qmail logs say
> >>>>> authentication failure.
> >>>>>
> >>>>> TRIED: I have scoured the mailing lists, there are those who say active
> >>>>> directory works out of the box just by modifying qmail-ldap.h, there are
> >>>>> those who say you need to modify qldap.c and/or qmail-ldaplookup.c in
> >>>>> order to account for userAccountControl.  Over the last days, I have
> >>>>> tried any patches/suggestions that could apply to samba4 (as opposed to
> >>>>> windows server), but not one of them has solved this problem.
> >>>>>
> >>>>> In the interest of not making this a novel nobody wants to read, I will
> >>>>> leave out the remaining details on what I have done and which articles I
> >>>>> have referenced, but I can make that info available.
> >>>>>
> >>>>> If anyone can get me pointed in the right direction, I would truly
> >>>>> appreciate it...
> >>>>>
> >>>>> --
> >>>>> Bob Miller
> >>>>> 867-334-7117 / 867-633-3760
> >>>>> http://computerisms.ca
> >>>>> b...@computerisms.ca
> >>>>> Network, Internet, Server,
> >>>>> and Open Source Solutions
> >>>>>
> >>>>
> >>>>

-- 
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
b...@computerisms.ca
Network, Internet, Server,
and Open Source Solutions
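The ISACTIVE_ACTIVE=66048 / ISACTIVE_BOUNCE=66050 workaround described at the top of this message compares the whole userAccountControl value, which is why accounts whose passwords do expire fall outside both values. This added example (not qmail-ldap code) decodes those numbers into their well-known AD flag bits and contrasts the exact-match check with a flag-based one; the account names and values are constructed.

```python
"""Decode AD userAccountControl values and compare two activity checks.

Added example, not part of qmail-ldap. The flag names and bit values are
the well-known userAccountControl bits from Microsoft's documentation.
"""

# Subset of userAccountControl bits relevant to mail-account activity.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000010: "LOCKOUT",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

# Values from the thread: 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
# 66050 = the same plus ACCOUNTDISABLE.
ISACTIVE_ACTIVE = 66048
ISACTIVE_BOUNCE = 66050


def decode_uac(value):
    """Return the sorted names of the known flag bits set in value."""
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)


def exact_match_state(value):
    """Whole-value comparison, as the thread's workaround does."""
    if value == ISACTIVE_ACTIVE:
        return "active"
    if value == ISACTIVE_BOUNCE:
        return "bounce"
    return "unknown"  # e.g. a normal account whose password does expire


def flag_state(value):
    """Bit test on ACCOUNTDISABLE only; other bits no longer matter."""
    return "bounce" if value & 0x000002 else "active"


# Constructed sample directory entries (not real data).
SAMPLE_ACCOUNTS = {
    "alice": 66048,  # normal account, password never expires
    "bob": 66050,    # disabled, password never expires
    "carol": 512,    # normal account, password expires
    "dave": 514,     # disabled, password expires
}


def classify_all(policy):
    """Apply one of the two policies to every sample account."""
    return {user: policy(uac) for user, uac in SAMPLE_ACCOUNTS.items()}
```

With the exact-match policy carol and dave come back "unknown", while the bit test classifies all four accounts.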
