A long time ago, in a galaxy far, far away, someone said...

> Hi, this is my first post here, but it is an important question
> that I have and I will appreciate any help you guys can give me.
>
> I'm working as a consultant for a company that wants to have an email
> server (POP3, IMAP and WebMail) authenticating in their Windows 2000
> Active Directory forest. I installed a Slackware 8, kernel 2.4.18, with
> Courier-IMAP/POP3 1.4.3 and OpenLDAP 2.0.23, but I cannot make it work.

The LDAP module for Courier cannot use AD as a LDAP data source -
Microsoft created their own schema for users in AD, and does not provide
enough information for Courier (or any other non-AD-aware MTA, AFAICT) to
either make a delivery or for Courier IMAP/POP3 to know where to find the
users' mailbox.

In theory (I haven't gotten far enough in my research in this matter to be
sure) Exim will be able to deliver to Maildirs based in part on
information in AD.  But you'll still have a problem with getting the
messages out of the users' INBOXes.

As such, you have 3 options:

1) Unix services for NT/2k, which will export the AD forest as NIS maps;
LDAP won't be needed any more, as all AD users will appear in NIS as Unix
users.

2) Create a custom authentication module that allows you to use various
"data sources" (LDAP, SQL, hard-coded defaults, PAM) for delivering &
retrieving messages.  This will allow the Courier SMTP, IMAP & POP3
components to do their job.

3) A mail system running on Windows :(

> I configured Courier-IMAP/POP3 to make LDAP queries like this:
> (suppose my domain is abcd.br and my user is username@dmz in a server
> dmz.abcd.br with IP address 10.96.0.9)
>
> LDAP_SERVER = 10.96.0.3
> LDAP_PORT   = 389
> LDAP_BASEDN = ou=users, dc=abcd, dc=br

You need to use port 3268.

LDAP_BASEDN may not be correct, either.  The correct value depends on how
the OUs are set up in the AD forest.

> LDAP_BINDDN and LDAP_BINDPW are still mysterious to me. Do I need
> them? This user must be an AD admin!?

LDAP_BINDDN = abcd.br\administrator
LDAP_BINDPW = the administrator password

> LDAP_MAIL   = cn     (Is this the field in AD that the lookup should use?)

The attribute cn exists in the MS AD schema, but, just like in the
posixAccount schema, this typically holds the person's full name.

The attribute sAMAccountName is probably what you're looking for.

> LDAP_DOMAIN = abcd.br
> LDAP_CLEARPW = clearPassword  (Is it the right choice?)

No, as user passwords are not accessible via LDAP in AD.  They are
accessible via the Kerberos PAM modules, however.

That's why I said a custom authentication module needs to be developed.

[...]

> - I think the LDAP query is just fine, am I right?

Nope.  Unfortunately, LDAP won't cut it.

> - For me the problem seems to be that W2K is not allowing me to query
> AD and that this: "Invalid credentials" message is just about it. I've
> tried to use LDAP_BINDDN and LDAP_BINDPW with an administrator
> username and password with no different results.

Answered above.

> - I couldn't find my password sent in these packets... and couldn't figure
> out why...
>
> Is there somebody who can give me any light on this?! I read the
> documentation but it is not oriented to people trying to work with W2K
> LDAP database, just an OpenLDAP database... and Microsoft search for the
> error message helped nothing...
>
> Sorry for the long email... I will try to get all the help, solve the
> problem and then write a paper about it... maybe a mini-HOWTO for others
> that may be in the same situation...

I'll keep you apprised with what I find out in my research :)

-- 

Phil
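The AD user lookup the thread is trying to configure, as an added example that is not code from the original posts or from the Courier project: it builds the LDAP filter around the sAMAccountName attribute the reply points at instead of cn, escapes the login per RFC 4515 so a login containing filter metacharacters cannot change what the query matches, and checks a proposed set of LDAP_* values against the points raised in the reply (cn vs. sAMAccountName, port 3268, passwords not being readable over LDAP). The function names, the objectClass clause and the sample values are assumptions made for the example.

```python
"""Safe AD user filter construction and a lint of LDAP_* settings.
Added example; not from the courier-users thread or the Courier project."""

# RFC 4515 section 3: characters that must be escaped as \XX inside an
# assertion value so the value cannot be read as filter syntax.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ad_user_filter(login: str, mail_attr: str = "sAMAccountName") -> str:
    """Filter matching one AD user by logon name.

    mail_attr mirrors the LDAP_MAIL setting from the thread; the reply
    suggests sAMAccountName rather than cn.  The objectClass clause is an
    assumption added to narrow the match to user objects.
    """
    return f"(&(objectClass=user)({mail_attr}={escape_filter_value(login)}))"


def check_settings(settings: dict) -> list:
    """Return the problems the reply raises against a proposed LDAP_* setup.

    Each rule encodes one point made in the reply; the messages are
    constructed for this example.
    """
    problems = []
    if settings.get("LDAP_MAIL") == "cn":
        problems.append("LDAP_MAIL=cn matches the full name; use sAMAccountName")
    if "LDAP_CLEARPW" in settings:
        problems.append("LDAP_CLEARPW cannot work: AD does not expose passwords over LDAP")
    if str(settings.get("LDAP_PORT", "")) != "3268":
        problems.append("LDAP_PORT should be 3268 for AD lookups (per the reply)")
    if not settings.get("LDAP_BINDDN"):
        problems.append("LDAP_BINDDN is required to bind to AD")
    return problems


if __name__ == "__main__":
    # Constructed sample mirroring the settings quoted in the thread.
    proposed = {
        "LDAP_SERVER": "10.96.0.3",
        "LDAP_PORT": "389",
        "LDAP_BASEDN": "ou=users, dc=abcd, dc=br",
        "LDAP_MAIL": "cn",
        "LDAP_CLEARPW": "clearPassword",
    }
    for p in check_settings(proposed):
        print("problem:", p)
    # A hostile login is neutralised rather than widening the search.
    print(ad_user_filter("*)(objectClass=*"))
```

Running the script prints the four problems the reply identifies with the quoted configuration, followed by the escaped filter, in which the `*`, `(` and `)` of the hostile login appear as `\2a`, `\28` and `\29` so the search still matches at most one account.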


_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
