lst_ho...@kwsoft.de wrote:
Quote from Goutam Baul <goutam.b...@cesc.co.in>:

Hello Everybody,

I am facing a scenario where the client needs a mailing solution while the user information will be kept in a Microsoft Active Directory server. I was trying to search for any material that talks about whether it is possible to make postfix and courier-imap talk to Microsoft ADS. I have done an implementation with OpenLDAP but not with ADS. Another workaround might be to have LDAP for the mailing solution and create an application for user management that ensures that the LDAP and the ADS are always in sync. This would not be an elegant one, and it would be great if the mailing solution (postfix, courier-imap, courier-authlib, all in Linux) could talk to the ADS.

May I request some pointers please?
For user authentication Postfix uses SASL, which in turn can use PAM, which is able to do NTLM (Windows authentication) against a Windows domain.

For routing information you can query the DCs with LDAP if you have the necessary fields stored there (normally the case if MS-Exchange is used as mailstore).

I have done it some time ago but the details are lost :-(

Regards
Andreas
There are several ways I know how you could do this on Linux:

1. Use "389 Directory Server" (formerly Fedora Directory Server, which is formerly the Netscape Directory Server) to regularly sync the AD users and groups to a local replication store, and use ordinary pam_ldap/libnss_ldap to authenticate your postfix straight to the 389 directory server.

2. Use Samba + Winbind + pam_winbind to extract and provide usernames/groups, UID/GIDs to postfix.

3. Assuming your active directory is schema version 31 or above (the schema that comes in Windows Server 2003 R2), you can enable RFC 2307 information directly in AD and use pam_krb5 and pam_ldap to have your postfix box pull that information straight out of AD (instructions from Scott Lowe's blog at http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/).

4. If your AD schema is not version 31 or above (Windows Server 2003, Windows SBS Server 2003 R2 and below), use Scott Lowe's instructions for getting the same thing happening, using Services For Unix (http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/).

5. Purchase a proprietary product to authenticate Linux directly to AD (such as the Quest Authentication Services, http://www.quest.com/active-directory/directory-consolidation.aspx; CA might also have one as a part of their Unicenter TNG suite; Centrify have toolsets as well).

I've deployed options 2, 3 & 4 in production environments before. Option 2 was a multitude of times easier to get working than options 3 & 4, but in some distributions winbindd has some severe bugs (RHEL 4.4, 4.5, 4.6). If you can't move off these platforms because your vendor won't support their application, you're forced to go another route.

Although I've never deployed it before, Option 1 in theory is also a sound way to go.

Of course, option 5 is another way to go, if you're willing to pay the licensing fees.

Regards,
Stewart
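Andreas's remark about querying the DCs over LDAP for routing information, and Stewart's option 3 of having the postfix box pull data straight out of AD, as an added example that is not part of this thread or of any poster's setup: a Postfix ldap_table(5) lookup that resolves a recipient address against AD's proxyAddresses attribute and maps it to the account's local mailbox name. The domain, DC hostnames, bind DN, CA file and the file path /etc/postfix/ad_virtual.cf are placeholders.

```ini
# /etc/postfix/ad_virtual.cf  (hypothetical path; placeholder values throughout)
#
# Assumed environment: AD domain example.com with DCs dc1/dc2, and a
# dedicated read-only service account used only for these lookups.
# Talk LDAPS to the DCs and verify their certificate chain so the bind
# password and directory data never cross the wire in clear text.
server_host = ldaps://dc1.example.com:636 ldaps://dc2.example.com:636
version = 3
tls_require_cert = yes
tls_ca_cert_file = /etc/ssl/certs/ad-root-ca.pem
timeout = 10

# AD refuses anonymous searches of user objects, so bind with a
# least-privilege account. Keep this file mode 0640, owner root,
# group postfix, because it holds the password.
bind = yes
bind_dn = CN=postfix-ldap,OU=Service Accounts,DC=example,DC=com
bind_pw = CHANGE_ME

search_base = DC=example,DC=com
scope = sub

# Match either the primary mail attribute or any secondary SMTP address
# held in proxyAddresses ("smtp:alias@example.com"; AD compares these
# case-insensitively). Postfix replaces %s with the lookup key after
# applying RFC 4515 quoting, so an inbound address cannot inject extra
# filter terms. The final clause excludes disabled accounts
# (userAccountControl bit 2 tested with the LDAP_MATCHING_RULE_BIT_AND
# OID), so mail for a disabled user is rejected rather than queued.
query_filter = (&(objectCategory=person)(objectClass=user)(|(mail=%s)(proxyAddresses=smtp:%s))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# Hand back the Windows logon name as the local recipient.
result_attribute = sAMAccountName
result_format = %s@example.com
```

Wire it in with `virtual_alias_maps = ldap:/etc/postfix/ad_virtual.cf` in main.cf and check a single lookup from the command line with `postmap -q alias@example.com ldap:/etc/postfix/ad_virtual.cf`; an empty result for an address that exists usually means the bind account cannot read the attribute or the query_filter does not match how proxyAddresses is populated. Because only enabled, real user objects match, the same table is safe to use for recipient validation at SMTP time, which keeps the queue free of mail for accounts that no longer exist.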