On Fri, Sep 03, 2010 at 02:45:41PM -0500, Seann wrote:

> My current issue with Postfix is that I am not able to
> get the LDAP account mapping to work correctly with my Active Directory
> security settings.

Postfix supports LDAP servers that offer:

- No authentication, allowing anonymous queries
- Simple password authentication (possibly via TLS).
- Client cert authentication (via TLS).

> My AD LDAP system requires strong authentication, by
> means of SASL signing of the LDAP connections, as outlined in this
> document: http://support.microsoft.com/kb/935834.

The Postfix LDAP driver does not support LDAP SASL mechanisms other than
"simple".

> I can't get Postfix to
> connect VIA SSL (Which is my usual work around since it seems only Samba
> does this, by way of client ldap sasl wrapping = sign in the
> configuration).

Postfix supports TLS connections to LDAP, either "LDAP" inside SSL
("ldaps") or STARTTLS over LDAP.

> # Server config
> server_host = ldap://DC.domain.net

If you are not using an SSL-specific LDAP port, you need to
use "start_tls = yes" to enable TLS over LDAP.

> search_base = CN=Users,DC=domain,DC=net
> version = 3
> start_tls = no
> query_filter = (&(objectclass=person)(|(mail=%s)(othermailbox=%s)))
> result_attribute = samaccountname
> result_format = %s/Mail/
> bind = yes
> bind_dn = CN=admin,CN=Users,DC=domain,DC=net
> bind_pw = p...@s$w0rd
> tls_cert = /etc/pki/tls/certs/server.crt
> tls_key = /etc/pki/tls/private/server.key
> tls_ca_cert_file = /etc/pki/tls/certs/ca_domain.crt
> tls_require_cert = no
> tls_random_file = /dev/urandom

So, what happens when you enable TLS?
--
Viktor.
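As an added illustration (not part of the original thread), here is the quoted LDAP table rewritten the way the reply suggests: STARTTLS turned on for the plain LDAP port, and the AD domain controller's certificate actually verified against the configured CA file instead of being accepted blindly. The file name /etc/postfix/ad_users.cf, the lookup address and the bind_pw placeholder are assumptions; the hostname, base DN, filter and attribute come from the quoted config.

```ini
# /etc/postfix/ad_users.cf  (assumed file name; added example, not from the thread)
#
# Weak settings in the quoted config and why they matter:
#   start_tls = no         -> the simple bind sends bind_pw in clear text on port 389
#   tls_require_cert = no  -> even with TLS, any certificate is accepted (no MITM protection)

# Plain LDAP port: TLS must be negotiated with STARTTLS.
server_host = ldap://DC.domain.net
start_tls = yes
# Alternative to the two lines above, if the DC offers LDAP-over-SSL on 636:
#   server_host = ldaps://DC.domain.net

version = 3
search_base = CN=Users,DC=domain,DC=net
query_filter = (&(objectclass=person)(|(mail=%s)(othermailbox=%s)))
result_attribute = samaccountname
result_format = %s/Mail/

# "simple" bind is the only SASL mechanism the Postfix LDAP driver supports,
# so protect the credential with TLS rather than with LDAP signing.
bind = yes
bind_dn = CN=admin,CN=Users,DC=domain,DC=net
bind_pw = CHANGE_ME_placeholder

# Verify the server certificate; ca_domain.crt must contain the CA that
# issued the domain controller's certificate, or the lookup fails closed.
tls_require_cert = yes
tls_ca_cert_file = /etc/pki/tls/certs/ca_domain.crt

# Client certificate: only needed if the DC is configured to require one.
tls_cert = /etc/pki/tls/certs/server.crt
tls_key = /etc/pki/tls/private/server.key
```

Check the table from the command line with `postmap -q user@domain.net ldap:/etc/postfix/ad_users.cf` (address assumed); a certificate or CA mismatch shows up as a TLS error in the mail log rather than as a silent fallback to clear text.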