Re: Qmail-LDAP and AD Howto
Hey all!

I think your HOWTO is way too complicated! One doesn't have to install SFU - all you need is to set *control/ldaprebind* to '1' and users can log in with their AD password as well. Here are all the changes needed to run qmail-ldap with the vanilla AD schema:

$ cat ~/qmail-1.03-mps/qmail-ldap.h
...
#define LDAP_MAIL      "mail"
#define LDAP_MAILSTORE "mail"
#define LDAP_UID       "mail"
...
$ cat /var/qmail/control/ldapmessagestore
/home/vmail

I also prefer using 'mail' as LDAP_UID, thus users will log in using their full email address and AD password. Also setting LDAP_MAILSTORE to 'mail' (remember this value can be relative to the Message Store) and *control/ldapmessagestore* to '/home/vmail' will generate virtual users' folders like this:

$ ll /home/vmail/
total 488
drwx------ 3 vmail vmail 4096 Apr 2 13:18 anastasia.ne...mps.bg
drwx------ 4 vmail vmail 4096 Apr 2 13:18 andrei.atana...mps.bg
drwx------ 3 vmail vmail 4096 Apr 2 13:18 andrey.geo...mps.bg
drwx------ 3 vmail vmail 4096 Apr 2 13:18 angel.dimi...mps.bg
drwx------ 3 vmail vmail 4096 Apr 2 13:18 antoaneta.rad...mps.bg
drwx------ 3 vmail vmail 4096 Apr 2 13:18 youliy.ni...mps.bg
drwx------ 3 vmail vmail 4096 Apr 2 13:18 zdravko.hleb...mps.bg
drwx------ 3 vmail vmail 4096 Apr 2 13:18 zdravko.stoy...mps.bg

One could test if it's ok by running both:

$ cd ~/qmail-1.03-mps/
$ ./qmail-ldaplookup -u user's_email_address
$ ./qmail-ldaplookup -m user's_email_address

The results should be for the same person in both cases (switches -u and -m) and both should find 1 result. This configuration will allow users to use AUTH_SMTP (with TLS) with the full email address as username and the AD password, as well.

As for the 'userAccountControl' usage, I think your implementation needs some tailoring (see below why). First, some information. The 'userAccountControl' attribute in AD is a set of flags. The flags are cumulative. Right, to disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512) where:

Property flag          Value in hexadecimal   Value in decimal
ACCOUNTDISABLE         0x0002                 2
LOCKOUT                0x0010                 16
PASSWD_CANT_CHANGE     0x0040                 64
NORMAL_ACCOUNT         0x0200                 512
DONT_EXPIRE_PASSWORD   0x10000                65536

These are the default UserAccountControl values for certain objects:
* Typical user : 0x200 (512)
* Domain controller : 0x82000 (532480)
* Workstation/server: 0x1000 (4096)

For the full list of possible flags visit: http://support.microsoft.com/kb/305144.

You're using values 512 and 514 but some accounts might have the PASSWD_CANT_CHANGE or DONT_EXPIRE_PASSWORD flags set, so these values will not match. You have to mask it before the case:

if (r != OK) fail(q, qldap_get_status, r);
switch (status & 0x202) {
case STATUS_BOUNCE:
...

It's going to be a nice HOWTO anyway and we should put it in the Wiki documentation as well! :)

Regards,
Zdravko

Carlos wrote:
> Hi people,
> I made a simple howto and patch to install and configure qmail-ldap to authenticate against AD.
> The Howto and patch are attached.
> Excuse my English.
> Good luck,
> Carlos

--
Zdravko Stoychev
System Software and Support
MPS Ltd.
[EMAIL PROTECTED]
+359-2-491-1827 (ext.271)
If I do not reply to your messages, look here: http://6lyokavitza.org/mail
Re: Qmail-LDAP and AD Howto
OK, just realised that the following is incorrect:

Zdravko Stoychev wrote:
> You have to mask it before the case:
>
> if (r != OK) fail(q, qldap_get_status, r);
> switch (status & 0x202) {
> case STATUS_BOUNCE:
> ...

Actually the file *qldap.c* should be modified (see the qldap_get_status() function implementation).

--
Zdravko Stoychev
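The masking described in the two messages above (mask userAccountControl with 0x202 inside the status lookup in qldap.c), written out as an added example; this is not code from the thread or from qmail-ldap, the UF_* macros and the uac_status codes are this example's own labels rather than qldap.c's STATUS_* set, and the flag values are the ones the table above lists.

```c
/* Added example, not from the thread or qmail-ldap: classify an AD account
 * from userAccountControl by masking flags instead of comparing the raw
 * value to 512/514. Flag values are those listed in the thread (KB 305144);
 * the UF_* names and uac_status codes are this example's own labels. */
#include <errno.h>
#include <stdlib.h>

#define UF_ACCOUNTDISABLE       0x0002UL
#define UF_LOCKOUT              0x0010UL
#define UF_PASSWD_CANT_CHANGE   0x0040UL
#define UF_NORMAL_ACCOUNT       0x0200UL
#define UF_DONT_EXPIRE_PASSWORD 0x10000UL

/* Hypothetical result codes; qldap.c uses its own STATUS_* set. */
enum uac_status { UAC_OK, UAC_DISABLED, UAC_NOT_USER, UAC_BAD_VALUE };

/* LDAP hands userAccountControl over as a decimal string, e.g. "66050".
 * Returns 0 on success, -1 if the value is missing or not a clean number. */
int uac_parse(const char *s, unsigned long *out)
{
    char *end;
    if (s == NULL || *s == '\0') return -1;
    errno = 0;
    *out = strtoul(s, &end, 10);
    return (errno != 0 || *end != '\0') ? -1 : 0;
}

/* The check the thread proposes: look only at the 0x202 bits. Any other
 * flag (PASSWD_CANT_CHANGE, DONT_EXPIRE_PASSWORD, ...) is ignored. */
enum uac_status uac_classify(unsigned long uac)
{
    unsigned long masked = uac & (UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE);
    if (!(masked & UF_NORMAL_ACCOUNT)) return UAC_NOT_USER; /* computer, DC, ... */
    if (masked & UF_ACCOUNTDISABLE) return UAC_DISABLED;
    return UAC_OK;
}

/* Wrapper for the raw attribute value. A missing or malformed attribute is
 * reported as such rather than silently treated as an active account. */
enum uac_status uac_classify_attr(const char *value)
{
    unsigned long uac;
    if (uac_parse(value, &uac) != 0) return UAC_BAD_VALUE;
    return uac_classify(uac);
}

/* The comparison the thread warns against, kept for contrast: it rejects a
 * perfectly active user whose password is set not to expire (512 + 65536). */
int uac_naive_is_active(unsigned long uac)
{
    return uac == 512UL;
}
```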
Re: Qmail-LDAP and AD Howto
I think not, Mario. The patch is complete. I tested it and it is working. Test it and tell me the result.

[]'s
Carlos

On 05 Apr 2007, Mário_Gamito wrote:
> Hi,
>
> I think the patch is incomplete. Maybe your e-mail exceeded the message size limit of the list. Or some mistake?
>
> [In Portuguese] It seems your patch is incomplete. Did your mail exceed the limit allowed by the list, or did you make a mistake somewhere? [/In Portuguese]
>
> Best Regards,
> Mário Gamito
Re: Qmail-LDAP and AD Howto
Hi,

I think the patch is incomplete. Maybe your e-mail exceeded the message size limit of the list. Or some mistake?

[In Portuguese] It seems your patch is incomplete. Did your mail exceed the limit allowed by the list, or did you make a mistake somewhere? [/In Portuguese]

Best Regards,
Mário Gamito

Carlos wrote:
> Hi people,
> I made a simple howto and patch to install and configure qmail-ldap to authenticate against AD.
> The Howto and patch are attached.
> Excuse my English.
> Good luck,
> Carlos
>
> QMAIL-LDAP + AD INTEGRATE
>
> * Objective
> Authenticate against a Windows AD Server with qmail-ldap.
>
> * System tested
> Windows 2003 Server with SP2
> OpenSuse Linux-10.2 and Ubuntu 6.10
> qmail-ldap-1.03-20060201.patch
>
> * Install process
> First install Windows 2003 Server, and after the installation finishes, install SFU (MS Services for Unix) with NIS support. After this add a new user in AD and in the new tab Unix Attributes choose the domain and click OK. Change the user's password again. FINISH :-)
>
> Now on your linux system, follow the steps of the site http://www.qmail-ldap.org/wiki/Full_Installation_Guide. In the step Basic Qmail Installation, after applying the qmail-ldap patch:
>
> ++
> cd /usr/local/src
> wget http://200.4.48.8/pub/mail-tools/qmail/dist/qmail-1.03.tar.gz
> wget http://www.nrg4u.com/qmail/qmail-ldap-1.03-20060201.patch.gz
> tar xvfz qmail-1.03.tar.gz
> cd qmail-1.03
> zcat ../qmail-ldap-1.03-20060201.patch.gz | patch -p1
> ++
>
> Apply my patch
>
> ++
> cd /usr/local/src/qmail-1.03
> patch -p1 < /var/src/qmail-ad.patch
> patching file Makefile
> patching file qmail-ldap.h
> patching file qmail-ldaplookup.c
> ++
>
> And continue the steps from the site.
> Finish :D
>
> ---
> My control files (my domain is test.com)
>
> ldapbasedn cn=Users,dc=test,dc=com
> ldapdefaultdotmode both
> ldaplogin cn=Administrador,cn=Users,dc=test,dc=com
> ldapmessagestore /home/vmail
> ldapobjectclass User
> ldappassword mypass
> ldapserver (Ip address of AD) 192.168.2.11
> ldapuid 11184
> ldapgid 2110
> -
>
> good luck
> Carlos Cesario
> [EMAIL PROTECTED]

diff -uNr qmail-1.03.Ori/Makefile /var/src/qmail-1.03.ORI/Makefile --- qmail-1.03.Ori/Makefile 2007-04-05 06:19:17.0 -0300 +++ /var/src/qmail-1.03.ORI/Makefile 2007-03-07 15:46:34.0 -0300 @@ -19,7 +19,7 @@ # -DQMQP_COMPRESS to use the QMQP on the fly compression (for clusters) # -DQUOTATRASH to include the Trash in the quota calculation (normaly it is not) # -DSMTPEXECCHECK to enable smtp DOS/Windows executable detection -#LDAPFLAGS=-DQLDAP_CLUSTER -DEXTERNAL_TODO -DDASH_EXT -DDATA_COMPRESS -DQMQP_COMPRESS -DSMTPEXECCHECK +LDAPFLAGS=-DQLDAP_CLUSTER -DEXTERNAL_TODO -DDASH_EXT -DDATA_COMPRESS -DQMQP_COMPRESS -DSMTPEXECCHECK -DALTQUEUE # Perhaps you have different ldap libraries, change them here LDAPLIBS=-L/usr/local/lib -lldap -llber @@ -33,7 +33,7 @@ #LDAPINCLUDES=-I/opt/OpenLDAP/include # ZLIB needed for -DDATA_COMPRESS and -DQMQP_COMPRESS -#ZLIB=-lz +ZLIB=-lz # or you installed zlib in a different path you can use something like this #ZLIB=-L/opt/zlib/lib -lz #ZINCLUDES=-I/opt/zlib/include 
@@ -43,13 +43,13 @@ # use -DTLS_REMOTE to enable tls support in qmail-remote # use -DTLS_SMTPD to enable tls support in qmail-smtpd # use -DTLSDEBUG to enable additional tls debug information in qmail-remote -#TLS=-DTLS_REMOTE -DTLS_SMTPD +TLS=-DTLS_REMOTE -DTLS_SMTPD # Path to OpenSSL includes -#TLSINCLUDES=-I/usr/local/include +TLSINCLUDES=-I/usr/local/include # Path to OpenSSL libraries -#TLSLIBS=-L/usr/local/lib -lssl -lcrypto +TLSLIBS=-L/usr/local/lib -lssl -lcrypto # Path to OpenSSL binary -#OPENSSLBIN=/usr/local/bin/openssl +OPENSSLBIN=/usr/bin/openssl #OPENSSLBIN=openssl # to make the Netscape download progress bar work with qmail-pop3d @@ -57,13 +57,13 @@ MNW=-DMAKE_NETSCAPE_WORK # to enable the auto-maildir-make feature uncomment the next line -#MDIRMAKE=-DAUTOMAILDIRMAKE +MDIRMAKE=-DAUTOMAILDIRMAKE # to
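Review bot: the LDAPFLAGS line in the @@ -19,7 +19,7 @@ hunk does not just uncomment the shipped flag set, it also appends -DALTQUEUE, which neither the comment block above it nor the howto mentions; if it is intended, state what it requires, otherwise drop it so the patch only enables what the howto describes. Note too that every hunk shown is a Makefile build-option toggle rather than an AD-specific change; the changes the howto reports for qmail-ldap.h and qmail-ldaplookup.c do not appear in what reached the list.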
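Review bot: in the @@ -43,13 +43,13 @@ hunk OPENSSLBIN is moved to /usr/bin/openssl while TLSINCLUDES and TLSLIBS are left at /usr/local/include and /usr/local/lib; on the OpenSuse 10.2 and Ubuntu 6.10 systems the howto lists, the distro's OpenSSL headers and libraries live under /usr, so either all three settings should point at the distro install or all three at /usr/local, otherwise qmail-smtpd and qmail-remote are linked against a different OpenSSL than the binary used to generate certificates.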
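Review bot: the @@ -57,13 +57,13 @@ hunk stops after the `# to` comment line, so the patch as it appears on the list ends mid-hunk and `patch -p1` will reject the Makefile change, which is exactly the truncation Mário reports; the patch should be resent as an attachment (or gzipped) so the full hunk and the qmail-ldap.h and qmail-ldaplookup.c parts arrive intact.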