Hey all!
I think your HOWTO is way too complicated! One doesn't have to install
SFU - all you need is to set control/ldaprebind to '1' and
users can log in with their AD password as well. Here are all the
changes needed to run qmail-ldap with the vanilla AD schema:
$ cat ~/qmail-1.03-mps/qmail-ldap.h
...
#define LDAP_MAIL "mail"
#define LDAP_MAILSTORE "mail"
#define LDAP_UID "mail"
...
$ cat /var/qmail/control/ldapmessagestore
/home/vmail
I also prefer using 'mail' as LDAP_UID, so users will log in using
their full email address and AD password. Also, setting LDAP_MAILSTORE
to 'mail' (remember this value can be relative to the Message Store) and
control/ldapmessagestore to '/home/vmail' will generate virtual users'
folders like this:
$ ll /home/vmail/
total 488
drwx------ 3 vmail vmail 4096 Apr 2 13:18 anastasia.ne...mps.bg
drwx------ 4 vmail vmail 4096 Apr 2 13:18 andrei.atana...mps.bg
drwx------ 3 vmail vmail 4096 Apr 2 13:18 andrey.geo...mps.bg
drwx------ 3 vmail vmail 4096 Apr 2 13:18 angel.dimi...mps.bg
drwx------ 3 vmail vmail 4096 Apr 2 13:18 antoaneta.rad...mps.bg
....
drwx------ 3 vmail vmail 4096 Apr 2 13:18 youliy.ni...mps.bg
drwx------ 3 vmail vmail 4096 Apr 2 13:18 zdravko.hleb...mps.bg
drwx------ 3 vmail vmail 4096 Apr 2 13:18 zdravko.stoy...mps.bg
One could test if it's OK by running both:
$ cd ~/qmail-1.03-mps/
$ ./qmail-ldaplookup -u <user's_email_address>
$ ./qmail-ldaplookup -m <user's_email_address>
The results should be for the same person in both cases (switches -u
and -m) and both should find 1 result. This configuration will allow
users to use AUTH_SMTP (with TLS) with full email address as username
and AD password, as well.
As for the 'userAccountControl' usage, I think your implementation needs
some tailoring (see below why).
First, some information. The 'userAccountControl' attribute in AD is a
set of flags. The flags are cumulative. Right, to disable a user's
account, set the UserAccountControl attribute to 0x0202 (0x002 +
0x0200). In decimal, this is 514 (2 + 512) where:
Property flag         Value in hexadecimal  Value in decimal
ACCOUNTDISABLE        0x0002                2
LOCKOUT               0x0010                16
PASSWD_CANT_CHANGE    0x0040                64
NORMAL_ACCOUNT        0x0200                512
DONT_EXPIRE_PASSWORD  0x10000               65536
These are the default UserAccountControl values for certain objects:
- Typical user : 0x200 (512)
- Domain controller : 0x82000 (532480)
- Workstation/server: 0x1000 (4096)
For the full list of possible flags visit: http://support.microsoft.com/kb/305144.
You're using values 512 and 514, but some accounts might have the
PASSWD_CANT_CHANGE or DONT_EXPIRE_PASSWORD flags set, so these values will
not match. You have to mask it before the case statement:
if (r != OK) fail(q, "qldap_get_status", r);
switch (status & 0x202) {
case STATUS_BOUNCE:
...
It's going to be a nice HOWTO anyway, and we should put it in the Wiki
documentation as well! :)
Regards,
Zdravko
Carlos wrote:
Hi people,
I made a simple howto and patch to install and configure qmail-ldap
to authenticate against AD.
The Howto and patch are attached.
Excuse my English.
Good luck
Carlos
--
Zdravko Stoychev
System Software and Support
MPS Ltd.
zdravko.stoychev@mps.bg
+359-2-491-1827 (ext.271)
If I don't reply to your e-mails, look here: http://6lyokavitza.org/mail
This e-mail is intended only for the addressee(s) and may contain privileged and confidential information. It should not be disseminated, distributed, or copied. If you have received this e-mail message by mistake, please inform the sender, and delete it from your system.
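The userAccountControl masking described in the message above, as an added C example (not code from qmail-ldap or from either mail): the function and enum names, the decimal-string parsing and the sample values are assumptions; LDAP returns the attribute as a decimal string, so the example parses it and masks to 0x202 before classifying, which makes 66050 (514 + DONT_EXPIRE_PASSWORD) still count as disabled.

```c
/* Added example (not from the qmail-ldap sources or from the mail):
 * classify an AD userAccountControl value by masking out bits such as
 * PASSWD_CANT_CHANGE or DONT_EXPIRE_PASSWORD before comparing. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Flag bits from the table in the message (Microsoft KB 305144). */
#define UAC_ACCOUNTDISABLE 0x0002UL
#define UAC_NORMAL_ACCOUNT 0x0200UL
/* Only these two bits decide whether a normal user may log in. */
#define UAC_STATUS_MASK (UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE)

enum uac_status {
    UAC_STATUS_ACTIVE,   /* NORMAL_ACCOUNT set, ACCOUNTDISABLE clear */
    UAC_STATUS_DISABLED, /* NORMAL_ACCOUNT and ACCOUNTDISABLE both set */
    UAC_STATUS_UNKNOWN   /* not a normal user account, or unparsable */
};

/* Parse the decimal attribute value (as LDAP returns it), mask, classify. */
enum uac_status uac_classify(const char *value)
{
    char *end;
    unsigned long uac;
    if (value == NULL || *value == '\0')
        return UAC_STATUS_UNKNOWN;
    errno = 0;
    uac = strtoul(value, &end, 10);
    if (errno != 0 || *end != '\0')
        return UAC_STATUS_UNKNOWN;
    switch (uac & UAC_STATUS_MASK) { /* the mask the message asks for */
    case UAC_NORMAL_ACCOUNT:
        return UAC_STATUS_ACTIVE;
    case UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE:
        return UAC_STATUS_DISABLED;
    default:
        return UAC_STATUS_UNKNOWN;
    }
}

int main(void)
{
    /* constructed samples: plain, disabled, with DONT_EXPIRE_PASSWORD added */
    const char *samples[] = { "512", "514", "66048", "66050", "4096" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s -> %d\n", samples[i], (int)uac_classify(samples[i]));
    return 0;
}
```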