Saturday, October 4, 2008

QMAIL-LDAP + AD INTEGRATE

========================================
QMAIL-LDAP + AD INTEGRATE
========================================


* Objective

Authenticate qmail-ldap users against a Windows Active Directory (AD) server, i.e. use AD as the LDAP directory that qmail-ldap queries for accounts and password hashes instead of an OpenLDAP server with the qmail-ldap schema.

* System tested

Windows 2003 Server with SP2
openSUSE Linux 10.2 and Ubuntu 6.10
qmail-ldap-1.03-20060201.patch

* Install process

Windows side: install Windows 2003 Server and, once the installation has finished, install SFU (Microsoft Services for Unix) with NIS support (Server for NIS).
Then create the user in AD; in the user's properties open the new "UNIX Attributes" tab, choose the NIS domain and click OK.
Finally set the user's password again. This step is required: the Unix-style password hash that the patched qmail-ldap reads (attribute msSFU30Password, see the patch below) is only written when a password change happens after the UNIX attributes exist, so a user created before SFU was enabled has no usable hash until the password is reset.

FINISH :-)


Now on your Linux system follow the steps at http://www.qmail-ldap.org/wiki/Full_Installation_Guide.
In the step "Basic Qmail Installation", after applying the qmail-ldap patch:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
cd /usr/local/src
wget http://200.4.48.8/pub/mail-tools/qmail/dist/qmail-1.03.tar.gz
wget http://www.nrg4u.com/qmail/qmail-ldap-1.03-20060201.patch.gz
tar xvfz qmail-1.03.tar.gz
cd qmail-1.03
zcat ../qmail-ldap-1.03-20060201.patch.gz | patch -p1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Apply my patch (qmail-ad.patch, listed at the end of this post). The three "patching file" lines are the output of patch and confirm that all three files were modified:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
cd /usr/local/src/qmail-1.03
patch -p1 < /var/src/qmail-ad.patch
patching file Makefile
patching file qmail-ldap.h
patching file qmail-ldaplookup.c
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Then continue with the remaining steps from the installation guide (build, install, control files).

Finish :D


-----------------------------------------------------------
My control files in /var/qmail/control (my domain is test.com; one value per file)

ldapbasedn
cn=Users,dc=test,dc=com

ldapdefaultdotmode
both

ldaplogin (DN of the account qmail-ldap binds with)
cn=Administrador,cn=Users,dc=test,dc=com

ldapmessagestore
/home/vmail

ldapobjectclass
User

ldappassword
mypass

ldapserver (IP address of the AD domain controller)
192.168.2.11

ldapuid
11184

ldapgid
2110

Two things to check before using this in production. ldaplogin is the domain Administrator account and ldappassword holds its password in clear text; with the patch that account is also the one able to read every user's msSFU30Password hash, so a dedicated account with read-only rights on cn=Users is enough for the lookups, and ldappassword must be readable only by the qmail users that run the auth_* programs and qmail-lspawn. And because ldapserver is a bare IP address the bind happens over plain LDAP on port 389: the bind password and the users' hashes cross the network unencrypted, which is only acceptable on a trusted segment between the mail host and the domain controller.
---------------------------------------------------------
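Before building qmail it is worth checking from the Linux box that AD answers the exact query the patched qmail-ldap will send. The script below is an added example written for this post, not code from qmail-ldap or from the patch: it reads the control files above, builds the search filter the patch implies (objectClass from ldapobjectclass, login attribute "mail"), queries AD with OpenLDAP's ldapsearch, and contains two small helpers that contrast how the patch interprets userAccountControl (a literal string compare) with a proper test of the ACCOUNTDISABLE bit, which goes beyond what the post itself checks. QMAIL_CONTROL, the helper names, the attribute list in the ldapsearch call and the rule that the mailbox is ldapmessagestore/<sAMAccountName> are my assumptions drawn from reading the patch, not something the post states.

```shell
#!/bin/sh
# Added example, not part of the original post or of qmail-ldap: reproduce the
# lookup the patched qmail-ldap performs against AD so the AD side can be
# verified with ldapsearch before qmail is built. Control file names are the
# ones used in the post; QMAIL_CONTROL is an assumed override so the helpers
# can be exercised outside a qmail installation.
QMAIL_CONTROL="${QMAIL_CONTROL:-/var/qmail/control}"

# First line of a control file (e.g. ldapserver), without the newline.
control() {
    head -n 1 "$QMAIL_CONTROL/$1"
}

# Escape a value for use inside an LDAP search filter (RFC 4515), so a
# login name such as 'x*)(objectClass=*' cannot widen the search.
ldap_escape() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Filter for one user: objectClass from ldapobjectclass, and the login
# attribute is "mail" after the patch (LDAP_UID), so users log in as
# user@test.com rather than with a uid.  $1 = address, $2 = object class.
qldap_filter() {
    printf '(&(objectClass=%s)(mail=%s))' "$2" "$(ldap_escape "$1")"
}

# Account status as it should be derived from userAccountControl: the
# attribute is a bit mask and ACCOUNTDISABLE is bit 0x0002, so any value with
# that bit set is a disabled account whatever other flags are present.
uac_status() {
    case "$1" in
        ''|*[!0-9]*) echo invalid; return 1 ;;
    esac
    if [ $(( $1 & 2 )) -ne 0 ]; then echo disabled; else echo active; fi
}

# Account status as the patch actually decides it: a literal string compare
# against ISACTIVE_ACTIVE "512" and ISACTIVE_BOUNCE "514". The new
# ISACTIVE_ACTIVE_AD "66048" define is not referenced anywhere in the patch,
# so that value falls through as well.
uac_status_patch() {
    case "$1" in
        512) echo active ;;
        514) echo disabled ;;
        *)   echo undefined ;;
    esac
}

# Mailbox directory after the patch (my reading of LDAP_MAILSTORE being
# pointed at sAMAccountName): ldapmessagestore joined with the account name.
# Only plain directory names are accepted, so a crafted account name cannot
# escape the message store.  $1 = ldapmessagestore value, $2 = sAMAccountName.
maildir_path() {
    case "$2" in
        ''|.|..|*/*|*\\*|*' '*) return 1 ;;
    esac
    printf '%s/%s' "${1%/}" "$2"
}

# Live check against the domain controller using the post's control files
# (needs OpenLDAP's ldapsearch). -w puts the bind password on the command
# line, visible in ps, so run this only on the mail host as root.
ad_check_user() {
    filter=$(qldap_filter "$1" "$(control ldapobjectclass)")
    ldapsearch -x -LLL \
        -H "ldap://$(control ldapserver)" \
        -D "$(control ldaplogin)" -w "$(control ldappassword)" \
        -b "$(control ldapbasedn)" "$filter" \
        mail otherMailbox sAMAccountName userAccountControl msSFU30Password
}

# Usage: sh ad-check.sh user@test.com
case "${1:-}" in
    *@*) ad_check_user "$1" ;;
esac
```

Run it as "sh ad-check.sh user@test.com" on the mail host. A healthy account shows mail, sAMAccountName, userAccountControl 512 and a non-empty msSFU30Password; if msSFU30Password is missing, the password was not reset after the UNIX attributes were added (see the Windows steps above), and if userAccountControl is anything other than 512 or 514 the patch as written will not classify the account at all.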

Patch qmail-ad.patch (the file applied above with patch -p1)

diff -uNr qmail-1.03.Ori/Makefile /var/src/qmail-1.03.ORI/Makefile
--- qmail-1.03.Ori/Makefile 2007-04-05 06:19:17.000000000 -0300
+++ /var/src/qmail-1.03.ORI/Makefile 2007-03-07 15:46:34.000000000 -0300
@@ -19,7 +19,7 @@
# -DQMQP_COMPRESS to use the QMQP on the fly compression (for clusters)
# -DQUOTATRASH to include the Trash in the quota calculation (normaly it is not)
# -DSMTPEXECCHECK to enable smtp DOS/Windows executable detection
-#LDAPFLAGS=-DQLDAP_CLUSTER -DEXTERNAL_TODO -DDASH_EXT -DDATA_COMPRESS -DQMQP_COMPRESS -DSMTPEXECCHECK
+LDAPFLAGS=-DQLDAP_CLUSTER -DEXTERNAL_TODO -DDASH_EXT -DDATA_COMPRESS -DQMQP_COMPRESS -DSMTPEXECCHECK -DALTQUEUE

# Perhaps you have different ldap libraries, change them here
LDAPLIBS=-L/usr/local/lib -lldap -llber
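Review bot: the LDAPFLAGS line changes more than the AD integration needs: besides uncommenting it, the hunk appends -DALTQUEUE and keeps -DQLDAP_CLUSTER, -DDATA_COMPRESS and -DQMQP_COMPRESS, none of which the post mentions, and the two compression flags are what forces the ZLIB line in the next hunk. A patch meant for other people's trees should touch only what the AD lookup needs, or the post should state that these are the author's local build options. The file headers also deserve a fix: both sides are named as if they were the pristine tree (qmail-1.03.Ori and qmail-1.03.ORI) and the modified side carries an absolute /var/src path with the older timestamp; patch -p1 still finds Makefile through the --- name, but regenerating with `diff -uNr qmail-1.03.orig qmail-1.03` from a common parent directory would make direction and paths unambiguous.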
@@ -33,7 +33,7 @@
#LDAPINCLUDES=-I/opt/OpenLDAP/include

# ZLIB needed for -DDATA_COMPRESS and -DQMQP_COMPRESS
-#ZLIB=-lz
+ZLIB=-lz
# or you installed zlib in a different path you can use something like this
#ZLIB=-L/opt/zlib/lib -lz
#ZINCLUDES=-I/opt/zlib/include
@@ -43,13 +43,13 @@
# use -DTLS_REMOTE to enable tls support in qmail-remote
# use -DTLS_SMTPD to enable tls support in qmail-smtpd
# use -DTLSDEBUG to enable additional tls debug information in qmail-remote
-#TLS=-DTLS_REMOTE -DTLS_SMTPD
+TLS=-DTLS_REMOTE -DTLS_SMTPD
# Path to OpenSSL includes
-#TLSINCLUDES=-I/usr/local/include
+TLSINCLUDES=-I/usr/local/include
# Path to OpenSSL libraries
-#TLSLIBS=-L/usr/local/lib -lssl -lcrypto
+TLSLIBS=-L/usr/local/lib -lssl -lcrypto
# Path to OpenSSL binary
-#OPENSSLBIN=/usr/local/bin/openssl
+OPENSSLBIN=/usr/bin/openssl
#OPENSSLBIN=openssl

# to make the Netscape download progress bar work with qmail-pop3d
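Review bot: OPENSSLBIN is changed to /usr/bin/openssl while TLSINCLUDES and TLSLIBS still point at /usr/local/include and /usr/local/lib. On openSUSE 10.2 and Ubuntu 6.10 OpenSSL is a distribution package living under /usr, so either the build fails to find headers and libraries in /usr/local or, if an extra OpenSSL is installed there, qmail-remote/qmail-smtpd link against a different OpenSSL than the binary the Makefile invokes. Point all three at the same installation, e.g. TLSINCLUDES=-I/usr/include and TLSLIBS=-L/usr/lib -lssl -lcrypto next to OPENSSLBIN=/usr/bin/openssl.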
@@ -57,13 +57,13 @@
MNW=-DMAKE_NETSCAPE_WORK

# to enable the auto-maildir-make feature uncomment the next line
-#MDIRMAKE=-DAUTOMAILDIRMAKE
+MDIRMAKE=-DAUTOMAILDIRMAKE

# to enable the auto-homedir-make feature uncomment the next line
-#HDIRMAKE=-DAUTOHOMEDIRMAKE
+HDIRMAKE=-DAUTOHOMEDIRMAKE

# on most systems we need this to make auth_pop and auth_imap
-#SHADOWLIBS=-lcrypt
+SHADOWLIBS=-lcrypt
# OpenBSD and other Systems do not have libcrypt, so comment the line out
# if you get linking problems.
# To use shadow passwords under some Linux OS, uncomment the next two lines.
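Review bot: AUTOMAILDIRMAKE and AUTOHOMEDIRMAKE are not optional here, and that should be documented: with the qmail-ldap.h hunk pointing LDAP_HOMEDIR at a non-existent attribute and LDAP_MAILSTORE at sAMAccountName, no directory for an AD user exists until qmail creates it under ldapmessagestore on first delivery, so anyone who leaves these two lines commented out gets delivery failures for every user. It also means the delivery process creates directories named after an attribute controlled by whoever administers the AD object, so the path qmail-ldap builds from it must still go through its path validation before being trusted.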
@@ -73,7 +73,7 @@

# to enable the possibility to log and debug imap and pop uncoment the
# next line
-#DEBUG=-DDEBUG
+DEBUG=-DDEBUG
# WARNING: you need a NONE DEBUG auth_* to run with inetd

# for profiling ...
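Review bot: DEBUG=-DDEBUG builds debug versions of auth_pop/auth_imap, and the comment directly below warns that a DEBUG auth_* cannot be run from inetd. That is a troubleshooting setting, not part of the AD integration; a shared patch should leave it off, or the post should say to revert it before production, since verbose output from the authentication path is not something to leave enabled on a server handling user credentials.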
diff -uNr qmail-1.03.Ori/qmail-ldap.h /var/src/qmail-1.03.ORI/qmail-ldap.h
--- qmail-1.03.Ori/qmail-ldap.h 2007-04-05 06:19:17.000000000 -0300
+++ /var/src/qmail-1.03.ORI/qmail-ldap.h 2007-03-07 15:46:32.000000000 -0300
@@ -93,11 +93,11 @@
ldap variables used in qmail-lspawn and auth_*
*********************************************************************/
#define LDAP_MAIL "mail"
-#define LDAP_MAILALTERNATE "mailAlternateAddress"
+#define LDAP_MAILALTERNATE "otherMailbox"
#define LDAP_QMAILUID "qmailUID"
#define LDAP_QMAILGID "qmailGID"
-#define LDAP_MAILSTORE "mailMessageStore"
-#define LDAP_HOMEDIR "homeDirectory"
+#define LDAP_MAILSTORE "sAMAccountName"
+#define LDAP_HOMEDIR "NOhomeDirectory"
#define LDAP_QUOTA "mailQuota"
#define LDAP_QUOTA_SIZE "mailQuotaSize"
#define LDAP_QUOTA_COUNT "mailQuotaCount"
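Review bot: LDAP_HOMEDIR "NOhomeDirectory" and LDAP_MAILSTORE "sAMAccountName" look like typos but are the core of the trick: the first points at an attribute that does not exist so the Unix home directory SFU stores in homeDirectory is never used, the second makes the mailbox path ldapmessagestore/<sAMAccountName>. Add a comment above each saying so. Note the change in trust: mailMessageStore in the stock schema is a path the mail admin chooses, whereas sAMAccountName is a login name set by whoever manages the AD object, so the mailbox path is now derived from an externally controlled string; keep qmail-ldap's validation of the message store path in place and make sure only plain directory names are accepted.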
@@ -108,10 +108,10 @@
#define LDAP_MODE "deliveryMode"
#define LDAP_REPLYTEXT "mailReplyText"
#define LDAP_DOTMODE "qmailDotMode"
-#define LDAP_UID "uid"
-#define LDAP_PASSWD "userPassword"
+#define LDAP_UID "mail"
+#define LDAP_PASSWD "msSFU30Password"
#define LDAP_OBJECTCLASS "objectClass"
-#define LDAP_ISACTIVE "accountStatus"
+#define LDAP_ISACTIVE "userAccountControl"
#define LDAP_PURGE "qmailAccountPurge"

#define DOTMODE_LDAPONLY "ldaponly"
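Review bot: LDAP_UID "mail" changes the POP/IMAP login name from the uid attribute to the full e-mail address, and nothing in the post tells users that they now log in as user@test.com; document it. LDAP_PASSWD "msSFU30Password" means auth_* compare the supplied password against the Unix-style hash SFU keeps in that attribute, so the bind account in ldaplogin needs read access to it (which is why a plain user account will not do) and the credentials in /var/qmail/control/ldappassword need the same protection as a password database, since anyone holding them can dump every user's hash. LDAP_ISACTIVE "userAccountControl" swaps an enumerated string (accountStatus) for a bit field; see the note on the next hunk.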
@@ -132,10 +132,11 @@
#define MODE_PROG "program"
#define MODE_NOREPLY "noreply"

-#define ISACTIVE_BOUNCE "disabled"
+#define ISACTIVE_BOUNCE "514"
#define ISACTIVE_DELETE "deleted"
#define ISACTIVE_NOACCESS "noaccess"
-#define ISACTIVE_ACTIVE "active"
+#define ISACTIVE_ACTIVE "512"
+#define ISACTIVE_ACTIVE_AD "66048"

/*********************************************************************
ldap variables used in qmail-group
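Review bot: the status test remains a whole-string compare, and the new ISACTIVE_ACTIVE_AD "66048" is defined but never referenced by this patch (the comparison is done in qldap_get_status, which the patch does not modify, and the qmail-ldaplookup.c hunk only prints ISACTIVE_ACTIVE). userAccountControl is a bit mask: 512 is NORMAL_ACCOUNT, 514 is NORMAL_ACCOUNT|ACCOUNTDISABLE (0x0002) and 66048 is NORMAL_ACCOUNT|DONT_EXPIRE_PASSWD (0x10000). A disabled account that also has "password never expires" set carries 66050, which matches none of the three strings, so the one operation an AD admin uses to revoke access is not reliably detected. The check has to test bit 0x0002 of the integer value rather than compare literals; until it does, verify what qldap_get_status does with an unrecognised value before trusting this for access control.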
diff -uNr qmail-1.03.Ori/qmail-ldaplookup.c /var/src/qmail-1.03.ORI/qmail-ldaplookup.c
--- qmail-1.03.Ori/qmail-ldaplookup.c 2007-04-05 06:19:17.000000000 -0300
+++ /var/src/qmail-1.03.ORI/qmail-ldaplookup.c 2007-03-07 15:46:33.000000000 -0300
@@ -321,16 +321,16 @@
if (r != OK) fail(q, "qldap_get_status", r);
switch (status) {
case STATUS_BOUNCE:
- output(subfdout, "%s: %s\n",
- LDAP_ISACTIVE, ISACTIVE_BOUNCE);
+ output(subfdout, "%s: %s %s\n",
+ LDAP_ISACTIVE, ISACTIVE_BOUNCE, "=> disabled");
break;
case STATUS_NOACCESS:
output(subfdout, "%s: %s\n",
LDAP_ISACTIVE, ISACTIVE_NOACCESS);
break;
case STATUS_OK:
- output(subfdout, "%s: %s\n",
- LDAP_ISACTIVE, ISACTIVE_ACTIVE);
+ output(subfdout, "%s: %s %s\n",
+ LDAP_ISACTIVE, ISACTIVE_ACTIVE, "=>active");
break;
case STATUS_UNDEF:
output(subfdout, "%s: %s\n", LDAP_ISACTIVE,
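Review bot: the two output() changes are cosmetic (they append "=> disabled" / "=>active" so the numeric userAccountControl value is readable in the lookup tool), but the spacing differs between them and the STATUS_NOACCESS and STATUS_UNDEF cases get no annotation; either annotate all four cases the same way or drop the extra %s argument. Since the status itself is still decided by string comparison, an AD account whose userAccountControl is neither 512 nor 514 will show here as STATUS_UNDEF, which is the first thing to look at when a 66048 account is not treated as active.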

3 comments:

  1. Could this work without installing SFU??? I'm looking at the LDAP attributes you use and you don't use any attribute which isn't included in the AD default schema.

    Regards and thank you.
  2. Sorry, I already verified a new FIELD:

    msSFU30Password

    so SFU is needed.

    Thanks!
  3. I'm using RHEL 5.5 and when I use this, user authentication and RCPTCHECK don't work.

    Probably I'm doing something wrong, but I don't know of any log file where I can trace what qmail-ldap is doing with LDAP connections, and I haven't found any open connection (netstat) to the LDAP server that I configured in /var/qmail/control/ldapserver.

    Can anyone help me?