Configuring Multiple AD

From Zarafa wiki


Zarafa in a multi AD environment (aka Domain Forest)

If you intend to use Zarafa in an environment with more than one Windows Active Directory domain, you have to watch out for certain topics.

Zarafa

You need at least version 6.40.7, because of:

Feature: #7131 Allow search_base to be empty, so AD global catalog is supported.

So one simply sets:

ldap_search_base =

Important for your ldap.cfg

ldap_port = 3268
#(the global catalog port)


Postfix

If you want to manage all your groups in the directory dc=main-company,dc=loc, but members of those groups also come from other trusted domains in that forest, such as dc=company-b,dc=anything,dc=else, you need to chase referrals in Postfix.

Hints:

chase_referrals = yes

for your ldap-groups.cf etc. in Postfix.

Because Postfix cannot work with an empty search_base, you also need multiple alias map definitions:

virtual_alias_maps = ldap:/etc/postfix/main-company-ldap-aliases.cf,ldap:/etc/postfix/company-b-ldap-aliases.cf, . . .

Caveat:

There is some crazy bug in libldap which makes this plan unfeasible unless you use libldap >= 2.4.13 (Lenny backports at least, or Debian Squeeze).

If you don't, you'll get segmentation faults as well as unpredictable search results!


Active Directory

When Postfix follows a referral because, e.g., a member of a group is not in the same AD as the group itself, it searches via DNS for the next suitable AD server. For that to work you need:

1. A working DNS (nslookup main-company.loc as well as nslookup company-b.anything.else should work). Also check your /etc/resolv.conf.

2. Once that is done, note that the second bind (for the referral) is done anonymously! I do not know of a way to change that behaviour. So you need to allow anonymous read requests on your ADs, on every single AD server. Example KB article on this: http://support.microsoft.com/kb/320528


General hint:

When doing such things, always have "ldapsearch" at hand.

Example:

ldapsearch -h <ip-of-a-AD-controller> -p 389 -b "dc=one-of-the,dc=doms" -LLL -W -x -z0 objectCategory=person -D "cn=Administrator,cn=Users,dc=one-of-the,dc=doms"

for an authenticated search

and

ldapsearch -h <ip-of-a-AD-controller> -p 389 -b "dc=one-of-the,dc=doms" -LLL -W -x -z0 objectCategory=person

for an anonymous request

You can now "grep" for "dn:" in both outputs and compare them to see whether everything went well.
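As an added check (example script, not from the Zarafa wiki): save the output of the authenticated and the anonymous ldapsearch above to two files and let a script do the "dn:" comparison; it lists every entry that the anonymous referral bind would not be able to see. The domain names are the page's placeholders and the LDIF below is constructed sample data, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the Zarafa wiki): compare the "dn:" lines of an
# authenticated and an anonymous ldapsearch run that were saved to two LDIF files.
# Entries only the authenticated run returns are exactly what the anonymous
# referral bind will not see. Sample LDIF below is constructed, not real output.

# Print the DN of every entry in an -LLL LDIF file, sorted bytewise for comm.
# (Assumes DNs are short enough not to be line-folded by ldapsearch.)
extract_dns() {
    sed -n 's/^dn: //p' "$1" | LC_ALL=C sort
}

# Number of entries in an LDIF file.
count_entries() {
    extract_dns "$1" | wc -l | tr -d ' '
}

# DNs in the authenticated result ($1) that are missing from the anonymous one ($2).
missing_anon() {
    a=$(mktemp) || return 1
    b=$(mktemp) || return 1
    extract_dns "$1" > "$a"
    extract_dns "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"   # lines only in the first file
    rm -f "$a" "$b"
}

AUTH_LDIF=$(mktemp)
ANON_LDIF=$(mktemp)
trap 'rm -f "$AUTH_LDIF" "$ANON_LDIF"' EXIT

# Constructed: the authenticated search sees three users across two domains.
cat > "$AUTH_LDIF" <<'EOF'
dn: CN=Alice Example,CN=Users,DC=main-company,DC=loc

dn: CN=Bob Example,CN=Users,DC=company-b,DC=anything,DC=else

dn: CN=Carol Example,OU=Staff,DC=main-company,DC=loc
EOF

# Constructed: the anonymous search lacks the company-b user, i.e. anonymous
# read is not yet allowed on that domain's controllers.
cat > "$ANON_LDIF" <<'EOF'
dn: CN=Alice Example,CN=Users,DC=main-company,DC=loc

dn: CN=Carol Example,OU=Staff,DC=main-company,DC=loc
EOF

echo "authenticated: $(count_entries "$AUTH_LDIF"), anonymous: $(count_entries "$ANON_LDIF")"
missing_anon "$AUTH_LDIF" "$ANON_LDIF"
```

Every DN the script prints belongs to a domain whose controllers still reject anonymous reads, so that is where the KB article above needs to be applied.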
