Configuring Multiple AD
From Zarafa wiki
Latest revision as of 14:57, 26 April 2011
Zarafa in a multi AD environment (aka Domain Forest)
If you intend to use Zarafa in an environment with more than one Windows Active Directory domain, you have to watch out for a few things.
Zarafa
You need at least version 6.40.7 because of
Feature #7131: allow search_base to be empty, so the AD global catalog is supported.
So one simply sets:
ldap_search_base =
Important for your ldap.cfg:
ldap_port = 3268
(3268 is the global catalog port)
Postfix
If you want to manage all your groups in the directory of dc=main-company,dc=loc, but members of those groups also come from other trusted domains in that forest, such as dc=company-b,dc=anything,dc=else, you need to make Postfix chase referrals.
Hints:
chase_referrals = yes
in your ldap-groups.cf and the other Postfix LDAP map files.
Because Postfix cannot work with an empty search_base, you also need one alias map definition per domain:
virtual_alias_maps = ldap:/etc/postfix/main-company-ldap-aliases.cf,ldap:/etc/postfix/company-b-ldap-aliases.cf, . . .
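As an added example that is not from the Zarafa wiki (and not Zarafa's or Postfix's own code): a small POSIX shell script that generates the per-domain Postfix ldap_table(5) map files the line above refers to, deriving each search_base from the domain's DNS name and enabling chase_referrals in every map. The bind account, the proxyAddresses query filter and the file-name scheme are assumptions; adjust them to your directory.

```shell
#!/bin/sh
# Added example, not from the Zarafa wiki: emit one Postfix ldap_table(5) map
# per AD domain, because Postfix cannot search with an empty search_base.
# The bind account, query filter and file-name scheme are assumptions.

# Turn a DNS domain name into an LDAP base DN:
#   company-b.anything.else -> dc=company-b,dc=anything,dc=else
domain_to_dn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# Print the map file for one domain.
#   $1 = DNS domain   $2 = domain controller host
#   $3 = bind DN      $4 = bind password
alias_map_for() {
    cat <<EOF
server_host = $2
server_port = 389
version = 3
bind = yes
bind_dn = $3
bind_pw = $4
search_base = $(domain_to_dn "$1")
scope = sub
# %s is the address Postfix looks up; proxyAddresses holds smtp:<address> in AD
query_filter = (&(objectClass=user)(proxyAddresses=smtp:%s))
result_attribute = mail
# follow referrals into the trusted domains of the forest (see the hint above)
chase_referrals = yes
EOF
}

# Map file name used for a domain: /etc/postfix/<first label>-ldap-aliases.cf
map_path_for() {
    printf '/etc/postfix/%s-ldap-aliases.cf' "$(printf '%s' "$1" | cut -d. -f1)"
}

# Build the virtual_alias_maps line listing one ldap: map per domain given.
virtual_alias_maps_for() {
    maps=""
    for d in "$@"; do
        maps="${maps}${maps:+,}ldap:$(map_path_for "$d")"
    done
    printf 'virtual_alias_maps = %s\n' "$maps"
}

# Usage, e.g. (writes the map files, then prints the main.cf line):
#   for d in main-company.loc company-b.anything.else; do
#       alias_map_for "$d" "dc1.$d" 'cn=postfix,cn=Users,dc=main-company,dc=loc' 'PASSWORD' \
#           > "$(map_path_for "$d")"
#   done
#   virtual_alias_maps_for main-company.loc company-b.anything.else
```

The generated files contain the bind password, so keep them readable only by root and the postfix group (for example owner root:postfix, mode 0640). The bind account only needs read access to the user objects it queries.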
Caveat:
There is a nasty bug in libldap which makes this plan unfeasible unless you use libldap >= 2.4.13 (at least Lenny backports, or Debian Squeeze).
If you don't, you'll get segmentation faults as well as unpredictable search results!
Active Directory
When Postfix follows a referral because e.g. a member of a group is not in the same AD as the group itself, it looks up the next suitable AD server via DNS. For that to work you need:
1. A working DNS: both nslookup main-company.loc and nslookup company-b.anything.else should work. Also check your /etc/resolv.conf.
2. Once that is done, be aware that the second bind (for the referral) is done anonymously! I do not know of a way to change that behaviour, so you need to allow anonymous read requests on your ADs, on every single AD server. Example KB article on this: http://support.microsoft.com/kb/320528
General hint:
When doing such things, always have ldapsearch at hand.
Example:
ldapsearch -h <ip-of-a-AD-controller> -p 389 -b "dc=one-of-the,dc=doms" -LLL -W -x -z0 objectCategory=person -D "cn=Administrator,cn=Users,dc=one-of-the,dc=doms"
for an authenticated search,
and
ldapsearch -h <ip-of-a-AD-controller> -p 389 -b "dc=one-of-the,dc=doms" -LLL -x -z0 objectCategory=person
for an anonymous request (no -D and no -W, so the bind is anonymous).
You can now grep both outputs for "dn:" and compare them to see whether everything went well.
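As an added example that is not part of the wiki page: the "grep for dn: and compare" step as a POSIX shell script. It runs the two ldapsearch commands above against one controller (host, base DN and bind DN are placeholders you pass in) and lists every DN the authenticated search returned that the anonymous one did not. The LDIF samples in the script are constructed so the comparison can be tried without a controller. The anonymous result is also exactly what any unauthenticated client on the network can enumerate, so it is worth confirming it exposes no more than Postfix needs for its referral lookups.

```shell
#!/bin/sh
# Added example, not part of the Zarafa wiki page: compare what an
# authenticated and an anonymous ldapsearch return from one domain controller.
# Host, base DN and bind DN are placeholders passed in; the LDIF below is constructed.

# Keep only the "dn:" lines of LDIF read from stdin, sorted for comparison.
extract_dns() {
    grep '^dn: ' | sort
}

# Print every line of list $1 that is missing from list $2.
# Returns 0 when nothing is missing, 1 otherwise.
missing_dns() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$2" > "$tmp"
    # grep -vxF: whole-line, fixed-string match against the anonymous DN list
    out=$(printf '%s\n' "$1" | grep -vxF -f "$tmp" || true)
    rm -f "$tmp"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Run the two searches from the hint above against one controller and report
# the people the anonymous bind cannot see (-W prompts for the bind DN's password).
#   $1 = controller host   $2 = base DN   $3 = bind DN
compare_searches() {
    authed=$(ldapsearch -h "$1" -p 389 -b "$2" -LLL -x -z0 -W -D "$3" objectCategory=person | extract_dns)
    anon=$(ldapsearch -h "$1" -p 389 -b "$2" -LLL -x -z0 objectCategory=person | extract_dns)
    missing_dns "$authed" "$anon"
}

# Constructed LDIF, standing in for the two ldapsearch outputs so the
# comparison can be tried offline.
SAMPLE_AUTHED='dn: CN=Alice,CN=Users,DC=main-company,DC=loc
mail: alice@main-company.loc

dn: CN=Bob,CN=Users,DC=main-company,DC=loc
mail: bob@main-company.loc
'
SAMPLE_ANON='dn: CN=Alice,CN=Users,DC=main-company,DC=loc
mail: alice@main-company.loc
'

# Offline demonstration: reports Bob as missing from the anonymous result.
demo() {
    a=$(printf '%s' "$SAMPLE_AUTHED" | extract_dns)
    b=$(printf '%s' "$SAMPLE_ANON" | extract_dns)
    missing_dns "$a" "$b"
}

# Real run against a controller (placeholder values):
#   compare_searches 192.0.2.10 "dc=main-company,dc=loc" "cn=Administrator,cn=Users,dc=main-company,dc=loc"
```

Run compare_searches once per domain in the forest; an empty report means the referral bind will see the same people Postfix's authenticated map lookups see. If DNs are reported, the anonymous read permission from the KB article above is missing on that controller.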