Configuring Multiple AD
From Zarafa wiki
Zarafa in a multi AD environment (aka Domain Forest)
If you intend to use Zarafa in an environment with more than one Windows Active Directory domain (a forest), there are a few points you have to watch out for.
You need at least version 6.40.7 because of this feature:
Feature #7131: Allow search_base to be empty, so the AD global catalog is supported.
So one simply sets the global catalog port. Important for your ldap.cfg:
ldap_port = 3268    # the global catalog port
If you want to manage all your groups in the directory dc=main-company,dc=loc, but members of those groups also come from other trusted domains in that forest, such as dc=company-b,dc=anything,dc=else, you need postfix to chase referrals:
chase_referrals = yes
in your ldap-groups.cf etc. in postfix.
Because postfix cannot work with an empty search_base, you also need multiple alias map definitions, one per domain:
virtual_alias_maps = ldap:/etc/postfix/main-company-ldap-aliases.cf,ldap:/etc/postfix/company-b-ldap-aliases.cf, . . .
There is a nasty bug in libldap which makes this plan unfeasible unless you use libldap >= 2.4.13 (at least Lenny backports, or Debian Squeeze).
If you don't, you'll get segmentation faults as well as unpredictable search results!
When postfix follows a referral, e.g. because a member of a group is not in the same AD domain as the group itself, it looks up the next suitable AD server via DNS. For that to work you need:
1. A working DNS: nslookup main-company.loc as well as nslookup company-b.anything.else should work. Also check your /etc/resolv.conf.
2. Once that is done, note that the second bind (for the referral) is done anonymously! I do not know of a way to change that behaviour. So you need to allow anonymous read requests on your ADs, on every single AD server. Example KB article on this: http://support.microsoft.com/kb/320528
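Putting the postfix side together: an example per-domain group map for /etc/postfix/main-company-ldap-groups.cf, written for this page and not taken from the Zarafa project or wiki. The server host name, the lookup account and the filter are assumptions; the domain names are the ones used above.

```ini
# /etc/postfix/main-company-ldap-groups.cf  (constructed example, one file per domain)
server_host = ldap://dc1.main-company.loc      # assumed host name of a domain controller
server_port = 389
version = 3

# Authenticated bind for the first hop; the account is a placeholder.
bind = yes
bind_dn = cn=postfix-lookup,cn=Users,dc=main-company,dc=loc
bind_pw = CHANGEME-placeholder

# Postfix needs a real search base, hence one map file per domain
# instead of the empty search_base Zarafa itself can use on port 3268.
search_base = dc=main-company,dc=loc

# Resolve a recipient address to a mail-enabled group in this domain.
query_filter = (&(objectClass=group)(mail=%s))

# 'member' holds DNs. Postfix looks each one up again; for a member living in
# dc=company-b,dc=anything,dc=else the AD answers with a referral instead.
special_result_attribute = member
result_attribute = mail

# Follow those referrals. The bind on the referred-to server is anonymous,
# so bind_dn/bind_pw above only cover the first hop: every DC in the forest
# must permit anonymous read, and the referred host must resolve via DNS.
chase_referrals = yes
```

The matching company-b file only differs in server_host, search_base and the bind account; both files are then listed in virtual_alias_maps as shown above.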
When doing such things, always have ldapsearch at hand.
ldapsearch -h <ip-of-a-AD-controller> -p 389 -b "dc=one-of-the,dc=doms" -LLL -W -x -z0 objectCategory=person -D "cn=Administrator,cn=Users,dc=one-of-the,dc=doms"
for an authenticated search, and
ldapsearch -h <ip-of-a-AD-controller> -p 389 -b "dc=one-of-the,dc=doms" -LLL -x -z0 objectCategory=person
for an anonymous request (no -D and no -W, so no bind DN and no password prompt).
You can now grep both outputs for "dn:" and compare them; if everything is set up correctly, the anonymous search returns the same entries as the authenticated one.