
Thread: Restrict senders based on Active Directory

  1. #1

    Restrict senders based on Active Directory

    Hello,
    We are migrating from a postfix/dovecot installation to Zimbra open source and need to enforce sender security.
    Currently our postfix is configured to restrict authenticated senders to using only the authorized email addresses from the Active Directory fields "userPrincipalName", "mail" and "othermailbox". This is the configuration in main.cf:

    smtpd_sender_login_maps = ldap:/etc/postfix/ldap_sender_map.conf

    and here is the listing of /etc/postfix/ldap_sender_map.conf
    #########
    result_format = %s
    result_attribute = userPrincipalName othermailbox mail
    server_host = xxx.xxx.xxx.xxx
    domain = domain.org.ma
    version = 3
    bind = yes
    bind_dn = domain\adrbook
    bind_pw = password
    query_filter = (&(objectclass=person)(|(userPrincipalName=%s)(othermailbox=%s)(mail=%s)))
    search_base = dc=domain,dc=org,dc=ma
    ########
    We found this wiki article to achieve the same thing with Zimbra:
    Enforcing a match between the FROM address and the sasl username - Zimbra :: Wiki

    The problem is that we need the LDAP connection to retrieve the information from Active Directory, not from the local LDAP, and from these specific fields "userPrincipalName", "mail" and "othermailbox".

    Please can you help us get the right LDAP query in order to make it work with Zimbra.

    Thank you for your help.
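    As an added example (not from this thread, Postfix or Zimbra), the Python script below emulates what Postfix does with the smtpd_sender_login_maps lookup configured above and the reject_authenticated_sender_login_mismatch restriction, using a small constructed in-memory directory in place of Active Directory; it assumes SASL login names equal the users' userPrincipalName values. It also shows why Postfix hex-escapes the %s value before substituting it into query_filter: an unescaped "*" in a MAIL FROM would turn the equality filter into a wildcard.

```python
import re

# Constructed sample of the AD person objects the conf file queries (not real data).
AD_ENTRIES = [
    {"userPrincipalName": ["alice@domain.org.ma"], "mail": ["alice@domain.org.ma"],
     "othermailbox": ["alice.old@domain.org.ma", "sales@domain.org.ma"]},
    {"userPrincipalName": ["bob@domain.org.ma"], "mail": ["bob@domain.org.ma"]},
]
# The attributes named in the thread's ldap_sender_map.conf.
MATCH_ATTRIBUTES = ["userPrincipalName", "othermailbox", "mail"]   # query_filter
RESULT_ATTRIBUTES = ["userPrincipalName", "othermailbox", "mail"]  # result_attribute


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping that Postfix applies to %s before it is substituted."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def assertion_regex(pattern: str) -> str:
    """Turn an LDAP assertion value into a regex: an unescaped '*' is a
    wildcard, a '\\xx' hex escape stands for exactly one literal character."""
    out = []
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|.", pattern):
        if tok == "*":
            out.append(".*")
        elif tok.startswith("\\"):
            out.append(re.escape(chr(int(tok[1:], 16))))
        else:
            out.append(re.escape(tok))
    return "^" + "".join(out) + "$"


def lookup_sender(sender: str, escape: bool = True) -> set:
    """Emulate the ldap: table lookup: the sender fills the filter's %s slots
    and every result_attribute value of each matching entry is returned."""
    pat = re.compile(assertion_regex(ldap_escape(sender) if escape else sender), re.I)
    owners = set()
    for entry in AD_ENTRIES:
        if any(pat.match(v) for a in MATCH_ATTRIBUTES for v in entry.get(a, [])):
            owners.update(v.lower() for a in RESULT_ATTRIBUTES for v in entry.get(a, []))
    return owners


def authenticated_sender_ok(sasl_login: str, mail_from: str) -> bool:
    """reject_authenticated_sender_login_mismatch: an authenticated client may
    only use a MAIL FROM whose owners (the map result) include its login name."""
    return sasl_login.lower() in lookup_sender(mail_from)


if __name__ == "__main__":
    print(lookup_sender("sales@domain.org.ma"))
    print(authenticated_sender_ok("bob@domain.org.ma", "sales@domain.org.ma"))
```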

  2. #2


    Hi,

    I have never done this myself, but from what I can see in your LDAP statements:

    bind_dn = domain\adrbook > This is usually the distinguished name, which looks something like "cn=administrator,cn=users,dc=domain,dc=local" (assuming you want to use the administrator account for domain.local and that the object is located in the OU "Users". If it is in another OU, it should read "ou=nameoftheou"). A good way to check this sort of thing is to use the Windows tool ADSI Edit or, if you prefer, some third-party tool like Apache Directory Studio.

    (&(objectclass=person)(|(userPrincipalName=%s)(othermailbox=%s)(mail=%s))) > This looks good to me

    server_host = xxx.xxx.xxx.xxx > This is usually something like "ldap://servername.domain:389" (or the port on which you are using LDAP)

    result_attribute = userPrincipalName othermailbox mail > As stated before, I have never tried this configuration myself, so I'm not familiar with this "result_attribute", but when I have to import users from Active Directory I have to match some attributes, "transforming" them to the desired attribute in the Zimbra LDAP. At this exact moment I don't have access to a Zimbra machine, but make sure that these attributes do exist with the exact name in LDAP.

    I don't see any line in which you specify a port. This should be something like "server_port", but I do not know if this applies to the specific configuration you are trying to achieve here.

    Regards,
    Sebas
    Last edited by pup_seba; 03-06-2014 at 01:27 PM.

  3. #3


    Quote Originally Posted by pup_seba (reply #2 above)
    Hello Sebas,
    Thank you for your reply. The LDAP config I posted did work perfectly with our postfix installation, and on the Zimbra installation, when I run postmap -q email@domain ldap://opt/zimbra/conf/ldap_sender_map.conf it returns the Active Directory attribute values, which are the email addresses the user is allowed to send from.
    So the attributes exist in Active Directory but not in the Zimbra LDAP installation. My question is how to make the correspondence between the Active Directory attribute names and the Zimbra ones.
    Not sure if I'm explaining this correctly in English.

    Thank you.

  4. #4


    Hi!

    Yes I fully understand your question now.

    The only way I have used for a correspondence like the one you are trying to do is through PowerShell scripting, where I combined a "get-account" sort of command with a "where" in which I defined the properties I wanted to get, and mapped them to variables that I used to write commands of the form "zmprov ca $user@domain....." etc.

    I don't know about a way of doing this directly from the .conf file you are trying to use.

    One thing that I wouldn't do (although it is possible), is to change your ldap schema in order for it to have those attributes in your Zimbra LDAP. I think that it is also not supported by Zimbra to do that but I'm not sure.

    Another thing you could do is to write those into attributes that DO exist.

    Why don't you try starting with something simpler, like:
    result_format = %s
    result_attribute = attributeThatExistsBothInADandInLDAP
    server_host = xxx.xxx.xxx.xxx
    domain = domain.org.ma
    version = 3
    bind = yes
    bind_dn = domain\adrbook
    bind_pw = password
    query_filter = (&(objectclass=person)(attributeThatExistsBothInADandInLDAP=%s))
    search_base = ou=testou,dc=domain,dc=org,dc=ma

    And see if this works... Then try to map that specific attribute to some other attribute of the Zimbra LDAP.

    Regards,
    Sebas
