exim samba4 active directory
Hi,

I don't find documentation with an example to create the
transport/router/authentication configuration files to integrate Samba4
Active Directory...

but I find this documentation:
- https://www.exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html
- https://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html
- https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_plaintext_authenticator.html

So can someone help me with an example file, or I will try it alone (with my
no-brain)? :)

Thanks,

Benoît
Re: exim samba4 active directory [ In reply to ]
Hi! Benoît PELISSIER via Exim-users
wrote, that day...

> So can someone help me with an example file, or I will try it alone (with my
> no-brain)? :)

For example:

LOCAL_AD_SERVERS = vdcsv1.ad.fvg.lnf.it::3268
LOCAL_AD_BASE_DN = ${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}
# You have to create a user to access the LDAP/AD server
LOCAL_AD_BIND_DN = ${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it}
LOCAL_AD_PASS = "nontelado"


Then:

.ifdef LOCAL_AD_SERVERS
ldap_default_servers = LOCAL_AD_SERVERS
ldap_start_tls = true
ldap_require_cert = never
.endif


so, a query:

.ifdef LOCAL_AD_SERVERS

user_ad_aliases:
debug_print = "R: user_ad_aliases for $local_part@$domain"
driver = redirect
domains = +local_domains
data = ${lookup ldap {user=LOCAL_AD_BIND_DN pass=LOCAL_AD_PASS ldap:///LOCAL_AD_BASE_DN?uid?sub?(&(objectClass=user)(!(objectClass=computer))(mail=${quote_ldap:${local_part}}@${quote_ldap:${domain}}))}}

.endif

--
I am not interested in feeling intelligent by watching idiots on TV;
I would rather feel like an idiot in front of excellent people.
(Franco Battiato)



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: exim samba4 active directory [ In reply to ]
Hi Marco,

thanks for your answer.

So the third block is a router.

And the first and second? Where can I put them?

The first in the main Exim config?
The second in the transport Exim config?

Sorry for my stupid question!

Why is there no template on https://www.exim.org/?
Does nobody use Exim as an MTA with LDAP/AD?

Benoît

On 07/05/2020 at 22:55, Marco Gaiarin via Exim-users wrote:
> LOCAL_AD_SERVERS = vdcsv1.ad.fvg.lnf.it::3268
> LOCAL_AD_BASE_DN = ${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}
> # You have to create a user to access the LDAP/AD server
> LOCAL_AD_BIND_DN = ${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it}
> LOCAL_AD_PASS = "nontelado"
>
>
> Then:
>
> .ifdef LOCAL_AD_SERVERS
> ldap_default_servers = LOCAL_AD_SERVERS
> ldap_start_tls = true
> ldap_require_cert = never
> .endif
>
>
> so, a query:
>
> .ifdef LOCAL_AD_SERVERS
>
> user_ad_aliases:
> debug_print = "R: user_ad_aliases for $local_part@$domain"
> driver = redirect
> domains = +local_domains
> data = ${lookup ldap {user=LOCAL_AD_BIND_DN pass=LOCAL_AD_PASS ldap:///LOCAL_AD_BASE_DN?uid?sub?(&(objectClass=user)(!(objectClass=computer))(mail=${quote_ldap:${local_part}}@${quote_ldap:${domain}}))}}
>
> .endif
Re: exim samba4 active directory [ In reply to ]
Hi! Benoît PELISSIER via Exim-users
wrote, that day...

> So the third block is a router.
> And the first and second? Where can I put them?

Put them anywhere you want in the first section of the Exim config file, before the ACL
definitions.

--
And did you exchange a walk on part in the war
for a lead role in a cage? (Pink Floyd)



Re: exim samba4 active directory [ In reply to ]
Hi,

thanks for your help!

I did it and now it's working!

cat <<EOF >/etc/exim4/conf.d/main/15_exim4-ldap

LOCAL_AD_SERVERS = ${IPAD}::389
LOCAL_AD_BASE_DN = \${quote_ldap:CN=Users,DC=${DOMAINE},DC=${SUFFIX}}
LOCAL_AD_BIND_DN = \${quote_ldap:CN=${LDAPUSER},CN=Users,DC=${DOMAINE},DC=${SUFFIX}}
LOCAL_AD_PASS = "${LDAPPASS}"

.ifdef LOCAL_AD_SERVERS
ldap_default_servers = LOCAL_AD_SERVERS
ldap_start_tls = false
ldap_require_cert = never
.endif
EOF

chmod 644 /etc/exim4/conf.d/main/15_exim4-ldap

cat <<EOF >/etc/exim4/conf.d/router/898_exim4-config_ldap
.ifdef LOCAL_AD_SERVERS

user_ad_aliases:
debug_print = "R: user_ad_aliases for \$local_part@\$domain"
driver = redirect
domains = +local_domains
data = \${lookup ldap {user=LOCAL_AD_BIND_DN pass=LOCAL_AD_PASS ldap:///LOCAL_AD_BASE_DN?uid?sub?(&(objectClass=user)(!(objectClass=computer))(mail=\${quote_ldap:\${local_part}}@\${quote_ldap:\${domain}}))}}

.endif
EOF

chmod 644 /etc/exim4/conf.d/router/898_exim4-config_ldap

Benoît

On 09/06/2020 at 21:42, Marco Gaiarin via Exim-users wrote:
> Hi! Benoît PELISSIER via Exim-users
> wrote, that day...
>
>> So the third block is a router.
>> And the first and second? Where can I put them?
>
> Put them anywhere you want in the first section of the Exim config file, before the ACL
> definitions.
>
Re: exim samba4 active directory [ In reply to ]
A little correction.

It's working with:
data = ${lookup ldapm {user=LOCAL_AD_BIND_DN pass=LOCAL_AD_PASS ldap:///LOCAL_AD_BASE_DN?mail?sub?(memberOf=${lookup ldapdn{user=LOCAL_AD_BIND_DN pass=LOCAL_AD_PASS ldap:///LOCAL_AD_BASE_DN??sub?(cn=${quote_ldap:$local_part})}})}}

not with:
data = ${lookup ldap {user=LOCAL_AD_BIND_DN pass=LOCAL_AD_PASS ldap:///LOCAL_AD_BASE_DN?uid?sub?(&(objectClass=user)(!(objectClass=computer))(mail=${quote_ldap:${local_part}}@${quote_ldap:${domain}}))}}


Benoît

On 30/06/2020 at 16:48, Benoît PELISSIER via Exim-users wrote:
> Hi,
>
> thanks for your help !
>
> I do it and now its working !
>
Re: Exim samba4 active directory [ In reply to ]
Hi! Odhiambo Washington via Exim-users
wrote, that day...

> My next quest is to see if I can have Exim to authenticate users against
> it.

Probably different setups can be built (e.g. Kerberos/GSSAPI direct
authentication, or auth against Dovecot, configured with Kerberos) but
indeed a simpler setup can be done, as I've just done.

Simply configure the winbind provider for NSS/PAM and use 'standard' auth via
SASL (in Debian, apt-get install sasl2-bin).


Probably this setup is not really well suited for multiple domains...

--
Do you know how the Serbs shoot down American fighter jets?
By drawing a cable car on the ground...



Re: Exim samba4 active directory [ In reply to ]
Hi,

I will send a mail tomorrow to explain it. I do it with Exim and dovecot-lda delivery.

On 20 November 2020 08:08:19 GMT+01:00, Odhiambo Washington via Exim-users <exim-users@exim.org> wrote:
>Hello good people,
>
>My Google-fu having failed me miserably, I am only left with one option
>-
>to ask here.
>
>I have setup a Samba4 as a domain controller on a Unix box.
>
>My next quest is to see if I can have Exim to authenticate users
>against
>it.
>I have 2 domains that I'd love to virtualize.
>Ultimately I am looking for an SSO setup for all services.
>
>I am pretty sure there are members of this list who are running such
>setups. I could not find (well, either Google or me) any
>detailed documentation in one place.
>
>I am requesting you to kindly share me with any HOWTOs, if anyone has
>documented their setup.
>
>Thanking you in advance.
>
>--
>Best regards,
>Odhiambo WASHINGTON,
>Nairobi,KE
>+254 7 3200 0004/+254 7 2274 3223
>"Oh, the cruft.", grep ^[^#] :-)

--
Benoît Pélissier - Lan2Net
Re: Exim samba4 active directory [ In reply to ]
Hi Benoît,

Thanking you in advance for your help with this. I will be waiting for your
reply.

On Sat, 21 Nov 2020, 00:46 Benoît, <bpelissier@lan2net.fr> wrote:

> Hi,
>
> I will do mail tomorrow to explain it. I do it with exim and dovecot-lda
> delivery.
>
Re: Exim samba4 active directory [ In reply to ]
Hi

I have:
Samba4 AD on Debian 10
Dovecot/exim4 on Debian 10

So the following works on Debian 10 (Debian 9 too ;))

Samba4 AD:
follow this how-to (I adapted it on my wiki):
https://dev.tranquil.it/samba/fr/samba_config_server/debian/server_prepare_debian.html

I create a user on AD

samba-tool user create dovecot
pdbedit --user=dovecot --modify --fullname="Serveur Dovecot" --account-desc="The BEST way to make Dovecot work"
samba-tool user setpassword dovecot -U administrator

Dovecot :

apt-get install --assume-yes dovecot-core dovecot-imapd telnet dovecot-ldap ldap-utils

# I use ~/Maildir (the file argument was given twice in the original line)
sed -i '/^mail_location/ s/mbox.*$/maildir:~\/Maildir/' /etc/dovecot/conf.d/10-mail.conf

groupadd -g 5000 vmail
useradd -u 5000 -g 5000 -s /bin/bash -d /home/vmail vmail
chown vmail /home

sed -i 's/#!include auth-ldap.conf.ext/!include auth-ldap.conf.ext/' /etc/dovecot/conf.d/10-auth.conf

FQDN=HOME.LAN
LDAPUSER=dovecot
LDAPPASS='PASSWORDDOVECOTUSER'
IPAD=192.168.123.123
DOMAINE=HOME
SUFFIX=LAN

mv /etc/dovecot/dovecot-ldap.conf.ext /etc/dovecot/dovecot-ldap.conf.ext.ORIGIN

cat <<EOF >/etc/dovecot/dovecot-ldap.conf.ext
uris = ldap://${IPAD}/
dn = "${LDAPUSER}@${FQDN}"
dnpass = "${LDAPPASS}"
sasl_bind = no
tls = no
ldap_version = 3
deref = never
scope = subtree
base = cn=Users,dc=${DOMAINE},dc=${SUFFIX}
auth_bind = yes
user_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%u)(sAMAccountName=%u)(otherMailbox=%u)))
user_attrs = sAMAccountName=user,userPassword=password,=mail=maildir:/home/%n/Maildir/
pass_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))
pass_attrs = sAMAccountName=user,userPassword=password
EOF

sed -i "/^mail_location/amail_home = /home/sieve/%u\nmail_uid = vmail\nmail_gid = vmail\nfirst_valid_uid = 107\nfirst_valid_gid = 8\ndisable_plaintext_auth = no" /etc/dovecot/conf.d/10-mail.conf

sed -i "/auth-userdb/amode = 0600\nuser = vmail\ngroup = vmail" /etc/dovecot/conf.d/10-master.conf

sed -i -e '/UserDatabase.Static.txt/,$ s/^\([ ]*\)#/\1/' -e '/UserDatabase.Static.txt/ s/^/#/' /etc/dovecot/conf.d/auth-ldap.conf.ext

/etc/init.d/dovecot restart

And Exim

aptitude install --assume-yes exim4-daemon-heavy openssl

sed -i '/dc_use_split_config/s/false/true/' /etc/exim4/update-exim4.conf.conf

cat <<EOF >/etc/exim4/conf.d/main/15_exim4-ldap
LOCAL_AD_SERVERS = ${IPAD}::389
LOCAL_AD_BASE_DN = \${quote_ldap:CN=Users,DC=${DOMAINE},DC=${SUFFIX}}
LOCAL_AD_BIND_DN = \${quote_ldap:CN=${LDAPUSER},CN=Users,DC=${DOMAINE},DC=${SUFFIX}}
LOCAL_AD_PASS = "${LDAPPASS}"

.ifdef LOCAL_AD_SERVERS
ldap_default_servers = LOCAL_AD_SERVERS
ldap_start_tls = false
ldap_require_cert = never
.endif
EOF

chmod 644 /etc/exim4/conf.d/main/15_exim4-ldap

cat <<EOF >/etc/exim4/conf.d/router/898_exim4-config_ldap
.ifdef LOCAL_AD_SERVERS

user_ad_aliases:
debug_print = "R: user_ad_aliases for \$local_part@\$domain"
driver = redirect
domains = +local_domains
data = \${lookup ldapm {user=LOCAL_AD_BIND_DN pass=LOCAL_AD_PASS ldap:///LOCAL_AD_BASE_DN?mail?sub?(memberOf=\${lookup ldapdn{user=LOCAL_AD_BIND_DN pass=LOCAL_AD_PASS ldap:///LOCAL_AD_BASE_DN??sub?(mail=\${quote_ldap:\$local_part@\$domain})}})}}

.endif
EOF

chmod 644 /etc/exim4/conf.d/router/898_exim4-config_ldap

cat <<EOF >/etc/exim4/conf.d/router/899_dovecot
dovecot:
debug_print = "R: dovecot for \$local_part@\$domain"
driver = accept
domains = +local_domains
transport = dovecot_virtual_delivery
cannot_route_message = Unknown user
EOF

chmod 644 /etc/exim4/conf.d/router/899_dovecot

cat <<EOF >/etc/exim4/conf.d/transport/35_exim4-config_dovecot
dovecot_virtual_delivery:
driver = pipe
command = /usr/lib/dovecot/dovecot-lda -d \$local_part@\$domain -f \$sender_address
message_prefix =
message_suffix =
delivery_date_add
envelope_to_add
return_path_add
log_output
user = vmail
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
EOF

chmod 644 /etc/exim4/conf.d/transport/35_exim4-config_dovecot

cat <<EOF >/etc/exim4/conf.d/auth/10_exim4-config_dovecot
dovecot_login:
driver = dovecot
public_name = LOGIN
server_socket = /var/run/dovecot/auth-client
server_set_id = \$auth1

dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
server_set_id = \$auth1
EOF

chmod 644 /etc/exim4/conf.d/auth/10_exim4-config_dovecot

/etc/init.d/exim4 restart

cat <<EOF >/tmp/10-master.tmp
unix_listener auth-client {
mode = 0600
user = Debian-exim
}

EOF

sed -i $'/Postfix smtp-auth/{e cat /tmp/10-master.tmp\n}' /etc/dovecot/conf.d/10-master.conf

cat <<EOF >/etc/dovecot/conf.d/25-custom-stats.conf
service stats {
unix_listener stats-reader {
user = vmail
group = vmail
mode = 0600
}

unix_listener stats-writer {
user = vmail
group = vmail
mode = 0660
}
}
EOF

chmod 644 /etc/dovecot/conf.d/25-custom-stats.conf

/etc/init.d/dovecot restart

Good night!

Benoît

On 20/11/2020 at 22:52, Odhiambo Washington via Exim-users wrote:
> Hi Benoît,
>
> Thanking you in advance for your help with this. I will be waiting for your
> reply.
>
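Added example, not code from the thread or from the Exim or Dovecot projects: Marco's main-section settings and Benoît's how-to, reworked so that the LDAP client side (Exim and Dovecot) verifies the domain controller's certificate, SMTP AUTH is only offered on TLS sessions, and the group-expansion router filter-quotes the looked-up DN and skips disabled accounts. The hostname dc1.home.lan and the CA bundle /etc/ssl/certs/ad-ca.pem are assumptions; the LOCAL_AD_* macros are the thread's.

```conf
# --- Exim main section: same macros as the thread, but verify the DC's certificate.
# The DC must be named by hostname (assumed: dc1.home.lan) so the certificate can
# be matched; an IP as in the how-to cannot be verified. CA bundle path is assumed.
LOCAL_AD_SERVERS = dc1.home.lan::389
.ifdef LOCAL_AD_SERVERS
  ldap_default_servers = LOCAL_AD_SERVERS
  ldap_start_tls = true
  ldap_require_cert = demand
  ldap_ca_cert_file = /etc/ssl/certs/ad-ca.pem
.endif

# --- Exim router: the group expansion from the final how-to, with two changes.
# The DN returned by the inner ldapdn lookup is filter-quoted before it is spliced
# into the outer filter (a group name containing "(" or "*" would otherwise break
# or widen the filter), and members whose userAccountControl has the
# ACCOUNTDISABLE bit (2) set are skipped, the same bit-match rule the Dovecot
# filters in the how-to already use.
user_ad_aliases:
  debug_print = "R: user_ad_aliases for $local_part@$domain"
  driver = redirect
  domains = +local_domains
  data = ${lookup ldapm {user=LOCAL_AD_BIND_DN pass=LOCAL_AD_PASS \
         ldap:///LOCAL_AD_BASE_DN?mail?sub?(&\
         (!(userAccountControl:1.2.840.113556.1.4.803:=2))\
         (memberOf=${quote_ldap:${lookup ldapdn {user=LOCAL_AD_BIND_DN pass=LOCAL_AD_PASS \
         ldap:///LOCAL_AD_BASE_DN??sub?(&(objectClass=group)(mail=${quote_ldap:$local_part@$domain}))}}}))}}

# --- Exim authenticators: advertise PLAIN only once TLS is up (same line goes
# into dovecot_login).
dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = ${if def:tls_in_cipher }

# --- /etc/dovecot/dovecot-ldap.conf.ext: auth_bind sends each user's password to
# the DC, so the connection is upgraded with STARTTLS and the certificate verified.
uris = ldap://dc1.home.lan/
tls = yes
tls_require_cert = demand
tls_ca_cert_file = /etc/ssl/certs/ad-ca.pem
auth_bind = yes

# --- /etc/dovecot/conf.d/10-auth.conf: refuse LOGIN/PLAIN on unencrypted sessions
# (replaces the disable_plaintext_auth = no that the how-to appends to 10-mail.conf;
# needs ssl = required in 10-ssl.conf).
disable_plaintext_auth = yes
```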