eFa project Wiki

User Tools

Site Tools

Trace: active_directory
active_directory

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
active_directory [2020/04/11 16:04] smyers119active_directory [2020/04/11 16:29] (current) smyers119
Line 8: Line 8:
 This will go over creating a bind user with least privilege and if exporting the root CA for LDAPS use. This will go over creating a bind user with least privilege and if exporting the root CA for LDAPS use.
 === Creating Bind User === === Creating Bind User ===
-Everything I have ever read on best practice for creating a bind user account is using a simple domain user and disabling interactive login.  That has never worked for me.  I also have to delegate one permission.  To do this, open Active Directory Users and Computers, right click on the domain, and select "Delegate Control..." Click "Next", then select the user that you are using for the LDAP bind and click "Next". The permission that they will need is on the next screen "Read all inetOrgPerson information."  After this step I am able to use the account for ldap binding.+Everything I have ever read on best practice for creating a bind user account is creating a simple domain user and disabling interactive login.  That has never worked for me.  I also have to delegate one permission.  To do this, open Active Directory Users and Computers, right click on the domain, and select "Delegate Control..." Click "Next", then select the user that you are using for the LDAP bind and click "Next". The permission that they will need is on the next screen "Read all inetOrgPerson information."  After this step I am able to use the account for ldap binding.
 === Setting up Secure LDAP === === Setting up Secure LDAP ===
 +This is a important step.  If you don't use Secure LDAP then the password of the bind user is transmitted in plain text.  I am not going to go over how to create a PKI environment in windows.  There is already good guides on that.  I am going to assume you already have your PKI environment setup and you just need to export the root CA to the eFa appliance to complete the chain of trust.
  
   * Adding root Certificate to eFa   * Adding root Certificate to eFa
Line 16: Line 17:
  
 ==== Config Changes in eFa ==== ==== Config Changes in eFa ====
 +Editing the config in /var/www/html/mailscanner/conf.php (around line 70) 
 +<file> 
 +// LDAP settings for authentication 
 +define('USE_LDAP', true);   
 +define('LDAP_HOST', 'ldaps://dc1.example.com');  
 +define('LDAP_PORT', '636'); 
 +define('LDAP_DN', 'DC=example,DC=com'); 
 +define('LDAP_USER', 'example\user'); // If no email set: cn=admin,dc=example,dc=com <--THIS DID NOT WORK FOR ME 
 +define('LDAP_PASS', 'secret'); 
 +define('LDAP_FILTER', 'mail=%s'); //%s will be replaced by username eg. 'mail=%', 'mail=SMTP:%s', 'sAMAccountName=%s' 
 +define('LDAP_PROTOCOL_VERSION', 3); 
 +</file>
  
active_directory.1586621069.txt.gz · Last modified: 2020/04/11 16:04 by smyers119