This is the up to date process of integrating your eFa 4.0 with Active Directory.
This guide will go through the step's necessary for you to setup mailwatch to authenticate against a Secure Active Directory Server. this makes administration easier and seamlessly allows your users to login to their quarantine folders.
This will go over creating a bind user with least privilege and if exporting the root CA for LDAPS use.
Everything I have ever read on best practice for creating a bind user account is creating a simple domain user and disabling interactive login. That has never worked for me. I also have to delegate one permission. To do this, open Active Directory Users and Computers, right click on the domain, and select “Delegate Control…” Click “Next”, then select the user that you are using for the LDAP bind and click “Next”. The permission that they will need is on the next screen “Read all inetOrgPerson information.” After this step I am able to use the account for ldap binding.
This is a important step. If you don't use Secure LDAP then the password of the bind user is transmitted in plain text. I am not going to go over how to create a PKI environment in windows. There is already good guides on that. I am going to assume you already have your PKI environment setup and you just need to export the root CA to the eFa appliance to complete the chain of trust.
Editing the config in /var/www/html/mailscanner/conf.php (around line 70)
// LDAP settings for authentication define('USE_LDAP', true); define('LDAP_HOST', 'ldaps://dc1.example.com'); define('LDAP_PORT', '636'); define('LDAP_DN', 'DC=example,DC=com'); define('LDAP_USER', 'example\user'); // If no email set: cn=admin,dc=example,dc=com <--THIS DID NOT WORK FOR ME define('LDAP_PASS', 'secret'); define('LDAP_FILTER', 'mail=%s'); //%s will be replaced by username eg. 'mail=%', 'mail=SMTP:%s', 'sAMAccountName=%s' define('LDAP_PROTOCOL_VERSION', 3);