active_directory [2020/04/10 15:21] smyers119active_directory [2020/04/11 16:29] (current) smyers119
Line 1: Line 1:
 ====== Active Directory Integration ====== ====== Active Directory Integration ======
  
-This is the up to date process of integrating your eFa 4.0 with Active Directory.  +This is the up to date process of integrating your eFa 4.0 with Active Directory.
  
-===== Preparing your AD Server =====+===== AD Authentication Integration ===== 
 +This guide will go through the step's necessary for you to setup mailwatch to authenticate against a Secure Active Directory Server.  this makes administration easier and seamlessly allows your users to login to their quarantine folders. 
 +==== Preparing your AD Server ==== 
 +This will go over creating a bind user with least privilege and if exporting the root CA for LDAPS use. 
 +=== Creating Bind User === 
 +Everything I have ever read on best practice for creating a bind user account is creating a simple domain user and disabling interactive login.  That has never worked for me.  I also have to delegate one permission.  To do this, open Active Directory Users and Computers, right click on the domain, and select "Delegate Control..." Click "Next", then select the user that you are using for the LDAP bind and click "Next". The permission that they will need is on the next screen "Read all inetOrgPerson information."  After this step I am able to use the account for ldap binding. 
 +=== Setting up Secure LDAP === 
 +This is a important step.  If you don't use Secure LDAP then the password of the bind user is transmitted in plain text.  I am not going to go over how to create a PKI environment in windows.  There is already good guides on that.  I am going to assume you already have your PKI environment setup and you just need to export the root CA to the eFa appliance to complete the chain of trust.
  
-==== Creating Bind User ==== +  * Adding root Certificate to eFa
- +
-==== Setting up Secure LDAP ==== +
- +
-  * Creating Certificate +
- +
-  * Adding Certificate to eFa+
  
 +  * Verifying certificate trust
  
 +==== Config Changes in eFa ====
 +Editing the config in /var/www/html/mailscanner/conf.php (around line 70)
 +<file>
 +// LDAP settings for authentication
 +define('USE_LDAP', true);  
 +define('LDAP_HOST', 'ldaps://dc1.example.com'); 
 +define('LDAP_PORT', '636');
 +define('LDAP_DN', 'DC=example,DC=com');
 +define('LDAP_USER', 'example\user'); // If no email set: cn=admin,dc=example,dc=com <--THIS DID NOT WORK FOR ME
 +define('LDAP_PASS', 'secret');
 +define('LDAP_FILTER', 'mail=%s'); //%s will be replaced by username eg. 'mail=%', 'mail=SMTP:%s', 'sAMAccountName=%s'
 +define('LDAP_PROTOCOL_VERSION', 3);
 +</file>
  
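Review bot: the two bullets added as "Adding root Certificate to eFa" and "Verifying certificate trust" are empty headings, so the guide stops right where the chain of trust promised in "Setting up Secure LDAP" is supposed to be completed; please add the steps for placing the exported root CA on the eFa appliance and a check that the DC certificate validates against it, and note that the hostname in LDAP_HOST ('ldaps://dc1.example.com') must match the name on the DC's certificate, otherwise the TLS verification this section relies on will fail. Since the conf.php block carries LDAP_PASS in clear text, the text should also say to restrict read access on /var/www/html/mailscanner/conf.php to the web server account.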
active_directory.1586532100.txt.gz · Last modified: 2020/04/10 15:21 by smyers119