[COLUG] Postfix or LDAP question

Travis Sidelinger travis at ilive4code.net
Thu Feb 15 07:01:00 EST 2007


I believe it is possible to use nss_ldap with AD.  You will need the 
POSIX schema added to AD and POSIX attributes added for each user (UID, 
username, group, gecos, homedir, shell).  Also, I believe you'll need 
Kerberos configured.  nss_ldap will get you name services and Kerberos 
will cover authentication.  Seek a past colug posting by Steve Nordlund 
for setting up Kerberos.  Building your /etc/ldap.conf and getting all 
this right will take some time.  If you're not an LDAP guru, I'd rate 
this as fairly challenging.  Note, I have not done this with AD.

An easier approach would be to use winbind from the samba project.  This 
I have done and it's fairly easy and reliable.

If all you need is a list of users from AD, why not write a small script 
using the ldapsearch command like this?
Example:
ldapsearch -H 'ldaps://server.domain.tld:636' -x -W \
    -D 'cn=binddn,ou=domain,o=tld' -b 'ou=domain,o=tld' \
    '(objectclass=User)' sn givenName mail etc..
# -W prompts for the bind password; -w 'secret' would pass it on the
# command line instead (and expose it in the process list and history).

cn=binddn,ou=domain,o=tld is an account you will need to set up that 
should be locked down to only allowing this simple query.

Travis Sidelinger

William Yang wrote:
> Aaron Howard wrote:
>> I have set up a "Postfix + MailScanner + SpamAssassin + ClamAV" SMTP
>> mail gateway for a customer of mine but have a question I hoped
>> somebody might be able to help me with.
>>
>> Postfix is presently set to forward all mail destined for local
>> mailboxes to my customer's internal Exchange server and this works
>> fine.  The only issue is I have to have user accounts on the Postfix
>> box in order for it to think they're local before it will accept
>> e-mail from them.  That, in and of itself, is not so bad.  I can
>> easily create those user accounts on the Postfix box easily enough.
>>
>> What I'd like, however, is to set it up so it will stay in sync with
>> the Exchange server.  That is, if they add a new user, I'd want the
>> Postfix box to see it.  If they delete a mailbox, same thing.
>>
>> Is this more of an LDAP integration issue?
>
> Well, it depends.  You can always cache the results of some kind of 
> probe against the SMTP service.... but you may want to just pull the 
> information directly out of LDAP periodically and cache that, instead, 
> or query against as needed if you trust the connection to and the 
> processing power of the Exchange box.  ActiveDirectory's ldap key for 
> e-mail addresses when used with recent Microsoft Exchange is, as I 
> recall, 'mail'...
>
> Or, you can link against the LDAP service directly for usernames and 
> passwords (think something like nss_ldap).  I probably wouldn't do 
> that if you didn't have to, because it will also require component 
> changes to the AD system somewhere along the line: the problem is 
> simpler and more self-contained if you can minimize the reliance on AD.
>
>     -Bill
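One way to do the periodic pull Bill describes, as an added example rather than code from either poster: parse ldapsearch's LDIF output from AD into a Postfix relay_recipient_maps table, dropping disabled accounts (userAccountControl bit 0x2) and addresses outside the relay domain. The sample entries, the domain.tld names and the filter `(&(objectCategory=person)(objectClass=user)(mail=*))` the search is assumed to have been run with are constructed; pipe real output through `ldif_records` and run `postmap` on the result.

```python
import base64

def ldif_records(text):
    """Parse LDIF (folded lines, 'attr:: base64' values) into one dict per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                records.append(current)
            current = {}
        elif ":" in line and not line.startswith("#"):   # skip ldapsearch comments
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # 'attr:: base64' value
                value = base64.b64decode(value[1:]).decode("utf-8")
            current.setdefault(attr.lower(), []).append(value.strip())
    return records

def relay_recipients(records, domains):
    """Sorted 'address OK' lines for enabled accounts whose mail is in domains."""
    out = set()
    for rec in records:
        # skip the ldapsearch trailer ('search: 2', 'result: 0') and ACCOUNTDISABLE accounts
        if "dn" not in rec or int(rec.get("useraccountcontrol", ["0"])[0]) & 0x2:
            continue
        for addr in rec.get("mail", []):
            if "@" in addr and addr.lower().rsplit("@", 1)[1] in domains:
                out.add(addr.lower() + " OK")
    return sorted(out)

# Constructed sample standing in for real ldapsearch output (with its trailer).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=domain,DC=tld
mail: Alice@domain.tld
userAccountControl: 512

dn: CN=Bob Example,OU=Users,DC=domain,DC=tld
mail:: Ym9iQGRvbWFpbi50bGQ=

dn: CN=Old Account,OU=Users,DC=domain,DC=tld
mail: old@domain.tld
userAccountControl: 514

search: 2
result: 0 Success
"""
```

Write the returned lines to a file named in relay_recipient_maps, run postmap on it, and Postfix will reject mail for addresses AD no longer knows about.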
