Victor Duchovni wrote:
> On Fri, Sep 03, 2010 at 02:45:41PM -0500, Seann wrote:
>
>> My current issue with Postfix is that I am not able to get the LDAP
>> account mapping to work correctly with my Active Directory security
>> settings.
>
> Postfix supports LDAP servers that offer:
>
> - No authentication, allowing anonymous queries
> - Simple password authentication (possibly via TLS).
> - Client cert authentication (via TLS).
>
>> My AD LDAP system requires strong authentication, by means of SASL
>> signing of the LDAP connections, as outlined in this document:
>> http://support.microsoft.com/kb/935834.
>
> The Postfix LDAP driver does not support LDAP SASL mechanisms other
> than "simple".
>
>> I can't get Postfix to connect via SSL (which is my usual workaround,
>> since it seems only Samba does this, by way of "client ldap sasl
>> wrapping = sign" in the configuration).
>
> Postfix supports TLS connections to LDAP, either "LDAP" inside SSL
> ("ldaps") or STARTTLS over LDAP.
>
>> # Server config
>> server_host = ldap://DC.domain.net
>
> If you are not using an SSL-specific LDAP port, you need to use
> "start_tls = yes" to enable TLS over LDAP.
>
>> search_base = CN=Users,DC=domain,DC=net
>> version = 3
>> start_tls = no
>> query_filter = (&(objectclass=person)(|(mail=%s)(othermailbox=%s)))
>> result_attribute = samaccountname
>> result_format = %s/Mail/
>> bind = yes
>> bind_dn = CN=admin,CN=Users,DC=domain,DC=net
>> bind_pw = p...@s$w0rd
>> tls_cert = /etc/pki/tls/certs/server.crt
>> tls_key = /etc/pki/tls/private/server.key
>> tls_ca_cert_file = /etc/pki/tls/certs/ca_domain.crt
>> tls_require_cert = no
>> tls_random_file = /dev/urandom
>
> So, what happens when you enable TLS?
When start_tls = yes, my error is:

Sep 2 09:46:03 server postfix/postmap[4650]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error

When I use the LDAPS URI, I get this:

Sep 2 09:46:55 server postfix/postmap[4659]: warning: dict_ldap_connect: Unable to bind to server ldaps://AD.domain.net:636 as CN=admin,CN=Users,DC=domain,DC=net: -1 (Can't contact LDAP server)

With normal LDAP, no SASL wrapping requirement, it works without an issue.

~Seann
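What Victor's advice amounts to in a table file, as an added example that is not from the thread and not Postfix's own code: a POSIX sh script that lints a Postfix ldap: table for the weak transport settings visible in the quoted config (a plain ldap:// URL with start_tls = no, tls_require_cert = no, and a world-readable file holding bind_pw) and writes a hardened counterpart. The Windows "require signing" policy exempts connections protected by TLS/SSL, so a simple bind inside STARTTLS or ldaps satisfies the domain controller without any SASL support in Postfix; but that only holds if the DC certificate is actually verified, which the posted tls_require_cert = no switches off. The hostnames, DNs and CA path follow the thread's config and are assumed; bind_pw is a placeholder, and the function names (ldap_cfg_get, ldap_tls_lint, write_weak_table, write_hardened_table) are the example's own.

```shell
#!/bin/sh
# Added example; not from the postfix-users thread or from Postfix itself.
# Lints a Postfix ldap: table for weak transport settings and writes a
# hardened counterpart. Needs only POSIX sh, grep, sed, tail, tr and find.
# Hostnames, DNs and paths are assumed from the thread; bind_pw is a placeholder.

# ldap_cfg_get KEY FILE: print KEY's value as Postfix would see it
# (comment lines dropped, last assignment wins, surrounding blanks trimmed).
ldap_cfg_get() {
    grep -v '^[[:space:]]*#' "$2" \
        | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" \
        | sed 's/[[:space:]]*$//' \
        | tail -n 1
}

# ldap_tls_lint FILE: print one finding per line ("FILE: ..."); return 0
# when the table is clean, 1 otherwise.
ldap_tls_lint() {
    f=$1
    n=0
    host=$(ldap_cfg_get server_host "$f")
    host=${host:-localhost}                      # Postfix default
    start_tls=$(ldap_cfg_get start_tls "$f")
    require=$(ldap_cfg_get tls_require_cert "$f")
    ca_file=$(ldap_cfg_get tls_ca_cert_file "$f")
    ca_dir=$(ldap_cfg_get tls_ca_cert_dir "$f")
    bind_pw=$(ldap_cfg_get bind_pw "$f")

    # server_host may list several hosts; each one not using ldaps:// is a
    # plaintext port and needs STARTTLS.
    plain=no
    ldaps=no
    for h in $(printf '%s' "$host" | tr ',' ' '); do
        case $h in
            ldaps://*) ldaps=yes ;;
            *)         plain=yes ;;
        esac
    done
    if [ "$plain" = yes ] && [ "$start_tls" != yes ]; then
        echo "$f: server_host=$host with start_tls=${start_tls:-no}: queries and bind_pw cross the wire in clear text"
        n=$((n + 1))
    fi
    if [ "$ldaps" = yes ] && [ "$start_tls" = yes ]; then
        echo "$f: start_tls = yes combined with an ldaps:// URL: STARTTLS is only for plain ldap:// ports"
        n=$((n + 1))
    fi
    # Without verification TLS stops passive sniffing but not an impostor DC.
    if [ "$require" != yes ]; then
        echo "$f: tls_require_cert=${require:-no}: the DC certificate is never verified"
        n=$((n + 1))
    elif [ -z "$ca_file" ] && [ -z "$ca_dir" ]; then
        echo "$f: tls_require_cert = yes but no tls_ca_cert_file/tls_ca_cert_dir to verify against"
        n=$((n + 1))
    fi
    # The table holds a bind password; other local users must not read it.
    if [ -n "$bind_pw" ] && [ -n "$(find "$f" -perm -004)" ]; then
        echo "$f: bind_pw is set but the file is world-readable (chmod 640, chown root:postfix)"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# write_weak_table FILE: the table as posted in the thread, password replaced.
write_weak_table() {
    cat >"$1" <<'EOF'
server_host = ldap://DC.domain.net
search_base = CN=Users,DC=domain,DC=net
version = 3
start_tls = no
query_filter = (&(objectclass=person)(|(mail=%s)(othermailbox=%s)))
result_attribute = samaccountname
result_format = %s/Mail/
bind = yes
bind_dn = CN=admin,CN=Users,DC=domain,DC=net
bind_pw = CHANGEME
tls_ca_cert_file = /etc/pki/tls/certs/ca_domain.crt
tls_require_cert = no
EOF
}

# write_hardened_table FILE: same lookup, STARTTLS on the plain port with the
# DC certificate checked against the domain CA. For LDAP-over-SSL instead,
# use server_host = ldaps://DC.domain.net:636 and drop start_tls.
write_hardened_table() {
    cat >"$1" <<'EOF'
server_host = ldap://DC.domain.net
search_base = CN=Users,DC=domain,DC=net
version = 3
start_tls = yes
query_filter = (&(objectclass=person)(|(mail=%s)(othermailbox=%s)))
result_attribute = samaccountname
result_format = %s/Mail/
bind = yes
bind_dn = CN=admin,CN=Users,DC=domain,DC=net
bind_pw = CHANGEME
tls_ca_cert_file = /etc/pki/tls/certs/ca_domain.crt
tls_require_cert = yes
EOF
}

# Stand-alone run: "sh this.sh demo" lints both tables and prints the findings.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    write_weak_table "$tmp/weak.cf";     chmod 644 "$tmp/weak.cf"
    write_hardened_table "$tmp/hard.cf"; chmod 600 "$tmp/hard.cf"
    ldap_tls_lint "$tmp/weak.cf" || echo "weak.cf: NOT OK"
    ldap_tls_lint "$tmp/hard.cf" && echo "hard.cf: OK"
    rm -rf "$tmp"
fi
```

Both errors in the reply above are raised before any LDAP operation runs (the STARTTLS extended operation and the TCP/TLS connect respectively), so the thing to check first is the handshake itself, independent of Postfix: with OpenSSL 1.1.1 or later, `openssl s_client -starttls ldap -connect DC.domain.net:389 -CAfile /etc/pki/tls/certs/ca_domain.crt` (or `-connect DC.domain.net:636` without `-starttls` for ldaps) should end with "Verify return code: 0 (ok)". A domain controller with no server certificate installed cannot complete either handshake, and a certificate issued by a CA other than the one in tls_ca_cert_file will fail the moment tls_require_cert = yes is set, which is the setting you want in production.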