Active directory problems.

[ajh123]

Hello everyone, I have set up a new Stalwart mail server and I would like to know what would a correct Active Directory LDAP configuration look like.

My current config is, but some of it is incorrect, I assume my filters are incorrect:

directory.domain_controler.attributes.class = "objectClass"
directory.domain_controler.attributes.description = "description"
directory.domain_controler.attributes.email = "mail"
directory.domain_controler.attributes.email-alias = "mailAlias"
directory.domain_controler.attributes.groups = "memberOf"
directory.domain_controler.attributes.name = "sAMAccountName"
directory.domain_controler.attributes.secret = "userPassword" # AD does not have a password field in LDAP.
directory.domain_controler.base-dn = "CN=Users,DC=example,DC=internal"
directory.domain_controler.bind.auth.dn = "[email protected]" # fix from #374 
directory.domain_controler.bind.auth.enable = true
directory.domain_controler.bind.dn = "CN=queries,CN=Users,DC=example,DC=internal"
directory.domain_controler.bind.secret = "PASSWORD" # not the actual password
directory.domain_controler.cache.entries = 500
directory.domain_controler.cache.ttl.negative = "10m"
directory.domain_controler.cache.ttl.positive = "1h"
directory.domain_controler.filter.domains = "(&(|(objectClass=person))(|(mail=*@?)(mailAlias=*@?)))"
directory.domain_controler.filter.email = "(&(|(objectClass=person))(|(mail=?)(mailAlias=?)(mailList=?)))"
directory.domain_controler.filter.expand = "(&(|(objectClass=person))(mailList=?))"
directory.domain_controler.filter.name = "(&(|(objectClass=person))(sAMAccountName=?))"
directory.domain_controler.filter.verify = "(&(|(objectClass=person))(|(mail=*?*)(mailAlias=*?*)))"
directory.domain_controler.timeout = "15s"
directory.domain_controler.tls.allow-invalid-certs = true # My LDAP/AD server uses a self signed cert
directory.domain_controler.tls.enable = true
directory.domain_controler.type = "ldap"
directory.domain_controler.url = "ldaps://x.x.x.x" # IP I use is correct

Additionally, Stalwart mail does not show any errors, it just doesn't show any accounts listed in the directory.

Also, running ldapsearch -H ldaps://x.x.x.x -D "CN=queries,CN=Users,DC=example,DC=internal" -w PASSWORD -b "CN=Users,DC=example,DC=com" -s sub "(&(objectClass=person))" does return a list of my users.

I've also used the fix from #374 but that doesn't help me here.

[mdecimus]

Hi,

Please try upgrading to version 0.10.0, then set the log level to trace and check the logs to see if there is any useful information regarding the issue you're having.

[ajh123]

Hello, I have the logs now:

logs.txt

I think I've found the problem, the logs say:

2024-09-22T09:28:41Z TRACE LDAP bind operation (store.ldap-bind) details = "[email protected]@example.internal"

It looks like Bind Auth DN is using the user's full mail address rather then just their username, with a correct config the logs should say:

2024-09-22T09:28:41Z TRACE LDAP bind operation (store.ldap-bind) details = "[email protected]"

I have a public domain example.com but my AD uses example.internal. Since the Bind Auth DN is using a combination of both domains, the user cannot login.

Since, the LDAP login is not successfull the mail account is not created, hence why there are no accounts in the management page.

Does Stalwart mail support this scenario?

[mdecimus]

Stalwart will use as the Bind Auth DN what is entered in the username field while logging in. You can use any value you like as long Stalwart is able to obtain the email address for the account (you can configure which attribute contains the email address(es)).