- Архива authenticates against Active Directory using a service account (instructions for creating this account follow below)
- MailArchiva looks the user up in Active Directory by login name
- MailArchiva verifies (authenticates) the user's login name and the supplied password
- MailArchiva assigns a role according to the login name and the configured role assignments
- MailArchiva extracts the user's mailbox addresses from the LDAP attribute specified in the Mail Attribute field
Field | Description | Example |
---|---|---|
DNS IP Address | IP address of your DNS server | 192.168.0.1 |
Active Directory Address | Fully qualified domain name of the Active Directory server | active.business.local |
Base DN | Distinguished name of the location in AD where Архива starts searching for users | dc=company,dc=com |
Service Account Login | Login of the service computer account in AD, in account@domain form (computer account names end in `$`) | service$@business.local |
Service Account Password | Password set on the service computer account | |
Mail Attribute | LDAP attribute from which the user's email addresses are read | ProxyAddresses |
Email Value | Regular expression whose first capture group extracts the email address from a value of the mail attribute | SMTP:(.*) |
Bind Attribute | Attribute used to find the user by login name in AD's LDAP. Leave this as is, unless users should log in with their email address or some other attribute. | SAMAccountName |
NTLM Authentication | When enabled, Архива performs single sign-on using the user's Windows session. | Disabled |
In order to authenticate with Active Directory, Архива requires a new computer account in Active Directory with a password set on it. While it is possible to create a new computer account using Active Directory Users and Computers, there is currently no way to set a password on a computer account from that GUI. For this purpose, a VBS script called ADSetupWizard.vbs is included with the server distributable. When executed with Domain Administrator privileges, the script creates a computer account in Active Directory, sets a password on it, and outputs the AD configuration settings appropriate for your setup.
The procedure for configuring Active Directory authentication is as follows:
1. The VBS script ADSetupWizard.vbs is included with the Архива server distributable.
2. Log in as a Domain Administrator to any domain-joined computer (the Архива server itself will do). Copy the ADSetupWizard.vbs script from the distributable to the local machine and run it.
3. Follow the wizard instructions to create a new "service" computer account in Active Directory and set a password on that account.
4. When the wizard completes, take note of the settings it prints; they are the values needed for the AD settings in Архива.
5. Open the Архива Configuration console and select the Logins menu on the left. Choose Active Directory authentication and enter the settings output by the AD wizard.
6. Next, click the New Role Assignment button to create a mapping between a role in Архива and an Active Directory attribute.
Note: If the ADSetupWizard.vbs script fails with the error "AccessDenied 80070005", first run it from an elevated (Run as administrator) command prompt, e.g. with cscript. Only if that still fails should Windows UAC be temporarily disabled on the machine where the script is executed; re-enable it once the account has been created.
Note: If you experience problems running the ADSetupWizard.vbs script, you can instead create the computer account manually in Active Directory Users and Computers. Thereafter, run the SetComputerPassword.vbs script (located in the same place as the ADSetupWizard script) to set the computer account's password.
Note: Microsoft requires that the user assigned the impersonation rights should not also have administrator rights assigned.
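The same procedure, done with the ActiveDirectory PowerShell module instead of the wizard, as an added example. This is not the ADSetupWizard.vbs or SetComputerPassword.vbs shipped with the product; it assumes an elevated session with Domain Admin rights on a domain-joined machine with RSAT installed, and the account name "archiva-svc" is a placeholder. It also does the one check a practitioner wants before opening the console: a test bind with the new account.

```powershell
# Added example; this is not the ADSetupWizard.vbs shipped with Архива.
# Assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine
# and an elevated session with Domain Admin rights. The account name "archiva-svc"
# is a placeholder; use whatever your naming policy requires.
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$accountName = 'archiva-svc'
$samName     = $accountName + '$'             # computer account logins end in '$'
$login       = "$samName@$($domain.DNSRoot)"  # e.g. archiva-svc$@business.local

# 32 random bytes -> 44-character password. Nobody types it by hand; it is
# pasted into the Архива console once and otherwise lives only in this session.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secret = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Create the computer object only if it does not exist yet. It gets no group
# memberships beyond the default: binding and reading user attributes is all
# Архива needs, so anything more would be excess privilege.
if (-not (Get-ADComputer -Filter "Name -eq '$accountName'")) {
    New-ADComputer -Name $accountName -SAMAccountName $samName `
        -Path "CN=Computers,$($domain.DistinguishedName)" `
        -Description 'Архива AD authentication service account' `
        -Enabled $true
}

# This is the step the GUI cannot do: set a known password on a computer
# account. A real machine rotates its own password periodically; no machine
# owns this account, so the value set here is the one Архива keeps using.
Set-ADAccountPassword -Identity $samName -Reset -NewPassword $secret

# Prove the new account can bind and read a user before touching the console.
# If this fails, the problem is in AD, not in Архива.
$cred  = New-Object System.Management.Automation.PSCredential($login, $secret)
$probe = Get-ADUser -Filter * -ResultSetSize 1 -Credential $cred
if (-not $probe) { throw "Bind as $login succeeded but no user object was readable" }

# The values that go into the Logins > Active Directory form (see the table above).
[pscustomobject]@{
    'Active Directory Address' = $domain.PDCEmulator        # FQDN of a domain controller
    'Base DN'                  = $domain.DistinguishedName
    'Service Account Login'    = $login
    'Service Account Password' = $plain
    'Mail Attribute'           = 'proxyAddresses'
    'Email Value'              = 'SMTP:(.*)'
    'Bind Attribute'           = 'SAMAccountName'
} | Format-List
```

The test bind uses the same account@domain login form the console expects, so a failure here reproduces exactly what the Архива Test Login would report, minus the archive's own configuration as a variable.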
When assigning roles to Active Directory users, it is necessary to select a role, select an LDAP attribute and enter a match criterion.
Field | Description |
---|---|
Role | Role to be assigned |
LDAP Attribute | LDAP attribute to use for the role assignment |
Match Criterion | Value compared against the selected LDAP attribute of the authenticating user in Active Directory |
To complete the attribute and match criterion fields, it is useful to understand how roles are assigned to users during console authentication. A user in Active Directory has a set of LDAP attributes associated with it. These attributes are essentially properties of the user (e.g. account name, group memberships, etc.). During console authentication, once the user has been identified, the value of the selected attribute is retrieved from Active Directory. This value is compared against the value entered in the match criterion field. If there is a match, the selected role is assigned to the user.
To assign a role to a single Windows user, select "SAMAccountName" as the LDAP attribute and enter the user's account name in the match criterion field. To assign a role to all members of a group, select "memberOf" as the attribute and enter the distinguished name of the group exactly as Active Directory returns it, without spaces after the commas (e.g. "CN=Enterprise Admins,CN=Users,DC=company,DC=com"). Note that memberOf lists only the groups a user belongs to directly; users who belong to the group only through a nested group are not matched.
Note: The match criterion field also accepts regular expressions for complex pattern matching requirements.
LDAP Attribute | Match Criterion Value |
---|---|
memberOf | CN=Enterprise Admins,CN=Users,DC=company,DC=com (distinguished name of the Active Directory group) |
userPrincipalName | jdoe@company.com |
SAMAccountName | jdoe |
distinguishedName | CN=John Doe,CN=Users,DC=company,DC=com |
When filling in the match criterion field, it is useful to look up the LDAP attribute names and values associated with a user. This is done by clicking the Lookup button and entering a user's username (e.g. admin@company.com) and password. A simple way to assign a role to an individual user is to copy one of the values of the attributes described above from the Lookup dialog and paste it into the match criterion field; copying rather than retyping also avoids whitespace and case differences.
If the Lookup dialog does not return any LDAP attribute values, there is most likely an error in your configuration. Once all role assignments are configured, execute a Test Login to ensure that your Kerberos settings, LDAP settings and user roles have been configured correctly. If problems are encountered, please refer to Authentication Failed Steps.
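The matching rule described above, reproduced as an added example (not code from Архива or MailArchiva) so that a criterion can be checked against a user's attributes before it is typed into the console. The sample user, group names and function names are invented; the Get-LookupAttributes helper, which needs the ActiveDirectory module, fetches the same shape from a live domain. Whether the product's own regex comparison is case-sensitive is not stated on this page; the example assumes it is.

```powershell
# Added example, not part of Архива or MailArchiva. Reproduces the role rule
# (selected attribute value equals the match criterion, or matches it as a
# regular expression) against a constructed attribute set. Sample user, group
# names and function names are invented; case-sensitive matching is an assumption.

# Constructed sample of what the Lookup dialog returns for jdoe.
$jdoe = @{
    sAMAccountName    = 'jdoe'
    userPrincipalName = 'jdoe@company.com'
    distinguishedName = 'CN=John Doe,CN=Users,DC=company,DC=com'
    memberOf          = @('CN=Archive Auditors,OU=Groups,DC=company,DC=com',
                          'CN=Enterprise Admins,CN=Users,DC=company,DC=com')
    proxyAddresses    = @('smtp:john.doe@company.com',
                          'SMTP:jdoe@company.com',
                          'X400:c=US;a= ;p=Company;o=Exchange;s=Doe;g=John;')
}

function Test-RoleMatch {
    param([hashtable]$User, [string]$Attribute, [string]$Criterion)
    # Multi-valued attributes (memberOf, proxyAddresses) are arrays; @() also
    # wraps a single string so the loop handles both. A missing attribute is
    # simply no match.
    foreach ($value in @($User[$Attribute])) {
        if (-not $value) { continue }
        if ($value -ceq $Criterion -or $value -cmatch $Criterion) { return $true }
    }
    return $false
}

function Get-ArchiveMailAddress {
    param([hashtable]$User, [string]$MailAttribute = 'proxyAddresses', [string]$Pattern = 'SMTP:(.*)')
    # -cmatch keeps the pattern case-sensitive: in Exchange the upper-case "SMTP:"
    # entry is the primary address and lower-case "smtp:" entries are aliases,
    # so a case-insensitive match would return whichever alias comes first.
    foreach ($value in @($User[$MailAttribute])) {
        if ($value -cmatch $Pattern) { return $Matches[1] }
    }
    return $null
}

# Same shape from a live domain (requires the ActiveDirectory module).
function Get-LookupAttributes {
    param([string]$Login)
    $u = Get-ADUser -Identity $Login -Properties memberOf, proxyAddresses
    return @{
        sAMAccountName    = $u.SamAccountName
        userPrincipalName = $u.UserPrincipalName
        distinguishedName = $u.DistinguishedName
        memberOf          = @($u.memberOf)
        proxyAddresses    = @($u.proxyAddresses)
    }
}

# Group DN copied exactly as AD returns it: matches.
if (-not (Test-RoleMatch $jdoe 'memberOf' 'CN=Enterprise Admins,CN=Users,DC=company,DC=com')) {
    throw 'exact group DN should match'
}
# The same DN typed by hand with spaces after the commas: no match.
if (Test-RoleMatch $jdoe 'memberOf' 'CN=Enterprise Admins, CN=Users, DC=company, DC=com') {
    throw 'DN with spaces should not match'
}
# Regex criterion: any group whose CN ends in "Auditors".
if (-not (Test-RoleMatch $jdoe 'memberOf' '^CN=[^,]*Auditors,')) { throw 'regex should match' }
# memberOf lists direct memberships only. A user who is in Archive Auditors
# through the nested Helpdesk group has this memberOf and does not match.
$nested = @{ memberOf = @('CN=Helpdesk,OU=Groups,DC=company,DC=com') }
if (Test-RoleMatch $nested 'memberOf' 'CN=Archive Auditors,OU=Groups,DC=company,DC=com') {
    throw 'nested membership is not visible through memberOf'
}
# Primary SMTP address extracted by the default Email Value pattern.
if ((Get-ArchiveMailAddress $jdoe) -ne 'jdoe@company.com') { throw 'primary SMTP address expected' }
```

The nested-group case is the one that surprises people in production: a user inherits group membership for file shares and mail, yet gets no Архива role because memberOf does not flatten the hierarchy. Either assign the role to the nested group as well, or match on an attribute that is set directly on the user.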
If you cannot get AD authentication working in your environment, you can instead authenticate against AD using password-based LDAP authentication. To do this, select LDAP authentication, set the mail attribute to "proxyAddresses" and the bind attribute to "SAMAccountName". You will also need to clear the default login name suffix in the Logins section. Refer to LDAP Authentication for more information.
Multi-Domain Authentication Tip: if your organization has multiple domains, Архива must be configured to connect to AD's Global Catalog service, which listens on port 3268. To do this, change the Active Directory server FQDN to the equivalent of company.com:3268 and leave the base DN empty. Two caveats apply: port 3268 is the unencrypted Global Catalog port (3269 is its TLS-protected counterpart), and the Global Catalog holds only the attributes in its partial attribute set, so a role assignment that uses an attribute not replicated to the Global Catalog will find no value to match.