Hello,
I set up our PMG with an LDAP connection today and it was a little tricky, so I want to give you a short guide to help you set this up. It seems really complicated, but in the end it is really easy.
What do I want to achieve?
- Login via LDAP for users
- Remove disabled AD users
- Only sync users within a specified group, including nested groups
First of all, make sure your PMG can reach your domain controllers and all needed ports are open.
Your users should already exist and have an e-mail address.
For a better understanding of how my strings are structured, I will explain a little more about our setup.
Best practice for setting up an Active Directory is to use a real, existing TLD, so add a subdomain named "ad.domain.de".
My realm is: dc=ad,dc=domain,dc=de
In my experience, I have a "best practice" setup for organizing the AD structure. If you work a little more with Active Directory, perhaps you will thank me for this in a few years.
I will leave all the default stuff as it is and create my own users, groups and OUs.
The group name "SG_PMG_USER" looks a little cryptic, but it is easy to understand. The prefix "SG_" stands for "Security Group", "PMG" for Proxmox Mail Gateway (or any other service) and "USER" reflects user rights only, not administrative ones.
How does this freaky LDAP filter work?
For a general understanding of the filter string itself, check this page: https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html
I will only explain the little "magic" here:
(userAccountControl=512): this value means the account is active and not disabled.
(memberOf:1.2.840.113556.1.4.1941:=cn=SG_PMG_USER,ou=security,ou=groups,ou=global,dc=ad,dc=domain,dc=de): this means every user who is a member of the group "SG_PMG_USER" is synced to PMG. The string "1.2.840.113556.1.4.1941" in front means LDAP should check nested groups too. For example, I have a group "SG_Management" which is a member of "SG_PMG_USER"; there are no users directly in "SG_PMG_USER", only another group.
For more information about the ID "1.2.840.113556.1.4.1941" see this page: https://docs.microsoft.com/en-us/windows/desktop/adsi/search-filter-syntax
So that's my current structure:
Code:
ad.domain.de
- Global
-- accounts
--- admin
--- disabled
--- guest
--- service
--- user
-- computers
--- clients
--- servers
-- groups
--- distribution
--- mailbox
--- printer
--- security
--- shares
--- software
Step 1.
Log in to PMG, go to "Configuration" > "User Management", then in the upper navigation bar click the "LDAP" button and then "Create".
Step 2.
Now we fill in the form:
Profile Name: any string you want
Protocol: LDAP (or LDAPS etc., if you use that)
Server: 127.0.0.1 (IP of the first DC)
Server: 127.0.0.2 (IP of the second DC)
Port: default (leave it, unless you use another port)
User name: pmg (I recommend adding a "service account" named "pmg" with NO group membership)
Password: **** (the password of the pmg user)
Enable: Yes
Base DN:
Code:
ou=user,ou=accounts,ou=global,dc=ad,dc=domain,dc=de
Base DN for Groups:
Code:
cn=SG_PMG_USER,ou=security,ou=groups,ou=global,dc=ad,dc=domain,dc=de
EMail attribute name(s): mail
Account attribute name: sAMAccountName
LDAP filter:
Code:
(&(objectClass=person)(userAccountControl=512)(memberOf:1.2.840.113556.1.4.1941:=cn=SG_PMG_USER,ou=security,ou=groups,ou=global,dc=ad,dc=domain,dc=de))
Group Objectclass: leave it blank
Comment: here you can enter what you want.
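To see what this filter actually selects, here is an added example (not from the original post) that models the three filter clauses over a small constructed directory, with assumed user DNs placed under the tutorial's ou=user OU and the SG_Management group nested in SG_PMG_USER as described above. It also shows one caveat of the equality test: userAccountControl is a bit field, so (userAccountControl=512) only matches accounts with no other flag set (an enabled account with "password never expires" has 66048 and is skipped), whereas the bitwise matching rule 1.2.840.113556.1.4.803 tests only the disabled bit.

```python
from typing import Callable, Dict, List
# Assumed DNs mirroring the tutorial's tree; every entry below is constructed.
BASE = "ou=global,dc=ad,dc=domain,dc=de"
GROUP_DN = f"cn=SG_PMG_USER,ou=security,ou=groups,{BASE}"
MGMT_DN = f"cn=SG_Management,ou=security,ou=groups,{BASE}"
NORMAL_ACCOUNT = 0x0200       # 512, the value the tutorial's filter compares against
ACCOUNTDISABLE = 0x0002       # bit set on disabled accounts
DONT_EXPIRE_PASSWD = 0x10000  # common extra flag; 512 | 65536 = 66048 != 512

def user(uac: int, groups: List[str]) -> dict:
    return {"objectClass": ["person", "user"], "userAccountControl": uac, "memberOf": groups}

DIRECTORY: Dict[str, dict] = {  # dn -> attributes
    f"cn=alice,ou=user,ou=accounts,{BASE}": user(512, [GROUP_DN]),  # direct member
    f"cn=bob,ou=user,ou=accounts,{BASE}": user(512, [MGMT_DN]),     # member via nesting
    f"cn=carol,ou=user,ou=accounts,{BASE}": user(512 | ACCOUNTDISABLE, [GROUP_DN]),
    f"cn=dave,ou=user,ou=accounts,{BASE}": user(512 | DONT_EXPIRE_PASSWD, [GROUP_DN]),
    MGMT_DN: {"objectClass": ["group"], "memberOf": [GROUP_DN]},  # SG_Management in SG_PMG_USER
    GROUP_DN: {"objectClass": ["group"], "memberOf": []},
}

def member_of_in_chain(dn: str, target: str) -> bool:
    """Transitive membership, as the 1.2.840.113556.1.4.1941 matching rule resolves it."""
    seen, todo = set(), list(DIRECTORY[dn]["memberOf"])
    while todo:
        g = todo.pop()
        if g == target:
            return True
        if g not in seen:  # guards against group cycles
            seen.add(g)
            todo.extend(DIRECTORY.get(g, {}).get("memberOf", []))
    return False

def matches_tutorial_filter(dn: str) -> bool:
    """(&(objectClass=person)(userAccountControl=512)(memberOf:...1941:=GROUP_DN))"""
    e = DIRECTORY[dn]
    return ("person" in e["objectClass"]
            and e.get("userAccountControl") == NORMAL_ACCOUNT
            and member_of_in_chain(dn, GROUP_DN))

def matches_bitwise_filter(dn: str) -> bool:
    """Same, but 'not disabled' written as (!(userAccountControl:1.2.840.113556.1.4.803:=2))."""
    e = DIRECTORY[dn]
    return ("person" in e["objectClass"]
            and not (e.get("userAccountControl", 0) & ACCOUNTDISABLE)
            and member_of_in_chain(dn, GROUP_DN))

def synced_users(pred: Callable[[str], bool]) -> List[str]:
    """DNs that PMG would import under the given filter."""
    return sorted(dn for dn in DIRECTORY if pred(dn))
```

Running synced_users with each predicate shows bob being picked up through the nested group and dave being dropped only by the equality form of the filter.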
Step 3.
Now click "OK" and check that the group and the users are found.
Step 4.
If you now set "Configuration" > "Spam Detector" > "Quarantine" > "Authentication method" to "LDAP or Ticket", your users can log in at https://pmg01.domain.de:8006/quarantine
Let me know if you have feedback or questions about this tutorial.