Setup LDAP/AD

From Roaring Penguin

CanIt can integrate with Microsoft's Active Directory (AD) or generic implementations of LDAP to accomplish multiple things:

  • Validate recipient email addresses
  • Find the appropriate stream for valid recipient
  • Allow multiple email addresses to use the same stream (aliases)
  • Allow for user authentication with the LDAP credentials

There is a simple wizard for setting up LDAP (as well as IMAP and POP3) on the Setup->User Lookups page. Each page's Online Documentation link gives more detail than this summary.

After clicking "Add a New User Lookup" and naming the lookup, you will be asked which "Method" that lookup will use. There are pre-built options for both Active Directory and generic LDAP, each with the choice of logging in with an email address or with a username plus the domain name. These options should work against a default directory configuration.

On the following page, the first four boxes should be the only ones that need to be filled in:

LDAP server(s): The hostname or IP of your LDAP server(s)

Base DN: The "Base DN" of your LDAP tree that the domain directory is located in. Usually something like "DC=example,DC=com" for example.com

Bind DN: The user CanIt will log in as in order to run queries. This can be a new or existing user and does not need any special privileges; since CanIt only binds and searches, a dedicated read-only service account is the right choice, not an administrative one.

Bind Password: The password for the above user

All other settings will likely work as-is unless you have changed specific settings on your LDAP server.

Once you complete the wizard, you can return to the main User Lookups page to test the lookup. The streaming test exercises the first three purposes listed at the top of this page, and the authentication test exercises the last.

If you get a "could not bind" error, it is likely that your Base DN or Bind DN is not set up correctly. The "attempt to guess Bind DN" option will suggest alternative configurations.
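The following is an added example, not CanIt's own code, showing what the four lookups at the top of this page amount to in LDAP terms: the recipient address is turned into a search filter, a hit yields the stream, aliases resolve to the same stream, and authentication is a search for the user's DN followed by a bind as that DN. CanIt's actual filters are not documented on this page; the ones here assume a default Active Directory schema (mail, proxyAddresses, userPrincipalName, sAMAccountName) and run against a small constructed directory snapshot so the script works offline. The escaping matters because recipient addresses arrive from the SMTP envelope, that is, from untrusted senders.

```python
# Added example (not CanIt code). Assumes a default AD schema and the
# Base DN "DC=example,DC=com"; the directory and passwords are constructed.
from typing import Callable, List, Optional, Tuple

BASE_DN = "DC=example,DC=com"

# Constructed snapshot standing in for a live server.
DIRECTORY = [
    {"dn": "CN=Alice Smith,OU=Users," + BASE_DN, "objectClass": ["user"],
     "sAMAccountName": ["asmith"], "userPrincipalName": ["asmith@example.com"],
     "mail": ["alice@example.com"],
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.smith@example.com",
                        "smtp:sales@example.com"]},
    {"dn": "CN=Bob Jones,OU=Users," + BASE_DN, "objectClass": ["user"],
     "sAMAccountName": ["bjones"], "userPrincipalName": ["bjones@example.com"],
     "mail": ["bob@example.com"], "proxyAddresses": ["SMTP:bob@example.com"]},
]
PASSWORDS = {DIRECTORY[0]["dn"]: "correct horse", DIRECTORY[1]["dn"]: "hunter2"}

Terms = List[Tuple[str, str]]


def escape_filter(value: str) -> str:
    """RFC 4515 escaping. Without it a sender could put '*' in the envelope
    recipient to match every user, or ')(' to rewrite the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_filter(terms: Terms) -> str:
    """Render (attribute, value) pairs as the filter a real server would get."""
    ors = "".join(f"({attr}={escape_filter(val)})" for attr, val in terms)
    return f"(&(objectClass=user)(|{ors}))"


def search(terms: Terms) -> list:
    """Offline stand-in for a subtree search under BASE_DN with the filter
    above. AD compares these string attributes case-insensitively, which is
    why 'smtp:' below also matches the 'SMTP:' primary-address entries."""
    hits = []
    for e in DIRECTORY:
        if "user" in e["objectClass"] and any(
                val.lower() in (v.lower() for v in e.get(attr, []))
                for attr, val in terms):
            hits.append(e)
    return hits


def recipient_terms(address: str) -> Terms:
    # Primary address in mail, aliases in proxyAddresses as "smtp:alias".
    return [("mail", address), ("proxyAddresses", "smtp:" + address)]


def login_terms(login: str) -> Terms:
    # The wizard allows logging in by e-mail address or by username.
    return [("mail", login), ("userPrincipalName", login), ("sAMAccountName", login)]


def lookup_stream(address: str) -> Optional[str]:
    """Purposes 1-3: a valid recipient resolves to a stream (here the entry's
    primary mail address), an alias resolves to the same stream, and an
    unknown or ambiguous address returns None, i.e. is rejected."""
    hits = search(recipient_terms(address))
    if len(hits) != 1:
        return None
    return hits[0]["mail"][0].lower()


def authenticate(login: str, password: str,
                 bind: Callable[[str, str], bool]) -> Optional[str]:
    """Purpose 4: locate the DN with the service account, then bind as that
    DN with the user's password. An empty password is refused before binding:
    a simple bind with a DN and no password is an unauthenticated bind
    (RFC 4513 section 5.1.2), which servers such as Active Directory accept
    by default, so it would look like a successful login."""
    if not password:
        return None
    hits = search(login_terms(login))
    if len(hits) != 1:
        return None
    dn = hits[0]["dn"]
    return dn if bind(dn, password) else None


def fake_bind(dn: str, password: str) -> bool:
    """Stand-in for a real simple bind, checked against the constructed table."""
    return PASSWORDS.get(dn) == password


if __name__ == "__main__":
    print(build_filter(recipient_terms("a.smith@example.com")))
    print(lookup_stream("a.smith@example.com"))       # alias -> alice@example.com
    print(lookup_stream("nobody@example.com"))        # None: invalid recipient
    print(build_filter(recipient_terms("*)(mail=*")))  # escaped, matches nothing
    print(authenticate("asmith", "correct horse", fake_bind))
```

The filter strings printed by build_filter can be pasted into an ldapsearch run with the wizard's Bind DN and Base DN to check by hand what the built-in tests check for you; the empty-password guard is the one check worth confirming separately, since a lookup that "works" can still accept empty passwords if the server allows unauthenticated binds.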

Once the lookup has been tested successfully, you need to actually tell CanIt to use it. This is done in two places: Setup->Domain Mappings covers the first three purposes, and Setup->Authentication Mappings covers the last. Because the two are separate, you can use LDAP for streaming without enabling LDAP authentication.

Once LDAP is set in Domain Mappings, any Setup->Verification Server entry for that domain is redundant and can be removed.