
Thread: [RESOLVED] Can't get AD Distribution Groups working

  1. #1

    [RESOLVED] Can't get AD Distribution Groups working

    Mail server: Postfix 2.3.3-2 on CentOS 5
    ADS DC: Windows Server 2003 Standard in 2003 Native mode
    Zarafa: Product version: 0,6,20 File version: 11804

    I'm currently testing the Community Edition (at home) in preparation for a full scale test at work. The only thing I don't have working is delivery to ADS Distribution and/or Security groups. My queries work using ldapsearch to return the correct members, and delivery to the users directly works, but running a delivery report or test delivery from dagent returns unable to resolve email address or Unknown user.

    Code:
    [root@mail1 zarafa]# zarafa-dagent -v tjandcj@mydomain.com
    Starting delivery for user tjandcj@mydomain.com
    Access denied or Unknown user 'tjandcj@mydomain.com', error code: 0x80040111
    
    [root@mail1 zarafa]# zarafa-dagent -v -R tjandcj@mydomain.com
    Starting delivery for user tjandcj@mydomain.com
    Unable to resolve email address 'tjandcj@mydomain.com'

    And Postfix is attempting to deliver to dagent properly:
    Code:
    Final-Recipient: rfc822; tjandcj@mydomain.com
    Action: deliverable
    Status: 2.0.0
    Diagnostic-Code: X-Postfix; delivery via zarafa: delivers to command:
        /usr/bin/zarafa-dagent

    My zarafa-admin queries return users and groups properly:
    Code:
    [root@mail1 zarafa]# zarafa-admin -l
    User list for Default(7):
            username                fullname
            ---------------------------------------------
            SYSTEM          SYSTEM
            misst           xxxxxxx xxxxxxxxxx
            grizzly2ksports         xxxxxxx xxxxxxxxxx
            Administrator
            akelm           xxxxxxx xxxxxxxxxx
            jandmkelm               xxxxxxx xxxxxxxxxx
            cgrey           xxxxxxx xxxxxxxxxx
    
    [root@mail1 zarafa]# zarafa-admin -L
    Group list for Default(3):
            groupname
            -------------------------------------
            Everyone
            Corwin and Theresa Grey
            tjandcj

    Code:
    ldapsearch -x -H ldaps://ads-dc1.mydomain.com -b dc=mydomain,dc=com -D cgrey@mydomain.com -w xxxxxxx '(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,dc=mydomain,DC=com)(memberof=CN=Zarafa Query,OU=Custom Groups,DC=mydomain,DC=com))' member
    Code:
    # extended LDIF
    #
    # LDAPv3
    # base <dc=mydomain,dc=com> with scope subtree
    # filter: (&(objectCategory=CN=Group,CN=Schema,CN=Configuration,dc=mydomain,DC=com)(memberof=CN=Zarafa Query,OU=Custom Groups,DC=mydomain,DC=com))
    # requesting: member
    #
    
    # Corwin and Theresa Grey, Custom Groups, mydomain.com
    dn: CN=Corwin and Theresa Grey,OU=Custom Groups,DC=mydomain,DC=com
    member: CN=Theresa Grey,OU=Custom Users,DC=mydomain,DC=com
    member: CN=Corwin Grey,OU=Custom Users,DC=mydomain,DC=com
    
    # tjandcj, Custom Groups, mydomain.com
    dn: CN=tjandcj,OU=Custom Groups,DC=mydomain,DC=com
    member: CN=Theresa Grey,OU=Custom Users,DC=mydomain,DC=com
    member: CN=Corwin Grey,OU=Custom Users,DC=mydomain,DC=com
    
    # search reference
    ref: ldaps://ForestDnsZones.mydomain.com/DC=ForestDnsZones,DC=mydomain,DC=com
    
    # search reference
    ref: ldaps://DomainDnsZones.mydomain.com/DC=DomainDnsZones,DC=mydomain,DC=com
    
    # search reference
    ref: ldaps://mydomain.com/CN=Configuration,DC=mydomain,DC=com
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 6
    # numEntries: 2
    # numReferences: 3

    My ldap.cfg:
    Code:
    ldap_host = ads-dc1.mydomain.com
    ldap_port = 636
    ldap_protocol = ldaps
    ldap_bind_user = CN=Corwin Grey,OU=Custom Users,DC=mydomain,DC=com
    ldap_bind_passwd = xxxxxxxxxxxxxxxxxx
    
    ldap_user_search_base = dc=mydomain,dc=com
    ldap_user_scope = sub
    ldap_user_search_filter = (&(objectClass=person)(objectCategory=CN=Person,CN=Schema,CN=Configuration,dc=mydomain,DC=com)(memberOf=CN=Zarafa Query,OU=Custom Groups,DC=mydomain,DC=com))
    ldap_user_unique_attribute = objectSid
    ldap_user_unique_attribute_type = binary
    
    ldap_group_search_base = dc=mydomain,dc=com
    ldap_group_scope = sub
    ldap_group_search_filter = (&(objectCategory=CN=Group,CN=Schema,CN=Configuration,dc=mydomain,DC=com)(memberof=CN=Zarafa Query,OU=Custom Groups,DC=mydomain,DC=com))
    ldap_group_unique_attribute = objectSid
    ldap_group_unique_attribute_type = binary
    
    ldap_company_search_base = dc=mydomain,dc=com
    ldap_company_scope = base
    ldap_company_search_filter = (&(objectClass=zarafaCompany)(objectCategory=CN=Company,CN=Schema,CN=Configuration,dc=mydomain,DC=com))
    ldap_company_unique_attribute = objectSid
    ldap_company_unique_attribute_type = binary
    
    ldap_fullname_attribute = cn
    ldap_fullname_attribute = displayName
    ldap_loginname_attribute = sAMAccountName
    ldap_emailaddress_attribute = mail
    ldap_user_certificate_attribute = userCertificate
    ldap_authentication_method = bind
    ldap_groupname_attribute = cn
    ldap_groupmembers_attribute = member
    ldap_groupmembers_attribute_type = dn
    ldap_companyname_attribute = cn
    ldap_server_charset = utf-8
    
    ldap_isadmin_attribute = adminCount
    ldap_nonactive_attribute = zarafaSharedStoreOnly
    ldap_quotaoverride_attribute = zarafaQuotaOverride
    ldap_warnquota_attribute = zarafaQuotaWarn
    ldap_softquota_attribute = zarafaQuotaSoft
    ldap_hardquota_attribute = zarafaQuotaHard
    ldap_userdefault_quotaoverride_attribute = zarafaUserDefaultQuotaOverride
    ldap_userdefault_warnquota_attribute = zarafaUserDefaultQuotaWarn
    ldap_userdefault_softquota_attribute = zarafaUserDefaultQuotaSoft
    ldap_userdefault_hardquota_attribute = zarafaUserDefaultQuotaHard
    ldap_company_view_attribute = zarafaViewPrivilege
    ldap_company_view_attribute_type = text
    ldap_company_view_relation_attribute =
    ldap_company_admin_attribute = zarafaAdminPrivilege
    ldap_company_admin_attribute_type = uid
    ldap_company_admin_relation_attribute =
    ldap_company_system_admin_attribute = zarafaSystemAdmin
    ldap_company_system_admin_attribute_type = uid
    ldap_company_system_admin_relation_attribute =
    ldap_quota_userwarning_recipients_attribute = zarafaQuotaUserWarningRecipients
    ldap_quota_userwarning_recipients_attribute_type = text
    ldap_quota_userwarning_recipients_relation_attribute =
    ldap_quota_companywarning_recipients_attribute = zarafaQuotaCompanyWarningRecipients
    ldap_quota_companywarning_recipients_attribute_type = text
    ldap_quota_companywarning_recipients_relation_attribute=
    ldap_quota_multiplier = 1048576
    ldap_user_sendas_attribute = zarafaSendAsPrivilege
    ldap_user_sendas_attribute_type = text
    ldap_user_sendas_relation_attribute =

  2. #2

    Re: Can't get AD Distribution Groups working

    zarafa-dagent requires the Zarafa username to whom the email should be delivered; you cannot pass a group name to it because it cannot resolve that as a user.
    When you send an email from Zarafa, the group members will be resolved in the zarafa-spooler, which makes sure each individual user of the group will receive the email.

  3. #3

    Re: Can't get AD Distribution Groups working

    Quote Originally Posted by ivdoorn
    zarafa-dagent requires the Zarafa username to whom the email should be delivered; you cannot pass a group name to it because it cannot resolve that as a user.
    When you send an email from Zarafa, the group members will be resolved in the zarafa-spooler, which makes sure each individual user of the group will receive the email.
    I'm aware of that. My problem is that we have numerous distribution groups which receive email from outside. In Exchange, these groups have email addresses. With the ADS extension installed, I can't find a way to assign a recipient email to a group so that outside delivery to these groups can be done. We have hundreds of distribution groups, many with inheritance from other groups. This is part of what I'm trying to test at work.

  4. #4

    Re: Can't get AD Distribution Groups working

    Does anyone have any assistance for this? I need to test this in preparation for our doing a test at work, and this is the only feature I can't seem to get working. There is nowhere to attach an email to a distribution group, so my postini ldap query returns nothing.

  5. #5

    Re: Can't get AD Distribution Groups working

    The easiest way would be creating non-active users for such groups. They can have an email address, and you can either set rules to forward the mail to the group members, or make it a shared store, which means you only have to assign rights to the group members to look into the shared store.

  6. #6

    Re: Can't get AD Distribution Groups working

    Quote Originally Posted by ivdoorn
    The easiest way would be creating non-active users for such groups. They can have an email address, and you can either set rules to forward the mail to the group members, or make it a shared store, which means you only have to assign rights to the group members to look into the shared store.

    That really isn't practical. We have 150 users, and probably have 300 distribution groups. We also have extremely tight security requirements (internal, and federal) regarding user accounts which are not active users on the system. I don't understand why the distribution groups setup is so difficult and even with the AD Extension installed I have no mail attribute on the groups.

  7. #7

    Re: Can't get AD Distribution Groups working

    Hi Cjgrey,

    I understand your issue. The groups which are available in Zarafa are more internally used groups, i.e. for sending emails to internal groups and setting security permissions on specific groups.

    Email aliases like support@.., sales@.. are currently configurable with the aliases section per user.
    Most customers add a specific alias to multiple users or create a non-active user which different users have access to.

    There is indeed no Zarafa MMC plugin at the moment for groups, although the mail attribute is available in the Group objectclass. But you need to change the attribute with adsiedit, which is of course not the nicest way to do this.

    To deliver email to these groups, Postfix should have an extra configuration section so it can resolve all members of a specific group email address.

    We also have extremely tight security requirements (internal, and federal) regarding user accounts which are not active users on the system
    So, are there external addresses in these distribution groups?


    Regards,

    Milo

  8. #8

    Re: Can't get AD Distribution Groups working

    Quote Originally Posted by milo
    To deliver email to these groups, Postfix should have an extra configuration section so it can resolve all members of a specific group email address.

    We also have extremely tight security requirements (internal, and federal) regarding user accounts which are not active users on the system
    So, are there external addresses in these distribution groups?
    Hi Milo,

    Yes, we have a large number of distribution groups under Exchange, with quite a few inherited groups which have external email addresses. Here is a partial example from our department.

    IT Department is a distribution (and security) group which contains only other groups. It has an SMTP address and can receive email directly from outside. IT Manager is also a distribution group, which has direct members and is SMTP deliverable as well. Some of the groups (such as the Specialists and Analysts) are not directly external SMTP deliverable, but only internally. This example is a portion of our department, which is one of the least complex of the departments. Because we are a government agency, and no email is 'personal', we have transitioned almost entirely to role-based email addresses and email boxes so that as a person retires, is replaced, or their role becomes shared between multiple people, we only have to add the individual user to the correct distribution group. We utilized shared mailboxes this way as well (every individual in 'Credit' has their own 'personal' mailbox store they access via OWA, but there is a shared 'Customer Credit Mailbox' store which they open as their primary mailbox in Outlook).

    I have helped set up a similar structure for a number of other organizations which has simplified their personnel transition issues, and we are not the only government entity we work with which uses and relies heavily upon SMTP-enabled distribution groups.

    Code:
    IT Department: (smtp:itdept@xxxxxxxx.org)
     IS Department (smtp:isdept@xxxxxxxx.org)
      IT Specialists
       Mike (mike.xxxxxx@xxxxxxxx.org)
       Corwin (corwin.xxxxx@xxxxxxxxx.org)
      IT Analysts
       David (david.xxxxxx@xxxxxxxxx.org)
       Rick (rick.xxxxxxx@xxxxxxxxx.org)
     IT Manager (smtp:itmanager@xxxxxxxx.org)
      Rob (rob.xxxxxxxx@xxxxxxxxx.org)
     IS Supervisor (smtp:issupervisor@xxxxxxxx.org)
      Ged (Ged.xxxxxxxx@xxxxxxxxx.org)
     IT Construction Coordinator (smtp:itconstruction@xxxxxxxxx.org)
      Gary (gary.xxxxxxxx@xxxxxxxxx.org)
     IT Technical Support Specialist
      Alice (alice.xxxxxx@xxxxxxxxx.org)
    
    Commissioners [smtp:commissioners@xxxxxxxxxx.org]
     District #1 [smtp:district1@xxxxxxxx.org]
       Tom (smtp:tom@xxxxxxxxxxxxxx.org)
     District #2 [smtp:district2@xxxxxxxxxxx.org]
       Russ (smtp:russ@xxxxxxxxx.org)
     District #3 [smtp:district3@xxxxxxxxxx.org]
       Truman (smtp:truman@xxxxxxxxxxx.org)
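
The nested-group behaviour described in the post above, as an added example (not part of the original thread, and not Zarafa or Postfix code): it expands a group address into member mailboxes, lets only groups that carry an SMTP address be addressed from outside, and guards against membership loops. The directory data, the example.org addresses and the function names are constructed for illustration.

```python
# Constructed sample directory modelled on the group tree in the post above.
# "mail" is the group's SMTP address (None = internal only); a member is
# either another group name or a user mailbox. All values are illustrative.
GROUPS = {
    "IT Department": {"mail": "itdept@example.org",
                      "members": ["IS Department", "IT Manager"]},
    "IS Department": {"mail": "isdept@example.org",
                      "members": ["IT Specialists", "IT Analysts"]},
    "IT Specialists": {"mail": None,
                       "members": ["mike@example.org", "corwin@example.org"]},
    "IT Analysts": {"mail": None,
                    "members": ["david@example.org", "rick@example.org"]},
    # "IT Department" as a member here is a constructed loop (not in the
    # post) to exercise the cycle guard.
    "IT Manager": {"mail": "itmanager@example.org",
                   "members": ["rob@example.org", "IT Department"]},
}


def expand(group, seen=None):
    """Return the set of user mailboxes under `group`, following nesting."""
    seen = set() if seen is None else seen
    if group in seen:  # already visited: break membership loops
        return set()
    seen.add(group)
    mailboxes = set()
    for member in GROUPS[group]["members"]:
        if member in GROUPS:
            mailboxes |= expand(member, seen)
        else:
            mailboxes.add(member)
    return mailboxes


def resolve_external(rcpt):
    """Map an outside recipient address to the mailboxes that receive it.

    Only a group that carries an SMTP address is matched; a group without
    one is expanded when nested. Returns None for an unknown recipient.
    """
    rcpt = rcpt.lower()
    for name, entry in GROUPS.items():
        if entry["mail"] and entry["mail"].lower() == rcpt:
            return sorted(expand(name))
    return None
```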

  9. #9

    Re: Can't get AD Distribution Groups working

    Hi Corwin,

    I'm currently doing a test setup with Postfix and ADS to make distribution groups externally available.

    At the moment it's currently not possible to hide groups from the Global Address Book, but this feature is on the roadmap for 2009.

    We utilized shared mailboxes this way as well (every individual in 'Credit' has their own 'personal' mailbox store they access via OWA, but there is a shared 'Customer Credit Mailbox' store which they open as their primary mailbox in Outlook).
    I understand the reason for this setup, but so far I haven't seen a configuration like this at one of our customers.

    I will let you know the results of the test setup with the distribution groups soon.

    Regards,

    Milo Oostergo

  10. #10

    Re: Can't get AD Distribution Groups working

    Hi Milo,

    Quote Originally Posted by milo
    I'm currently doing a test setup with Postfix and ADS to make distribution groups externally available.
    Good to hear.

    Quote Originally Posted by milo
    At the moment it's currently not possible to hide groups from the Global Address Book, but this feature is on the roadmap for 2009.
    Actually I achieved this indirectly by modifying the ldap group query to include groups which are a member of the AD group 'Zarafa Query'. This allowed me to filter out all of the builtin and administrative groups. Obviously (to me) the preferred filter would be to only show groups which are Zarafa enabled (similar to Exchange enabled groups which have Exchange attributes).

    Corwin
