LDAP integration - nightly

jabacz

I’m trying to use experimental LDAP authentication in nightly. Is there any description of the configuration dialog? E.g. what should be populated into “Username Field”, “Attribute Field” and how to use template.
Thanks

pro_fitty

I have been having some issues, on the same. Here is what I have so far:

Host:

You can use the IP Address of your AD/LDAP server, with some issues, or FQDN requires that you’ve setup the docker container to point to the shared DNS service of your network (not the internal docker one). If you’re not on docker, just make sure DNS is setup to resolve the FQDN (host.sumdomain.net for ex.). Use the docker-compose.yml file to add an entry above the 10 existing DNS settings “- 1.1.1.1”

Port:

636 for secure connection to AD (LDAPS://) or 389 for unsecured (LDAP://)

Use SSL:

enable it (slide right) if you chose 636 for the port value, or disable it (slide left) if you chose 389.

Use TLS:

This should be disabled if you are using SSL OR set port 389, enabled if you are using port 636,

Base DN:

This is the DN of your (AD/LDAP) domain; where the query should begin looking for your accounts (ex: OU=myusers,DC=mydom,DC=com).

Filter:

AD/LDAP objects must match this filter TRUE to be considered, for example: (&(objectCategory=person))

Attribute Field:

I HAVE NO FREAKING CLUE

Bind DN:
This is your distinguished name, for the account that mailcow will use to access your domain; for example: CN=myserviceaccount,OU=users,DC=mydomain,DC=com

Bind Password:

Password to the account you specified in the Bind DN field.

Attribute Mapping:

I don’t know if it’s right but I extended my AD schema of the user class property, with an attribute called “mailcowTemplate”. Set the value to my template, which is default.

Sync settings, you can probably figure out.

I hope this helps someone, somewhere and I hope someone helps me figure out the one I can’t seem to get!

nnoblast

What is Username field, Attribute Field and Attribute Mapping
How to make the system see users with samba (active Period full sync?)
I install nightly

siruscool

Hi,

@nnoblast with your settings from the sreenshot it is working! I am using an MS-server 2025 DC. I have activate tls and also the option ignore SSL errors.

You have to add a mailbox for an active directory user inside mailcow. You can generate a password for this user inside the mailcow ui. When you have succesfully add the user go to mailbox settings and select from the dropdown field “Identity Provider” -LDAP-. After that you can log in with your active directory user.

Current is the problem that mailcow does not create a mailbox when an user is logging in via ldap.

br michael

jrg73

Hi,
i’m currently testing the LDAP connection with the Nightly version: 54728bf7
Build: 2025-02-11 14:40:38
I also successfully use the connection to the LDAP server with another cloud system.
When I click on test wihtin the LDAP Settings, a message immediately appears that it was not successful and no connection attempt from mailcow can be seen on the LDAP server.
I’m using a newly installed Ubuntu 24.04
Does anyone have an idea? When regular synchronization is activated, nothing appears in the cronlog

solpy89

In my case, I am developing a script that synchronizes Active Directory/LDAP users and solves the problem of users not being created automatically. In the script I will use the Mailcow API and it will be inserted into the crontab to automate startup.

The annoyance is that I have to re-enter the LDAP configuration parameters in the script and I don’t extract them from Mailcow (but it’s a start).

@jrg73 To get the correct connection queries I used nextcloud, which has an excellent LDAP integration system and I configured MailCow with the same parameters.

siruscool

solpy89 could you please provide me the script for testing?

zx-spektorn

Hy everyone! Microsoft Active Directory 2019. After pre-adding the user from AD, LDAP authentication started working. Thanks @siruscool for this advice)
But I am tormented by a question. If I have a multi-domain Active Directory (example.com > br.example.com > eu.example.com…) how do I set up authentication on all subdomains?

DocFraggle

zx-spektorn If I have a multi-domain Active Directory (example.com > br.example.com > eu.example.com…) how do I set up authentication on all subdomains?

How do you do it with other services?
You could use an additional authentication layer like Keycloak, I think someone here has already done this. Or, if you want to stick with the LDAP integration, you would need to build an AD forest.
You can set up authentication across all domains by using forest-wide trusts and a service account with read access to all domains.

hub2rock

zx-spektorn can you share your conf ? It’s not working for me, even after creating users.

Thanks 😉

DocFraggle

hub2rock No, because I don’t use an AD 🙂

But if should work this way. I guess you have to look around in the Internet how to create a service account which has read access to all of your forest AD domains

solpy89

Hi all,

I fixed my rough script a bit into something more readable and functional.

I uploaded everything to GITHUB
Solpy89Git/sync_mailcow_ldap.git

For download:
git clone Solpy89Git/sync_mailcow_ldap.git

Attention, the script I made is only for linux environments (in my case Debian), however it should also work on the other distros.

Feel free to modify it as you like or share ideas and improvements (although I hope that the development team will soon give us more details even if for now they have done a great job!).

Read the README before doing things, I don’t want to feel guilty for any damage …

anyway I wrote everything in the readme, in case I remain at your disposal.

Solpy89

DerLinkman

The Release of LDAP/OIDC is planned for end of March 2025 in Release 2025-03.

Probably by the end of this week we’ll release the updated Docs explaining how to setup LDAP/OIDC with mailcow on mailcow’s end.

jdadrag

DerLinkman, this is the correct documentation link, right? https://docs.mailcow.email/manual-guides/mailcow-UI/u_e-mailcow_ui-ldap/?h=ldap

Is the update still planned to be released at the end of this month?

I set up my mail cow server a week or two ago, but I don’t have the option from the documentation below.

To add or edit your Identity Provider configuration, log in to your mailcow UI as administrator, go to System > Configuration > Access > Identity Provider and select LDAP from the Identity Provider dropdown.

I have about 40 accounts I need to set up sooner than later. Will it be possible to change an email account from a local authentication to LDAP when the update is released without having to recreate the account?

esackbauer

jdadrag Will it be possible to change an email account from a local authentication to LDAP when the update is released without having to recreate the account?

Yes, you can change at any time which authentication to use for each user. This question is answered in this blog post:
https://mailcow.email/posts/2025/nightly-progress/

DerLinkman

jdadrag I set up my mail cow server a week or two ago, but I don’t have the option from the documentation below.

The patch is not live not in master branch it’s currently only live in nightly.

jdadrag Is the update still planned to be released at the end of this month?

A release is still planned for the last march week. yes.