[turba] Using imp and turba with an Exchange 2000 mail server
Stoilis Giannis
giannis at stoilis.gr
Wed Mar 19 12:08:11 PST 2003
Hello,
I am in the process of writing a guide for installing Horde with IMP and turba
for use with an Exchange 2000 mail server.
I have some "technical" problems that I have resolved, somewhat clumsily... I
would like your contributions on the following text, so that there will be a
detailed step-by-step guide afterwards, for any other users attempting to do
the same thing.
Since I have found little information regarding exchange and horde, I guess
that not so many people use this combination. I hope that this guide will solve
most, if not all, problems. The Outlook web interface that Exchange server
provides is unacceptable. It is slow, buggy, bloated and very bandwidth
consuming.
So, if, after reading the text, you think you can do things better than me, by
all means, tell me how.
Using imp & turba with Windows 2000 Exchange server
In my corporation, the root active directory domain is called domain.gr, and
has 3 active directory subdomains under that, sub1, sub2 and sub3. When using
just the username for authentication, Exchange 2000 Server ALWAYS assumes that
the user belongs in the root active directory domain, so it tries to validate
it there.
If using subdomains, one workaround is to use the
form "USERNAME@SUBDOMAIN.DOMAIN". So, if my
username is "stoilis" and I belong to the sub1 domain, I would use the username:
"stoilis@sub1.domain.gr".
***WARNING***: If my logon account is "stoilis@sub1.domain.gr", it DOESN'T mean
that my e-mail address is that one. It all depends on your Exchange 2000
configuration. Your e-mail could be "stoilis@domain.gr".
The old Windows NT authentication method can also be used, so the username
could also be: "SUBDOMAIN\USERNAME". For example, I would use: "sub1\stoilis".
OK, we know how to logon now. But can we send emails? Sadly, no... IMP assumes
that the default email address of the user is actually the username + the mail
domain specified in the config file.
Assume that you have used the "sub1\stoilis"
method for logging in. When trying to send an e-mail, my "From" address would
be "sub1\stoilis@domain.gr". Nice, huh? How about when using
"stoilis@sub1.domain.gr"? IMP is smart enough to notice the "@" in the
username, so it leaves it alone. BUT, every user in my organization has
a "@domain.gr" e-mail, regardless of where they authenticate. Unfortunately,
since there is a "@" in our username, IMP ignores maildomain. So, we have a
problem.
I thought of an ugly solution. First of all, I would use a different
horde+imp+turba installation for every domain in my organization. Then, I would
tweak the imp_get_vinfo function in horde/imp/config/conf.php in every installation to
always return the username plus the authentication domain. For example:
function imp_get_vinfo ($type = 'username') {
    global $conf, $imp, $server;
    /* This installation serves the sub1 domain only, so the virtual
     * domain is fixed instead of being derived from the HTTP host. */
    $vdomain = 'sub1.domain.gr';
    if ($type == 'username') {
        /* Always append the authentication domain to the login name. */
        return $imp['user'] . '@' . $vdomain;
    } elseif ($type == 'vdomain') {
        return $vdomain;
    } else {
        return new PEAR_Error('invalid type: ' . $type);
    }
}
Don't forget to activate the above function.
Then, I would tweak IMP so that the default "From" is what I choose. For example
in "horde/imp/lib/Identity/IMP.php" there is a function called getFromAddress.
At some point, it goes like this:
if (empty($val)) {
    /* Keep only the part of the login up to and including the "@"
     * (the reverse/strchr/reverse trick drops the authentication domain),
     * then append the organization-wide mail domain. */
    $val = strrev(strchr(strrev($imp['user']), '@')) . 'domain.gr';
}
replace it with your domain, and you should be OK.
My servers.php configuration file:
$servers['mail'] = array(
    'name' => 'mail',
    'server' => 'mailserver.domain.gr',
    'protocol' => 'imap',
    'port' => 143,
    'folders' => '',
    'namespace' => '',
    'maildomain' => 'domain.gr',
    'realm' => '',
    'preferred' => ''
);
Locate the Global Catalog of the Active Directory
First of all, the LDAP service that can be used to retrieve addressbook
information is actually the Global Catalog of the Active Directory. Usually,
there is only one Global Catalog for an entire organisation. Don't assume that
your Exchange Server is also the Global Catalog Server, unless it is the first
domain controller of the domain or you have manually changed the roles. The
port number is 3268.
LDAP authentication
Unfortunately, the Global Catalog authentication has only one style,
the "DOMAIN\USERNAME". But we have already logged in with
the "USERNAME@SUBDOMAIN.DOMAIN" before. What can be done?
One solution is to create one user, that would be used for every LDAP query.
Then, your sources.php file would contain this:
$cfgSources['domain.gr'] = array(
    'title' => 'domain.gr',
    'type' => 'ldap',
    'params' => array(
        'server' => 'pdc.domain.gr',
        'encoding' => 'utf8',
        'readonly' => true,
        'port' => 3268,
        'bind_dn' => 'domain\imp',
        'bind_password' => 'secret',
[snip]
Mind the "utf8" option. Active Directory uses only utf8 encoding.
International users should be careful with that.
If you want every user fetching his own data, you would need a way to extract
the username. I use this function:
$string = Auth::getAuth();
$separat = "@";
/* Strip everything from the first "@" onwards, leaving the bare username. */
$string = substr($string, 0, strlen($string) - strlen(strstr($string, $separat)));
/* The Global Catalog wants DOMAIN\USERNAME (single-quoted '\\' is one backslash). */
$uid = 'domain\\' . $string;
So, the parameters would be:
'bind_dn' => $uid,
'bind_password' => Auth::getCredential('password'),
Put it in sources.php above the declaration.
Are we there yet?
No. Unfortunately, Exchange only stores the LDAP query that can be used to
fetch our data, it doesn't store the addressbook data themselves. Although this
may sound cool, turba doesn't support it.
After playing around with my LDAP Forest, I decided to hack it again. I can
make turba fetch me every user that has the "@domain.gr" symbol in the email
field. This would return every true email account. True, but TOO true...
Unfortunately, there are several email accounts that don't actually belong to
users but to system services. So, we need to weed them out. Take a look at my
configuration now:
$cfgSources['domain.gr'] = array(
    'title' => 'domain.gr',
    'type' => 'ldap',
    'params' => array(
        'server' => 'pdc.domain.gr',
        'encoding' => 'utf8',
        'readonly' => true,
        'port' => 3268,
        'root' => 'cn=Users,dc=domain,dc=gr',
        'bind_dn' => $uid,
        'bind_password' => Auth::getCredential('password'),
        'version' => '3',
        'filter' => '&(mail=*domain.gr)(!(mail=globalevents@domain.gr))'
    ),
[snip]
Be sure to set the "root" entry correctly. Can you see the globalevents mail
account? We don't need to include it in our addressbook. I can't tell you what
is useless, you need to find it out yourselves. If you want to exclude the
email address garbage@domain.gr as well, then your filter would be something like this
(the "!" takes a single filter, so the two addresses are grouped with "|"):
'filter' => '&(mail=*domain.gr)(!(|(mail=globalevents@domain.gr)
(mail=garbage@domain.gr)))'
SUBDOMAINS
We need to define a separate source for every subdomain. All that changes is
the "root" property. Check this out:
$cfgSources['sub1.domain.gr'] = array(
    'title' => 'sub1.domain.gr',
    'type' => 'ldap',
    'params' => array(
        'server' => 'pdc.domain.gr',
        'encoding' => 'utf8',
        'readonly' => true,
        'port' => 3268,
        'root' => 'cn=Users,dc=sub1,dc=domain,dc=gr',
        'bind_dn' => $uid,
        'bind_password' => Auth::getCredential('password'),
        'version' => '3',
        'filter' => '&(mail=*domain.gr)'
    ),
[snip]
Get it?
PUBLIC FOLDERS
Anyone familiar with Exchange, should know that Public Folders can be
associated with an e-mail address. We can create a different source for these,
just by changing our root to:
'root' => 'cn=Microsoft Exchange System Objects,dc=domain,dc=gr'
This container has a LOT of useless email accounts, so be careful to include
every one in your filters. My filters are:
'filter' => '&(mail=*domain.gr)(!(|(mail=globalevents@domain.gr)
(mail=internal@domain.gr)(mail=newsletter@domain.gr)(mail=OABVersion2@domain.gr)
(mail=OfflineAddressBook*@domain.gr)(mail=Schema@domain.gr)
(mail=PublicFolder*@domain.gr)(mail=Schedule*@domain.gr)))'
Edit it to match your installation.
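The username handling and the exclusion filters above, as an added Python illustration (not Horde/IMP/Turba code and not from the original post): it normalizes the three login forms the post describes into the DOMAIN\USERNAME form the Global Catalog wants and the organization-wide From address, and builds the "(!(|...))" exclusion filter with RFC 4515 escaping so that a value containing "(", ")" or "*" cannot change the filter's structure. It assumes the NT-style domain label equals the first DNS label of the subdomain (sub1 -> sub1.domain.gr), as in the post; the post's sources.php strings omit the outermost pair of parentheses.

```python
# Added example; mirrors the post's logic in Python. All names are constructed.
_ESCAPE = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def ldap_escape(value):
    """Escape an assertion value per RFC 4515 (use before embedding it in a filter)."""
    return ''.join(_ESCAPE.get(ch, ch) for ch in value)


def parse_login(login, root_domain):
    """Return (username, dns_domain) for 'user@sub1.domain.gr', 'sub1\\user' or 'user'.
    A bare username is placed in the root domain, which is what Exchange 2000 assumes.
    Assumption: the NT-style label is the first DNS label of the subdomain."""
    if '\\' in login:
        label, user = login.split('\\', 1)
        label = label.lower()
        dns = root_domain if label == root_domain.split('.')[0] else label + '.' + root_domain
        return user, dns
    if '@' in login:
        user, dns = login.rsplit('@', 1)
        return user, dns.lower()
    return login, root_domain


def gc_bind_name(user, dns_domain):
    """The Global Catalog accepts only DOMAIN\\USERNAME, e.g. 'sub1\\stoilis'."""
    return dns_domain.split('.')[0] + '\\' + user


def from_address(user, maildomain):
    """Every user gets the organization-wide mail domain, whatever domain they log in to."""
    return user + '@' + maildomain


def _mail_clause(localpart, maildomain):
    """One (mail=...) clause; a trailing '*' keeps its wildcard meaning, the rest is escaped."""
    if localpart.endswith('*'):
        return '(mail=' + ldap_escape(localpart[:-1]) + '*@' + ldap_escape(maildomain) + ')'
    return '(mail=' + ldap_escape(localpart) + '@' + ldap_escape(maildomain) + ')'


def build_filter(maildomain, exclude=()):
    """Match every mailbox in maildomain except the listed local parts.
    NOT takes exactly one filter, so several exclusions are grouped under OR."""
    base = '(mail=*' + ldap_escape(maildomain) + ')'
    clauses = ''.join(_mail_clause(lp, maildomain) for lp in exclude)
    if not exclude:
        return '(&' + base + ')'
    if len(exclude) == 1:
        return '(&' + base + '(!' + clauses + '))'
    return '(&' + base + '(!(|' + clauses + ')))'
```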