Postfix can query Samba4/ADS/Exchange for users and password without any
problems.
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----Original Message-----
From: Andrew Morgan [mailto:morgan at orst.edu]
Sent: Wednesday, 1 June 2016 08:13
To: Alex <mysqlstudent at gmail.com>
Cc: samba at lists.samba.org
Subject: Re: [Samba] ADFS support?

On Tue, 31 May 2016, Alex wrote:
> Hi,
>
> Is it possible to query an Exchange server for its user list via ADFS
> using samba?
>
> I'm interested in integrating this support with postfix on my fedora
> system instead of having to maintain the list in Exchange and the list
> as a map in postfix.
>
> I really don't know much about Exchange and whether/how this would
> work. Is it secure?
>
> Is LDAPS an alternative? Is it secure?
>
> Thanks,
> Alex

Alex,

ADFS (Active Directory Federation Services) is an SSO (Single Sign On) solution
from Microsoft. It speaks several federated authentication protocols, such as
WS-Federation and SAML.

Perhaps you're thinking of querying AD (Active Directory). AD is a
Microsoft directory service used by many Microsoft products, such as Exchange,
to store user, group, and computer objects. All of your users with Exchange
mailboxes will have user objects in AD, so you really want to query AD from
Postfix (or some intermediate script). Fortunately, AD speaks LDAP too, which
is an IETF standard.

I don't know a lot about Postfix, but LDAP is a very common place to store
users, so I expect that Postfix can talk to pretty much any LDAP server,
including AD.

LDAPS is LDAP-over-SSL. If you're using LDAP to authenticate users, then
you should be using LDAPS. If you are querying simple user information on an
internal network, then plain LDAP is probably okay. However, LDAPS is very easy
to use, so I'd recommend it. Why not use encryption if it's easy?

The LDAP (AD) attributes that contain email addresses are "mail" (the
user's primary email address) and "proxyAddresses" (a list of all
the user's email addresses).

I hope this helps!

Andy
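
The "intermediate script" route mentioned above, as an added example that is not part of the original thread: it turns AD "mail" and "proxyAddresses" values into Postfix map lines and builds an LDAP filter that a crafted address cannot alter. The sample entries, the example.com addresses and all function names are constructed for illustration.

```python
import re

# Constructed AD entries (not real data). proxyAddresses values carry a type
# prefix: "SMTP:" primary, "smtp:" secondary, other types (X500, SIP) are not mail.
SAMPLE = [
    {"mail": ["Alice@example.com"],
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.smith@example.com",
                        "X500:/o=Org/cn=alice"]},
    {"mail": [],
     "proxyAddresses": ["smtp:sales@example.com", "SIP:bob@example.com",
                        "smtp:broken address"]},
]

ADDR_RE = re.compile(r"[^@\s]+@[^@\s]+")  # coarse sanity check, no whitespace

def escape_filter_value(value):
    """RFC 4515 escaping, so a looked-up address cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def recipient_filter(address):
    """LDAP filter matching one address in either attribute named in the thread."""
    a = escape_filter_value(address)
    return "(&(objectClass=user)(|(mail=%s)(proxyAddresses=smtp:%s)))" % (a, a)

def smtp_addresses(entry):
    """All SMTP addresses of one entry, lower-cased, malformed values dropped."""
    found = set(entry.get("mail", []))
    for value in entry.get("proxyAddresses", []):
        kind, _, addr = value.partition(":")
        if kind.lower() == "smtp":
            found.add(addr)
    return {a.strip().lower() for a in found if ADDR_RE.fullmatch(a.strip())}

def postfix_map(entries):
    """Render 'address OK' lines, the usual source format for a Postfix map."""
    addrs = sorted({a for e in entries for a in smtp_addresses(e)})
    return "".join("%s OK\n" % a for a in addrs)

if __name__ == "__main__":
    print(postfix_map(SAMPLE), end="")
    print(recipient_filter("x*)(mail=*"))
```

The entries would come from an LDAPS search against AD; fetching them is left out so the example runs offline.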