[Samba] ADFS support?

Mueller mueller at tropenklinik.de
Wed Jun 1 06:48:15 UTC 2016

Postfix can query Samba4/ADS/Exchange for users and passwords without any problems.

EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de

-----Original Message-----
From: Andrew Morgan [mailto:morgan at orst.edu]
Sent: Wednesday, 1 June 2016 08:13
To: Alex <mysqlstudent at gmail.com>
Cc: samba at lists.samba.org
Subject: Re: [Samba] ADFS support?

On Tue, 31 May 2016, Alex wrote:

> Hi,
> Is it possible to query an Exchange server for its user list via ADFS 
> using samba?
> I'm interested in integrating this support with postfix on my fedora 
> system instead of having to maintain the list in Exchange and the list 
> as a map in postfix.
> I really don't know much about Exchange and whether/how this would 
> work. Is it secure?
> Is LDAPS an alternative? Is it secure?
> Thanks,
> Alex


ADFS (Active Directory Federation Services) is an SSO (Single Sign-On) solution from Microsoft.  It speaks several federated authentication protocols, such as WS-Federation and SAML.

Perhaps you're thinking of querying AD (Active Directory).  AD is a Microsoft directory service used by many Microsoft products, such as Exchange, to store user, group, and computer objects.  All of your users with Exchange mailboxes will have user objects in AD, so you really want to query AD from Postfix (or some intermediate script).  Fortunately, AD speaks LDAP too, which is an IETF standard.

I don't know a lot about Postfix, but LDAP is a very common place to store users, so I expect that Postfix can talk to pretty much any LDAP server, including AD.

LDAPS is LDAP-over-SSL.  If you're using LDAP to authenticate users, then you should be using LDAPS.  If you are querying simple user information on an internal network, then plain LDAP is probably okay.  However, LDAPS is very easy to use, so I'd recommend it.  Why not use encryption if it's easy?

The LDAP (AD) attributes that contain email addresses are "mail" (the user's primary email address) and "proxyAddresses" (a list of all the user's email addresses).

I hope this helps!
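As an added illustration of Andrew's advice (not something posted by anyone in this thread), here is a Postfix LDAP lookup table that validates relay recipients against AD over LDAPS, matching either the "mail" or "proxyAddresses" attribute. The host names, CA file path, service account DN and password are placeholders; the table file path /etc/postfix/ad_recipients.cf is assumed.

```ini
# /etc/postfix/ad_recipients.cf  (assumed path; hypothetical example)
# Postfix ldap_table(5) map: lookup key is the full recipient address.

# Domain controllers, LDAPS on 636. Placeholder host names.
server_host = ldaps://dc1.example.com:636 ldaps://dc2.example.com:636
version = 3

# LDAPS only encrypts the session; verifying the DC certificate against the
# issuing CA is what prevents a rogue "directory" from answering. Placeholder path.
tls_ca_cert_file = /etc/pki/tls/certs/ad-root-ca.pem
tls_require_cert = yes

# AD rejects anonymous searches by default, so bind with a read-only
# service account (placeholder DN and password; keep this file 0640 root:postfix).
bind = yes
bind_dn = CN=svc-postfix,OU=Service Accounts,DC=example,DC=com
bind_pw = PLACEHOLDER_PASSWORD

search_base = DC=example,DC=com
scope = sub
timeout = 10

# Match the primary address (mail) or any alias (proxyAddresses entries look
# like "smtp:alias@example.com"; the attribute matches case-insensitively).
# The userAccountControl bitwise test (rule OID 1.2.840.113556.1.4.803, bit 2)
# drops disabled accounts so mail is not accepted for mailboxes nobody reads.
# Postfix escapes %s per RFC 2254 before substituting it into the filter.
query_filter = (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%s)(proxyAddresses=smtp:%s)))

# Return the primary address; any non-empty result marks the recipient valid.
result_attribute = mail

# --- /etc/postfix/main.cf (relevant lines only) ---
# relay_domains = example.com
# relay_recipient_maps = ldap:/etc/postfix/ad_recipients.cf
```

Test a single key with `postmap -q user@example.com ldap:/etc/postfix/ad_recipients.cf` before enabling the map; an empty result means Postfix will reject that recipient.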
