Active Directory

Using the Active Directory options located at Accounts » Account Settings » Active Directory, MDaemon can be configured to monitor Active Directory and automatically create, edit, delete and disable MDaemon accounts when their associated accounts are altered in Active Directory. Further, it can also be set to keep all public contact records updated with the most recent information stored in Active Directory. Common fields like an account's postal address, phone numbers, business contact information, and so on can be populated into the public contact records and updated any time they are changed in Active Directory.

Creating Accounts

When set to monitor Active Directory, MDaemon will query for changes at a designated interval and then create a new MDaemon user account whenever it finds that a new Active Directory account has been added. This new MDaemon user account will be created using the full name, logon, mailbox, description, and enabled/disabled state found within Active Directory.

By default, new MDaemon accounts created as a result of Active Directory monitoring will be added to MDaemon's Default Domain. Alternatively, you can choose to have those accounts added to the domain found within the account's "UserPrincipalName" Active Directory attribute. When using this option, if an account requires a domain that doesn't yet exist within MDaemon, a new domain will be created automatically.

Deleting Accounts

MDaemon can be configured to take one of the following actions when an account is deleted from Active Directory: do nothing, delete the associated MDaemon account, disable the associated MDaemon account, or freeze the associated MDaemon account (i.e. the account can still receive mail but the user can't collect it or access it).

Updating Accounts

When MDaemon detects changes to Active Directory accounts, it will automatically update the associated properties in the matching MDaemon account.

Synchronizing MDaemon with Active Directory

A "Perform full AD scan now" option is available to cause MDaemon to query the Active Directory database and then create or modify MDaemon user accounts as necessary. When an Active Directory account is found that matches an already existing MDaemon account, the MDaemon account will be linked to it. Then, any future changes made to the Active Directory accounts will be propagated to the MDaemon accounts automatically.

Active Directory Authentication

Accounts created by MDaemon's Active Directory feature will be set up for Active Directory (AD) Authentication by default. With AD Authentication, MDaemon has no need to store the account's password within its own user database. Instead, the account holder will use his or her Windows login/password credentials and MDaemon will pass those to Windows for authentication of the associated account.

To use AD Authentication with Active Directory, a Windows domain name must be present in the space provided on the Monitoring screen. This is the Windows domain that MDaemon will use when attempting to authenticate accounts. In most cases, MDaemon will detect this Windows domain name automatically and fill it in for you. However, you can enter an alternate domain in this option if you choose, or you can use "NT_ANY" if you wish to allow authentication across all of your Windows domains instead of limiting it to a specific one. If you leave this option blank, MDaemon will not use AD Authentication when new accounts are created. Instead it will generate a random password, which you will have to edit manually before users will be able to access their mail accounts.

Persistent Monitoring

Active Directory monitoring will continue to work even when MDaemon is shut down. All Active Directory changes will be tracked and then MDaemon will process them once it restarts.

Active Directory File Security

It is worth noting that MDaemon's Active Directory features do not alter the Active Directory schema files in any way — all monitoring is one-way from Active Directory to MDaemon. MDaemon will not alter your directory.

Active Directory Template

Whenever MDaemon adds or makes changes to accounts due to Active Directory monitoring and scanning, it will use an Active Directory template ("/app/ActiveDS.dat") to link certain Active Directory attribute names to MDaemon's account fields. For example, MDaemon links the Active Directory attribute "cn" to MDaemon's "FullName" field by default. These links, however, are not hard-coded. You can easily edit this template with Notepad if desired and alter any of the default field mappings. For example, "FullName=%givenName% %sn%" could be used as a replacement for the default setting: "FullName=%cn%". See ActiveDS.dat for more information.

Updating the Public Address Books

Active Directory monitoring can be used to periodically query Active Directory and keep all public contact records in MDaemon updated with the most recent information. Common fields like an account's postal address, phone numbers, business contact information, and so on will be populated into their public contact record, and this data will be updated any time it is changed in Active Directory. To enable this feature, use the "Monitor Active Directory and update public address book(s)" option located at: Active Directory » Monitoring.

Numerous contact record fields can be monitored using this feature. For a complete list of which public contact record fields can be mapped to Active Directory attributes, see the ActiveDS.dat file. This file has several new mapping templates which allow you to specify one or more Active Directory attributes from which to populate a particular contact record field (for example, %fullName% for the fullname field, %streetAddress% for the street address field, and so on).

MDaemon must match an account's email address to some attribute within Active Directory in order to know which contact record to update. If it can't find such a match it does nothing. By default MDaemon will try to construct an email address using the data taken from the attribute mapped to the Mailbox template (see ActiveDS.dat), to which MDaemon will internally append the default domain name, just as it would when actually creating and deleting accounts based on Active Directory data. Alternatively, you can uncomment the "abMappingEmail" template inside ActiveDS.dat and tie it to any Active Directory attribute you wish (%mail%, for example). Note that the value of this attribute must contain an email address that will be recognized as a valid local user account.

This feature will create the contact records on the fly if they don't already exist and it will update contact records that do exist. Further, please note that it will overwrite any changes you make outside of Active Directory. Contact record fields that are not mapped are left unaltered. Therefore any existing data that is not subject to this process will not be altered or lost. Finally, MDaemon accounts that are set to private are not subject to having their contact records created or updated.
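The following Python is an added worked example, not MDaemon's own code and not the contents of the shipped ActiveDS.dat. It models three behaviours described above: how a template line such as FullName=%givenName% %sn% is applied to an account's Active Directory attributes, how the target domain is chosen between the default domain and the domain in UserPrincipalName, and how the address-book update decides which local contact record an AD object belongs to (Mailbox value plus default domain by default, or the abMappingEmail attribute once uncommented) and does nothing when no valid local account matches. The one-Field=template-per-line syntax, ';' as the comment marker, the attribute names sAMAccountName and userAccountControl, and the sample AD record are assumptions made for the example.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample in the style of an ActiveDS.dat template. Only the
# FullName, Mailbox and abMappingEmail names and the %givenName% %sn% /
# %mail% placeholders come from the documentation; the "Field=template"
# line syntax, ';' comments and the other attributes are assumptions.
SAMPLE_TEMPLATE = """
; field mappings: MDaemon field = template built from %AD attribute% placeholders
FullName=%givenName% %sn%
Mailbox=%sAMAccountName%
Description=%description%
; uncomment to match contact records on an explicit AD attribute instead
;abMappingEmail=%mail%
"""

# Constructed AD record, shaped like the attribute/value pairs a query returns.
SAMPLE_AD_USER = {
    "cn": "Jane Doe",
    "givenName": "Jane",
    "sn": "Doe",
    "sAMAccountName": "jdoe",
    "description": "Finance",
    "userPrincipalName": "jdoe@corp.example",
    "userAccountControl": "512",  # 512 = normal, enabled account
    "mail": "jane.doe@corp.example",
}

PLACEHOLDER = re.compile(r"%([A-Za-z][A-Za-z0-9]*)%")
ACCOUNTDISABLE = 0x2  # userAccountControl bit that marks a disabled AD account


def parse_template(text: str) -> Dict[str, str]:
    """Return {MDaemon field: template}, ignoring blank and ';' comment lines."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        field, _, tmpl = line.partition("=")
        mapping[field.strip()] = tmpl.strip()
    return mapping


def expand(tmpl: str, ad: Dict[str, str]) -> Optional[str]:
    """Substitute every %attr% placeholder from the AD record.

    Returns None if any referenced attribute is absent, so the caller leaves
    that MDaemon field untouched instead of writing a half-filled value.
    """
    if any(attr not in ad for attr in PLACEHOLDER.findall(tmpl)):
        return None
    return PLACEHOLDER.sub(lambda m: ad[m.group(1)], tmpl)


def account_domain(ad: Dict[str, str], default_domain: str, use_upn: bool) -> str:
    """Default domain, or the domain part of UserPrincipalName when that option is on."""
    upn = ad.get("userPrincipalName", "")
    if use_upn and "@" in upn:
        return upn.rsplit("@", 1)[1].lower()
    return default_domain


def build_account(ad: Dict[str, str], mapping: Dict[str, str],
                  default_domain: str, use_upn: bool = False) -> Dict[str, object]:
    """Derive the MDaemon account fields (name, mailbox, domain, enabled state) for one AD object."""
    fields: Dict[str, object] = {}
    for field, tmpl in mapping.items():
        if field == "abMappingEmail":  # used only for address-book matching
            continue
        value = expand(tmpl, ad)
        if value is not None:
            fields[field] = value
    fields["Domain"] = account_domain(ad, default_domain, use_upn)
    uac = int(ad.get("userAccountControl", "0"))
    fields["Enabled"] = not (uac & ACCOUNTDISABLE)
    return fields


def contact_email(ad: Dict[str, str], mapping: Dict[str, str],
                  default_domain: str, local_accounts: Set[str]) -> Optional[str]:
    """Email address whose public contact record should be created or updated.

    Default: Mailbox template value + '@' + default domain.
    With abMappingEmail uncommented: the mapped attribute is used as-is.
    None means no valid local account matched, so nothing is done.
    """
    if "abMappingEmail" in mapping:
        email = expand(mapping["abMappingEmail"], ad)
    else:
        mailbox = expand(mapping.get("Mailbox", ""), ad)
        email = f"{mailbox}@{default_domain}" if mailbox else None
    if email is None:
        return None
    email = email.lower()
    return email if email in local_accounts else None


if __name__ == "__main__":
    mapping = parse_template(SAMPLE_TEMPLATE)
    print(build_account(SAMPLE_AD_USER, mapping, "example.com"))
    print(contact_email(SAMPLE_AD_USER, mapping, "example.com", {"jdoe@example.com"}))
```

Two design points carry over to the real feature: a mapping whose attributes are missing on the AD object is skipped rather than written as an empty string, which mirrors the documented rule that unmapped fields are left unaltered, and the address-book match is rejected unless the resulting address is an existing local account, so a mis-mapped abMappingEmail attribute results in no update rather than a stray contact record.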
