Synchronizing User Accounts with Active Directory

In addition to adding users manually as described in chapter User Management, MailStore can synchronize its internal user database with the Active Directory of your company.

During synchronization, user information and email addresses are gathered from Active Directory and recorded in MailStore; no changes are made to Active Directory.

Accessing Active Directory Integration

Log on to MailStore Client as administrator. Click on Administrative Tools > Users and Privileges and then on Directory Services. In the Integration area change Directory Service Type to Active Directory.

Specifying Connection Settings

Before the synchronization can be started, MailStore requires information on how to connect to the Active Directory server.

• Server (optional)
  Name or IP address of an Active Directory server. If the MailStore Server machine is member of the Active Directory, this setting is detected automatically.
• Base-DN (optional)
  Base DN of your Active Directory. Often the Base DN can be derived from the Active Directory domain name. For example, if the Active Directory domain name is company.local the Base DN usually is dc=company,dc=local. The Base DN can also be selected by clicking the button left of the text field if access to the Active Directory is available. If the MailStore Server machine is member of the Active Directory, this setting is detected automatically.
• Authentication
  Define how the MailStore Server service should identify itself to the Active Directory:
  
  
  • Standard Authentication - As long as the MailStore Server is not installed on an Active Directory server, using standard authentication is required. Fill out the User Name and Password fields when using standard authentication; enter the user name in UPN notation, e.g. [email protected]
  • Windows Authentication - Is the MailStore Server installed on an Active Directoy server, the MailStore Server service already has enough privileges to authenticate itself to the Active Directory using Windows authentication.

Executing the Synchronization

Under User Database Synchronization, after the connection settings have been specified (as described above), the MailStore user list can be synchronized with the Active Directory user list.

The following options are available:

• Synchronize Microsoft Exchange users only
  Clear this checkbox only if all Active Directory users are to be created in MailStore as well.
• Synchronize only members of a group
  Clear this Checkbox and select a group name, if you want only members of that Active Directory group to be synchronized with you Mailstore Server.

Click on Test Settings to see what would happen during actual synchronization. To start, click on Synchronize Now.

Automating the Synchronization with ADS_SYNC

To automate the synchronization, the command ads-sync can be used in MailStore's Management Shell. Information about how to use and automatically execute management shell commands is available in chapter The MailStore Management Shell.

ads-sync has the following parameters:

--server=<ldap-server>

Indicates the LDAP-Server (Active Directory) to be contacted

--domain=<netbiosdomain>

Indicates the NETBIOS domain name (prior to Windows 2000)

--user=<username>

Indicates the user to be used in the LDAP connection

--pass=<password>

Indicates the password to be used in the LDAP connection

--allow-create

Use the allow-create switch if new users are to be created in MailStore. If this switch is not set, only the information of already existing users will be updated.

Login with Windows Credentials

By default, each MailStore user has a password exclusively for MailStore which the administrator can specify during creation of a new user account. In MailStore Client's Administrative Tools, the respective user can later change his or her password.

Alternatively, if Active Directory is available, MailStore can be configured to allow users to log on to MailStore Server through MailStore Client using their Active Directory password.

Procedure for Users Created During Synchronization with Active Directory

If the MailStore users were created using Active Directory Synchronization, as described in the previous section, no further action is required. In this case, MailStore has already specified all necessary settings automatically.

Procedure for Manually Created Users

If MailStore users who were created manually are to be able to log on using their Active Directory password, please proceed as follows:

• Configure the Active Directory Integration as described in chapter Synchronizing User Accounts with Active Directory.
• Verify that the names of the MailStore users match those of the corresponding Active Directory users.
• In the User Properties window under Authentication, select LDAP (Active Directory).

Background Information: How MailStore Proceeds Internally when Using LDAP Authentication

The following section describes how MailStore proceeds during LDAP authentication. This description is addressed to users interested in technical details.

• The user logs on; access data is sent to MailStore Server.
• MailStore Server verifies that this is a user for whom LDAP-Authentication is configured.
• MailStore establishes a secure LDAP connection to the Active Directory Server configured in Active Directory Integration. MailStore uses a user name consisting of the Domain (NetBIOS), also specified under Active Directory Integration, and the MailStore user name (DOMAIN\user).
• If the connection can be opened, MailStore Server searches for the user name (sAMAccountName) under Base DN which is configured in Active Directory Integration. If the name is found, MailStore Server regards the access data as being correct.
• If the LDAP authentication was successful, the user is logged on to MailStore Server as usual.

MailStore Client Single Sign-On

For information on using the single sign-on functionality in Active Directory environments, please refer to the article MailStore Client Deployment.