AFP548 Changing the world one server at a time.

Enabling Mail for AD Users on OS X Server

This isn't the royal pain in the rear that it used to be.

With the Service Access Controls on 10.4 you won't need to edit anything in Active Directory.

The Problem

To enable a mail account for a user on OS X Server you go into Workgroup Manager and set some basic mail settings for them. These are saved in the apple-user-mailattribute attribute on the user's record in LDAP or NetInfo.

If you're getting your users from Active Directory, however, this isn't easy, because that attribute doesn't exist in the AD schema. There are ways to work around it, but they used to be awkward.

You could use the LDAP plugin instead of the AD plugin and statically map the attribute. In 10.4 it is also possible to use the dsconfigad command to static-map the information. Or you could go crazy and add that attribute to your AD schema and then enable as you like.

The Better Way

A little-known fact about 10.4's Service Access Control Lists (SACLs) is that enabling a SACL for mail does an end run around the need for the custom mail attribute. In fact, once the mail SACL is enabled the server doesn't look up the attribute at all.

So, bind to AD as normal, then in Server Admin use the SACL to add a group to the Mail service and disable all others. Those users will automatically get a mail account on that particular server without any change to their directory entry. Other users, whether or not you have added mail settings for them in WGM, will not have access to mail.

Also keep in mind that once you enable the SACL you won't be able to set quotas or set up an account to forward mail instead of storing it locally, since the SACL overrides all of the per-user mail settings.

Enabling Mail for AD Users on OS X Server | 8 comments
Enabling Mail for AD Users on OS X Server
Authored by: fherbert on Wednesday, November 09 2005 @ 03:01 pm MST
I have a couple of 10.3 servers set up to get their account information from the AD server and have never been able to get mail enabled for them on the 10.3 server. I am happy to "go crazy and add that attribute to your AD schema and then enable as you like". I have added the apple-user-mailattribute to my AD schema but always (as before) get the following error message in WGM.

Got Unexpected Error
Error of type -14137 on line 273 of UserMailPluginView.mm

and

Got Unexpected error
Error of type -14140 on line 3075 of PMMUGSearchController.mm

I don't suppose anyone has any instructions on how to do this???
Enabling Mail for AD Users on OS X Server
Authored by: morsta on Thursday, December 08 2005 @ 02:19 am MST
I followed the better way directions in the article, but I still can't get webmail to work with AD authentication. The IMAP log tells me that mail is not enabled for the user. I've tried to enable mail for the user in WGM, but the setting jumps back to disabled when I try to save.

Help, anyone?

BTW: the AD-OD integration paper made my life a lot easier :-)
Enabling Mail for AD Users on OS X Server
Authored by: sixty4k on Tuesday, January 10 2006 @ 01:43 pm MST
One hitch we've run across.

If you add a user to a group (in AD) after setting this up, they do not get recognized by the OSX server.

The fix we've found is to go to the access pane, remove the group in question, re-add it, and hit save.

I assume that just forces the server to update its cache of group information. Hopefully there's a more elegant method of doing this that I haven't found yet. :)

Enabling Mail for AD Users on OS X Server
Authored by: Anonymous on Sunday, September 10 2006 @ 09:52 pm MDT

I set up my 10.4.7 server exactly as described and WGM still says "Email is not enabled for this user". I refreshed lookupd and memberd and restarted mail services too. No luck.

Questions:

1) I created a group in AD called "email", then added my AD users into the new "email" group, and then finally I added the "email" group to the ACLs for email on my email server in Server Admin. That should work, right?

2) Do I still need to populate the appropriate AD field for each user's email address via the Active Directory Users and Groups tool?

3) Where is this information documented in detail? Why doesn't Apple provide information for this? Am I the only person on the planet that uses AD and OS X Server?