
Active Directory

Using the Active Directory options located at Accounts » Account Settings » Active Directory, MDaemon can be configured to monitor Active Directory and automatically create, edit, delete and disable MDaemon accounts when their associated accounts are altered in Active Directory.

Creating Accounts

When set to monitor Active Directory, MDaemon will query for changes at a designated interval and then create a new MDaemon user account whenever it finds that a new Active Directory account has been added. This new MDaemon user account will be created using the full name, logon, mailbox, description, and enabled/disabled state found within Active Directory.

By default, new MDaemon accounts created as a result of Active Directory monitoring will be added to MDaemon's Default Domain. Alternatively, you can choose to have those accounts added to the domain found within the account's "UserPrincipalName" Active Directory attribute. When using this option, if an account requires a domain that doesn't yet exist within MDaemon, a new Extra Domain will be created automatically.

Deleting Accounts

MDaemon can be configured to take one of the following actions when an account is deleted from Active Directory: do nothing, delete the associated MDaemon account, disable the associated MDaemon account, or freeze the associated MDaemon account (i.e. the account can still receive mail but the user can't collect it or access it).

Updating Accounts

When MDaemon detects changes to Active Directory accounts, it will automatically update the associated properties in the matching MDaemon account.

Synchronizing MDaemon with Active Directory

A "Perform full AD scan now" option is available to cause MDaemon to query the Active Directory database and then create or modify MDaemon user accounts as necessary. When an Active Directory account is found that matches an already existing MDaemon account, the MDaemon account will be linked to it. Then, any future changes made to the Active Directory accounts will be propagated to the MDaemon accounts automatically.

Dynamic Authentication

Accounts created by MDaemon's Active Directory feature will be set up for Dynamic Authentication by default. With Dynamic Authentication, MDaemon has no need to store the account's password within its own user database. Instead, the account holder will use his or her Windows login/password credentials and MDaemon will pass those to Windows for authentication of the associated account.

To use Dynamic Authentication with Active Directory, a Windows domain name must be present in the space provided on the Monitoring screen. This is the Windows domain that MDaemon will use when attempting to authenticate accounts. In most cases, MDaemon will detect this Windows domain name automatically and fill it in for you. However, you can use an alternate domain in this option if you choose, or you can use "NT_ANY" if you wish to allow authentication across all of your Windows domains instead of limiting it to a specific one. If you leave this option blank, MDaemon will not use Dynamic Authentication when new accounts are created. Instead, it will generate a random password, which you will have to edit manually before users will be able to access their mail accounts.

Persistent Monitoring

Active Directory monitoring will continue to work even when MDaemon is shut down. All Active Directory changes will be tracked and then MDaemon will process them once it restarts.

Active Directory File Security

It is worth noting that MDaemon's Active Directory features do not alter the Active Directory schema files in any way — all monitoring is one-way from Active Directory to MDaemon. MDaemon will not alter your directory.

Active Directory Template

Whenever MDaemon adds or makes changes to accounts due to Active Directory monitoring and scanning, it will use an Active Directory template ("/app/ActiveDS.dat") to link certain Active Directory attribute names to MDaemon's account fields. For example, MDaemon links the Active Directory attribute "cn" to MDaemon's "FullName" field by default. These links, however, are not hard-coded. You can easily edit this template with Notepad if desired and alter any of the default field mappings. For example, "FullName=%givenName% %sn%" could be used as a replacement for the default setting: "FullName=%cn%". See ActiveDS.dat for more information.
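
The following is an added example, not part of MDaemon or its documentation: a Python preview of how mapping lines in the form shown above expand against a directory record, so a template edit can be checked before it is put in place. The sample records are constructed, and the blank result for an attribute a record lacks is an assumption of this sketch, since how MDaemon treats a missing attribute is not stated here.

```python
import re

# Placeholder syntax as shown on the page: %attributeName%
PLACEHOLDER = re.compile(r"%([^%\s]+)%")

def parse_template(text):
    """Return {mdaemon_field: pattern} from 'Field=pattern' lines."""
    mappings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue  # skip blanks and anything that is not a mapping line
        field, pattern = line.split("=", 1)
        mappings[field.strip()] = pattern.strip()
    return mappings

def preview(mappings, ad_record):
    """Expand each pattern against one AD record.

    Returns (fields, missing); missing lists (field, attribute) pairs the
    record could not supply. Attribute names are matched case-insensitively,
    as LDAP attribute names are.
    """
    attrs = {k.lower(): v for k, v in ad_record.items()}
    fields, missing = {}, []
    for field, pattern in mappings.items():
        def sub(m, field=field):
            value = attrs.get(m.group(1).lower())
            if value is None:
                missing.append((field, m.group(1)))
                return ""  # assumption: an absent attribute expands to nothing
            return value
        # Collapse the whitespace left behind by empty expansions.
        fields[field] = " ".join(PLACEHOLDER.sub(sub, pattern).split())
    return fields, missing

# Constructed sample data (not from a real directory).
DEFAULT = "FullName=%cn%"
CUSTOM = "FullName=%givenName% %sn%"
USER = {"cn": "Frank Thomas", "givenName": "Frank", "sn": "Thomas"}
SERVICE = {"cn": "svc-backup"}  # no givenName/sn, common for service accounts

if __name__ == "__main__":
    for name, tpl in (("default", DEFAULT), ("custom", CUSTOM)):
        for rec in (USER, SERVICE):
            print(name, preview(parse_template(tpl), rec))
```

Running a replacement mapping over an export of the monitored accounts shows which ones would end up with an empty or partial field before the template change takes effect.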