Kasperian Moving Parts

kinda like Batman, but with a wife and 3 kids

LDAP, Microsoft Exchange, and KAddressBook or Thunderbird

My current employer uses Exchange 2003 as its groupware solution. I have on-and-off-again been beating my head against the proverbial concrete wall trying to get it to work nicely with LDAP and address books other than Evolution or Outlook, for obvious reasons. Today, my geeky noggin’ has broken through the proverbial concrete wall, and I now have both KDE’s KAddressBook and Thunderbird’s address book successfully using the Exchange server here at work.

Yay, me!

I found two things this morning that helped my noggin’, and I’ll list them here for future reference for myself as well as in hopes of helping some other poor concrete/geek/proverbial/noggin’-banging soul.

First, I found this post, which lists a very helpful step-by-step approach for getting things almost working:

OK, here is how Mozilla/Thunderbird LDAP works with Exchange 2000-2003:

1. The default LDAP port for Active Directory is 3268 (not 389) so make sure you’ve got this port open thru the firewall, and make sure to configure it in your LDAP account settings in Mozilla/Thunderbird.

2. For Base DN, you MUST enter something like dc=yourdomain,dc=com (whereas Outlook Express lets you get away with putting NULL).

3. For Bind DN, you must enter a domain user which has permission to search the directory. You should enter it qualified by the NetBIOS domain name, for example: mydomain\username

4. For some reason, Thunderbird doesn’t always seem to recognize that it needs to log on before querying. The easiest, most reliable way I have found to force it is to go to the Offline tab in the Directory Server Properties and click the Download button. This function seems to “see” that Active Directory wants a logon, so Thunderbird will display the logon dialog to let you enter your domain credentials. For the username, specify exactly the same thing you put into Bind DN.

5. Results are returned asynchronously to the Thunderbird Address Book, so you might see “No matches found” immediately after clicking the Search button. Wait a few seconds, and your results should show up.

6. Mozilla and Thunderbird default to a Search Filter of (objectclass=*) which will return lots of useless (non-email address) entries from Active Directory. You can override this with something like (objectclass=person) on the Advanced tab of Directory Service Properties. Depending on what kinds of addresses are in your Active Directory, you may need to refine this filter more (for example, if you’ve got mail-enabled Public Folders which you want to display).

7. The Address Book UI in Thunderbird is just clumsy. You CANNOT search an LDAP directory by simply selecting it on the left hand side and then entering your search in the “Name or Email contains” textbox. You MUST click the Advanced button to define an LDAP search. After you find your desired address(es) in LDAP, you “should” be able to copy it to your local addresses but the stupid UI only lets you look at the Properties or add it to the recipient list for a new message (by clicking the Write button).

And then there’s this page that helped me finally get it all working:

You can add a new address book with the following properties:

General tab:

Name: …
Hostname:
Base DN: dc=company,dc=com
Port number: 389 (non-secure) or 636 (secure)
Bind DN: YOURWINDOWSLOGONDOMAIN\yourwindowslogonuser

Advanced tab:

Don’t return more than [ 100 ] results
Scope: Subtree
Search filter: (objectClass=person)

If your organisation is large you may have to change the Bind DN so it only returns your unit (e.g. ou=yourdept,dc=company,dc=com) as otherwise Thunderbird may decide to act a bit strange.

You can force a read by clicking the Download Now button on Offline tab, although you won’t see any contacts afterwards, you have to search in the Compose window.

If you still get no joy you can download and install Windows Server 2003 Service Pack 1 Support Tools and run ldp.exe against the exchange server. You don’t even need to install it if you decompress with WinRAR (or possibly WinZip) and look for the executable.

http://support.microsoft.com/kb/892777

That way you can find out the Bind DN and search filter. First use Connection > Connect against the server, then Connection > Bind with your user and password then use View > Tree with a blank string and you can find a tree view of your Base DN and go into departments and retrieve user data to find out their objectClass if it’s not person.

Finally in Tools > Options > Composition > Addressing tick Automatically add outgoing e-mail address to my [ Collected Addresses ] as it’s much faster than searching the server.

Granted, these instructions are about getting Thunderbird to work with Exchange, but the same settings apply to KDE’s KAddressBook.

In general, I think the sticky wicket that really got things working for me was using Microsoft’s ldp.exe tool to browse the Exchange LDAP tree and see its innards. Specifically, I had to do this:

server: [active directory server]
base dn: CN=Users,DC=XXX,DC=XXX,DC=com (important to start with Users for me!!)
port: 389
bind dn: [windows domain]\[username]
search filter: (objectclass=*)
scope: subtree

The trick was, I think, that I had to provide a more specific base dn to the address books.
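To make the base DN and search filter points concrete (step 6 of the quoted post, and the narrower CN=Users base DN that did the trick for me), here is a small added example that is not part of the original post or of Thunderbird/KAddressBook/Exchange code. It builds a constructed, placeholder Active Directory subtree in memory (domain, names and addresses are made up), parses DNs and RFC 4515 search filters in a simplified way, and runs the configurations discussed above against it. It goes a little beyond the page by also handling AND/OR/NOT and presence filters, so you can see why `(objectClass=person)` still returns computer accounts (they inherit from user) and how `(&(objectClass=person)(mail=*))` narrows the result to entries that actually carry an address.

```python
"""Constructed example (not from the original post): an in-memory model of the
AD subtree an Exchange address book is searched against, with minimal DN
(RFC 4514) and filter (RFC 4515) handling, to show how the base DN and the
search filter decide what Thunderbird or KAddressBook gets back."""
import re

# Constructed sample directory (placeholder domain and names, not a real
# environment). Attribute names are lowercased; values keep their case.
DIRECTORY = {
    "CN=Users,DC=example,DC=com": {
        "objectclass": ["top", "container"], "cn": ["Users"]},
    "CN=Alice Example,CN=Users,DC=example,DC=com": {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "cn": ["Alice Example"], "mail": ["alice@example.com"]},
    "CN=Bob Example,CN=Users,DC=example,DC=com": {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "cn": ["Bob Example"], "mail": ["bob@example.com"]},
    "CN=Domain Admins,CN=Users,DC=example,DC=com": {
        "objectclass": ["top", "group"], "cn": ["Domain Admins"]},
    # Computer accounts inherit from user, so they carry objectClass person too.
    "CN=WORKSTATION01,CN=Computers,DC=example,DC=com": {
        "objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
        "cn": ["WORKSTATION01"]},
    # Mail-enabled public folders live outside CN=Users and are not persons.
    "CN=Sales,CN=Microsoft Exchange System Objects,DC=example,DC=com": {
        "objectclass": ["top", "publicFolder"],
        "cn": ["Sales"], "mail": ["sales@example.com"]},
}


def parse_dn(dn):
    """Split a DN into [(type, value), ...], leftmost RDN first. Simplified
    RFC 4514: single-valued RDNs, only backslash-escaped commas handled;
    type and value are lowercased for case-insensitive comparison."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(entry_dn, base_dn, scope="subtree"):
    """True if entry_dn lies within base_dn for the given LDAP scope."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "onelevel": depth == 1, "subtree": True}[scope]


def parse_filter(text):
    """Parse a filter such as (&(objectClass=person)(mail=*)) into a tree:
    ('&'|'|'|'!', [children]) or ('=', attr, value). Values may use '*'."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos} in {text!r}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at {pos} in {text!r}")
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing data in filter {text!r}")
    return tree


def matches(tree, attrs):
    """Evaluate a parsed filter against one entry's attribute dict."""
    op = tree[0]
    if op == "&":
        return all(matches(k, attrs) for k in tree[1])
    if op == "|":
        return any(matches(k, attrs) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    _, attr, value = tree
    values = attrs.get(attr, [])
    if value == "*":                      # presence filter
        return bool(values)
    # Equality or substring ('*' wildcards); AD compares these case-insensitively.
    pattern = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"
    return any(re.match(pattern, v, re.I) for v in values)


def search(base_dn, search_filter, scope="subtree", limit=100, directory=DIRECTORY):
    """Return the sorted DNs matching the filter under base_dn, capped at limit
    (the 'Don't return more than 100 results' setting)."""
    tree = parse_filter(search_filter)
    hits = [dn for dn, attrs in directory.items()
            if is_under(dn, base_dn, scope) and matches(tree, attrs)]
    return sorted(hits)[:limit]


def demo():
    """The address book configurations discussed in the post, run on the sample."""
    root = "DC=example,DC=com"
    return {
        "root, (objectclass=*)": search(root, "(objectclass=*)"),
        "root, (objectClass=person)": search(root, "(objectClass=person)"),
        "CN=Users, (objectclass=*)": search("CN=Users,DC=example,DC=com", "(objectclass=*)"),
        "root, persons with mail": search(root, "(&(objectClass=person)(mail=*))"),
        "root, persons with mail or public folders":
            search(root, "(|(&(objectClass=person)(mail=*))(objectClass=publicFolder))"),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label}: {len(hits)} entries")
        for dn in hits:
            print("   ", dn)
```

Running it shows the default `(objectclass=*)` from the domain root returning containers, groups and computers alongside people, the `CN=Users` base DN dropping the computer and public-folder branches, and the combined filter keeping only mail-carrying persons. One caveat worth keeping in mind when you copy these settings into a real client: a simple bind with `DOMAIN\user` and a password over port 389 sends those credentials in clear text unless the connection is upgraded to TLS, so the port 636 (LDAPS) option mentioned in the second guide above is the one to prefer on a network you do not fully control.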

Hope this helps someone else out there, wherever your geeky proverbial concrete-bashing noggin’ may find you. =:)

27 Replies to “LDAP, Microsoft Exchange, and KAddressBook or Thunderbird”

  • Sigh. At last. With your help, I finally have Kontact accessing our company’s Exchange address book. As you said, the ldp.exe was key in figuring out the proper parameters used by our company.

    Thank you !!!!!!!!!!

  • definitely appreciate the work you are doing with this…one question though that I don’t see anyone addressing on any sites out there…how do you get the list of contacts from the ldap server to populate the thunderbird (or any other client) address list without having to do a search (much like the functionality in outlook to exchange where you see the Global Address Book without a search)? Thanks for any help…

  • Hi, Jason. I stumbled upon this page and thought I could possibly pick your brain. I tried following these steps to get my Active Directory address book to show in Thunderbird, to no avail. It works in Outlook, but not Thunderbird, using the exact same parameters. Is there anything distinctly different between setting up the LDAP in Outlook as opposed to Thunderbird that you know of? I tried several different port numbers; I tried the many different search parameters; I tried changing the Bind DN. None of those worked. Any help would be greatly appreciated. Thank you in advance!

  • Hi Keith!

    The biggest piece of the puzzle for me was the bind DN. Mine _had_ to be:

    base dn: CN=Users,DC=XXX,DC=XXX,DC=com (important to start with Users for me!!)

    You can learn what this is in your environment by using the microsoft ldap querying tool I referenced above.

    HTH! =:)

  • I finally got it! The biggest help was using the ADAM Tool from Microsoft. Follow this link and use the tool. Open the Excel file, copy the DN field in cell A1, and paste all of it into the base DN field except for your username. Excellent!

  • Thanks for this – I’ve been struggling with getting thunderbird addressbook to work for ages and your notes made the difference.
    Our IT department weren’t interested in helping out and the trick for me was using the ADAM tool referenced by Eddie above which showed me I’d been using the wrong hostname to the one I thought was used. After that, and with your remaining instructions the rest was gravy and I can now kiss outlook goodbye. Yay

  • Thanks for giving me the key to get connected to our Exchange LDAP from Linux. Defining the Bind DN was the key. Reading your About Me section got me to send a response. I work with SIL/Wycliffe in Papua New Guinea doing audio recordings and administering a Linux server.

  • Has anyone tried configuring the AIX daemon using mksecldap that accesses an Active Directory on a Windows box? I keep getting invalid Bind DN etc etc

  • thanks – the Microsoft tool to display the LDAP tree was what I needed. The company’s LDAP I was trying to integrate used non-standard element names – so in addition to the other details, that was a missing link.

    As mentioned elsewhere, Thunderbird does not appear to do the LDAP search within the email but I can at least search within that addressbook and find people…

    thanks to all who contributed!

  • You rock! As noted by others above, the MS LDAP tool gave me everything I needed to get set up and it’s now all working in Thunderbird!!

    Thanks!

  • I used Softerra’s free LDAP Browser (which has a better interface than Microsoft’s) to figure out the Thunderbird settings for mailstreet.net’s LDAP server. Thanks for the great article.

  • Thank you for keeping this up here. The MS LDAP browser is *very* important. In my case, the DN settings for our campus AD server are *not* related to the computer name/domain. At least as far as the actual user accounts are concerned.

    Wondering why it only seemed to have aliases and computers in the full domain. Grr.

  • Hi Friends,
    I have tried all the steps but unfortunately I failed to connect to the address book. It gives a different error at different times.
    We are using Exchange 2010 and want to link it with TB through IMAP.

    Mail is working perfectly fine but the address book fails to sync.
    Has anyone done this in an Exchange 2010 environment?
