LDAP, Microsoft Exchange, and KAddressBook or Thunderbird
Friday May 5, 2006
My current employer uses Exchange 2003 as its groupware solution. I have on-and-off-again been beating my head against the proverbial concrete wall in trying to get it to work nicely with LDAP and address books other than Evolution or Outlook, for obvious reasons. Today, my geeky noggin’ has broken through the proverbial concrete wall and I now have both KDE’s KAddressBook and Thunderbird’s address book successfully using the Exchange server here at work.
Yay, me!
Two things I found this morning helped my noggin’, and I’ll list them here for future reference for myself as well as in hopes of helping some other poor concrete/geek/proverbial/noggin’-banging soul.
First, I’ve found this post which lists a very helpful step-by-step approach for getting things almost working:
OK, here is how Mozilla/Thunderbird LDAP works with Exchange 2000-2003:
1. The default LDAP port for Active Directory is 3268 (not 389) so make sure you’ve got this port open thru the firewall, and make sure to configure it in your LDAP account settings in Mozilla/Thunderbird.
2. For Base DN, you MUST enter something like dc=yourdomain,dc=com (whereas Outlook Express lets you get away with putting NULL).
3. For Bind DN, you must enter a domain user which has permission to search the directory. You should enter it qualified by the NetBIOS domain name, for example: mydomain\username
4. For some reason, Thunderbird doesn’t always seem to recognize that it needs to log on before querying. The easiest, most reliable way I have found to force it is to go to the Offline tab in the Directory Server Properties and click the Download button. This function seems to “see” that Active Directory wants a logon, so Thunderbird will display the logon dialog to let you enter your domain credentials. For the username, specify exactly the same thing you put into Bind DN.
5. Results are returned asynchronously to the Thunderbird Address Book, so you might see “No matches found” immediately after clicking the Search button. Wait a few seconds, and your results should show up.
6. Mozilla and Thunderbird default to a Search Filter of (objectclass=*) which will return lots of useless (non-email address) entries from Active Directory. You can override this with something like (objectclass=person) on the Advanced tab of Directory Service Properties. Depending on what kinds of addresses are in your Active Directory, you may need to refine this filter more (for example, if you’ve got mail-enabled Public Folders which you want to display).
7. The Address Book UI in Thunderbird is just clumsy. You CANNOT search an LDAP directory by simply selecting it on the left hand side and then entering your search in the “Name or Email contains” textbox. You MUST click the Advanced button to define an LDAP search. After you find your desired address(es) in LDAP, you “should” be able to copy it to your local addresses but the stupid UI only lets you look at the Properties or add it to the recipient list for a new message (by clicking the Write button).
And then there’s this page that helped me finally get it all working:
You can add a new address book with the following properties:
General tab:
Name: …
Hostname:
Base DN: dc=company,dc=com
Port number: 389 (non-secure) or 636 (secure)
Bind DN: YOURWINDOWSLOGONDOMAIN\yourwindowslogonuser
Advanced tab:
Don’t return more than [ 100 ] results
Scope: Subtree
Search filter: (objectClass=person)
If your organisation is large you may have to change the Bind DN so it only returns your unit (e.g. ou=yourdept,dc=company,dc=com) as otherwise Thunderbird may decide to act a bit strange.
You can force a read by clicking the Download Now button on Offline tab, although you won’t see any contacts afterwards, you have to search in the Compose window.
If you still get no joy you can download and install Windows Server 2003 Service Pack 1 Support Tools and run ldp.exe against the exchange server. You don’t even need to install it if you decompress with WinRAR (or possibly WinZip) and look for the executable.
http://support.microsoft.com/kb/892777
That way you can find out the Bind DN and search filter. First use Connection > Connect against the server, then Connection > Bind with your user and password then use View > Tree with a blank string and you can find a tree view of your Base DN and go into departments and retrieve user data to find out their objectClass if it’s not person.
Finally in Tools > Options > Composition > Addressing tick Automatically add outgoing e-mail address to my [ Collected Addresses ] as it’s much faster than searching the server.
Granted, these are instructional in getting Thunderbird to work with Exchange, but the same applies to KDE’s kaddressbook.
In the end, I think the thing that really got this working for me was using Microsoft’s ldp.exe tool to browse the Active Directory LDAP tree that Exchange uses and see its innards. Specifically, I had to do this:
server: [active directory server]
base dn: CN=Users,DC=XXX,DC=XXX,DC=com (important to start with Users for me!!)
port: 389
bind dn: [windows domain]\[username]
search filter: (objectclass=*)
scope: subtree
The trick was, I think, that I had to provide a more specific base dn to the address books.
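To make the settings above concrete, here is an added example (not code from the original post or from any of the pages it quotes) that turns them into an OpenLDAP ldapsearch command line and builds the address-book search filter safely. The hostname, domain, bind user and search term in it are constructed placeholders. Two caveats a practitioner would want alongside the quoted instructions: 389 (636 over TLS) is the standard LDAP port on a domain controller, while 3268/3269 is the Global Catalog, which answers forest-wide queries with only a partial attribute set; and a simple bind with DOMAIN\user sends the password in clear unless the session is protected by LDAPS or STARTTLS. The filter builder also hex-escapes the search term per RFC 4515, so a term typed into an address-book search cannot change the structure of the filter.

```python
"""Build an ldapsearch command line and a safe address-book filter from the
Exchange/Active Directory settings discussed in the post.

Added example, not code from the original post or the pages it quotes.
The host, domain, bind user and search term used below are constructed
placeholders (assumptions), not values from the post.
"""
import re
import shlex

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value, otherwise a search term can rewrite the filter itself.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def base_dn_from_domain(dns_domain: str, container: str = "") -> str:
    """Turn an AD DNS domain into the DC=... base DN the post describes,
    e.g. 'corp.example.com' -> 'DC=corp,DC=example,DC=com'.  An optional
    container such as 'CN=Users' narrows the base the way the post needed."""
    labels = [label for label in dns_domain.strip(".").lower().split(".") if label]
    if not labels or not all(re.fullmatch(r"[a-z0-9-]+", label) for label in labels):
        raise ValueError(f"not a DNS domain: {dns_domain!r}")
    dn = ",".join(f"DC={label}" for label in labels)
    return f"{container},{dn}" if container else dn


def address_book_filter(term: str = "") -> str:
    """Filter for mail-enabled people.  With no term this is the
    (objectClass=person) filter the post recommends over Thunderbird's default
    (objectclass=*), tightened to entries that actually carry a mail attribute
    (in AD, computer objects are also objectClass=person).  With a term it
    also matches display name or address; the term is escaped so input such
    as '*)(objectClass=*' cannot widen the search."""
    parts = ["(objectClass=person)", "(mail=*)"]
    if term:
        safe = escape_filter_value(term)
        parts.append(f"(|(cn=*{safe}*)(mail=*{safe}*))")
    return "(&" + "".join(parts) + ")"


def ldapsearch_argv(host, bind_user, base_dn, search_filter,
                    port=389, attrs=("cn", "mail"), size_limit=100):
    """argv for OpenLDAP's ldapsearch mirroring the Thunderbird settings:
    -H server URI, -D bind identity (a domain controller accepts DOMAIN\\user
    or user@domain here in place of a full DN), -W prompt for the password,
    -b base DN, -s sub for subtree scope, -z the result limit.
    On the plain LDAP ports (389, 3268) -ZZ demands a successful STARTTLS
    before the simple bind so the password is not sent in clear."""
    ldaps = port in (636, 3269)
    argv = ["ldapsearch", "-H", f"{'ldaps' if ldaps else 'ldap'}://{host}:{port}",
            "-D", bind_user, "-W", "-b", base_dn, "-s", "sub", "-z", str(size_limit)]
    if not ldaps:
        argv.append("-ZZ")
    argv += [search_filter, *attrs]
    return argv


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own DC and account.
    base = base_dn_from_domain("example.com", container="CN=Users")
    cmd = ldapsearch_argv("dc01.example.com", "EXAMPLE\\jdoe", base,
                          address_book_filter("ann"))
    print(shlex.join(cmd))
```

Running the script prints the command to paste into a shell; ldapsearch then prompts for the password. If the domain controller rejects STARTTLS, switch to port 636 rather than dropping the -ZZ, since the bind DN and password otherwise cross the wire in clear.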
Hope this helps someone else out there, wherever your geeky proverbial concrete-bashing noggin’ may find you. =:)
You rock. Got Thunderbird to play nicely with Exchange and addresses are looking up perfectly. Thanks.
Sweet!! So glad to hear that it worked for someone else!! I couldn’t get over how difficult it was to get this to work!! =:)
Rock on, Open Source desktop!! =:)
Hmm. It only works when I utilize accounts that have administrative permissions over the domain. I want to let normal users utilize the directory….:-
Thanks man… I got TB to work with the evil Exchange server now….
Sigh. At last. With your help, I finally have Kontact accessing our company’s Exchange address book. As you said, the ldp.exe was key in figuring out the proper parameters used by our company.
Thank you !!!!!!!!!!
Awesome. =:) Glad to hear it helped!! =:) I dream of the day when we’ll get openchange support in kontact, but until then, hacks that let me work around the problems are better than nothing at all. =:)
definitely appreciate the work you are doing with this…one question though that I don’t see anyone addressing on any sites out there…how do you get the list of contacts from the ldap server to populate the thunderbird (or any other client) address list without having to do a search (much like the functionality in outlook to exchange where you see the Global Address Book without a search)? Thanks for any help…
Hi Sean! =:)
Thanks! Um, yeah, you’re right… I haven’t seen anything in Linux that can pull this off. I always just do a search.
Hi, Jason. I stumbled upon this page and thought I could possibly pick your brain. I tried following these steps to get my Active Directory address book to show in Thunderbird, to no avail. It works in Outlook, but not Thunderbird, using the same exact parameters. Is there anything distinctly different between setting up the LDAP in Outlook as opposed to Thunderbird that you know of? I tried several different port numbers; I tried the many different search parameters; I tried changing the Bind DN. None of those worked. Any help would be greatly appreciated. Thank you in advance!
Hi Keith!
The biggest piece of the puzzle for me was the bind DN. Mine _had_ to be:
base dn: CN=Users,DC=XXX,DC=XXX,DC=com (important to start with Users for me!!)
You can learn what this is in your environment by using the microsoft ldap querying tool I referenced above.
HTH! =:)
I finally got it! The biggest help was using the ADAM Tool from Microsoft. Follow this link and use the tool. Open the excel file copy the DN field in cell A1 and paste all of it into the base dn field except for your username. Excellent!
https://help.ubuntu.com/community/ThunderbirdExchange
yeah…
Thanks for this – I’ve been struggling with getting thunderbird addressbook to work for ages and your notes made the difference.
Our IT department weren’t interested in helping out, and the trick for me was using the ADAM tool referenced by Eddie above, which showed me I’d been using the wrong hostname, not the one I thought was used. After that, and with your remaining instructions, the rest was gravy and I can now kiss Outlook goodbye. Yay
@Banther: Awesome!! Glad to hear it!!! =:)
Thanks for giving me the key to get connected to our Exchange LDAP from Linux. Defining the Bind DN was the key. Reading your About Me section got me to send a response. I work with SIL/Wycliffe in Papua New Guinea doing audio recordings and administering a Linux server.
Has anyone tried configuring the AIX daemon using mksecldap that accesses an Active Directory on a Windows box? I keep getting invalid Bind DN etc etc
Hi @Dan!! =:) Glad to hear it helped!! =:)
@Chris Bland: No, sorry. That sounds horrible. =:/
can anyone by chance tell me if there would be any reason this process would not work on a mac?
tia
d-_-b
thanks – the Microsoft tool to display the LDAP tree was what I needed. The company’s LDAP I was trying to integrate used non-standard element names – so in addition to the other details, that was a missing link.
As mentioned elsewhere, Thunderbird does not appear to do the LDAP search within the email but I can at least search within that addressbook and find people…
thanks to all who contributed!
You rock! As noted by others above, the MS LDAP tool gave me everything I needed to get set up and it’s now all working in Thunderbird!!
Thanks!
I used Softerra’s free LDAP Browser (which has a better interface than Microsoft’s) to figure out the Thunderbird settings for mailstreet.net’s LDAP server. Thanks for the great article.
Thank you for keeping this up here. The MS LDAP browser is *very* important. In my case, the DN settings for our campus AD server are *not* related to the computer name/domain. At least as far as the actual user accounts are concerned.
Wondering why it only seemed to have aliases and computers in the full domain. Grr.
Great post – finally got Exchange LDAP working in Thunderbird.
Great post, see here for more details to get the calendar working 100% with the latest exchange server:
http://www.high-on-it.co.za/2011/01/complete-how-to-setup-thunderbird-31x.html
Hi Friends,
I have tried all the steps but unfortunately I failed to connect to the address book. It gives different errors at different times.
We are using Exchange 2010 and want to link it with TB through IMAP.
Mail is working perfectly fine, but the address book fails to sync.
Has anyone done this in an Exchange 2010 environment?
Thanks for the advice, the ldp util is really helpful!