Exchange LDAP in Thunderbird

I have struggled for a while to use our campus resources from my mac(s) at home and at work. In particular, I haven’t had much luck getting any email program to successfully auto-complete email addresses using LDAP. To clarify, the campus has an exchange server that is running Exchange 2007 (as near as I can tell). I know the server name, port, and have determined some other bits from various posts elsewhere. The single biggest issue is that the LDAP server has an expired certificate, so that was the final roadblock that I recently overcame.

It turns out that I had to create a security exception in order to get around an expired certificate (it was a self-signed certificate, so Thunderbird also complained even before it expired).

Thunderbird lets you manage certificates from the Preferences -> Advanced -> Certificates -> View Certificates dialog. Here it is possible to add exceptions. I had tried this before but when it didn’t work, I temporarily gave up. Recently I came across a mention of the fact that these exceptions are unique to the port number being used on the excepted server. Since I access LDAP via SSL (hence needing a certificate) on port 636, I simply added an exception for to the list in Thunderbird. Now, no more certificate errors, and LDAP works like a charm in the addressbook and auto-completion realms.

One further note, depending on the way the server stores information, you can trick Thunderbird into searching differently, and displaying results differently. This involves setting user preferences in the Config Editor (you may void your warranty ;-). The two I used are the LDAP autocomplete filtertemplate, and the displayname definition. For details, see the excellent post on LDAP in Thunderbird by Lincoln Ramsay.

Other hints on getting this all to work: the server and port are obviously important and can hopefully be discovered through your support personnel. The Base DN and Bind DN can be some black magic. For exchange, a good guess (and what worked for me) was to take the full domain of the server (everything after the first “.”) and put DC= in front of each. So would have a Base DN of DC=bar,DC=baz,DC=com. The Bind DN is really just your username, and may need a domain in front of it. Remember, exchange is windows stuff so it will be a windows domain. In my case, the domain is PACIFIC so my Bind DN was “PACIFIC\NetID” where NetID is my username.

Finally, another useful option is logging the ldap protocol traffic from Thunderbird. To enable an ldap log, simply create a text file (name it something like ldap.command) and fill it with the following shell script:

export NSPR_LOG_MODULES=ldap:5
export NSPR_LOG_FILE=ldap.log
/Applications/ &

Which will log traffic to ldap.log for later viewing.

UPDATE (10-4-10): I have found a new and improved way to access exchange LDAP from thunderbird (or any other standards-compliant client). Read more in my DavMail post.


3 thoughts on “Exchange LDAP in Thunderbird

  1. Pingback: Exchange LDAP in Thunderbird « The Daily Photon Mozilla Fennec

  2. Pingback: LDAP search of Active Directory « The Daily Photon

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s