Dovecot & AD (was: Dovecot 2 LDAP "unknown user")

Thu, 10 Nov 2016 06:56:49 -0800 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 5 Nov 2016, Peter Fraser wrote:


1. I need to make sure the user logon name in AD and the samAccountname
   are exactly the same, case and all. It seems postfix
   uses the samAccountname and Dovecot the User logon name.
2. I also noticed that if the Display name for a user in AD is blank,
   that user cannot log in using telnet <server ip> 110.


OK, this is something interesting


and dovecot-ldap.conf.ext reads as follows

#Custom Settings
hosts = ip address
ldap_version = 3
scope = subtree
deref = never
base = cn=users,dc=domain,dc=com
dn = cn=administrator,cn=users,dc=domain,dc=com
dnpass = password
auth_bind = yes
auth_bind_userdn = %n
ldap_version = 3
scope = subtree
user_attrs = home=/home/vmail/%u,=uid=vmail,=gid=vmail
pass_attrs = uid=%n,userPassword=password
#pass_attrs=uid=user, userpassword=password
user_filter = (&(objectclass=person)(samaccountname=%n))
pass_filter = (&(objectclass=inetorgperson)(mail=%u))


Check out your 1. and pass_filter
"postfix uses samAccountname" <-> pass_filter uses "mail" to identify an user. 

So I suggest you use:
pass_filter = (&(objectclass=inetorgperson)(|(mail=%u)(samaccountname=%n)(cn=%n)))
Note: add all LDAP attributes to the LDAP query, that identify exactly one user (never more than one). If cn is not unique, use something you think is appropriate. Some examples in the net use userPrincipalName, ... Also, search the net for "dovecot active directory" and you'll find that some exclude entries with certain userAccountControl strings. That way Dovecot finds the user regardless of what s/he enters as username. You could even use something like (mail=%n...@example.com) 

pass_attrs=samaccountname=user, userpassword=password

This will return samaccountname as new username for userdb queries.

user_filter = (&(objectclass=person)(samaccountname=%n))
Finally, this query must find the user's data. Because pass_attrs mangle the "user" information of Dovecot to be samaccountname, this attribute must be present. If postfix delivers to this user, too, you are done. Otherwise use a similiar approach as with pass_filter. 
Dovecot LDA and LMTP do not use pass_filter, but only user_filter.
- -- Steffen Kaiser 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEVAwUBWCSKXnz1H7kL/d9rAQI2Wgf+OIFn5vssn1giLEocVSpZDvirLHLe4c1m
br+PBzklJ2OtM4gYjVdcSkgOmuDGOoeIOcxZQIZwmz7413oCjmA8jloUzzYhj6Q6
6CSLHlBWMqtsnQC8+bITuEWBO+ygXT4A5HdEiJANT/oq+Jq1PXq6gN4W3CVwaq+4
f0b+H+Ejk9Xf8jjnpsvhL4SeS71fc7QwmcDZ3syxutQhWgu/urkAUqu3B0R9PD2r
FOxJS+q4lF4JTni4vlWrqtuUeK9Mv675vLq1Uw8c+jLdlBgD5QKKsFNy3LTokMEm
qU1g7uSISl16AmZ6arIk2ZEtBMpYlFYhxct/EMbjfgeKZ75zG9g6Fw==
=S+La
-----END PGP SIGNATURE-----

Reply via email to