mj - thanks! That the first useful example I've received from any forum/list. I'm getting ready to try my config (have to do so after hours), but I have some probably simple-minded questions:
Your example is not the complete dovecot-ldap.conf.ext file, right? Have you just given me differences in your config from the "original"? You've kept the hosts, base, ldap_version, scope, deref, debug_level, and auth_bind_userdn settings in your config, right? Your dn is: dn = cn=search_dovecit,cn=users,dc=company,dc=com Mine (original) is: dn = cn=user_for_bind,cn=Users,dc=dom Can you tell me why you have "search_dovecit" versus "user_for_bind"? Is that something I need in order to make this work? Is your "dc=company,dc=com" meta-syntax and you use your actual domain CNs here, or is that litterally what you have there? My dnpass (original) is: dnpass = ************ your example is: dnpass = top_secret Again, are the assigned values meta-syntax (meta-syntax in configs is not obvious to me unless it is bold, underlined, italicized and colored ... or uses brackets or some other convention)? If meta, what is actually supposed to go there? With your "this user/passwd filter". Can you tell me why you have "userAccountControl=514"? Is that 514 bit documented somewhere? Your user_filer/pass_filter is *completely* different from my installed original. You don't mention the user_attrs/pass_attrs settings. Is this because you use the originals or because you have commented them out? My current settings are: user_attrs = quotaFieldAD=quota_rule=*:storage=%$MB pass_attrs = userPassword=password My auth_mechanisms are: auth_mechanisms = plain login gssapi Is this sufficient for ldap? Thanks for your help --Mark btw - I have been running Dovecot with AD for years, but for local Domain users authenticating via GSSAPI. Remote users (e.g. smartPhones) don't have that mechanism that I'm aware of. Currently they are authenticated via shadow, but I'd like to remove AD users from /etc/passwd. On Mon, 4 Dec 2017 09:04:57 +0100 mj <li...@merit.unu.edu> wrote > > Hi Mark, > > Just to let you know that we are running dovecot with AD. (and I guess: > *many* people are running that combination) > > It worked without issues, we are using in dovecot-ldap.conf.ext: > > > auth_bind = yes > > this user/passwd filter: > > = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514))) > > > dn = cn=search_dovecit,cn=users,dc=company,dc=com > > dnpass = top_secret > > And not the 3268 port, but regular 389. > > Hope that helps. > > MJ > > > > On 12/04/2017 01:38 AM, Mark Foley wrote: > > Unfortunately, I tried for weeks to figure out passdb ldap without success. > > I guess I'm just > > not knowledgeable enough about how to use ldap and Active Directory. The > > dovecot wiki > > https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it > > says is: > > > > Active Directory > > > > When connecting to AD, you may need to use port 3268. Then again, not all > > LDAP fields are > > available in port 3268. Use whatever works. > > http://technet.microsoft.com/en-us/library/cc978012.aspx > > > > I have not been able to find an example of someone using Dovecot and ldap > > with AD. > > > > However, I have had some success with CheckPassword > > (https://wiki2.dovecot.org/AuthDatabase/CheckPassword). Using a program I > > wrote to do > > ntlm_auth, I am able to authenticate the smartPhone user and pass the > > required parameters back > > to Dovecot. My auth-checkpasswd.conf.ext is the as-shipped standard except > > pointing to my > > checkpassword executable. > > > > passdb { > > driver = checkpassword > > args = /user/util/bin/checkpassword > > } > > userdb { > > driver = prefetch > > } > > > > The one issue I have with this at the moment is that dovecot runs > > checkpassword for every user, > > smartphone or otherwise: > > > > Dec 03 18:56:32 auth-worker(14903): Info: > > shadow(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): unknown user - trying > > the next passdb > > Dec 03 18:56:32 auth: Debug: > > checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): execute: > > /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply > > Dec 03 18:56:32 auth: Debug: > > checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Received input: > > Dec 03 18:56:32 auth: Debug: > > checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): exit_status=1 > > Dec 03 18:56:32 auth: Debug: > > checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Credentials: > > Dec 03 18:56:32 auth: Debug: client passdb out: OK 1 > > user=charmaine original_user=charmaine@HPRS.LOCAL > > Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001 14902 1 > > 586863e54c57c999ee5731906a59257c session_pid=14907 > > request_auth_token > > Dec 03 18:56:32 auth-worker(14903): Debug: > > passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): lookup > > Dec 03 18:56:32 auth-worker(14903): Debug: > > passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): username changed > > charmaine -> HPRS\charmaine > > Dec 03 18:56:32 auth: Debug: master userdb out: USER 1884160001 > > HPRS\charmaine system_groups_user=HPRS\charmaineuid=10003 gid=10000 > > home=/home/HPRS/charmaine > > auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 > > auth_user=charmaine@HPRS.LOCAL > > Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>, method=GSSAPI, > > rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, > > session=<oy/YWXhfAtXAqAA0> > > Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913) > > > > Notice after the "shadow" auth fails it says, "unknown user - trying the > > next passdb", which is > > checkpassword (which apparently succeeds), then it goes on to gssapi which > > also succeeds. Is > > there a way to only have it do checkpassword if all shadow and gssapi fail? > > My mechanisms are: > > > > auth_mechanisms = plain login gssapi > > > > THX, --Mark > > > > --Mark > > > > -----Original Message----- > > Date: Sun, 03 Dec 2017 22:28:53 +0200 > > Subject: Re: Howto authenticate smartPhone via Active Directory > > From: Aki Tuomi <aki.tu...@dovecot.fi> > > To: Mark Foley <mfo...@ohprs.org>, dovecot@dovecot.org > > > > with passdb ldap i guess. > > > > ---Aki Tuomi > > Dovecot oy > > > > -------- Original message -------- > > From: Mark Foley <mfo...@ohprs.org> > > Date: 03/12/2017 21:18 (GMT+02:00) > > To: dovecot@dovecot.org > > Subject: Re: Howto authenticate smartPhone via Active Directory > > > > Yes, you are right. This link: > > https://www.redips.net/linux/android-email-postfix-auth/#section2 > > shows: > > > > passdb pam { > > } > > > > used for authenticating Android. Problem #1 is that Slackware does not > > ship with PAM and the > > AD/DC Samba4 does not use it. It is used on Slackware for a domain member, > > but I'm not sure I > > should try configuring PAM on the AD/DC. > > > > Is there some otherway I can get authentication using domain credentials > > besides pam? the phone > > can send user and password. > > > > --Mark > > > > -----Original Message----- > >> Date: Sun, 03 Dec 2017 15:22:56 +0200 > >> Subject: Re: Howto authenticate smartPhone via Active Directory > >> From: Aki Tuomi <aki.tu...@dovecot.fi> > >> To: Mark Foley <mfo...@ohprs.org>, dovecot@dovecot.org > >> > >> Actually you are authenticating gssapi clients from ad and everyone else > >> from shadow. maybe you need to configure pam module? > >> ---Aki TuomiDovecot oy > >> > >> -------- Original message -------- > >> From: Mark Foley <mfo...@ohprs.org> > >> Date: 03/12/2017 06:03 (GMT+02:00) > >> To: dovecot@dovecot.org > >> Subject: Howto authenticate smartPhone via Active Directory > > > >> I have a Samba4 Active Directory server. Dovecot authenticates AD Users > >> with domain credentials > >> using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt > >> authentication via > >> shadow first and. failing that, it does authenticate via GSSAPI. > >> > >> Smartphones connect to Dovecot via port 143 and SSL. They are not domain > >> members so if the > >> shadow authentication fails, no other methods are tried and no connection > >> is made. > >> > >> What can I do with my dovecot config to fix this? > >> > >>> doveconf -n > >> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > >> # OS: Linux 4.4.88 x86_64 Slackware 14.2 > >> auth_debug = yes > >> auth_debug_passwords = yes > >> auth_gssapi_hostname = $ALL > >> auth_krb5_keytab = /etc/dovecot/dovecot.keytab > >> auth_mechanisms = plain login gssapi > >> auth_use_winbind = yes > >> auth_username_format = %n > >> auth_verbose = yes > >> auth_verbose_passwords = plain > >> disable_plaintext_auth = no > >> info_log_path = /var/log/dovecot_info > >> mail_location = maildir:~/Maildir > >> passdb { > >> driver = shadow > >> } > >> protocols = imap > >> ssl_cert = > >> </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt > >> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key > >> userdb { > >> driver = passwd > >> } > >> verbose_ssl = yes > >> > >> Thanks, Mark > > >
