> On 24/11/2020 13:20 Odhiambo Washington <odhia...@gmail.com> wrote: > > > > > > On Sun, 22 Nov 2020 at 15:08, Odhiambo Washington <odhia...@gmail.com> wrote: > > Hi, > > > > I have setup samba4 as AD and hoping to have dovecot authenticate users > > against it. I am facing challenges though and I am unable to figure it out. > > I could do with a third eye to help me spot what is wrong. > > > > > > > > root@adc0:/etc# doveadm auth test -x service=imap odhiambo@newideatest.local > > Password: > > passdb: odhiambo@newideatest.local auth failed > > extra fields: > > > > info.log: > > > > Nov 22 14:31:08 auth: Info: > > > > > > Here is my doveconf -n: > > > > https://paste.ubuntu.com/p/SPmrxZxHPx/ > > > > My dovecot-ldap.cont.ext: > > > > uris = ldap://localhost/ > > dn = "dovecot@newideatest.local" > > dnpass = "XXXXXXXX" > > sasl_bind = no > > tls = no > > ldap_version = 3 > > deref = never > > scope = subtree > > base = cn=Users,dc=NEWIDEATEST,dc=LOCAL > > auth_bind = yes > > user_filter = > > (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%u)(sAMAccountName=%u)(otherMailbox=%u))) > > user_attrs = > > sAMAccountName=user,userPassword=password,=mail=maildir:/home/%n/Maildir/ > > pass_filter = > > (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u)) > > pass_attrs = sAMAccountName=user,userPassword=password > > > > The use exists in the database: > > > > > For the record, this is what I finally came up with that worked - > dovecot-ldap.conf.ext: > > > ##### BEGIN > uris = ldap://localhost/ > dn = "dovecot@newideatest.local" > dnpass = "verystupid" > sasl_bind = no > tls = no > ldap_version = 3 > deref = never > scope = subtree > base = cn=Users,dc=NEWIDEATEST,dc=LOCAL > auth_bind = yes
You probably would want to set this to 'no', it causes dovecot to rebind after authentication. This is not required when you can return password from LDAP, it is only required when you have to do first a lookup and then authenticate as the user to verify password. > > #user_filter = (mail=%u) > #pass_filter = (mail=%u) > #pass_attrs = mail=%u,= userPassword=password > > user_filter = > (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) > pass_filter = > (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) > pass_attrs = userPassword=password > > user_attrs = > =home=/var/spool/virtual/%Ld/%Ln/Maildir/,=mail=maildir:/var/spool/virtual/%Ld/%Ln/Maildir/ > > default_pass_scheme = CRYPT > ##### END > > Also to add: > 1. If you use the commented out filters, the authentication is very fast > 2. If you use the uncommented ones, it's a bit slow. > > Choose your poison, as YMMV. > > Adios. > > > > -- > > Best regards, > Odhiambo WASHINGTON, Regards, Aki
