AD authentication with dovecot not working.

hkhk_exact10 via dovecot Wed, 10 Jul 2024 18:51:59 -0700

Hi All,

I am trying to setup AD auth with dovecot and have tried a lot of options
but still no success.


I am using a bind account for AD authentication and the users are not posix
accounts. I am not using the ssl cert as its not available, so disabling
it. I have used the similar settings with saslauthd+postfix and it worked,
not sure what am I doing wrong with configurations..

My configuration is as follows:

# dovecot --version
2.3.16 (7e2e900c1a)
# dovecot -n
# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# OS: Linux 5.14.0-474.el9.x86_64 x86_64 CentOS Stream release 9
# Hostname: mail-centos.example.com
auth_mechanisms = plain login
first_valid_uid = 1000
listen = *
mail_location = maildir:~/Maildir
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
service pop3-login {
  process_limit = 500
}
service submission-login {
  inet_listener submission {
    port = 587
  }
}
ssl_cert = </etc/ssl/example.com/server.pem
ssl_cipher_list = PROFILE=SYSTEM
ssl_key = # hidden, use -P to show it
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

------------------
# cat /etc/dovecot/dovecot-ldap.conf.ext
uris = ldaps://10.1.85.11
dn =
CN=s_linux_bind,OU=Global,OU=Services,OU=Accounts,OU=root,DC=example,DC=com
dnpass = xxxxx
auth_bind = yes
tls_require_cert = never
debug_level = 1
ldap_version = 3
base = dc=example,dc=com
scope = subtree
deref = never
user_filter = (&(objectClass=user)(sAMAccountName=%u))

---------------

Error logs:
 dovecot[6600]: auth: Error: ** ld 0x556695138d90 Outstanding Requests:
 dovecot[6600]: auth: Error:  * msgid 2,  origid 2, status RequestCompleted
 dovecot[6600]: auth: Error:    outstanding referrals 2, parent count 2
 dovecot[6600]: auth: Error:  * msgid 3,  origid 2, status InProgress
 dovecot[6600]: auth: Error:    outstanding referrals 0, parent count 2
 dovecot[6600]: auth: Error:  * msgid 5,  origid 2, status InProgress
 dovecot[6600]: auth: Error:    outstanding referrals 0, parent count 1
 dovecot[6600]: auth: Error:   ld 0x556695138d90 request count 3 (abandoned
0)
 dovecot[6600]: auth: Error: ** ld 0x556695138d90 Response Queue:
 dovecot[6600]: auth: Error:    Empty
 dovecot[6600]: auth: Error:   ld 0x556695138d90 response count 0
 dovecot[6600]: auth: Error: ldap_chkResponseList ld 0x556695138d90 msgid
-1 all 0
 dovecot[6600]: auth: Error: ldap_chkResponseList returns ld 0x556695138d90
NULL
 dovecot[6600]: auth: Error: ldap_int_select
 postfix/submission/smtpd[6602]: warning: unknown[10.1.70.75]: SASL LOGIN
authentication failed: Connection lost to authentication server
 postfix/submission/smtpd[6602]: disconnect from unknown[10.1.70.75] ehlo=2
starttls=1 auth=0/1 quit=1 commands=4/5


Attaching the detailed error logs.

---------
saslauthd settings which worked:
# cat /etc/saslauthd.conf
ldap_servers: ldaps://10.1.85.11
ldap_search_base: dc=wtg,dc=zone
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn:
CN=s_linux_bind,OU=Global,OU=Services,OU=Accounts,OU=root,DC=example,DC=com
ldap_password: xxxx
ldap_tls_reqcert: never


Regards,
Sandeep

dovecot[6600]: auth: Error: TLS trace: SSL_connect:error in SSLv3/TLS write 
client hello
dovecot[6600]: auth: Error: TLS trace: SSL_connect:error in SSLv3/TLS write 
client hello
dovecot[6600]: auth: Error: TLS trace: SSL_connect:error in SSLv3/TLS write 
client hello
dovecot[6600]: auth: Error: TLS trace: SSL_connect:SSLv3/TLS read server hello
dovecot[6600]: auth: Error: TLS trace: SSL_connect:TLSv1.3 read encrypted 
extensions
dovecot[6600]: auth: Error: TLS trace: SSL_connect:SSLv3/TLS read server 
certificate request
dovecot[6600]: auth: Error: TLS certificate verification: depth: 0, err: 20, 
subject: /CN=, issuer: /DC=com/DC=example/CN=example-Root-CA-1
dovecot[6600]: auth: Error: TLS certificate verification: Error, unable to get 
local issuer certificate
dovecot[6600]: auth: Error: TLS trace: SSL_connect:SSLv3/TLS read server 
certificate
dovecot[6600]: auth: Error: TLS trace: SSL_connect:TLSv1.3 read server 
certificate verify
dovecot[6600]: auth: Error: TLS trace: SSL_connect:SSLv3/TLS read finished
dovecot[6600]: auth: Error: TLS trace: SSL_connect:SSLv3/TLS write change 
cipher spec
dovecot[6600]: auth: Error: TLS trace: SSL_connect:SSLv3/TLS write client 
certificate
dovecot[6600]: auth: Error: TLS trace: SSL_connect:SSLv3/TLS write finished
dovecot[6600]: auth: Error: anonymous rebind via ldap_sasl_bind("")
dovecot[6600]: auth: Error: ldap_sasl_bind
dovecot[6600]: auth: Error: ldap_send_initial_request
dovecot[6600]: auth: Error: ldap_send_server_request
dovecot[6600]: auth: Error: ldap_result ld 0x556695138d90 msgid 6
dovecot[6600]: auth: Error: wait4msg ld 0x556695138d90 msgid 6 (timeout 100000 
usec)
dovecot[6600]: auth: Error: wait4msg continue ld 0x556695138d90 msgid 6 all 1
dovecot[6600]: auth: Error: ** ld 0x556695138d90 Connections:
dovecot[6600]: auth: Error: * host: DomainDnsZones.exmple.zone  port: 0
dovecot[6600]: auth: Error: * from: IP=10.1.88.81:33182
dovecot[6600]: auth: Error:   refcnt: 2  status: Connected
dovecot[6600]: auth: Error:   last used: Wed Jul 10 19:49:20 2024
dovecot[6600]: auth: Error:   rebind in progress
dovecot[6600]: auth: Error:     queue is empty
dovecot[6600]: auth: Error:
dovecot[6600]: auth: Error: * host: sand.exmple.zone  port: 0
dovecot[6600]: auth: Error: * from: IP=10.1.88.81:50348
dovecot[6600]: auth: Error:   refcnt: 2  status: Connected
dovecot[6600]: auth: Error:   last used: Wed Jul 10 19:49:20 2024
dovecot[6600]: auth: Error:   rebind in progress
dovecot[6600]: auth: Error:     queue is empty
dovecot[6600]: auth: Error:
dovecot[6600]: auth: Error: * host: 10.1.85.11  port: 636  (default)
dovecot[6600]: auth: Error: * from: IP=10.1.88.81:33170
dovecot[6600]: auth: Error:   refcnt: 4  status: Connected
dovecot[6600]: auth: Error:   last used: Wed Jul 10 19:49:20 2024
dovecot[6600]: auth: Error:
dovecot[6600]: auth: Error:
dovecot[6600]: auth: Error: ** ld 0x556695138d90 Outstanding Requests:
dovecot[6600]: auth: Error:  * msgid 2,  origid 2, status InProgress
dovecot[6600]: auth: Error:    outstanding referrals 2, parent count 0
dovecot[6600]: auth: Error:  * msgid 4,  origid 4, status InProgress
dovecot[6600]: auth: Error:    outstanding referrals 0, parent count 0
dovecot[6600]: auth: Error:  * msgid 6,  origid 6, status InProgress
dovecot[6600]: auth: Error:    outstanding referrals 0, parent count 0
dovecot[6600]: auth: Error:   ld 0x556695138d90 request count 3 (abandoned 0)
dovecot[6600]: auth: Error: ** ld 0x556695138d90 Response Queue:
dovecot[6600]: auth: Error:    Empty
dovecot[6600]: auth: Error:   ld 0x556695138d90 response count 0
dovecot[6600]: auth: Error: ldap_chkResponseList ld 0x556695138d90 msgid 6 all 1
dovecot[6600]: auth: Error: ldap_chkResponseList returns ld 0x556695138d90 NULL
dovecot[6600]: auth: Error: read1msg: ld 0x556695138d90 msgid 6 all 1
dovecot[6600]: auth: Error: ldap_find_request_by_msgid: msgid 2, lr 
0x55669522e220 lr->lr_refcnt = 3
dovecot[6600]: auth: Error: read1msg: ld 0x556695138d90 msgid 2 message type 
search-result
dovecot[6600]: auth: Error: read1msg: ld 0x556695138d90 0 new referrals
dovecot[6600]: auth: Error: read1msg:  mark request completed, ld 
0x556695138d90 msgid 2
dovecot[6600]: auth: Error: ldap_return_request: lrx 0x55669522e220, lr 
0x55669522e220
dovecot[6600]: auth: Error: ldap_return_request: lrx->lr_msgid 2, 
lrx->lr_refcnt is now 2, lr is still present
dovecot[6600]: auth: Error: wait4msg ld 0x556695138d90 0 s 99961 us to go
dovecot[6600]: auth: Error: wait4msg continue ld 0x556695138d90 msgid 6 all 1
dovecot[6600]: auth: Error: ** ld 0x556695138d90 Connections:
dovecot[6600]: auth: Error: * host: DomainDnsZones.exmple.zone  port: 0
dovecot[6600]: auth: Error: * from: IP=10.1.88.81:33182
dovecot[6600]: auth: Error:   refcnt: 2  status: Connected
dovecot[6600]: auth: Error:   last used: Wed Jul 10 19:49:20 2024
dovecot[6600]: auth: Error:   rebind in progress
dovecot[6600]: auth: Error:     queue is empty

_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org

AD authentication with dovecot not working.

Reply via email to