Hi Mark,
I haven't done it, but I've played with the scenario enough to have an
idea.
What you want to do is have Outlook auth via NTLM to Dovecot.
First that means having the machine be a domain member (usually via Samba)
in order to properly process NTLM/Kerberos handshake - which it appears you
have.
Second that means having Dovecot know how to accept NTLM authentication
(SPA) to pass to the Samba backend.
A 'Dovecot NTLM' search led me here:
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
What's not on the page that I'd expect to see, are the compile-time
requirements for inclucing samba/kerberos libs within Dovecot. If it
doesn't 'just work' with the config changes in the wiki, you may need to
recompile with the right features.
Also - check the permissions of the ntlm_auth program. That's caused many
issues with Radius installs, IIRC.
Hope that helps!
Rick
Quoting Mark Foley <mfo...@ohprs.org>:
This can't be that hard. I think I've enabled LDAP in Dovecot just by
including
dovecot-ldap.conf.ext in 10-auth.conf and using the default settings. I
now have
the configuration shown below. Two questions:
1. How do I set Outlook to authenticate with LDAP? Currently the Outlook
accounts still have the ID and password set in "Logon Information".
Checking
"Require logon using Secure Password Authentication (SPA)" doesn't work.
All I
can seem to find on the Internet is how to configure address books using
LDAP.
2. Should I remove "passdb { drive = shadow } from the dovecot
configuration?
Anybody?
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
userdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
verbose_ssl = yes
-----Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Wed, 02 Sep 2015 13:31:35 -0400
To: dovecot@dovecot.org
Subject: How to "Windows Authenticate"
I've been using Dovecot 2.2.15 as the IMAP server for Outlook
(2010/2013) on
Windows workstations for over 6 months with no problems. Dovecot is
hosted on
the office Samba4 AC/DC server.
I have been using auth_mechanisms plain login, and passdb driver =
shadow.
What I'd like to do now is use the "Windows Authenticated" login so I
don't have
to have separate passwords for users logging into the Windows AD
workstations
and their Outlook clients.
If anyone has actually done this I'd appreciate some tips. My various
attempts
have not been successful.
Here is my current config:
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
verbose_ssl = yes
Thanks, Mark Foley
From dovecot-boun...@dovecot.org Wed Sep 2 13:32:13 2015
Return-Path: <dovecot-boun...@dovecot.org>
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.98.6 at mail
X-Spam-Checker-Version: SpamAssassin 3.3.2-_revision__1.14__
(2011-06-06) on
mail.hprs.local
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=3.0 tests=none
autolearn=unavailable
version=3.3.2-_revision__1.14__
X-Original-To: dovecot@dovecot.org
Delivered-To: dovecot@dovecot.org
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.98.6 at mail
From: Mark Foley <mfo...@ohprs.org>
Date: Wed, 02 Sep 2015 13:31:35 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: How to "Windows Authenticate"
User-Agent: Heirloom mailx 12.5 7/5/10
Content-Type: text/plain; charset=us-ascii
X-BeenThere: dovecot@dovecot.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Dovecot Mailing List <dovecot.dovecot.org>
List-Unsubscribe: <http://dovecot.org/cgi-bin/mailman/options/dovecot>,
<mailto:dovecot-requ...@dovecot.org?subject=unsubscribe>
List-Archive: <http://dovecot.org/pipermail/dovecot/>
List-Post: <mailto:dovecot@dovecot.org>
List-Help: <mailto:dovecot-requ...@dovecot.org?subject=help>
List-Subscribe: <http://dovecot.org/cgi-bin/mailman/listinfo/dovecot>,
<mailto:dovecot-requ...@dovecot.org?subject=subscribe>
Errors-To: dovecot-boun...@dovecot.org
Sender: "dovecot" <dovecot-boun...@dovecot.org>
Status: R
I've been using Dovecot 2.2.15 as the IMAP server for Outlook
(2010/2013) on
Windows workstations for over 6 months with no problems. Dovecot is
hosted on
the office Samba4 AC/DC server.
I have been using auth_mechanisms plain login, and passdb driver =
shadow.
What I'd like to do now is use the "Windows Authenticated" login so I
don't have
to have separate passwords for users logging into the Windows AD
workstations
and their Outlook clients.
If anyone has actually done this I'd appreciate some tips. My various
attempts
have not been successful.
Here is my current config:
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
verbose_ssl = yes
Thanks, Mark Foley
