If I had time I would be all over this - but IMHO the main problem is that
Dovecot != Exchange.  Even in small environments - unless I'm out of date,
there's no calendar, tasks or contact lists within Dovecot.

Your next best bet is to use something like Horde that would allow you to
auth via ActiveSync (on Outlook 2013 clients) and manage everything else
that the users will want, with Dovecot as the mail backend.
Though I believe there could be licensing issues if you're looking to do it
for free.  I think, by license, you still need CALs for each ActiveSync
client (if you're in the US).

Auth-Wise it'd be a whole different animal.  I'm not sure if there's
anything pre-packaged NTLM + Horde - though Apache/PHP/Linux with Samba
would accept the username via GSSAPI and I suppose you could pass that to
HordeAuth.

I hate Exchange - I have a nagging 45 second delay on OWA logins ever since
I had to setup multiple NICs to get Outlook to stop complaining about
certs, and today while trying to fix that issue, AD decided to stop
replicating one of my trusted domains (and began rejecting auths for linked
mailboxes from that domain) and in short I really just hate that
environment with every fiber of my being and would love to see a decent
free Exchange replacement on *nix.

Rick

Quoting Mark Foley <mfo...@ohprs.org>:

More experimentation ...

I tried removing userdb and passdb from the dovecot NTLM config. That
didn't work. I then tried adding a static userdb as follows:

userdb {
  driver = static
  #  allow_all_users = yes
  args = gid=100 home=/home/HPRS/%n
}

(Interestingly, when I uncommented "allow_all_users" I got an "unsupported
setting" [or something like that], even though that was in there from the
beginning and is shown in the example wiki
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm)

Anyway, in both tests my error messages were the same:

Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 08 18:38:16 auth: Debug: auth client connected (pid=8758)
Sep 08 18:38:16 auth: Debug: client in: AUTH    1    NTLM    service=imap    session=vPWqBUQfeADAqAA6    lip=192.168.0.2    rip=192.168.0.58    lport=143    rport=56184
Sep 08 18:38:16 auth: Debug: client passdb out: CONT    1
Sep 08 18:38:16 auth: Info: ntlm(?,192.168.0.58,<vPWqBUQfeADAqAA6>): user not authenticated: NT_STATUS_LOGON_FAILURE
Sep 08 18:38:18 auth: Debug: client passdb out: FAIL    1

Notice that my userid (mark or mark@ohprs) is nowhere to be found. Whereas when
I specified the userdb passwd at least it had a user id in the error log.  From
my previous test with userdb passwd and passdb shadow:

Sep 05 16:45:19 auth: Debug: client passdb out: OK    1    user=mark@hprs    original_user=mark@HPRS
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND    998899713

The "Info: ntlm" log entry has ntlm(?,192.168.0.58,<vPWqBUQfeADAqAA6>), whereas
the previous test "Info shadow" log entry has Info: shadow(mark@hprs,192.168.0.58).

Of course I have no passdb specified which is right for NTLM ... or is it?

I feel like this should be obvious to someone familiar with Dovecot. Once again,
it's difficult for me to believe no one on planet Earth (who also happens to
subscribe to this list) had ever done Dovecot/ntlm from Outlook before.

Help!!! If I can't get this last bit sorted out I'll be forced back to Server
2012 and Exchange.

Thanks, --Mark

-----Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Mon, 07 Sep 2015 21:28:23 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"

Comments interspersed with yours ...

--Mark

-----Original Message-----
Date: Sun, 06 Sep 2015 20:00:11 -0500
From: Rick Romero <r...@havokmon.com>
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"

Hmm.  I would expect to see 'm...@hprs.com'.  Whatever your full domain
name is.

Full user@domain would be mark@hprs.local

It also won't look up /etc/shadow - Samba is doing the AD->Unix UID
mapping.  Your AD users shouldn't be in there when all is said and
done.

I was thinking this too.  I don't know why NTLM would need a userdb at all.  It
should just use something like ntlm_auth (which is configured in
auth_winbind_helper).

What if I simply removed the userdb?  What would you recommend for
userdb, passdb?

Well, when I did a Samba4 install as a DC it still behaved like a Samba3
member, and there were no AD users in the local unix passwd files.

What does wbinfo -u provide?  It should list all your users - especially
because it's a DC.  Whatever wbinfo -u shows, you may need to adjust
another config file to match what Dovecot is receiving.

$ wbinfo -u

Administrator
Guest
krbtgt
dns-mail
mark
sogo
**arr
**ress
**mith
**nee
**ris
**atterson
**armaine
**tkeson
**mmitoh

These are all the AD users (most obfuscated for a bit of security). I am testing
with user mark.

I assume /etc/nsswitch.conf has been modified to use Samba?

Unless the Samba provision did something to nsswitch, I've done nothing; nor
have I seen anything in the Samba or dovecot wikis suggesting changes.  Remember
also that the Samba4 AD/DC works perfectly with redirected folders and users
logging on to any Windows workstations, and works perfectly with things wanting
"Windows Authentication" like SQLserver, so the "Windows Authentication" does
work at some level.  My /etc/nsswitch.conf is:

passwd:         compat
group:          compat

hosts:          files dns
networks:       files

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
bootparams:     files

automount:      files
aliases:        files

Sorry I haven't done this, but it doesn't seem like anyone else has either
- so I'm just shooting in the dark here trying to get you steered in the
right direction...

Rick

Yeah, I can't seem to find a soul on the planet who has actually done this. If I
get it figured out I'll post with a suggestion to Timo to wiki-ize it.

I'm a bit puzzled that no one appears to have done this. I would think that a
Samba4 AD/DC in an office environment with lots of Windows workstations running
Outlook would be about the most common environment there is; especially now that
Small Business Server is no longer sold and Server Essentials does not support
Exchange. What are all the SBS/Exchange/Outlook small businesses doing? Limping
along with SBS2008/11, or putting their email in Outlook.com? Seems like the
Samba4/dovecot/Outlook combo would be an ideal migration.

I appreciate your help.
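The two prerequisites Rick keeps pointing at in this exchange (winbind listed in /etc/nsswitch.conf so that Samba rather than /etc/passwd supplies the AD accounts, and sane permissions on the ntlm_auth helper) can be checked with a short script. The script below is an added example, not code from the thread, from Dovecot or from Samba; its nsswitch sample is constructed (it copies the posted passwd:/group: lines), /usr/bin/ntlm_auth is the path Mark posted, and the function names are my own.

```shell
#!/bin/sh
# Added example: checks for two prerequisites discussed in the thread.
# Not from the thread, Dovecot or Samba; the sample nsswitch.conf content
# below is constructed.

# nsswitch_uses_winbind FILE
# Returns 0 when both the passwd: and group: lines of FILE list winbind as
# a source (what Samba needs so AD users resolve to Unix accounts);
# otherwise prints which service lacks it and returns 1.
nsswitch_uses_winbind() {
    file=$1
    rc=0
    for svc in passwd group; do
        if ! grep -E "^[[:space:]]*${svc}:.*[[:space:]]winbind([[:space:]]|$)" \
                "$file" >/dev/null; then
            echo "nsswitch: '$svc:' does not list winbind"
            rc=1
        fi
    done
    return $rc
}

# check_ntlm_auth PATH
# Returns 0 when PATH exists, is executable by the calling user and is not
# world-writable. The helper is executed by Dovecot's auth process, so a
# world-writable helper lets any local user replace what that process runs.
# Run this as the Dovecot auth user to get a meaningful answer from -x.
check_ntlm_auth() {
    helper=$1
    if [ ! -x "$helper" ]; then
        echo "$helper: missing or not executable by $(id -un)"
        return 1
    fi
    # ls -l mode string, e.g. -rwxr-xr-x; character 9 is the 'others' write bit.
    mode=$(ls -ld "$helper" | cut -c1-10)
    case $mode in
        ????????w?)
            echo "$helper: world-writable ($mode); fix with: chmod o-w $helper"
            return 1 ;;
    esac
    return 0
}

# nss_resolves USER
# Returns 0 when the C library (via nsswitch) can resolve USER, which is the
# lookup that 'userdb { driver = passwd }' ultimately performs.
nss_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# --- demonstration on constructed data ----------------------------------
sample=$(mktemp)
cat >"$sample" <<'EOF'
passwd:         compat
group:          compat
hosts:          files dns
EOF
echo "checking constructed nsswitch.conf (same passwd/group lines as the posted one):"
nsswitch_uses_winbind "$sample" \
    || echo "  -> append winbind: 'passwd: compat winbind' and 'group: compat winbind'"
rm -f "$sample"

echo "checking helper /usr/bin/ntlm_auth (path from the posted config):"
check_ntlm_auth /usr/bin/ntlm_auth && echo "  -> permissions look sane" || echo "  -> see message above"
echo "checking whether 'mark' resolves through nsswitch on this host:"
nss_resolves mark && echo "  -> resolves" || echo "  -> not resolvable here"
```

Beyond the file mode, ntlm_auth in helper mode also needs to reach winbindd's privileged pipe directory (named winbindd_privileged; its location and the group that owns it are distribution-specific), so the Dovecot auth user normally has to be a member of that group. That group membership, not the mode bits on the binary, is the "permissions" problem Rick recalls from RADIUS setups, and the check above cannot see it.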

Quoting Mark Foley <mfo...@ohprs.org>:

More info ...

My dovecot error log shows:

Sep 05 16:45:19 auth: Debug: client in: AUTH    1    NTLM    service=imap
Sep 05 16:45:19 auth: Debug: client passdb out: OK    1    user=mark@hprs    original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST    998899713    10219    1    f56352c207cb8f6dea4d264b2c0f8dc1    session_pid=10220    request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND    998899713

whereas the successful 'plain login' config'ed mechanism (before adding NTLM
config) has:

Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): lookup

The failed ntlm look-up is looking up user mark@hprs in shadow, which it doesn't
find. Is there a way to strip the "@hprs" bit from the user so it can find the
correct entry in /etc/shadow? That might fix the problem.

--Mark
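Mark's question about stripping the "@hprs" part is what Dovecot's auth_username_format setting controls: the 2.x default of %Lu lowercases the whole name (which is why the log shows user=mark@hprs for original_user=mark@HPRS), while %Ln keeps only the part before the @. The script below is an added example, not code from the thread or from Dovecot: it re-implements just that subset of Dovecot's variable expansion and runs the result against a constructed passwd-format file to reproduce the NOTFOUND in the posted log. The function names, the passwd sample and the temporary file path are all assumptions.

```shell
#!/bin/sh
# Added example: emulate the subset of Dovecot's %-variable expansion that
# auth_username_format uses, then show which key reaches a passwd-style
# userdb. Not from the thread or from Dovecot; the passwd file is constructed.

# dovecot_expand FORMAT USER
# Supports %u (full name), %n (part before @), %d (part after @) and the
# L modifier that lowercases (%Lu, %Ln, %Ld). Dovecot has more variables and
# modifiers; this covers only what the username-format question needs.
# Names containing '|', '&' or '\' are not handled by the sed substitution.
dovecot_expand() {
    fmt=$1
    user=$2
    case $user in
        *@*) name=${user%%@*}; domain=${user#*@} ;;
        *)   name=$user;       domain= ;;
    esac
    lfull=$(printf '%s' "$user"   | tr 'A-Z' 'a-z')
    lname=$(printf '%s' "$name"   | tr 'A-Z' 'a-z')
    ldom=$(printf '%s'  "$domain" | tr 'A-Z' 'a-z')
    printf '%s\n' "$fmt" | sed \
        -e "s|%Lu|$lfull|g" -e "s|%Ln|$lname|g" -e "s|%Ld|$ldom|g" \
        -e "s|%u|$user|g"   -e "s|%n|$name|g"   -e "s|%d|$domain|g"
}

# userdb_passwd_lookup KEY PASSWD_FILE
# Mimics 'userdb { driver = passwd }' against a passwd-format file: the key
# must equal a login name exactly, so "mark@hprs" is NOTFOUND while "mark"
# is found. Returns 0 when found, 1 otherwise.
userdb_passwd_lookup() {
    key=$1
    passwd_file=$2
    awk -F: -v k="$key" '$1 == k { found = 1 } END { exit !found }' "$passwd_file"
}

# trace_lookup FORMAT USER PASSWD_FILE
# Prints one line in the spirit of the auth debug log: the incoming name,
# the key after auth_username_format, and the userdb result.
trace_lookup() {
    key=$(dovecot_expand "$1" "$2")
    if userdb_passwd_lookup "$key" "$3"; then
        echo "auth_username_format=$1: $2 -> $key -> userdb out: FOUND"
    else
        echo "auth_username_format=$1: $2 -> $key -> userdb out: NOTFOUND"
    fi
}

# --- demonstration on constructed data ----------------------------------
pw=$(mktemp)
printf 'mark:x:1000:100:Mark:/home/mark:/bin/sh\n' >"$pw"   # constructed entry
trace_lookup '%Lu' 'mark@HPRS' "$pw"   # the default: same NOTFOUND as the log
trace_lookup '%Ln' 'mark@HPRS' "$pw"   # domain stripped: FOUND
rm -f "$pw"
```

Two caveats a defender would want alongside this. First, %Ln folds every domain onto one local namespace, so it is only appropriate when a single AD domain maps onto the local accounts, as here; Rick's alternative of letting winbind supply the accounts through nsswitch keeps the domain in the name. Second, the posted doveconf -n has auth_debug_passwords = yes and auth_verbose_passwords = plain, which log attempted passwords in cleartext to /var/log/dovecot_info; those settings belong only in a short debugging window.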

-----Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Sat, 05 Sep 2015 17:12:50 -0400
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"

Rick et al,

The link you gave was a start, but is targeted for Samba3 and is assuming a
probably Windows [SBS]Server AD/DC separate from the DC hosting dovecot, and
includes setting up kerberos.

I'm using a Samba4 AD/DC with integrated kerberos (so I don't think there is any
setup I can do there).  Nevertheless I've followed the instructions otherwise;
specifically adding to 10-auth.conf the following recommended lines:

auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth
mechanisms = plain ntlm login

(Before, my 'mechanisms' were only plain and login). /usr/bin/ntlm_auth has
global r/w privilege.

I did not specify the static userdb since these users are configured in
/etc/passwd and I thought that would work; example given in link (could that be
an issue?):

userdb static {
  args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln
  mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln
  allow_all_users=yes
}

This didn't work. Also, existing, working Outlook connections using 'logon'
(i.e. the userID and PW are configured in Outlook) stopped working.

I changed a test Outlook client to check the 'Request login using Secure
Password Authentication (SPA)' and also checked: More Settings > Outgoing Server
'My outgoing server (SMTP) requires authentication' and 'Use same settings as
my incoming mail server'.  Note that on the "Change Account" dialog (where the
SPA checkbox is) the 'User Name' and 'Password' retained their values and were
not grayed out as I would have expected if using AD authentication.

After doing the above and clicking 'Test Account Settings' I was re-prompted to
enter a password - also not expected. At bottom are the Dovecot log messages I
received after doing the 'Test Account Settings'.

Surely, connecting from an Outlook client to Dovecot on a Samba4 AD/DC should be
a very common implementation. Has someone done this successfully?

Immediately below is my doveconf -n and below that the dovecot log messages.

doveconf -n

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
verbose_ssl = yes

dovecot log after doing 'Test Account Settings' in Outlook:

Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 auth: Debug: auth client connected (pid=10219)
Sep 05 16:45:19 auth: Debug: client in: AUTH    1    NTLM    service=imap    session=HXssGAYf0ADAqAA6    lip=192.168.0.2    rip=192.168.0.58    lport=143    rport=52944
Sep 05 16:45:19 auth: Debug: client passdb out: CONT    1
Sep 05 16:45:19 auth: Debug: client passdb out: OK    1    user=mark@hprs    original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST    998899713    10219    1    f56352c207cb8f6dea4d264b2c0f8dc1    session_pid=10220    request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND    998899713
Sep 05 16:45:19 imap-login: Info: Internal login failure (pid=10219 id=1) (internal failure, 1 successful auths): user=<mark@hprs>, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=<HXssGAYf0ADAqAA6>
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Sep 05 16:46:22 auth: Debug: auth client connected (pid=13487)
Sep 05 16:46:22 auth: Debug: client in: AUTH    1    NTLM    service=imap    session=IlvqGwYf0wDAqAA6    lip=192.168.0.2    rip=192.168.0.58    lport=143    rport=52947
Sep 05 16:46:22 auth: Debug: client passdb out: OK    1    user=mark@hprs    original_user=mark@HPRS
Sep 05 16:46:22 auth: Debug: master in: REQUEST    3030384641    13487    1    bac5f6531f9d4c3316f93bd4c4a63ddd    session_pid=13491    request_auth_token
Sep 05 16:46:22 auth-worker(13492): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth-worker(13492): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:46:22 auth-worker(13492): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:46:22 auth: Debug: master userdb out: NOTFOUND    3030384641
Sep 05 16:46:22 imap-login: Info: Internal login failure (pid=13487 id=1) (internal failure, 1 successful auths): user=<mark@hprs>, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=13491, session=<IlvqGwYf0wDAqAA6>

Thanks --Mark

-----Original Message-----
Date: Thu, 03 Sep 2015 06:53:19 -0500
From: Rick Romero <r...@havokmon.com>
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"

  Hi Mark,

I haven't done it, but I've played with the scenario enough to have an idea.

What you want to do is have Outlook auth via NTLM to Dovecot. 

First that means having the machine be a domain member (usually via Samba)
in order to properly process the NTLM/Kerberos handshake - which it appears you
have.
Second that means having Dovecot know how to accept NTLM authentication
(SPA) to pass to the Samba backend.

A 'Dovecot NTLM' search led me here:
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm

What's not on the page that I'd expect to see are the compile-time
requirements for including samba/kerberos libs within Dovecot.  If it
doesn't 'just work' with the config changes in the wiki, you may need to
recompile with the right features.

Also - check the permissions of the ntlm_auth program. That's caused many
issues with Radius installs, IIRC.

Hope that helps!

Rick

Quoting Mark Foley <mfo...@ohprs.org>:

This can't be that hard. I think I've enabled LDAP in Dovecot just by including
dovecot-ldap.conf.ext in 10-auth.conf and using the default settings. I now have
the configuration shown below. Two questions:

1. How do I set Outlook to authenticate with LDAP? Currently the Outlook
accounts still have the ID and password set in "Logon Information". Checking
"Require logon using Secure Password Authentication (SPA)" doesn't work. All I
can seem to find on the Internet is how to configure address books using LDAP.

2. Should I remove "passdb { driver = shadow }" from the dovecot configuration?

Anybody?

$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
verbose_ssl = yes

-----Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Wed, 02 Sep 2015 13:31:35 -0400
To: dovecot@dovecot.org
Subject: How to "Windows Authenticate"

I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on
Windows workstations for over 6 months with no problems.  Dovecot is hosted on
the office Samba4 AD/DC server.

I have been using auth_mechanisms plain login, and passdb driver = shadow.

What I'd like to do now is use the "Windows Authenticated" login so I don't have
to have separate passwords for users logging into the Windows AD workstations
and their Outlook clients.

If anyone has actually done this I'd appreciate some tips. My various attempts
have not been successful.

Here is my current config:

$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
verbose_ssl = yes

Thanks, Mark Foley
