Hi Mark,
Just to let you know that we are running dovecot with AD. (and I guess:
*many* people are running that combination)
It worked without issues, we are using in dovecot-ldap.conf.ext:
> auth_bind = yes
this user/passwd filter:
= (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
> dn = cn=search_dovecit,cn=users,dc=company,dc=com
> dnpass = top_secret
And not the 3268 port, but regular 389.
Hope that helps.
MJ
On 12/04/2017 01:38 AM, Mark Foley wrote:
Unfortunately, I tried for weeks to figure out passdb ldap without success. I
guess I'm just
not knowledgeable enough about how to use ldap and Active Directory. The
dovecot wiki
https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says
is:
Active Directory
When connecting to AD, you may need to use port 3268. Then again, not all LDAP
fields are
available in port 3268. Use whatever works.
http://technet.microsoft.com/en-us/library/cc978012.aspx
I have not been able to find an example of someone using Dovecot and ldap with
AD.
However, I have had some success with CheckPassword
(https://wiki2.dovecot.org/AuthDatabase/CheckPassword). Using a program I
wrote to do
ntlm_auth, I am able to authenticate the smartPhone user and pass the required
parameters back
to Dovecot. My auth-checkpasswd.conf.ext is the as-shipped standard except
pointing to my
checkpassword executable.
passdb {
driver = checkpassword
args = /user/util/bin/checkpassword
}
userdb {
driver = prefetch
}
The one issue I have with this at the moment is that dovecot runs checkpassword
for every user,
smartphone or otherwise:
Dec 03 18:56:32 auth-worker(14903): Info:
shadow(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): unknown user - trying the
next passdb
Dec 03 18:56:32 auth: Debug:
checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): execute:
/user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Dec 03 18:56:32 auth: Debug:
checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Received input:
Dec 03 18:56:32 auth: Debug:
checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): exit_status=1
Dec 03 18:56:32 auth: Debug:
checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Credentials:
Dec 03 18:56:32 auth: Debug: client passdb out: OK 1 user=charmaine
original_user=charmaine@HPRS.LOCAL
Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001 14902 1
586863e54c57c999ee5731906a59257c session_pid=14907 request_auth_token
Dec 03 18:56:32 auth-worker(14903): Debug:
passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): lookup
Dec 03 18:56:32 auth-worker(14903): Debug:
passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): username changed charmaine
-> HPRS\charmaine
Dec 03 18:56:32 auth: Debug: master userdb out: USER 1884160001
HPRS\charmaine system_groups_user=HPRS\charmaineuid=10003 gid=10000
home=/home/HPRS/charmaine
auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7
auth_user=charmaine@HPRS.LOCAL
Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>, method=GSSAPI,
rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=<oy/YWXhfAtXAqAA0>
Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)
Notice after the "shadow" auth fails it says, "unknown user - trying the next
passdb", which is
checkpassword (which apparently succeeds), then it goes on to gssapi which also
succeeds. Is
there a way to only have it do checkpassword if all shadow and gssapi fail? My
mechanisms are:
auth_mechanisms = plain login gssapi
THX, --Mark
--Mark
-----Original Message-----
Date: Sun, 03 Dec 2017 22:28:53 +0200
Subject: Re: Howto authenticate smartPhone via Active Directory
From: Aki Tuomi <aki.tu...@dovecot.fi>
To: Mark Foley <mfo...@ohprs.org>, dovecot@dovecot.org
with passdb ldap i guess.
---Aki Tuomi
Dovecot oy
-------- Original message --------
From: Mark Foley <mfo...@ohprs.org>
Date: 03/12/2017 21:18 (GMT+02:00)
To: dovecot@dovecot.org
Subject: Re: Howto authenticate smartPhone via Active Directory
Yes, you are right. This link:
https://www.redips.net/linux/android-email-postfix-auth/#section2
shows:
passdb pam {
}
used for authenticating Android. Problem #1 is that Slackware does not ship
with PAM and the
AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but
I'm not sure I
should try configuring PAM on the AD/DC.
Is there some otherway I can get authentication using domain credentials
besides pam? the phone
can send user and password.
--Mark
-----Original Message-----
Date: Sun, 03 Dec 2017 15:22:56 +0200
Subject: Re: Howto authenticate smartPhone via Active Directory
From: Aki Tuomi <aki.tu...@dovecot.fi>
To: Mark Foley <mfo...@ohprs.org>, dovecot@dovecot.org
Actually you are authenticating gssapi clients from ad and everyone else from
shadow. maybe you need to configure pam module?
---Aki TuomiDovecot oy
-------- Original message --------
From: Mark Foley <mfo...@ohprs.org>
Date: 03/12/2017 06:03 (GMT+02:00)
To: dovecot@dovecot.org
Subject: Howto authenticate smartPhone via Active Directory
I have a Samba4 Active Directory server. Dovecot authenticates AD Users with
domain credentials
using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt
authentication via
shadow first and. failing that, it does authenticate via GSSAPI.
Smartphones connect to Dovecot via port 143 and SSL. They are not domain
members so if the
shadow authentication fails, no other methods are tried and no connection is
made.
What can I do with my dovecot config to fix this?
doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
verbose_ssl = yes
Thanks, Mark
