I would check manual binding first with ldap-client:
warning: unknown[10.1.70.75]: SASL LOGIN authentication failed: Connection lost to authentication server
This is not normal and needs to be clarified. Maybe the client rejects the local certificate or the AD server rejects the source for some reason.
On 7/19/24 07:00, hkhk_exact10 via dovecot wrote:
Hi All,
Can anyone help me with this?
Regards,
Sandeep
On Thu, Jul 11, 2024 at 11:34 AM hkhk_exact10 <hkhkex...@gmail.com> wrote:
Hi All,
I am trying to set up AD auth with dovecot and have tried a lot of options
but still no success.
I am using a bind account for AD authentication and the users are not
posix accounts. I am not using the ssl cert as it's not available, so I am
disabling it. I have used similar settings with saslauthd+postfix and
it worked; not sure what I am doing wrong with the configuration.
My configuration is as follows:
# dovecot --version
2.3.16 (7e2e900c1a)
# dovecot -n
# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# OS: Linux 5.14.0-474.el9.x86_64 x86_64 CentOS Stream release 9
# Hostname: mail-centos.example.com
auth_mechanisms = plain login
first_valid_uid = 1000
listen = *
mail_location = maildir:~/Maildir
mbox_write_locks = fcntl
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0666
}
}
service pop3-login {
process_limit = 500
}
service submission-login {
inet_listener submission {
port = 587
}
}
ssl_cert = </etc/ssl/example.com/server.pem
ssl_cipher_list = PROFILE=SYSTEM
ssl_key = # hidden, use -P to show it
userdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
------------------
# cat /etc/dovecot/dovecot-ldap.conf.ext
uris =ldaps://10.1.85.11
dn = CN=s_linux_bind,OU=Global,OU=Services,OU=Accounts,OU=root,DC=example,DC=com
dnpass = xxxxx
auth_bind = yes
tls_require_cert = never
debug_level = 1
ldap_version = 3
base = dc=example,dc=com
scope = subtree
deref = never
user_filter = (&(objectClass=user)(sAMAccountName=%u))
---------------
Error logs:
dovecot[6600]: auth: Error: ** ld 0x556695138d90 Outstanding Requests:
dovecot[6600]: auth: Error: * msgid 2, origid 2, status RequestCompleted
dovecot[6600]: auth: Error: outstanding referrals 2, parent count 2
dovecot[6600]: auth: Error: * msgid 3, origid 2, status InProgress
dovecot[6600]: auth: Error: outstanding referrals 0, parent count 2
dovecot[6600]: auth: Error: * msgid 5, origid 2, status InProgress
dovecot[6600]: auth: Error: outstanding referrals 0, parent count 1
dovecot[6600]: auth: Error: ld 0x556695138d90 request count 3 (abandoned 0)
dovecot[6600]: auth: Error: ** ld 0x556695138d90 Response Queue:
dovecot[6600]: auth: Error: Empty
dovecot[6600]: auth: Error: ld 0x556695138d90 response count 0
dovecot[6600]: auth: Error: ldap_chkResponseList ld 0x556695138d90 msgid -1 all 0
dovecot[6600]: auth: Error: ldap_chkResponseList returns ld 0x556695138d90 NULL
dovecot[6600]: auth: Error: ldap_int_select
postfix/submission/smtpd[6602]: warning: unknown[10.1.70.75]: SASL LOGIN authentication failed: Connection lost to authentication server
postfix/submission/smtpd[6602]: disconnect from unknown[10.1.70.75] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
Attaching the detailed error logs.
---------
saslauthd settings which worked:
# cat /etc/saslauthd.conf
ldap_servers:ldaps://10.1.85.11
ldap_search_base: dc=wtg,dc=zone
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: CN=s_linux_bind,OU=Global,OU=Services,OU=Accounts,OU=root,DC=example,DC=com
ldap_password: xxxx
ldap_tls_reqcert: never
Regards,
Sandeep
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
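The manual bind check suggested in the reply, as an added example that is not part of the thread: a POSIX shell script that reads the same dovecot-ldap.conf.ext keys shown above and repeats Dovecot's service-account bind and user lookup with ldapsearch, then the per-user bind that auth_bind = yes implies with ldapwhoami. It assumes the OpenLDAP client tools are installed; the function names (conf_get, expand_filter, scope_flag, tls_reqcert, check_bind) are chosen here, not Dovecot's.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce Dovecot's service-account bind
# and user lookup with the OpenLDAP tools, reading dovecot-ldap.conf.ext itself.

# Print the value of one "key = value" line from the config file.
conf_get() {  # conf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}
# Replace Dovecot's %u variable with the login name under test (a plain
# sAMAccountName; sed metacharacters in the name are not escaped).
expand_filter() {  # expand_filter FILTER USER
    printf '%s' "$1" | sed "s/%u/$2/g"
}
# Dovecot's scope keywords differ from ldapsearch -s (base/one/sub).
scope_flag() {  # scope_flag DOVECOT_SCOPE
    case "$1" in
        base) echo base ;;
        onelevel) echo one ;;
        subtree|'') echo sub ;;  # subtree is Dovecot's default
        *) echo "unknown scope: $1" >&2; return 1 ;;
    esac
}
# tls_require_cert uses the same keywords as OpenLDAP's LDAPTLS_REQCERT.
tls_reqcert() {  # tls_reqcert VALUE
    case "$1" in
        never|allow|try|demand|hard) echo "$1" ;;
        *) echo demand ;;  # OpenLDAP's own default
    esac
}

# Bind as the service account and search for the user, printing the entry DN
# and whatever else comes back (referrals included). If a password is given,
# then bind as that DN: with auth_bind = yes that second bind is how Dovecot
# checks the user's password. deref = never is ldapsearch's default anyway.
check_bind() {  # check_bind CONF USER [PASSWORD]
    conf=$1; uri=$(conf_get "$conf" uris)
    filter=$(expand_filter "$(conf_get "$conf" user_filter)" "$2")
    LDAPTLS_REQCERT=$(tls_reqcert "$(conf_get "$conf" tls_require_cert)")
    export LDAPTLS_REQCERT
    out=$(ldapsearch -LLL -x -o ldif-wrap=no -H "$uri" \
        -D "$(conf_get "$conf" dn)" -w "$(conf_get "$conf" dnpass)" \
        -b "$(conf_get "$conf" base)" \
        -s "$(scope_flag "$(conf_get "$conf" scope)")" "$filter" dn) || return 1
    printf '%s\n' "$out"
    userdn=$(printf '%s\n' "$out" | sed -n 's/^dn: //p' | head -n 1)
    if [ -n "$3" ] && [ -n "$userdn" ]; then
        ldapwhoami -x -H "$uri" -D "$userdn" -w "$3"
    fi
}

if [ "$#" -ge 2 ]; then check_bind "$@"; fi
```

Run it as `sh check_bind.sh /etc/dovecot/dovecot-ldap.conf.ext someuser [password]`; repeating the run against a copy of the file with tls_require_cert = demand separates a certificate-validation failure from a bind or filter problem.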