Re: [Dovecot] Samba4 and user auth

2013-07-01 Thread Carsten Laun-De Lellis
 

Hi Pavel 

Thanks for your explanations. 

Also in my scenario Samba, Postfix and Dovecot are running on the same
machine. I will try your config and then see if it works. 

But again kind regards and thanks to you and all others who came back to
me with suggestions how to find the right config. 

---

Kind regards

Carsten Laun-De Lellis

Hauptstrasse 13
D-67705 Trippstadt

Phone: +49 6306 992140
Fax: +49 6306 992142
Mobile: +49 151 27530865
email: carsten.delel...@delellis.net

http://www.linkedin.com/in/carstenlaundelellis [1] 

On 2013-07-01 13:05, Pavel Herrmann wrote: 

> Hi
> 
> On Monday 01 July 2013 12:36:39 Carsten Laun-De Lellis wrote:
> 
>> Hi Pavel
>>
>> Thanks for your reply.
>>
>> When you were setting up your ldap query what kind of password crypto
>> did you specify plain ntlm gssapi or anything else? The password field
>> in your query is userPassword or am I wrong here?
> 
> the password field is hidden (only the user can see it) by default, and not 
> stored as a unix-friendly value (anything a crypt() would understand)
> what I use is auth_bind (which uses user-supplied password to bind to the
> LDAP directory).
> 
> what it means is that on every login there are 2 lookups (first one using
> your "service" DN to find the user DN, second one with your user DN to
> check the password)
> 
> that also means that you need a password format that your LDAP can understand 
> (mostly a plaintext password, or NTLM if your mail server is a Samba domain 
> member). As long as you only offer IMAP/SSL I don't think plaintext (as in 
> "auth_mechanisms = plain") is an issue, security-wise.
> 
> as far as the service account (the one that is used to look up users) goes, I 
> am using the default option (setting "dn" and "dnpass" variables), which I 
> think is a simple bind. it is possible that it only works because Samba4 and 
> dovecot run on the same machine.
> 
> Pavel Herrmann

Links:
--
[1] http://www.linkedin.com/in/carstenlaundelellis


Re: [Dovecot] Samba4 and user auth

2013-07-01 Thread Pavel Herrmann
Hi

On Monday 01 July 2013 12:36:39 Carsten Laun-De Lellis wrote:
> Hi Pavel
> 
> Thanks for your reply.
> 
> When you were setting up your ldap query what kind of password crypto
> did you specify plain ntlm gssapi or anything else? The password field
> in your query is userPassword or am I wrong here?

the password field is hidden (only the user can see it) by default, and not 
stored as a unix-friendly value (anything a crypt() would understand)
what I use is auth_bind (which uses user-supplied password to bind to the LDAP 
directory).

what it means is that on every login there are 2 lookups (first one using your 
"service" DN to find the user DN, second one with your user DN to check the 
password)

that also means that you need a password format that your LDAP can understand 
(mostly a plaintext password, or NTLM if your mail server is a Samba domain 
member). As long as you only offer IMAP/SSL I don't think plaintext (as in 
"auth_mechanisms = plain") is an issue, security-wise.

as far as the service account (the one that is used to look up users) goes, I 
am using the default option (setting "dn" and "dnpass" variables), which I 
think is a simple bind. it is possible that it only works because Samba4 and 
dovecot run on the same machine.

Pavel Herrmann

> 
> I will try it again.
> ---
> 
> Kind regards
> 
> Carsten Laun-De Lellis
> 
> Hauptstrasse 13
> D-67705 Trippstadt
> 
> Phone: +49 6306 992140
> Fax: +49 6306 992142
> Mobile: +49 151 27530865
> email: carsten.delel...@delellis.net
> 
> http://www.linkedin.com/in/carstenlaundelellis [1]
> 
> On 2013-07-01 11:24, Pavel Herrmann wrote:
> > Hi
> > 
> > On Friday 28 June 2013 07:17:39 Carsten Laun-De Lellis wrote:
> >> Hi all I am trying to set up an email Server with a Samba4 AD as user
> >> Directory. Does anybody know a good how-to to setup user auth against AD
> >> ? Or could anyone tell me how to do it? I am having an email Server up
> >> and running with openldap but want to change to Samba4 AD, because of
> >> the openchange Integration. I would appreciate any help on this topic.
> > I have an AD/Samba4 auth for dovecot, it works the same as any LDAP would
> > (with authenticated lookups and auth_bind)
> > 
> > I would suggest you try it, and ask if there are any issues.
> > 
> > Pavel Herrmann
> 
> Links:
> --
> [1] http://www.linkedin.com/in/carstenlaundelellis
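
The auth_bind setup described in the message above, written out as a Dovecot 2.x-style configuration sketch. This is an added example, not configuration posted in the thread; the host name, base DN, service account name, file paths, the sAMAccountName filter and the TLS settings are all assumptions.

```conf
# --- /etc/dovecot/dovecot-ldap.conf.ext (path is an assumption) ---
# Assumed placeholders: dc1.example.test, DC=example,DC=test, svc-dovecot.
hosts = dc1.example.test
ldap_version = 3

# Protect both binds with StartTLS and verify the DC certificate, so
# neither dnpass nor the user's password crosses the wire in clear text.
tls = yes
tls_require_cert = demand
tls_ca_cert_file = /etc/ssl/certs/example-ca.pem

# Lookup 1: the service account ("dn"/"dnpass") binds and searches for
# the DN of the user who is logging in.
dn = CN=svc-dovecot,CN=Users,DC=example,DC=test
dnpass = CHANGE-ME
base = DC=example,DC=test
scope = subtree
pass_filter = (&(objectClass=user)(sAMAccountName=%n))

# Lookup 2: Dovecot binds again as the DN it found, using the password
# the client supplied. No password attribute is read from the directory,
# which is why the hidden AD password field does not matter here.
auth_bind = yes
pass_attrs = sAMAccountName=user

# --- conf.d/10-auth.conf and conf.d/10-ssl.conf ---
# PLAIN is the only mechanism that gives Dovecot a password it can
# replay in the second bind; restrict it to TLS-protected sessions.
auth_mechanisms = plain
disable_plaintext_auth = yes
ssl = required

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
```

Because the file holds `dnpass`, keep it readable by root only, and give the service account no rights beyond searching the user subtree.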


Re: [Dovecot] Samba4 and user auth

2013-07-01 Thread Pavel Herrmann
Hi

On Friday 28 June 2013 07:17:39 Carsten Laun-De Lellis wrote:
> Hi all
> 
> I am trying to set up an email Server with a Samba4 AD as user
> Directory.
> 
> Does anybody know a good how-to to setup user auth against AD ? Or could
> anyone tell me how to do it?
> 
> I am having an email Server up and running with openldap but want to
> change to Samba4 AD, because of the openchange Integration.
> 
> I would appreciate any help on this topic.

I have an AD/Samba4 auth for dovecot, it works the same as any LDAP would 
(with authenticated lookups and auth_bind)

I would suggest you try it, and ask if there are any issues.

Pavel Herrmann


[Dovecot] Samba4 and user auth

2013-06-27 Thread Carsten Laun-De Lellis
 

Hi all 

I am trying to set up an email Server with a Samba4 AD as user
Directory. 

Does anybody know a good how-to to setup user auth against AD ? Or could
anyone tell me how to do it? 

I am having an email Server up and running with openldap but want to
change to Samba4 AD, because of the openchange Integration. 

I would appreciate any help on this topic. 
-- 

Kind regards

Carsten Laun-De Lellis

Hauptstrasse 13
D-67705 Trippstadt

Phone: +49 6306 992140
Fax: +49 6306 992142
Mobile: +49 151 27530865
email: carsten.delel...@delellis.net

http://www.linkedin.com/in/carstenlaundelellis [1] 

Links:
--
[1] http://www.linkedin.com/in/carstenlaundelellis