[Samba] Samba4 AD delegation to read userPassword attribute

Hello Samba group,

I ran into a problem concerning Dovecot LDAP authentication to the Samba4 Active Directory.

Background: I want to install an Openchange+Samba4 environment using Sogo, Dovecot and Postfix. I didn't want to use openldap as described in the Openchange documentation, why should I use 2 LDAP databases?

Fedora 17, latest updates applied
Samba: Version 4.1.0pre1-GIT-813bd03
dovecot-2.1.10-4.fc17.i686

At first I tried to use the auth_bind method of Dovecot, but very soon I realized (via tcpdump) that you first have to authenticate to Samba4:

...
searchResDone
    resultCode: operationsError (1)
    matchedDN: Operation unavailable without authentication
...

I defined the properties in dovecot-ldap.conf like this:
---
uris = ldaps://192.168.0.1:636
dn = cn=ldap,ou=USER,dc=example,dc=de
dnpass = somepassword
base = dc=example,dc=de
scope = subtree
deref = never
user_attrs = sAMAccountName=uid,primaryGroupID=gid
user_filter = (sAMAccountName=%u)
pass_attrs = mail=user,userPassword=password
pass_filter = (sAMAccountName=%u)
---

So trying to authenticate to Dovecot with a telnet connection

telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
1 login someuser somepassword

results in the error message

result: mail=someu...@example.de; userPassword missing

A tcpdump shows the following searchRequest:
---
Lightweight Directory Access Protocol
    LDAPMessage searchRequest(2) dc=example,dc=de wholeSubtree
        ...
        Filter: (sAMAccountName=someuser)
            filter: equalityMatch (3)
                equalityMatch
                    attributeDesc: sAMAccountName
                    assertionValue: someuser
        attributes: 2 items
            AttributeDescription: mail
            AttributeDescription: userPassword
---

As a result I get:
---
Lightweight Directory Access Protocol
    LDAPMessage searchResEntry(2) CN=someuser, OU=USER,DC=example,DC=de [1 result]
        ...
        searchResEntry
            objectName: CN=someuser, OU=USER,DC=example,DC=de
            attributes: 1 item
                PartialAttributeList item mail
                    type: mail
                    vals: 1 item
                        AttributeValue: someu...@exchange.de
---

So unfortunately the userPassword attribute is missing. Now, I remembered the Control Delegation Wizard from Microsoft AD where you have to delegate permission to read all user properties to a user account in order to be able to authenticate i.e. pam_ldap users on a linux server. I delegated the appropriate permissions to the ldap user used in dovecot-ldap.conf above, but the behaviour did not change, the userPassword attribute won't be delivered to the ldap user.

Is anybody out there who ran into the same problem?

Best regards,
Christian

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

Re: [Samba] Samba4 AD delegation to read userPassword attribute

Running the environment you described (beside openchange). I guess you need acl:read=false in your smb.conf.

achim~

On 14.01.2013 23:29, Christian Hailer wrote:
> [...]
[Samba] Samba4 AD delegation to read userPassword attribute

Original message
Subject: Re: [Samba] Samba4 AD delegation to read userPassword attribute
From: Christian Hailer chri...@amusing.de
To: Achim Gottinger ac...@ag-web.biz
Cc:

Hi Achim,

thank you for this information! Unfortunately it doesn't work in my environment, the userPassword attribute still can't be read by the ldap user... I tried to bind with the domain administrator account, it doesn't work there either. Would it be possible for you to post your dovecot.conf, dovecot-ldap.conf and smb.conf files? Maybe I made a mistake somewhere...

Thanks in advance,
Christian

Achim Gottinger ac...@ag-web.biz wrote:
> Running the environment you described (beside openchange). I guess you need acl:read=false in your smb.conf.
>
> achim~
>
> On 14.01.2013 23:29, Christian Hailer wrote:
> > [...]
Re: [Samba] Samba4 AD delegation to read userPassword attribute

On 15.01.2013 20:02, Christian Hailer wrote:
> Hi Achim,
>
> thank you for this information! Unfortunately it doesn't work in my environment, the userPassword attribute still can't be read by the ldap user... I tried to bind with the domain administrator account, it doesn't work there either. Would it be possible for you to post your dovecot.conf, dovecot-ldap.conf and smb.conf files? Maybe I made a mistake somewhere...

I use different configs for passdb and userdb for Dovecot. Dovecot stores all mails as user vmail.vmail (999:999) in /var/lib/vmail/[username]/mail here, so you might have to modify the user_attrs mappings. With these separate configs for userdb and passdb, auth_bind works for passdb and pass_attrs are not necessary.

dovecot-ldap.conf
---
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
}
---

dovecot-ldap-passdb.conf.ext
---
hosts = localhost
# Verify the password by binding to AD as the user instead of reading a
# password attribute, which the directory will not hand out.
auth_bind = yes
auth_bind_userdn = cn=%u,cn=Users,dc=example,dc=de
ldap_version = 3
base = cn=Users,dc=example,dc=de
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
---

dovecot-ldap-userdb.conf.ext
---
hosts = localhost
# Read-only lookup account used only for the userdb search
dn = cn=ldap,cn=Users,dc=example,dc=de
dnpass = password
ldap_version = 3
base = cn=Users,dc=example,dc=de
# Static uid/gid/home/mail values (the "=name=value" form), no AD attributes needed
user_attrs = =uid=999,=gid=999,=home=/var/lib/vmail/%u,=mail=/var/lib/vmail/%u/mail
user_filter = (&(objectClass=person)(cn=%u)(mail=*))
# Attributes and filter to get a list of all users
iterate_attrs = cn=user
iterate_filter = (objectClass=person)
---
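The passdb config above expands %u into both a bind DN and a search filter, which are two different escaping contexts. As an added example (not code from the thread or from Dovecot, which does its own expansion internally), this renders the thread's auth_bind_userdn and pass_filter templates the way a hand-written check against the same Samba4 AD must, escaping the username per RFC 4514 for the DN and RFC 4515 for the filter; the usernames are constructed samples.

```python
# Templates copied from dovecot-ldap-passdb.conf.ext in the thread
AUTH_BIND_USERDN = "cn=%u,cn=Users,dc=example,dc=de"
PASS_FILTER = "(&(objectClass=person)(cn=%u)(mail=*))"


def escape_filter(value: str) -> str:
    """RFC 4515: special characters in an assertion value become \\XX hex."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_dn(value: str) -> str:
    """RFC 4514: backslash-escape DN metacharacters in an attribute value,
    plus a leading '#' and a leading or trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def render_auth_bind(username: str):
    """Return (bind_dn, search_filter) for one login attempt.
    The bind proves the password to AD; the filter then finds the entry."""
    bind_dn = AUTH_BIND_USERDN.replace("%u", escape_dn(username))
    search_filter = PASS_FILTER.replace("%u", escape_filter(username))
    return bind_dn, search_filter


if __name__ == "__main__":
    # Constructed sample logins: a normal name and one carrying metacharacters
    for name in ("someuser", "x)(cn=*", "a,b"):
        dn, flt = render_auth_bind(name)
        print(f"{name!r}: bind as {dn}  filter {flt}")
```

With the raw names, "x)(cn=*" would have turned the filter into an unintended expression and "a,b" would have produced an extra RDN in the bind DN; escaped, both stay ordinary values.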
Re: [Samba] Samba4 AD delegation to read userPassword attribute

PERFECT! It works!!! Thank you very much!!!

Best regards,
Christian

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Achim Gottinger
Sent: Tuesday, 15 January 2013 21:42
To: samba@lists.samba.org
Subject: Re: [Samba] Samba4 AD delegation to read userPassword attribute

> [...]