Problem w/ Dovecot authentication against AD
Aki Tuomi
aki.tuomi at dovecot.fi
Wed Sep 13 14:53:34 EEST 2017
You need to disable referral following in /etc/ldap/ldap.conf (or
whatever applies to your system)
Aki
On 13.09.2017 14:34, Garry Glendown wrote:
> Hi,
>
> I had to start using Dovecot on a machine as the new OS does not come
> with Cyrus IMAP anymore. After multiple problems, I managed to get
> everything working, including LDAP authentication against the (old)
> Novell LDAP server.
> Anyway, the authentication is supposed to be migrated to the new Windows
> AD. For other tools, I successfully migrated the config to use AD, but
> somehow Dovecot does not work as it should.
>
> I've been going back and forth, trying everything I could think of, but
> still can't get it to work.
>
> Here's the excerpt from the config file:
>
> hosts = 10.10.10.210
> uris = ldap://10.10.10.210:389
> dn = cn=Administrator,cn=Users,dc=srv,dc=SLD,dc=net
> dnpass = PASSWORD
> tls = no
> debug_level = -1
> auth_bind = yes
> ldap_version = 3
> base = DC=srv,dc=SLD,dc=net
> deref = never
> scope = subtree
> user_attrs = sAMAccountName=user
> user_filter = (&(sAMAccountName=%n)(objectclass=person))
> pass_attrs = sAMAccountName=user
> pass_filter = (&(sAMAccountName=%n)(objectclass=person))
> iterate_attrs = mail=user
> iterate_filter = (objectclass=person)
> default_pass_scheme = PLAIN
>
> The problem might be caused by the referral info sent by the AD, which I
> can see both in the results dovecot gets (checked with tcpdump), as well
> as in ldapsearch ... apart from the actual search result, I always get
> three additional results:
>
> #
> refldap://DomainDnsZones.srv.SLD.net/DC=DomainDnsZones,DC=srv,DC=SLD,DC=net
>
> #
> refldap://ForestDnsZones.srv.SLD.net/DC=ForestDnsZones,DC=srv,DC=SLD,DC=net
>
> # refldap://srv.SLD.net/CN=Configuration,DC=srv,DC=SLD,DC=net
>
> From what I can see in the pcap as well as some of the logs, dovecot
> binds to the AD, sends out the LDAP query correctly, gets the lookup
> result with the user queried plus the above three referrals, then
> unbinds from the (named) bind, attempts a simple bind without dn/dnpass
> (multiple times), and finally sends three additional search requests
> under the search bases
>
> cn=Configuration,DC=srv,DC=SLD,DC=net
> DC=ForestDnsZones,DC=srv,DC=SLD,DC=net
> DC=DomainDnsZones,DC=srv,DC=SLD,DC=net
>
> These three requests are denied by the AD as they are not permitted
> without a successful prior bind.
> Dovecot then fails the auth process.
>
> Is there a way to stop Dovecot from using the referrals? OpenLDAP seems
> to have an option to disable referrals, but Dovecot does not allow that
> option in its LDAP config, and having the option set in the global
> ldap.conf doesn't seem to help any, either. Is there possibly a way to
> disable the referral information on the AD side?
>
> Thanks, Garry
>
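As an added illustration, not part of Aki's reply or Garry's post: the OpenLDAP client option Aki refers to is REFERRALS in ldap.conf(5). Dovecot has no setting of its own for it because referral chasing is done inside libldap, which reads that file for every program linked against it. With chasing on, libldap opens a connection to each ref in the search result and, unless the application installs a rebind callback, binds anonymously there; that matches the unbind, the credential-less simple binds and the three searches under CN=Configuration / DC=ForestDnsZones / DC=DomainDnsZones seen in the pcap, and AD refuses those searches to an anonymous client. The fragment below shows the global setting together with a Dovecot LDAP config carrying the same attributes as in the thread. The file paths, the host name dc1.srv.SLD.net, the bind account cn=dovecot-bind and its OU are assumptions for the example; STARTTLS with CA pinning and a dedicated read-only bind user are hardening choices, not something the thread prescribes.

```ini
# /etc/ldap/ldap.conf  (Debian/Ubuntu path; /etc/openldap/ldap.conf on RHEL-style systems)
# Added example: stop libldap from chasing the DomainDnsZones / ForestDnsZones /
# Configuration referrals that AD attaches to subtree searches on the domain root.
REFERRALS off

# /etc/dovecot/dovecot-ldap.conf.ext  (same lookup as in the thread, tidied up)
# Host name, bind DN and OU are assumptions for this example.
uris = ldap://dc1.srv.SLD.net
tls = yes                             # was "tls = no": STARTTLS on 389, so dnpass no longer crosses the wire in clear
tls_ca_cert_file = /etc/ssl/certs/ad-ca.pem   # path assumed; pin the CA that issued the DC certificate
tls_require_cert = hard
dn = cn=dovecot-bind,ou=Service Accounts,dc=srv,dc=SLD,dc=net   # read-only lookup account instead of Administrator
dnpass = PASSWORD
auth_bind = yes                       # password check is a bind as the found user's DN
ldap_version = 3
base = dc=srv,dc=SLD,dc=net
deref = never
scope = subtree
user_attrs = sAMAccountName=user
user_filter = (&(sAMAccountName=%n)(objectClass=person))
pass_attrs = sAMAccountName=user
pass_filter = (&(sAMAccountName=%n)(objectClass=person))
iterate_attrs = sAMAccountName=user   # thread used mail=user; keep it consistent with the login name
iterate_filter = (objectClass=person)
default_pass_scheme = PLAIN
```

libldap reads ldap.conf when the LDAP handle is created, so Dovecot has to be restarted after the change; the same tcpdump used in the thread is the quickest check, as the anonymous simple binds and the three extra searches under CN=Configuration and the two DNS zone partitions should no longer appear after the user lookup. Keeping "hosts" and "uris" both set, as in the original config, is unnecessary; one of them is enough.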