[Dovecot] dovecot-ldap.conf for usernames/homes/UID/GID
Stroller
stroller at stellar.eclipse.co.uk
Fri Jan 13 14:19:35 EET 2006
On 12 Jan 2006, at 05:30, Paul Matthews wrote:
> I'm running winbind to authenticate against Active Directory. I've edited my
> ‘/etc/pam.d/dovecot’ PAM module so as to let my users log in with their Active
> Directory password, but SquirrelMail won't let them … I think, let me stress
> the term ‘think’, it has something to do with their home directories, because
> I have some local users as well; they can log in with no issues, and my users
> with the same usernames on Unix and ADS can log in with their ADS passwords …
>
> Now I'm looking at the dovecot webmin module and I see that ‘Data source for
> users, homes and IDs’ is set to use ‘Standard unix username database’. There
> is no option of PAM like in ‘Password authentication source’, although I do
> see LDAP, using config file. Can I set that to query the Active Directory LDAP
> database and use it as the ‘Data source for users, homes and IDs’?
Hi there,
This, and your subsequent messages, are missing some important information, like what's written to the log files when a user tries to authenticate. There are a number of "verbose", "debugging" and "logging" options in dovecot.conf; you need to enable them and `tail -f` the log files (I checked /var/log/messages and /var/log/mail when I had this problem).

LDAP is irrelevant, a complete clupea rubra, when authenticating using Winbind. Winbind is not the same as Active Directory, although confusingly it seems to allow Active Directory users to authenticate. I think this is because on Windows Server, by default, Domain users are also AD users, and you're actually authenticating against the Domain (not the AD) when you authenticate using Winbind.
To authenticate using WinBind you'll need something like:
In /etc/dovecot.conf:

# Password database: hand authentication to PAM.
# "-session" makes Dovecot open and close a PAM session around the login,
# "*" uses the protocol name (imap/pop3) as the PAM service name.
passdb pam {
  args = "-session *"
}

In /etc/pam.d/imap:

#%PAM-1.0
# Authenticate and authorise the user through winbind.
auth    required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
AD users need a store directory in which to keep their email; Dovecot will fail if they have no home directory. As I recall, Winbind will return a suitable path for their home directory, the path where it'd expect them to be, but unless you have created that directory manually then Dovecot will crap out. IMHO the best way to resolve this is by using pam_mkhomedir: it'll create that home directory if it doesn't exist upon user authentication. I have implemented a system like this within the last 2 or 3 weeks and also had some problems with it. If you search my postings to the list you will see my configuration documented quite clearly and you should be able to see how I resolved my issues. I think you will be able to resolve all your issues by following them.
Stroller.
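The pam_winbind + pam_mkhomedir stack described in the message above, as an added example that is not part of the original post or of Dovecot's own documentation. It assumes the modules live in /lib/security (as in the post), that Dovecot is configured with `args = "-session *"` so the PAM service file is named after the protocol (/etc/pam.d/imap; install a copy as /etc/pam.d/pop3 if you serve POP3), and that a umask of 0077 is the mode you want for the mailbox directory. The function names are hypothetical helpers for this example.

```shell
#!/bin/sh
# Added example (not from the original post): PAM service file for Dovecot that
# authenticates through pam_winbind and creates the user's home directory on
# first login with pam_mkhomedir.  Module paths, service name and umask are
# assumptions; adjust them to your distribution.
set -eu

# Print the PAM stack.  pam_mkhomedir is a *session* module: it only runs when
# Dovecot actually opens a PAM session, i.e. with "-session" in the passdb pam
# args in dovecot.conf.  Without that, auth succeeds but no directory is made.
dovecot_pam_config() {
    cat <<'EOF'
#%PAM-1.0
# /etc/pam.d/imap  (service name comes from "args = -session *" in dovecot.conf)
auth     required  /lib/security/pam_winbind.so
account  required  /lib/security/pam_winbind.so
# Create the home directory winbind reports for the user if it is missing.
# umask=0077 makes the new directory private to its owner, so other local
# users cannot read the mailbox Dovecot will store inside it.
session  required  /lib/security/pam_mkhomedir.so umask=0077
EOF
}

# Return success if the given PAM file has a session-type pam_mkhomedir line.
# A config listing pam_mkhomedir only under auth or account never creates
# anything, which is the silent failure this check is meant to catch.
has_mkhomedir_session() {
    grep -Eq '^session[[:space:]]+[a-z]+[[:space:]]+(/lib/security/)?pam_mkhomedir\.so' "$1"
}

# Write the stack to $1 (default /etc/pam.d/imap) and verify it.
install_dovecot_pam() {
    dest="${1:-/etc/pam.d/imap}"
    dovecot_pam_config > "$dest"
    has_mkhomedir_session "$dest"
}
```

Run `install_dovecot_pam` as root, then watch the log while a user logs in. The directory pam_mkhomedir creates is whatever path winbind hands back for the user (the `template homedir` setting in smb.conf), so confirm that template points at the mail store you intend before enabling this, and check the resulting directory with `ls -ld` to make sure the umask took effect.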