[Dovecot] dovecot-ldap.conf for usernames/homes/UID/GID

Stroller stroller at stellar.eclipse.co.uk
Fri Jan 13 14:19:35 EET 2006


On 12 Jan 2006, at 05:30, Paul Matthews wrote:
>
> I’m running winbind to authenticate against Active Directory, I’ve edited my
> ‘/etc/pam.d/dovecot’ pam module so to let my users login with their Active
> directory password, but squirrel mail won’t let them … I think, let me stress
> the term, ‘think’, it has something to do with their home directories,
> because I have some local users as well, they can login no issues & my users
> with the same usernames on unix and ADS can login with their ADS passwords …
>
> Now I’m looking at the dovecot webmin module and I see that ‘Data source for
> users, homes and Ids’ is set to use ‘Standard unix username database’. There
> is no option of PAM like in ‘Password authentication source’. Although I do
> see LDAP, using config file. Can I set that to query Active directory ldap
> database and go there Data source for users, homes and Ids’?

Hi there,

This, and your subsequent messages, are missing some important
information. Like what's written to the log files when a user tries
to authenticate? There are a number of "verbose", "debugging" and
"logging" options in dovecot.conf - you need to enable them & `tail -f`
logfiles (I checked /var/log/messages & /var/log/mail when I had
this problem).

LDAP is irrelevant - a complete clupea rubra - when authenticating  
using WinBind. Winbind is not the same as Active Directory, although  
confusingly it seems to allow Active Directory users to authenticate.  
I think this is because on Windows server, by default, Domain users  
are also AD users, and you're actually authenticating against the  
Domain (not the AD) when you authenticate using WinBind.

To authenticate using WinBind you'll need something like:

In /etc/dovecot.conf:
   passdb pam {
     args = "-session *"
   }

In /etc/pam.d/imap:
   #%PAM-1.0
   auth       required     /lib/security/pam_winbind.so
   account    required     /lib/security/pam_winbind.so

AD users need a store directory in which to keep their email -  
Dovecot will fail if they have no home directory. As I recall WinBind  
will return a suitable path for their home directory - the path where  
it'd expect them to be - but unless you have created that directory  
manually then Dovecot will crap out. IMHO the best way to resolve  
this is by using pam_mkhomedir - it'll create that home directory if  
it doesn't exist upon user authentication. I have implemented a  
system like this within the last 2 or 3 weeks and also had some  
problems with it. If you search my postings to the list you will see  
my configuration documented quite clearly and you should be able to  
see how I resolved my issues. I think you will be able to resolve all  
your issues by following them.

Stroller.
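The PAM stack the reply describes, with pam_mkhomedir added in the session phase, as an added illustration rather than Stroller's own posted configuration; the file paths beyond those named above, the skel directory and the umask value are assumptions:

```text
# /etc/dovecot.conf (Dovecot 1.x syntax, as in the reply above)
#   "-session" makes Dovecot open and close a PAM session after a successful
#   authentication, which is what allows session modules such as
#   pam_mkhomedir to run; "*" uses the protocol name (imap, pop3) as the
#   PAM service name, hence the file /etc/pam.d/imap below.
passdb pam {
  args = "-session *"
}

# /etc/pam.d/imap (copy to /etc/pam.d/pop3 as well if POP3 is enabled)
#%PAM-1.0
auth     required  pam_winbind.so
account  required  pam_winbind.so
# Create the home directory winbind reports for the user on first login,
# so Dovecot finds a place to store the mailbox.
# umask=0077 (assumed value) keeps the new home and mail store unreadable
# to other local users; pam_mkhomedir's default umask of 0022 would leave
# the directory world-readable.
session  required  pam_mkhomedir.so skel=/etc/skel umask=0077

# Check what home path winbind actually returns before relying on it
# (DOMAIN and user are placeholders):
#   getent passwd 'DOMAIN\user'
```

pam_mkhomedir needs to run as root to create the directory, so Dovecot's login process must still be performing the PAM session with sufficient privilege.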