[Dovecot] [SOLVED] Re: Is it possible to authenticate against Active Directory using the whole e-mail?

Patrick Domack patrickdk at patrickdk.com
Wed Oct 7 15:23:29 EEST 2009


That would have been my next guess, to see if you could look up the  
proper user, then attempt a login via that. Just causes extra ldap  
traffic.

Quoting Dimitrios Karapiperis <dimkar at thessaloniki.gr>:

> Hi
> I just solved it
> using authentication binds
>   auth_bind = yes
>   pass_attrs = mail=user
>   pass_filter = (& (objectclass=User) (objectCategory=Person) (mail=%u))
>
> Active Directory, as far as I know, by no means exposes users'  
> passwords to third party applications or services.
>
> Thanks in advance
> Dimitrios
>
> Dimitrios Karapiperis wrote:
>> Patrick Domack wrote:
>>> Yes, it's possible to do this. But not possible using auth_bind.
>>> You are going to have to log in using an administrator account, then  
>>> do an ldap search for the email address, then authenticate against  
>>> it. Using auth_bind requires you to know the username before you  
>>> login.
>>>
>>> http://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups
>>>
>>> Just need to change passfilter to do a "proxy_email" or what it's  
>>> called for AD
>>>
>>
>> Hi,
>> many thanks for your reply.
>>
>> Active Directory doesn't return the userPassword in
>>
>> pass_attrs = uid=user, userPassword=password
>>
>> so the password supplied by the user can't be validated.
>>
>>
>>
>> I used this configuration
>>
>> auth_bind = no
>> pass_attrs = mail=user, userPassword=password
>> pass_filter = (& (objectclass=User) (objectCategory=Person) (mail=%u))
>> default_pass_scheme = MD5
>>
>> and although the ldap query located the user it complains with the  
>> following:
>>
>> No password returned (and no nopassword)
>>
>> Any ideas?
>> Dimitrios
>>
>>> Quoting Dimitrios Karapiperis <dimkar at thessaloniki.gr>:
>>>
>>>> Hi all!
>>>>
>>>> Is it possible to authenticate against Active Directory, using  
>>>> the whole e-mail address and not
>>>> the user part (%n), so that if you support multiple domains, all  
>>>> users should authenticate with their e-mail addresses.
>>>>
>>>> I use
>>>> auth_bind_userdn = DOMAIN \ %u
>>>> but somehow the *mail* attribute of Active/LDAP should be employed.
>>>>
>>>>
>>>> thanks in advance
>>>> Dimitrios Karapiperis
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
> -- 
> ????????? ??????????? ????. ??. ????????
>
> ???????? ?????????? - ?. ????????????
> ????? ???????????? -  ?/??? ?????????? & ???????
> 2310 - 257844 fax 2310 - 244965
>
>
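
The search-then-bind flow this thread arrives at (look up the entry by its mail attribute, then bind as the DN that was found), modelled in Python as an added example; it is not code from the thread or from Dovecot. The in-memory DIRECTORY, the sample users and every function name are constructed assumptions; only the filter string is taken from the configuration quoted above.

```python
import re

# Constructed stand-in for Active Directory (DN -> entry); no network is used.
DIRECTORY = {
    "CN=Alice,OU=Staff,DC=example,DC=org": {"mail": "alice@example.org", "password": "s3cret"},
    "CN=Bob,OU=Staff,DC=example,DC=net": {"mail": "bob@example.net", "password": "hunter2"},
}

# pass_filter as posted in the thread; %u is the login the client supplied.
PASS_FILTER = "(& (objectclass=User) (objectCategory=Person) (mail=%u))"

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def build_pass_filter(login):
    """Substitute the escaped login for %u so it can only be a literal value."""
    return PASS_FILTER.replace("%u", escape_filter_value(login))

def search(ldap_filter):
    """Stand-in for the LDAP search: literal, case-insensitive match on mail."""
    m = re.search(r"\(mail=([^()*]*)\)\)$", ldap_filter)
    if not m:
        return []
    # Decode \xx escapes back to the literal characters they stand for.
    wanted = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
    return [dn for dn, e in DIRECTORY.items() if e["mail"].lower() == wanted.lower()]

def simple_bind(dn, password):
    """Stand-in for an LDAP simple bind as dn with the user's password."""
    return DIRECTORY[dn]["password"] == password

def authenticate(login, password):
    """Return the DN that authenticated, or None on any failure."""
    if not password:
        # A simple bind with an empty password is an unauthenticated bind
        # (RFC 4513 section 5.1.2) that a server may accept; refuse it first.
        return None
    matches = search(build_pass_filter(login))
    if len(matches) != 1:  # unknown address, or mail is not unique
        return None
    dn = matches[0]
    return dn if simple_bind(dn, password) else None
```

The password never has to be readable by the mail server in this flow, which is why it works against a directory that does not return userPassword.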




