Dovecot+Samba AD - authentication failure - SOLVED

Aki Tuomi aki.tuomi at open-xchange.com
Tue Nov 24 13:51:22 EET 2020


> On 24/11/2020 13:20 Odhiambo Washington <odhiambo at gmail.com> wrote:
> 
> On Sun, 22 Nov 2020 at 15:08, Odhiambo Washington <odhiambo at gmail.com> wrote:
> > Hi,
> > 
> > I have setup samba4 as AD and hoping to have dovecot authenticate users against it. I am facing challenges though and I am unable to figure it out.
> > I could do with a third eye to help me spot what is wrong.
> > 
> > 
> > 
> > root at adc0:/etc# doveadm auth test -x service=imap odhiambo at newideatest.local
> > Password:
> > passdb: odhiambo at newideatest.local auth failed
> > extra fields:
> > 
> > info.log:
> > 
> > Nov 22 14:31:08 auth: Info:
> > 
> > Here is my doveconf -n:
> > 
> > https://paste.ubuntu.com/p/SPmrxZxHPx/
> > 
> > My dovecot-ldap.conf.ext:
> > 
> > uris = ldap://localhost/
> > dn = "dovecot at newideatest.local"
> > dnpass = "XXXXXXXX"
> > sasl_bind = no
> > tls = no
> > ldap_version = 3
> > deref = never
> > scope = subtree
> > base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
> > auth_bind = yes
> > user_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%u)(sAMAccountName=%u)(otherMailbox=%u)))
> > user_attrs = sAMAccountName=user,userPassword=password,=mail=maildir:/home/%n/Maildir/
> > pass_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))
> > pass_attrs = sAMAccountName=user,userPassword=password
> > 
> > The user exists in the database:
> > 
> 
> 
> For the record, this is what I finally came up with that worked - dovecot-ldap.conf.ext:
> 
> 
> ##### BEGIN
> uris = ldap://localhost/
> dn = "dovecot at newideatest.local"
> dnpass = "verystupid"
> sasl_bind = no
> tls = no
> ldap_version = 3
> deref = never
> scope = subtree
> base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
> auth_bind = yes

You probably would want to set this to 'no'; it causes Dovecot to rebind after authentication. This is not required when you can return the password from LDAP; it is only required when you have to do a lookup first and then authenticate as the user to verify the password.

> 
> #user_filter = (mail=%u)
> #pass_filter = (mail=%u)
> #pass_attrs = mail=%u,= userPassword=password
> 
> user_filter = (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> pass_filter = (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> pass_attrs = userPassword=password
> 
> user_attrs = =home=/var/spool/virtual/%Ld/%Ln/Maildir/,=mail=maildir:/var/spool/virtual/%Ld/%Ln/Maildir/
> 
> default_pass_scheme = CRYPT
> ##### END
> 
> Also to add:
> 1. If you use the commented out filters, the authentication is very fast
> 2. If you use the uncommented ones, it's a bit slow.
> 
> Choose your poison, as YMMV.
> 
> Adios.
> 
> 
> 
> -- 
> 
> Best regards,
> Odhiambo WASHINGTON,

Regards,

Aki
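To make the lookup half of that exchange concrete: with auth_bind = yes, Dovecot first expands the %-variables into pass_filter, searches for the entry, then binds as it. The script below is an added example written for this archive page, not code from Dovecot or from either poster. It implements a small RFC 4515 filter evaluator (with the Microsoft bitwise matching rule 1.2.840.113556.1.4.803 used in the filters above) and runs the working pass_filter and the commented-out (mail=%u) filter from the thread against a constructed two-entry directory: one enabled account and one disabled account (userAccountControl 514). The entries, the "leaver" account, and the escaping helper are this example's own assumptions; real Dovecot hands the search to libldap.

```python
"""Expand Dovecot %-variables and evaluate the resulting LDAP filters against a
constructed directory, to check which entry a passdb lookup would select."""
import re

BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND (used on this page)
BIT_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR
ACCOUNTDISABLE = 2                   # userAccountControl flag of a disabled account


def ldap_escape(value):
    """Escape RFC 4515 special characters so a login name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def ldap_unescape(value):
    """Turn \\XX hex escapes back into literal characters for comparison."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand(template, username, escape=True):
    """Expand %u (full login), %n (local part), %d (domain); a leading L lowercases.
    Filter values are escaped; pass escape=False for path templates (user_attrs)."""
    local, _, domain = username.partition("@")
    values = {"u": username, "n": local, "d": domain}

    def repl(m):
        v = values[m.group(2)]
        v = v.lower() if m.group(1) else v
        return ldap_escape(v) if escape else v

    return re.sub(r"%(L?)([und])", repl, template)


class LdapFilter:
    """Minimal filter parser/evaluator: &, |, !, equality, presence (=*) and the
    two Microsoft bitwise extensible-match rules. Attribute names are case-folded."""

    def __init__(self, text):
        self.text, self.pos = text, 0
        self.tree = self._parse()
        if self.pos != len(text):
            raise ValueError("trailing characters in filter")

    def _expect(self, ch):
        if self.text[self.pos] != ch:
            raise ValueError("expected %r at offset %d" % (ch, self.pos))
        self.pos += 1

    def _parse(self):
        self._expect("(")
        op = self.text[self.pos]
        if op in "&|":
            self.pos += 1
            items = []
            while self.text[self.pos] == "(":
                items.append(self._parse())
            self._expect(")")
            return (op, items)
        if op == "!":
            self.pos += 1
            item = self._parse()
            self._expect(")")
            return ("!", item)
        end = self.text.index(")", self.pos)  # escaping guarantees no raw ')' in values
        attr, _, value = self.text[self.pos:end].partition("=")
        self.pos = end + 1
        if attr.endswith(":"):                 # attr:OID:=value  (extensible match)
            attr, rule = attr.rstrip(":").split(":")
            return ("ext", attr.lower(), rule, int(value))
        return ("=", attr.lower(), None if value == "*" else ldap_unescape(value))

    def matches(self, entry):
        return self._eval(self.tree, entry)

    def _eval(self, node, entry):
        kind = node[0]
        if kind == "&":
            return all(self._eval(n, entry) for n in node[1])
        if kind == "|":
            return any(self._eval(n, entry) for n in node[1])
        if kind == "!":
            return not self._eval(node[1], entry)
        values = entry.get(node[1], [])
        if kind == "=":
            if node[2] is None:                # presence filter (attr=*)
                return bool(values)
            return any(v.lower() == node[2].lower() for v in values)  # AD compares case-insensitively
        rule, mask = node[2], node[3]
        if rule == BIT_AND:
            return any(int(v) & mask == mask for v in values)
        if rule == BIT_OR:
            return any(int(v) & mask for v in values)
        raise ValueError("unsupported matching rule " + rule)


# Constructed AD-style entries: 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE
DIRECTORY = [
    {"objectclass": ["top", "person", "user"], "samaccountname": ["odhiambo"],
     "mail": ["odhiambo@newideatest.local"], "useraccountcontrol": ["512"]},
    {"objectclass": ["top", "person", "user"], "samaccountname": ["leaver"],
     "mail": ["leaver@newideatest.local"], "useraccountcontrol": ["514"]},
]

# The working pass_filter and the commented-out fast one from the thread above
PASS_FILTER = "(&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
SIMPLE_FILTER = "(mail=%u)"


def lookup(filter_template, username, directory=DIRECTORY):
    """Return the sAMAccountNames the expanded filter selects (a passdb lookup needs exactly one)."""
    f = LdapFilter(expand(filter_template, username))
    return [e["samaccountname"][0] for e in directory if f.matches(e)]


def maildir_path(username):
    """The page's user_attrs path template with %Ld/%Ln expanded."""
    return expand("/var/spool/virtual/%Ld/%Ln/Maildir/", username, escape=False)


if __name__ == "__main__":
    for name in ("odhiambo@newideatest.local", "leaver@newideatest.local", "*"):
        print(name, lookup(PASS_FILTER, name), lookup(SIMPLE_FILTER, name))
    print(maildir_path("Odhiambo@NewIdeaTest.LOCAL"))
```

The run shows the trade-off behind the "choose your poison" remark: the plain (mail=%u) filter still selects the disabled account, so with auth_bind = yes it is the directory refusing the bind that rejects that login, whereas when the password is returned from LDAP instead, the filter is the only gate and the userAccountControl clause is what keeps disabled accounts out. The escaping step is why a login such as `*` or `x)(mail=*` matches nothing rather than rewriting the filter.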

