Dovecot+Samba AD - authentication failure - SOLVED

Odhiambo Washington odhiambo at gmail.com
Thu Nov 26 13:57:19 EET 2020


On Tue, 24 Nov 2020 at 14:51, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:

>
> > On 24/11/2020 13:20 Odhiambo Washington <odhiambo at gmail.com> wrote:
> >
> > On Sun, 22 Nov 2020 at 15:08, Odhiambo Washington <odhiambo at gmail.com> wrote:
> > > Hi,
> > >
> > > I have set up samba4 as AD and I am hoping to have dovecot authenticate users against it. I am facing challenges though and I am unable to figure it out.
> > > I could do with a third eye to help me spot what is wrong.
> > >
> > > root at adc0:/etc# doveadm auth test -x service=imap odhiambo at newideatest.local
> > > Password:
> > > passdb: odhiambo at newideatest.local auth failed
> > > extra fields:
> > >
> > > info.log:
> > >
> > > Nov 22 14:31:08 auth: Info: > >
> > >
> > > Here is my doveconf -n:
> > >
> > > https://paste.ubuntu.com/p/SPmrxZxHPx/
> > >
> > > My dovecot-ldap.conf.ext:
> > >
> > > uris = ldap://localhost/
> > > dn = "dovecot at newideatest.local"
> > > dnpass = "XXXXXXXX"
> > > sasl_bind = no
> > > tls = no
> > > ldap_version = 3
> > > deref = never
> > > scope = subtree
> > > base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
> > > auth_bind = yes
> > > user_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%u)(sAMAccountName=%u)(otherMailbox=%u)))
> > > user_attrs = sAMAccountName=user,userPassword=password,=mail=maildir:/home/%n/Maildir/
> > > pass_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))
> > > pass_attrs = sAMAccountName=user,userPassword=password
> > >
> > > The user exists in the database:
> > >
> >
> >
> > For the record, this is what I finally came up with that worked - dovecot-ldap.conf.ext:
> >
> >
> > ##### BEGIN
> > uris = ldap://localhost/
> > dn = "dovecot at newideatest.local"
> > dnpass = "verystupid"
> > sasl_bind = no
> > tls = no
> > ldap_version = 3
> > deref = never
> > scope = subtree
> > base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
> > auth_bind = yes
>
> You probably would want to set this to 'no', it causes dovecot to rebind
> after authentication. This is not required when you can return password
> from LDAP, it is only required when you have to do first a lookup and then
> authenticate as the user to verify password.
>

Hello Aki,

Thanks for looking at this.

In my case, when I change to "auth_bind = no", then this happens:

root at adc0:/etc/dovecot# telnet 0 143
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.
1 login odhiambo at newideatest.local XXXXXXX
1 NO [AUTHENTICATIONFAILED] Authentication failed.
1 logout

Auth succeeds though when I have it set to "yes".

My conf.d/auth-ldap.conf.ext contains:
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = static
  args = uid=Debian-exim gid=Debian-exim home=/var/spool/virtual/%Ld/%Ln
}

How can I return the password from LDAP?
I'd be happy to know what I need to do so that I can use your suggestion.
This LDAP stuff is still quite some "Greek" to me.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
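The exchange above turns on the difference between the two passdb modes that auth_bind selects. The following is an added simulation, not Dovecot code and not part of the original thread: a fake directory stands in for the LDAP server, and passdb_lookup() mimics what Dovecot does in each mode. With auth_bind = yes Dovecot searches for the user and then binds to the directory as that DN with the password the client sent; with auth_bind = no it searches, reads the attribute mapped to "password" in pass_attrs, and compares locally. The constructed AD-like entry models the property that Active Directory (Samba AD included) does not return password hashes to LDAP clients, which is why the lookup-and-compare mode has nothing to compare and fails exactly as the telnet session shows. DNs, account names and passwords below are made up.

```python
"""Simulation of Dovecot's two LDAP passdb modes (auth_bind yes/no).

Added example for illustration; not Dovecot's implementation. Directory
entries, DNs and passwords are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class FakeDirectory:
    """Minimal stand-in for an LDAP server: entries keyed by DN."""
    entries: dict
    # AD-style servers never hand the password attribute back on a search;
    # an OpenLDAP server with a suitable ACL may.
    returns_password_attr: bool

    def search(self, filter_attr, value):
        """Return (dn, visible_attrs) for the first entry matching attr=value."""
        for dn, attrs in self.entries.items():
            if attrs.get(filter_attr) == value:
                visible = {k: v for k, v in attrs.items()
                           if k != "userPassword" or self.returns_password_attr}
                return dn, visible
        return None, None

    def bind(self, dn, password):
        """Simple bind: the server checks the password itself."""
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password


def passdb_lookup(directory, username, password, auth_bind):
    """Mimic the ldap passdb. Returns (success, reason).

    auth_bind=True : search with pass_filter, then bind as the found DN
                     with the client-supplied password (lookup + rebind).
    auth_bind=False: search, take the attribute mapped to 'password' in
                     pass_attrs, compare locally. Real Dovecot also handles
                     {SSHA}-style scheme prefixes; this simulation compares
                     plain values only.
    """
    dn, attrs = directory.search("sAMAccountName", username)
    if dn is None:
        return False, "user not found"
    if auth_bind:
        ok = directory.bind(dn, password)
        return ok, "bind ok" if ok else "bind rejected"
    stored = attrs.get("userPassword")
    if stored is None:
        return False, "password attribute not returned by server"
    return stored == password, "local compare"


# Constructed sample directories (no real accounts).
AD_LIKE = FakeDirectory(
    entries={"CN=odhiambo,CN=Users,DC=example,DC=test":
             {"sAMAccountName": "odhiambo", "userPassword": "s3cret-example"}},
    returns_password_attr=False,
)
OPENLDAP_LIKE = FakeDirectory(
    entries={"uid=odhiambo,ou=people,dc=example,dc=test":
             {"sAMAccountName": "odhiambo", "userPassword": "s3cret-example"}},
    returns_password_attr=True,
)


def demo():
    """Run both modes against both directories; returns a results table."""
    results = {}
    for name, directory in (("ad_like", AD_LIKE), ("openldap_like", OPENLDAP_LIKE)):
        for auth_bind in (True, False):
            results[(name, auth_bind)] = passdb_lookup(
                directory, "odhiambo", "s3cret-example", auth_bind)
    return results


if __name__ == "__main__":
    for (name, auth_bind), (ok, why) in demo().items():
        print(f"{name:14s} auth_bind={str(auth_bind).lower():5s} -> {ok} ({why})")
```

Two practical consequences follow from the simulation. First, against an AD directory auth_bind = yes is the mode to keep, and the pass_attrs line mapping userPassword=password does nothing useful there; Dovecot's auth_bind_userdn setting can also skip the initial search when the bind DN can be built from the login name. Second, in bind mode the user's cleartext password travels to the directory on every login, so the tls = no in the posted config is only acceptable because uris points at ldap://localhost/; a directory on another host needs TLS.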