Paolo Basenghi wrote:
I don't know if there are any howtos on the net, but I had it configured and working, so I will give you some little tips.
I tested this configuration on Fedora Core 3 and SuSE Prof. 9.2, with dovecot 0.99
Create a Linux user named "vmail" or similar (all virtual mailboxes will be in a dir. under this user's home or under a directory owned by this user).
Postfix side: you must use virtual mailbox delivery (one Linux user "vmail", multiple virtual mailboxes), see the Postfix distribution readme files (README_VIRTUAL if I remember well).
Dovecot side: use pam as password database and use static as user database (with same uid and gid as Postfix virtual mailbox user).
Pam side: in /etc/pam.d add/modify a "dovecot" file containing:

auth    required  pam_krb5.so no_user_check
account required  pam_permit.so
- Last: you must verify that you have installed Kerberos 5 clients and libraries, then edit your /etc/krb5.conf like this (CASE SENSITIVE!):
[libdefaults]
 clockskew = 300
 default_realm = YOUR.AD.DOMAIN
 # default_etypes = des-cbc-crc
 # default_etypes_des = des-cbc-crc
 # dns_lookup_realm = false
 # dns_lookup_kdc = false

[realms]
 your.ad.domain = {
  kdc = your_dc_server.your.ad.domain
  default_domain = YOUR.AD.DOMAIN
  kpasswd_server = your_dc_server.your.ad.domain
 }

[domain_realm]
 .your.ad.domain = YOUR.AD.DOMAIN

[logging]
 default = SYSLOG:NOTICE:DAEMON
 kdc = FILE:/var/log/kdc.log
 kadmind = FILE:/var/log/kadmind.log

[appdefaults]
 pam = {
  ticket_lifetime = 1d
  renew_lifetime = 1d
  forwardable = true
  proxiable = false
  retain_after_close = false
  minimum_uid = 0
  debug = false
 }
You can test Kerberos authentication with the command "kinit username@YOUR.AD.DOMAIN"
Good luck!
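Paolo's "CASE SENSITIVE!" warning can be checked mechanically. The checker below is an added example, not code from the thread: it parses the sections of a krb5.conf that pam_krb5 relies on and reports realm names that are not upper case or that are spelled differently in [libdefaults], [realms] and [domain_realm]. EXAMPLE.TEST and dc1.example.test are placeholder values, and the sample is constructed to contain the lower-case [realms] key that the warning is about.

```python
import re

def parse_krb5_conf(text):
    """Return {section: {key: value or nested dict}} for krb5.conf text."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                   # new [section]
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if line == "}":                         # end of a "name = { ... }" block
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                        # start of a "name = { ... }" block
            stack[-1][key] = block = {}
            stack.append(block)
        else:
            stack[-1][key] = value
    return conf

def realm_problems(conf):
    """Report realm names that are not upper case or differ between sections."""
    default = conf.get("libdefaults", {}).get("default_realm")
    if default is None:
        return ["libdefaults: default_realm is not set"]
    problems = []
    if default != default.upper():
        problems.append(f"default_realm {default!r} is not upper case")
    if default not in conf.get("realms", {}):
        problems.append(f"[realms] has no entry spelled exactly {default!r}")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm != default:
            problems.append(f"[domain_realm] {domain} -> {realm!r}, not {default!r}")
    return problems

# Constructed sample (EXAMPLE.TEST is a placeholder realm): the [realms] key is
# lower case, so the library will not find it when it looks up EXAMPLE.TEST.
SAMPLE = """[libdefaults]
 default_realm = EXAMPLE.TEST
[realms]
 example.test = {
  kdc = dc1.example.test
 }
[domain_realm]
 .example.test = EXAMPLE.TEST
"""
```

To check a live system, pass the contents of /etc/krb5.conf to parse_krb5_conf() and print whatever realm_problems() returns; an empty list means the three sections agree.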
Hi Paolo,
Thank you for your quick reply. Atm I'm trying with postfix + dovecot + AD with no luck. Yes, I'm using the virtual user for postfix, vmail:vmail; however, I'm getting authentication errors. I dunno if PAM is a *must* in my case (I'm not using PAM right now). When I try to connect with the mail client "Thunderbird" I also get a login failure. Here is the portion from dove-ldap.conf ....
hosts = xxx.abc.edu.pk   (domain name crypted (changed) for security reasons :P)
dn = cn=abc,cn=Users,dc=abc,dc=edu,dc=pk
dnpass = xxxx
ldap_version = 3
base = dc=abc,dc=edu,dc=pk
deref = never
scope = subtree
#user_attrs = uid,,,,,   (I'm trying different settings for user_attrs here)
#user_attrs = uid,homeDirectory,,uid,,
#user_filter = (&(objectClass=posixAccount)(uid=%u))
user_filter = (sAMAccountName=%u)
#user_filter = (&(objectClass=sAMACcountName)(cn=%u))

# Password checking attributes in order:
#   Virtual user name (user@domain)
#   Password, may optionally start with {type}, eg. {crypt}
pass_attrs = uid,userPassword

# Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
pass_filter = (sAMAccountName=%u)
#user_filter = (&(objectClass=sAMACcountName)(cn=%u))

# Currently supported schemes include PLAIN, PLAIN-MD5, DIGEST-MD5, CRYPT
default_pass_scheme = PLAIN
user_global_uid = 1009
user_global_gid = 1003
I can see that I don't get any error while starting dovecot; however, when trying to log in via the mail client it fails to authenticate.
Note: is PAM a *MUST* for postfix + dovecot + Active Directory?
Thanks and regards
Askar