Hi,
I have no success in using AD with dovecot.
The little checkpassword script I cooked up that uses ldapsearch to lookup a user DN (with an authenticated bind) and then ldapsearch with an authenticated bind for that DN again works well.
Approach 1: use a service account to bind to AD, lookup the user DN, and bind to that DN. It fails. The LDAP config looks like:
hosts = dc2.office.on2it.net ldap_version = 3 base = dc=office,dc=on2it,dc=net scope=subtree auth_bind = yes dn = CN=DovecotSvc,OU=Svcs,DC=office,DC=on2it,DC=net dnpass = suppressed
pass_attrs = sAMAccountName=user pass_filter = (&(objectClass=person)(sAMAccountName=%u)) user_attrs = sAMAccountName=user user_filter = (&(objectClass=person)(sAMAccountName=%u))
What happens in this case is best shown in the packet capture as displayed by tshark:
$ tshark -o tcp.check_checksum:FALSE -tr -r dc2.pcap
1 0.000000 172.17.50.13 -> 172.17.10.2 LDAP 197 bindRequest(7) "CN=DovecotSvc,OU=Svcs,DC=office,DC=on2it,DC=net" simple
2 0.001879 172.17.10.2 -> 172.17.50.13 LDAP 88 bindResponse(7) successYay! The service account binds just fine.
3 0.001967 172.17.50.13 -> 172.17.10.2 LDAP 180 searchRequest(8) "dc=office,dc=on2it,dc=net" wholeSubtree
4 0.002772 172.17.10.2 -> 172.17.50.13 LDAP 502 searchResEntry(8) "CN=Jeroen Scheerder,OU=Users,DC=office,DC=on2it,DC=net" \
| searchResRef(8) | searchResRef(8) | searchResRef(8) | searchResDone(8) success
5 0.098367 172.17.50.13 -> 172.17.10.2 TCP 66 49416 > 389 [ACK] Seq=246 Ack=459 Win=1037 Len=0 TSval=602425599 TSecr=124473537Yay! The user DN is found successfully.
6 225.149885 172.17.50.13 -> 172.17.10.2 LDAP 166 bindRequest(12) "CN=Jeroen Scheerder,OU=Users,DC=office,DC=on2it,DC=net" simple
7 225.152323 172.17.10.2 -> 172.17.50.13 LDAP 88 bindResponse(12) success
8 225.248387 172.17.50.13 -> 172.17.10.2 TCP 66 49416 > 389 [ACK] Seq=346 Ack=481 Win=1040 Len=0 TSval=602650749 TSecr=124496053Yay! The user DN bind works. But wait, why is it taking dovecot 225 seconds to get around to trying it? The auth process has already given up.
Approach 2: A template defines the user DN. Bind to that DN. AD DNs don't contain usernames, but AD allows all kinds of non-LDAP shorthands for DNs, inclusing %user%@domain. I've verified this to work using ldapsearch: $ ldapsearch -o ldif-wrap=no -x -LLL -E pr=200/noprompt -H ldap://dc2.office.on2it.net
-b dc=office,dc=on2it,dc=net -s sub
-D js@office.on2it.net -W
'(&(ObjectClass=person)(sAMAccountName=js))' DN Enter LDAP Password: dn: CN=Jeroen Scheerder,DC=office,DC=on2it,DC=netThe config looks like:
hosts = dc2.office.on2it.net ldap_version = 3 base = dc=office,dc=on2it,dc=net scope=subtree auth_bind = yes auth_bind_userdn = "%u@office.on2it.net"
pass_attrs = sAMAccountName=user user_attrs = sAMAccountName=user
What happens in this case is best shown by a snippet of dovecot logging:
Mar 5 09:57:36 <mail.err> ponyboy dovecot: auth: Error: ldap(js,127.0.0.1,<z1dLNtjzJwB/AAAB>): ldap_search(base=dc=office,dc=on2it,dc=net filter=(&(objectClass=posixAccount)(uid=js))) failed: Operations error
Mar 5 09:57:36 <mail.err> ponyboy dovecot: imap: Error: Disconnected from auth server, aborting (client-pid=7247 client-id=1)
Mar 5 09:57:36 <mail.crit> ponyboy dovecot: auth: Fatal: master: service(auth): child 7245 killed with signal 11 (core not dumped - set service auth { drop_priv_before_exec=yes })
Mar 5 09:57:36 <mail.info> ponyboy dovecot: imap-login: Internal login failure (pid=7247 id=1) (internal failure, 1 successful auths): user=<js>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=7248, secured, session=<z1dLNtjzJwB/AAAB>I find this intriguing -- "1 successful auths", so says imap-login, with auth dying horribly. I smell a rat. Something's wrong here...