On Tue, 24 Nov 2020 at 14:51, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:

> On 24/11/2020 13:20 Odhiambo Washington <odhiambo@gmail.com> wrote:
>
> On Sun, 22 Nov 2020 at 15:08, Odhiambo Washington <odhiambo@gmail.com> wrote:
> > Hi,
> >
> > I have set up samba4 as AD and am hoping to have dovecot authenticate users against it. I am facing challenges though and I am unable to figure it out.
> > I could do with a third eye to help me spot what is wrong.
> >
> > root@adc0:/etc# doveadm auth test -x service=imap odhiambo@newideatest.local
> > Password:
> > passdb: odhiambo@newideatest.local auth failed
> > extra fields:
> >
> > info.log:
> >
> > Nov 22 14:31:08 auth: Info: > >
> >
> > Here is my doveconf -n:
> >
> > https://paste.ubuntu.com/p/SPmrxZxHPx/
> >
> > My dovecot-ldap.conf.ext:
> >
> > uris = ldap://localhost/
> > dn = "dovecot@newideatest.local"
> > dnpass = "XXXXXXXX"
> > sasl_bind = no
> > tls = no
> > ldap_version = 3
> > deref = never
> > scope = subtree
> > base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
> > auth_bind = yes
> > user_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%u)(sAMAccountName=%u)(otherMailbox=%u)))
> > user_attrs = sAMAccountName=user,userPassword=password,=mail=maildir:/home/%n/Maildir/
> > pass_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))
> > pass_attrs = sAMAccountName=user,userPassword=password
> >
> > The user exists in the database:
> >
>
>
> For the record, this is what I finally came up with that worked - dovecot-ldap.conf.ext:
>
> ##### BEGIN
> uris = ldap://localhost/
> dn = "dovecot@newideatest.local"
> dnpass = "verystupid"
> sasl_bind = no
> tls = no
> ldap_version = 3
> deref = never
> scope = subtree
> base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
> auth_bind = yes

You probably would want to set this to 'no'; it causes dovecot to rebind after authentication. This is not required when you can return the password from LDAP; it is only required when you have to first do a lookup and then authenticate as the user to verify the password.

Hello Aki,

Thanks for looking at this.

In my case, when I change to "auth_bind = no", then this happens:

root@adc0:/etc/dovecot# telnet 0 143
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.
1 login odhiambo@newideatest.local XXXXXXX
1 NO [AUTHENTICATIONFAILED] Authentication failed.
1 logout

Auth succeeds though when I have it set to "yes".

My conf.d/auth-ldap.conf.ext contains:

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = static
  args = uid=Debian-exim gid=Debian-exim home=/var/spool/virtual/%Ld/%Ln
}

How can I return the password from LDAP?
I'd be happy to know what I need to do so that I can use your suggestion. This LDAP stuff is still quite some "Greek" to me.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
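The thread turns on one setting: with `auth_bind = yes` Dovecot finds the user's DN and then binds as that user, so the password is verified by the directory; with `auth_bind = no` Dovecot expects `pass_attrs` to hand it a readable password field and compares that itself, which is why the switch to `no` produced `[AUTHENTICATIONFAILED]` against an AD that does not hand out `userPassword`. The script below is an added example, not Dovecot's own code or anything posted in the thread: it parses the `key = value` format of `dovecot-ldap.conf.ext` (my own reading of the format, covering `#` comments, quoted values and the `=field=value` static form used in the page's `user_attrs`) and reports whether the passdb can verify passwords as configured. The sample configs are the thread's working file with the bind password replaced by a placeholder, and the same file with `auth_bind = no`.

```python
"""Lint a Dovecot dovecot-ldap.conf.ext for the auth_bind / password-lookup
trade-off discussed in the thread.  Added example, not Dovecot's own code;
the parsing rules and the checks are the author's reading of the format."""
import re
from typing import Dict, List, Optional, Tuple

_KV_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse Dovecot's 'key = value' lines: '#' comments and blank lines are
    skipped, and one pair of double quotes around a value (dn, dnpass) is removed."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        conf[key] = value
    return conf


def attr_map(spec: str) -> Dict[str, Optional[str]]:
    """Split a pass_attrs/user_attrs list into {dovecot_field: ldap_attribute}.
    'attr=field' maps an LDAP attribute to a field, 'attr' alone keeps the name,
    and '=field=value' (as in the page's user_attrs) is a static value, stored as None."""
    out: Dict[str, Optional[str]] = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        ldap_attr, _, rest = item.partition("=")
        if ldap_attr == "":
            out[rest.partition("=")[0]] = None
        else:
            out[rest or ldap_attr] = ldap_attr
    return out


Finding = Tuple[str, str]  # (severity, message)


def check_passdb(conf: Dict[str, str]) -> List[Finding]:
    """Findings about how this passdb will verify passwords."""
    findings: List[Finding] = []
    auth_bind = conf.get("auth_bind", "no").strip().lower() == "yes"
    pw_attr = attr_map(conf.get("pass_attrs", "")).get("password")

    if auth_bind:
        findings.append(("info", "auth_bind=yes: Dovecot searches with pass_filter (or uses "
                         "auth_bind_userdn), then binds as that DN with the user's password; "
                         "no readable password attribute is needed."))
        if pw_attr:
            findings.append(("warn", f"pass_attrs maps {pw_attr} to 'password', but with "
                             "auth_bind=yes the bind result decides; the attribute is unused."))
    else:
        if pw_attr is None:
            findings.append(("error", "auth_bind=no and pass_attrs yields no 'password' field: "
                             "Dovecot has nothing to compare against, so every login fails."))
        elif pw_attr.lower() == "userpassword":
            # Known AD behaviour: the directory does not return a user's password or
            # hash over LDAP by default, so this lookup comes back empty.
            findings.append(("error", "auth_bind=no reads userPassword; Active Directory does "
                             "not return it, so set auth_bind=yes and let the bind verify."))

    if conf.get("tls", "no").lower() == "no" and conf.get("uris", "").startswith("ldap://"):
        sev = "info" if "localhost" in conf["uris"] else "warn"
        findings.append((sev, "tls=no over ldap://: the bind DN password, and with auth_bind "
                         "each user's password, cross this connection in cleartext."))
    return findings


def errors(findings: List[Finding]) -> List[str]:
    """Only the findings that mean logins cannot succeed."""
    return [msg for sev, msg in findings if sev == "error"]


# Constructed sample: the thread's working config, bind password replaced by a placeholder.
WORKING = """\
##### BEGIN
uris = ldap://localhost/
dn = "dovecot@newideatest.local"
dnpass = "REDACTED-PLACEHOLDER"
sasl_bind = no
tls = no
ldap_version = 3
deref = never
scope = subtree
base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
auth_bind = yes
pass_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))
pass_attrs = sAMAccountName=user,userPassword=password
"""

# The same file after the change that produced [AUTHENTICATIONFAILED] in the thread.
LOOKUP_ONLY = WORKING.replace("auth_bind = yes", "auth_bind = no")

if __name__ == "__main__":
    for name, text in (("working", WORKING), ("auth_bind=no", LOOKUP_ONLY)):
        print(f"== {name}")
        for sev, msg in check_passdb(parse_ldap_conf(text)):
            print(f"[{sev}] {msg}")
```

Run it as-is to see the two verdicts side by side; point `parse_ldap_conf` at the contents of a real `dovecot-ldap.conf.ext` to lint your own file. The `tls` finding is deliberately only informational for `ldap://localhost/` as on the page, since the traffic never leaves the host.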