I’ve fixed the issue by using a slightly different configuration. Particularly the problem was due to mistaking %u (user@domain) vs %n (just user). Here are the configuration files for anyone looking to get it working with Active Directory on 2012 R2 on Dovecot 2.2.9 (or similar, whatever comes with Ubuntu Server 14.10).
Note: the uid & guid virtual need to exist (i.e. on Ubuntu, useradd virtual) and the directory /var/vmail must exist and be owned by virtual (referenced in 10-mail.conf and dovecot-ldap.conf.ext). I suspect as well that part of the reason that it is working is that I have UNIX services enabled on AD, which if you’re considering any integration with Linux you have to do anyways, so that must be enabled and configured for each user (which if you’re at this stage you likely know how to do).
Attached are the relevant configuration files. Hopefully it will save the unfortunate sysadmin tasked with integrating AD and Dovecot one day.
On November 27, 2014 at 12:15:05 AM, Aaron Jenkins (aaron@rsbuddy.com<mailto:aaron@rsbuddy.com>) wrote:
I’ve removed the dn / dnpass.
When attempting with new user:
$ cat /var/log/dovecot-info.log Nov 27 00:09:29 imap-login: Info: Internal login failure (pid=5553 id=1) (internal failure, 1 successful auths): user=<test.user>, method=PLAIN, rip=10.211.55.29, lip=10.211.55.33, mpid=5558, TLS, session=<rQXRqdIIZwAK0zcd> Nov 27 00:09:29 imap-login: Info: Internal login failure (pid=5559 id=1) (internal failure, 1 successful auths): user=<test.user>, method=PLAIN, rip=10.211.55.29, lip=10.211.55.33, mpid=5560, TLS, session=<A/TdqdIIaAAK0zcd> Nov 27 00:09:29 auth: Info: ldap(test.user@a d.automaton.uk,10.211.55.29,<mFneqdIIaQAK0zcd>): invalid credentials (given password: ThisIsAPass123) Nov 27 00:09:35 auth: Info: ldap(test.user@ad.automaton.uk,10.211.55.29,<mFneqdIIaQAK0zcd>): invalid credentials (given password: ThisIsAPass123) Nov 27 00:09:37 imap-login: Info: Disconnected (auth failed, 2 attempts in 8 secs): user=<test.user@ad.automaton.uk>, method=PLAIN, rip=10.211.55.29, lip=10.211.55.33, TLS, session=<mFneqdIIaQAK0zcd>
$ cat /var/log/dovecot-debug.log Nov 27 00:13:07 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth Nov 27 00:13:07 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth Nov 27 00:13:07 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so Nov 27 00:13:07 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat Nov 27 00:13:07 auth: Debug: auth client connected (pid=6219) Nov 27 00:13:07 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=/xfdttIIagAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=143 rport=44650 Nov 27 00:13:07 auth: Debug: client passdb out: CONT 1 Nov 27 00:13:07 auth: Debug: client in: CONT 1 AHRlc3QudXNlcgBUaGlzSXNBUGFzczEyMw== (previous base64 data may contain sensitive data) Nov 27 00:13:07 auth: Debug: client passdb out: OK 1 user=test.user Nov 27 00:13:07 auth: Debug: master in: REQUEST 2256273409 6219 1 a99d65893905abf592245098b369359e session_pid=6223 request_auth_token Nov 27 00:13:07 auth: Debug: ldap(test.user,10.211.55.29,</xfdttIIagAK0zcd>): user search: base=cn=users,dc=ad,dc=automaton,dc=uk scope=subtree filter=(&(name=test.user)(objectClass=person)) fields=homeDirectory,uidNumber,gidNumber Nov 27 00:13:07 auth: Debug: master userdb out: FAIL 2256273409 Nov 27 00:13:07 auth: Debug: auth client connected (pid=6224) Nov 27 00:13:07 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=gn7dttIIawAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=143 rport=44651 Nov 27 00:13:07 auth: Debug: client passdb out: CONT 1 Nov 27 00:13:07 auth: Debug: client in: CONT 1 AHRlc3QudXNlcgBUaGlzSXNBUGFzczEyMw== (previous base64 data may contain sensitive data) Nov 27 00:13:07 auth: Debug: client passdb out: OK 1 user=test.user Nov 27 00:13:07 auth: Debug: master in: REQUEST 1233256449 6224 1 587c0fc0406dbbdac1ccf4bb6267ff59 session_pid=6225 request_auth_token Nov 27 00:13:07 auth: Debug: ldap(test.user,10.211.55.29,<gn7dttIIawAK0zcd>): user search: base=cn=users,dc=ad,dc=automaton,dc=uk scope=subtree filter=(&(name=test.user)(objectClass=person)) fields=homeDirectory,uidNumber,gidNumber Nov 27 00:13:07 auth: Debug: master userdb out: FAIL 1233256449 Nov 27 00:13:07 auth: Debug: auth client connected (pid=6226) Nov 27 00:13:07 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=Ic3dttIIbAAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=143 rport=44652 Nov 27 00:13:07 auth: Debug: client passdb out: CONT 1 Nov 27 00:13:07 auth: Debug: client in: CONT 1 AHRlc3QudXNlckBhZC5hdXRvbWF0b24udWsAVGhpc0lzQVBhc3MxMjM= (previous base64 data may contain sensitive data) Nov 27 00:13:09 auth: Debug: client passdb out: FAIL 1 user=test.user@ad.automaton.uk Nov 27 00:13:09 auth: Debug: client in: AUTH 2 PLAIN service=imap secured session=Ic3dttIIbAAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=143 rport=44652 resp=AHRlc3QudXNlckBhZC5hdXRvbWF0b24udWsAVGhpc0lzQVBhc3MxMjM= (previous base64 data may contain sensitive data) Nov 27 00:13:15 auth: Debug: client passdb out: FAIL 2 user=test.user@ad.automaton.uk
$ ldapsearch -x -H ldap://dc1.ad.automaton.uk -D CN=test.user,CN=users,DC=ad,DC=automaton,DC=uk -W - -b CN=test.user,CN=users,DC=ad,DC=automaton,DC=uk # extended LDIF # # LDAPv3 # base <CN=test.user,CN=users,DC=ad,DC=automaton,DC=uk> with scope subtree # filter: (objectclass=*) # requesting: - #
# test.user, Users, ad.automaton.uk dn: CN=test.user,CN=Users,DC=ad,DC=automaton,DC=uk
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
And the password on AD for test.user is 100% ThisIsAPass123.
On November 26, 2014 at 12:16:34 AM, Steffen Kaiser (skdovecot@smail.inf.fh-brs.de<mailto:skdovecot@smail.inf.fh-brs.de>) wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, 26 Nov 2014, Aaron Jenkins wrote:
I’ve attempted the user Mail with the same password with the same result (binding as my own user was a last-ditch attempt).
OK, what about the:
As I understand auth_bind_userdn, you do not need dn/dnpass anyway, because auth_bind_userdn prevents searching for the user's DN
Did you removed the dn/dnpass settings?
What about the:
I wonder if the log shows the error from this setting or from the user's login attempt. Could you try another user?
If you login with another user (not aaron.jenkins) to IMAP, which username is listed in the logs then.
aaron@aaron-Parallels-Virtual-Platform:/etc/sssd$ ldapsearch -x -H ldap://dc1.ad.automaton.uk -D CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W - -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk Enter LDAP Password: # extended LDIF # # LDAPv3 # base <CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk> with scope subtree # filter: (objectclass=*) # requesting: - #
# aaron.jenkins, Users, ad.automaton.uk dn: CN=aaron.jenkins,CN=Users,DC=ad,DC=automaton,DC=uk
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
Same with the user Mail
On November 25, 2014 at 2:18:26 AM, Steffen Kaiser (skdovecot@smail.inf.fh-brs.de<mailto:skdovecot@smail.inf.fh-brs.de>) wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 25 Nov 2014, Aaron Jenkins wrote:
I’m having issues getting Dovecot to work with AD on 2012 R2 in a test environment. … Nov 19 09:22:23 auth: Debug: auth client connected (pid=10345) Nov 19 09:22:23 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=993 rport=56395 Nov 19 09:22:23 auth: Debug: client passdb out: CONT 1 Nov 19 09:22:23 auth: Debug: client in: CONT 1 (previous base64 data may contain sensitive data) Nov 19 09:22:29 auth: Debug: client passdb out: FAIL 1 user=aaron.jenkins temp
Your conf: auth_bind = yes dn = aaron.jenkins dnpass = dummypass1 auth_bind_userdn = CN=%u,CN=users,DC=ad,DC=automaton,DC=uk
Can you really succeed a simple auth with the dn aaron.jenkins ? This ought to be a full DN. As I understand auth_bind_userdn, you do not need dn/dnpass anyway, because auth_bind_userdn prevents searching for the user's DN, in which case Dovecot requires a connection before any user bind takes place.
I wonder if the log shows the error from this setting or from the user's login attempt. Could you try another user?
Can you auth from command line via
ldapsearch -x -H ldap://dc1.ad.automaton.uk -D
CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W \
- -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux)
iQEVAwUBVHRYQ3z1H7kL/d9rAQLlKgf9GB2o0/T84E9KykVU/IkoCuLQLfaNeTzg tI26Puwl1+tHXY+WkJs8uHTsKWaI5Qyh0Fv/6bR3ZSB5QhEkAQSE87WKfSJCe6FX i1261C5oLSqA8mWYoyPnkeHuHDFKp9YULnfqgBbLzz/7Y63i0dDgaql5stELZSwa XCzUwrEWdxdzgt8h7mnfG6fHn4xxfLeKCiA5e62afjXux4eCGclcytXOpIgl8z7u bULhGmxqyYDvjkGXCex/LYtKx+S6zSIMg/8Ior6SrPBy+IK0qUtwPoOssCY4cycd 4ZRVdvxjmjbHrzQdV/ZJn+jLqSI016l/lzASP7SUptHb8CjwxZxeCw== =6Zsw -----END PGP SIGNATURE----- ---------------Output of GPG------------------ Decryption of block failed gpg: Signature made Tue 25 Nov 2014 11:21:55 AM CET using RSA key ID 0BFDDF6B gpg: BAD signature from "Steffen Kaiser <skdovecot@smail.inf.fh-brs.de>"
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux)
iQEVAwUBVHWNNXz1H7kL/d9rAQLnnAf7B2u8IlAG8ayWgsGSOF6JQCYE071r8fvd 3QS5d8kLw59wDocUaRgDDZKflk3AJkpQVb4SNsrTKaESHk9W6vpG9U9LMoQH9Kcg w2R9nr/m5AH7GKx/aZSYpuJYCHZ9uMIv2lMorgUQb8iZdFcSdTa3p/aiDQf/yvjv yEB4W/tXugLZXsP43sEUjjM4yqaYRDM0D1d9GtohaxuZS+VxuZBEPRLD5Wlkh8cj 4NMrvdgPsAAu3jnhpkOkfRnx6mQ6wyPdd7tU0U8QRFtJcae24c7l8jlK785oEREM wCPRfp+HejnQWUzZ2XRjevv58LWa2teQ+U36zutN5Aj2/VTo+U7H+g== =P2I4 -----END PGP SIGNATURE-----