On Thu, 3 Nov 2005, Stephen Lee wrote:
> I would like dovecot/pop3 to authenticate against a Windows ADS server. I've got authentication working for Samba and ssh using pam_winbind.so. Here's what my /etc/pam.d/dovecot file looks like:
>
> #%PAM-1.0
> auth       sufficient   pam_winbind.so
> #auth      required     pam_nologin.so
> auth       required     pam_stack.so service=system-auth
> account    required     pam_stack.so service=system-auth
> account    sufficient   pam_winbind.so
> session    required     pam_stack.so service=system-auth
> session    sufficient   pam_winbind.so
I have it like this; if you want to create the user's home directory automatically, you should add the pam_mkhomedir directive.

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_winbind.so
account    required     pam_stack.so service=system-auth
account    required     pam_winbind.so
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    required     pam_stack.so service=system-auth
> and this is what a portion of the dovecot.conf file looks like:
>
> auth default {
>   # Space separated list of wanted authentication mechanisms:
>   #   plain digest-md5 cram-md5 apop anonymous
>   mechanisms = plain
>
>   passdb pam {
>     args = dovecot
>   }
> }
Add the -session arg if you want pam_mkhomedir to work.
> To get SSH to authenticate against ADS, the user name has to be prefaced with the domain name like "domain\user1". This is what I get when I attempt to log in to Dovecot via Outlook/pop3 with the same naming scheme: Dovecot does not like the "\" character and I'm not sure authentication gets past that step to get to the pam phase.
You could make it use the default domain automatically, and then you don't need the domain part in the username.

smb.conf:

  winbind separator = +
  winbind use default domain = yes
  workgroup = YOURDOMAIN
> Any experiences and suggestions with Dovecot authentication against Windows Active Directory?
Yep, I have had it running for a couple of years by now.
-- Pasi Sjöholm
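The two auth stacks in this thread differ in their PAM control flags ("sufficient" versus "required" for pam_winbind.so), which changes who can log in. The following is an added example, not part of the mail or of Dovecot/Samba: it parses both stacks and applies the standard Linux-PAM control-flag rules to constructed module outcomes (the per-module success values are assumptions, not real winbind or system-auth results).

```python
"""Simulate Linux-PAM control-flag semantics for the two auth stacks quoted
in the thread. Module outcomes below are constructed inputs for illustration,
not the result of calling winbind or the system-auth stack."""

# The "auth" lines of the two /etc/pam.d/dovecot files from the thread.
ORIGINAL_STACK = """\
auth sufficient pam_winbind.so
auth required pam_stack.so service=system-auth
"""

REPLY_STACK = """\
auth required pam_stack.so service=system-auth
auth required pam_winbind.so
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one PAM facility, skipping comments."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or parts[0] != facility:
            continue
        entries.append((parts[1], parts[2]))
    return entries

def evaluate(entries, results):
    """Apply Linux-PAM control semantics. `results` maps module name -> bool
    (True = PAM_SUCCESS). Returns True if the whole stack succeeds."""
    failed = False
    for control, module in entries:
        ok = results.get(module, False)
        if control == "required":
            failed = failed or not ok      # keep going, but remember failure
        elif control == "requisite":
            if not ok:
                return False               # fail immediately
        elif control == "sufficient":
            if ok and not failed:
                return True                # short-circuit success
        # "optional": ignored here (only matters if it is the sole module)
    return not failed

# Constructed scenarios (assumptions): a domain user that only winbind knows,
# and a local user that only the system-auth stack knows.
AD_USER = {"pam_winbind.so": True, "pam_stack.so": False}
LOCAL_USER = {"pam_winbind.so": False, "pam_stack.so": True}

def compare():
    """Return {scenario: (original_stack_result, reply_stack_result)}."""
    return {name: (evaluate(parse_stack(ORIGINAL_STACK), who),
                   evaluate(parse_stack(REPLY_STACK), who))
            for name, who in (("ad_user", AD_USER), ("local_user", LOCAL_USER))}
```

Under these constructed outcomes the "sufficient" stack accepts either kind of user, while the all-"required" stack accepts a user only if both pam_stack.so and pam_winbind.so succeed for them.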