Hi Mark,
I haven't done it, but I've played with the scenario enough to have an idea.
What you want to do is have Outlook auth via NTLM to Dovecot.
First that means having the machine be a domain member (usually via Samba) in order to properly process NTLM/Kerberos handshake - which it appears you have. Second that means having Dovecot know how to accept NTLM authentication (SPA) to pass to the Samba backend.
A 'Dovecot NTLM' search led me here: http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
What's not on the page that I'd expect to see, are the compile-time requirements for inclucing samba/kerberos libs within Dovecot. If it doesn't 'just work' with the config changes in the wiki, you may need to recompile with the right features.
Also - check the permissions of the ntlm_auth program. That's caused many issues with Radius installs, IIRC.
Hope that helps!
Rick
Quoting Mark Foley <mfoley@ohprs.org>:
This can't be that hard. I think I've enabled LDAP in Dovecot just by including dovecot-ldap.conf.ext in 10-auth.conf and using the default settings. I now have the configuration shown below. Two questions:
How do I set Outlook to authenticate with LDAP? Currently the Outlook accounts still have the ID and password set in "Logon Information". Checking "Require logon using Secure Password Authentication (SPA)" doesn't work. All I can seem to find on the Internet is how to configure address books using LDAP.
Should I remove "passdb { drive = shadow } from the dovecot configuration?
Anybody?
$ doveconf -n # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 3.10.17 x86_64 Slackware 14.1 auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } protocols = imap ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key userdb { driver = passwd } userdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } verbose_ssl = yes
-----Original Message----- From: Mark Foley <mfoley@ohprs.org> Date: Wed, 02 Sep 2015 13:31:35 -0400 To: dovecot@dovecot.org Subject: How to "Windows Authenticate"
I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on Windows workstations for over 6 months with no problems. Dovecot is hosted on the office Samba4 AC/DC server.
I have been using auth_mechanisms plain login, and passdb driver = shadow.
What I'd like to do now is use the "Windows Authenticated" login so I don't have to have separate passwords for users logging into the Windows AD workstations and their Outlook clients.
If anyone has actually done this I'd appreciate some tips. My various attempts have not been successful.
Here is my current config:
$ doveconf -n # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 3.10.17 x86_64 Slackware 14.1 auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } protocols = imap ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key userdb { driver = passwd } verbose_ssl = yes
Thanks, Mark Foley
From dovecot-bounces@dovecot.org Wed Sep 2 13:32:13 2015 Return-Path: <dovecot-bounces@dovecot.org> X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.98.6 at mail X-Spam-Checker-Version: SpamAssassin 3.3.2-_revision__1.14__ (2011-06-06) on mail.hprs.local X-Spam-Level: X-Spam-Status: No, score=0.0 required=3.0 tests=none autolearn=unavailable version=3.3.2-_revision__1.14__ X-Original-To: dovecot@dovecot.org Delivered-To: dovecot@dovecot.org X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.98.6 at mail From: Mark Foley <mfoley@ohprs.org> Date: Wed, 02 Sep 2015 13:31:35 -0400 Organization: Ohio Highway Patrol Retirement System To: dovecot@dovecot.org Subject: How to "Windows Authenticate" User-Agent: Heirloom mailx 12.5 7/5/10 Content-Type: text/plain; charset=us-ascii X-BeenThere: dovecot@dovecot.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Dovecot Mailing List <dovecot.dovecot.org> List-Unsubscribe: <http://dovecot.org/cgi-bin/mailman/options/dovecot>, <mailto:dovecot-request@dovecot.org?subject=unsubscribe> List-Archive: <http://dovecot.org/pipermail/dovecot/> List-Post: <mailto:dovecot@dovecot.org> List-Help: <mailto:dovecot-request@dovecot.org?subject=help> List-Subscribe: <http://dovecot.org/cgi-bin/mailman/listinfo/dovecot>, <mailto:dovecot-request@dovecot.org?subject=subscribe> Errors-To: dovecot-bounces@dovecot.org Sender: "dovecot" <dovecot-bounces@dovecot.org> Status: R
I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on Windows workstations for over 6 months with no problems. Dovecot is hosted on the office Samba4 AC/DC server.
I have been using auth_mechanisms plain login, and passdb driver = shadow.
What I'd like to do now is use the "Windows Authenticated" login so I don't have to have separate passwords for users logging into the Windows AD workstations and their Outlook clients.
If anyone has actually done this I'd appreciate some tips. My various attempts have not been successful.
Here is my current config:
$ doveconf -n # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 3.10.17 x86_64 Slackware 14.1 auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } protocols = imap ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key userdb { driver = passwd } verbose_ssl = yes Thanks, Mark Foley