-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Sat, 5 Nov 2016, Peter Fraser wrote:
- I need to make sure the user logon name in AD and the samAccountname are exactly the same, case and all. It seems postfix uses the samAccountname and Dovecot the User logon name.
- I also noticed that if the Display name for a user in AD is blank, that user cannot log in using telnet <server ip> 110.
OK, this is something interesting
and dovecot-ldap.conf.ext reads as follows
#Custom Settings hosts = ip address ldap_version = 3 scope = subtree deref = never base = cn=users,dc=domain,dc=com dn = cn=administrator,cn=users,dc=domain,dc=com dnpass = password auth_bind = yes auth_bind_userdn = %n ldap_version = 3 scope = subtree user_attrs = home=/home/vmail/%u,=uid=vmail,=gid=vmail pass_attrs = uid=%n,userPassword=password #pass_attrs=uid=user, userpassword=password user_filter = (&(objectclass=person)(samaccountname=%n)) pass_filter = (&(objectclass=inetorgperson)(mail=%u))
Check out your 1. and pass_filter "postfix uses samAccountname" <-> pass_filter uses "mail" to identify an user.
So I suggest you use:
pass_filter = (&(objectclass=inetorgperson)(|(mail=%u)(samaccountname=%n)(cn=%n)))
Note: add all LDAP attributes to the LDAP query, that identify exactly one user (never more than one). If cn is not unique, use something you think is appropriate. Some examples in the net use userPrincipalName, ... Also, search the net for "dovecot active directory" and you'll find that some exclude entries with certain userAccountControl strings. That way Dovecot finds the user regardless of what s/he enters as username. You could even use something like (mail=%n@example.com)
pass_attrs=samaccountname=user, userpassword=password
This will return samaccountname as new username for userdb queries.
user_filter = (&(objectclass=person)(samaccountname=%n))
Finally, this query must find the user's data. Because pass_attrs mangle the "user" information of Dovecot to be samaccountname, this attribute must be present. If postfix delivers to this user, too, you are done. Otherwise use a similiar approach as with pass_filter. Dovecot LDA and LMTP do not use pass_filter, but only user_filter.
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQEVAwUBWCSKXnz1H7kL/d9rAQI2Wgf+OIFn5vssn1giLEocVSpZDvirLHLe4c1m br+PBzklJ2OtM4gYjVdcSkgOmuDGOoeIOcxZQIZwmz7413oCjmA8jloUzzYhj6Q6 6CSLHlBWMqtsnQC8+bITuEWBO+ygXT4A5HdEiJANT/oq+Jq1PXq6gN4W3CVwaq+4 f0b+H+Ejk9Xf8jjnpsvhL4SeS71fc7QwmcDZ3syxutQhWgu/urkAUqu3B0R9PD2r FOxJS+q4lF4JTni4vlWrqtuUeK9Mv675vLq1Uw8c+jLdlBgD5QKKsFNy3LTokMEm qU1g7uSISl16AmZ6arIk2ZEtBMpYlFYhxct/EMbjfgeKZ75zG9g6Fw== =S+La -----END PGP SIGNATURE-----