If you allow anonymous search on AD maybe you can try to set auth_bind = no .
a.
On 22/06/15 17:19, Luca Bertoncello wrote:
Hi again
I'm trying to authenticate a user against an LDAP Server (well, our AD, but it can LDAP).
This is my configuration:
hosts = my.server.local auth_bind = yes ldap_version = 3 base = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local scope = subtree user_attrs =
=home=/home/imapproxy/%u,
=mail=maildir:/home/imapproxy/%upass_attrs = uid=%u, userPassword=%w pass_filter = (&(objectClass=user)(sAMAccountName=%u)) auth_bind_userdn = company\%u
If I try to login on the LDAP-Server using ldapsearch it works, but with Dovecot not... I see this in my log:
Jun 22 16:14:08 proxy01 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=+agW4xsZ4gAKADPG#011lip=10.0.46.4#011rip=10.0.51.198#011lport=143#011rport=34018#011resp=<hidden> Jun 22 16:14:08 proxy01 dovecot: auth: Debug: client passdb out: OK#0111#011user=bertoncello Jun 22 16:14:08 proxy01 dovecot: auth: Debug: master in: REQUEST#0111586495489#01117122#0111#01161785e0770d6c48e7316ab484bc2778c#011session_pid=17125#011request_auth_token Jun 22 16:14:08 proxy01 dovecot: auth: Debug: ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>): user search: base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local scope=subtree filter=(&(objectClass=posixAccount)(uid=bertoncello)) fields= Jun 22 16:14:08 proxy01 dovecot: auth: Error: ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>): ldap_search(base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local filter=(&(objectClass=posixAccount)(uid=bertoncello))) failed: Operations error Jun 22 16:14:08 proxy01 dovecot: auth: Debug: master userdb out: FAIL#0111586495489 Jun 22 16:14:08 proxy01 dovecot: imap: Error: Internal auth failure (client-pid=17122 client-id=1) Jun 22 16:14:08 proxy01 dovecot: imap-login: Internal login failure (pid=17122 id=1) (internal failure, 1 successful auths): user=<bertoncello>, method=PLAIN, rip=10.0.51.198, lip=10.0.46.4, mpid=17125, TLS, session=<+agW4xsZ4gAKADPG>
and if I sniff with ngrep the comunication with the AD I see:
#### T 10.0.46.4:58761 -> 192.168.168.23:389 [AP] 0....
........ # T 192.168.168.23:389 -> 10.0.46.4:58761 [AP] 0........a............ ## T 10.0.46.4:58761 -> 192.168.168.23:389 [AP] 0#.........company\bertoncello..secret # T 192.168.168.23:389 -> 10.0.46.4:58761 [AP] 0........a............ ## T 10.0.46.4:58761 -> 192.168.168.23:389 [AP] 0....`........ # T 192.168.168.23:389 -> 10.0.46.4:58761 [AP] 0........a............ # T 10.0.46.4:58761 -> 192.168.168.23:389 [AP] 0.....c{.5CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local................1....objectClass..posixAccount....uid..bertoncello0. # T 192.168.168.23:389 -> 10.0.46.4:58761 [AP] 0........e................000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1. ## T 10.0.46.4:58761 -> 192.168.168.23:389 [AP] 0....B. ### T 192.168.168.23:389 -> 10.0.46.4:58761 [AR] ..and I can't understand why:
- I read "objectClass..posixAccount"
- The authentication does not work...
Thanks for your help! Luca Bertoncello (lucabert@lucabert.de)