Problem w/ Dovecot authentication against AD
Hi,
I had to start using Dovecot on a machine as the new OS does not come with Cyrus IMAP anymore. After multiple problems, I managed to get everything working, including LDAP authentication against the (old) Novell LDAP server. Anyway, the authentication is supposed to be migrated to the new Windows AD. For other tools, I successfully migrated the config to use AD, but somehow Dovecot does not work as it should.
I've been going back and forth, trying everything I could think of, but still can't get it to work.
Here's the excerpt from the config file:
hosts = 10.10.10.210
uris = ldap://10.10.10.210:389
dn = cn=Administrator,cn=Users,dc=srv,dc=SLD,dc=net
dnpass = PASSWORD
tls = no
debug_level = -1
auth_bind = yes
ldap_version = 3
base = DC=srv,dc=SLD,dc=net
deref = never
scope = subtree
user_attrs = sAMAccountName=user
user_filter = (&(sAMAccountName=%n)(objectclass=person))
pass_attrs = sAMAccountName=user
pass_filter = (&(sAMAccountName=%n)(objectclass=person))
iterate_attrs = mail=user
iterate_filter = (objectclass=person)
default_pass_scheme = PLAIN
The problem might be caused by the referral info sent by the AD, which I can see both in the results Dovecot gets (checked with tcpdump) and in ldapsearch ... apart from the actual search result, I always get three additional results:
# refldap://DomainDnsZones.srv.SLD.net/DC=DomainDnsZones,DC=srv,DC=SLD,DC=net
# refldap://ForestDnsZones.srv.SLD.net/DC=ForestDnsZones,DC=srv,DC=SLD,DC=net
# refldap://srv.SLD.net/CN=Configuration,DC=srv,DC=SLD,DC=net
From what I can see in the pcap as well as some of the logs, dovecot binds to the AD, sends out the LDAP query correctly, gets the lookup result with the user queried plus the above three referrals, then unbinds from the (named) bind, attempts a simple bind without dn/dnpass (multiple times), and finally sends three additional search requests under the search bases
cn=Configuration,DC=srv,DC=SLD,DC=net
DC=ForestDnsZones,DC=srv,DC=SLD,DC=net
DC=DomainDnsZones,DC=srv,DC=SLD,DC=net
These three requests are denied by the AD as they are not permitted without a successful prior bind. Dovecot then fails the auth process.
Is there a way to stop Dovecot from using the referrals? OpenLDAP seems to have an option to disable referrals, but Dovecot does not allow that option in its LDAP config, and having the option set in the global ldap.conf doesn't seem to help any, either. Is there possibly a way to disable the referral information on the AD side?
Thanks, Garry
-- PGP Fingerprint: A79F A33F 5B13 BEB7 A51D 274F F99C 3AE2 4BCB 7015
You need to disable referral following in /etc/ldap/ldap.conf (or whatever applies to your system)
Aki
On 13.09.2017 14:34, Garry Glendown wrote:
> You need to disable referral following in /etc/ldap/ldap.conf (or whatever applies to your system)

I had found that option ("referrals off") earlier, but it didn't work - while doing more (new) tcpdumps, I noticed the result format had changed, which reminded me that I had changed LDAP to version 2 during my extended attempts to get it to work ... after switching back to version 3, the authentication finally worked!!!
Thanks, -garry
-- PGP Fingerprint: A79F A33F 5B13 BEB7 A51D 274F F99C 3AE2 4BCB 7015
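Putting the thread's resolution together, here is an added example of a dovecot-ldap.conf.ext for the AD setup described above. It is editor-supplied, not Garry's file and not Dovecot project code; the hostname dc1.srv.SLD.net, the service-account DN, the CA file path and the account-disabled filter are assumptions. Besides `ldap_version = 3`, it changes two things the posted config leaves exposed: with `auth_bind = yes` Dovecot verifies the password by doing a simple bind to AD as the user, so over `ldap://10.10.10.210:389` with `tls = no` the user's password crosses the network in the clear, as does the lookup account's `dnpass`; and the lookup bind does not need `cn=Administrator`, a read-only service account can run the searches.

```conf
# /etc/dovecot/dovecot-ldap.conf.ext
# Added example for the AD case in this thread; not the poster's file and not
# Dovecot project code. Hostname, service-account DN, CA path and the
# account-disabled filter are assumptions.
# This file holds dnpass: keep it root-owned, mode 0600.

# LDAPS instead of ldap://...:389 with tls = no. With auth_bind the user's own
# password is sent to AD in a simple bind and would otherwise travel in clear.
uris = ldaps://dc1.srv.SLD.net:636
tls_require_cert = hard
tls_ca_cert_file = /etc/ssl/certs/ad-root-ca.pem
# Alternative: keep ldap://dc1.srv.SLD.net:389 and set tls = yes (STARTTLS).

# Protocol version 3. In the thread, authentication only worked after
# switching back to 3 from the ldap_version = 2 left over from troubleshooting.
ldap_version = 3

# -1 logs every LDAP operation; set it back to 0 once things work.
debug_level = 0

# The lookup bind only needs to read user objects: a dedicated read-only
# service account instead of cn=Administrator.
dn = cn=svc-dovecot,ou=ServiceAccounts,dc=srv,dc=SLD,dc=net
dnpass = PASSWORD

# Verify the password by binding as the DN that pass_filter finds.
auth_bind = yes
base = dc=srv,dc=SLD,dc=net
scope = subtree
deref = never

# Match on the login name's local part (%n), restricted to person objects
# whose userAccountControl does not have the ACCOUNTDISABLE bit (2) set;
# 1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule.
user_attrs = sAMAccountName=user
user_filter = (&(sAMAccountName=%n)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = sAMAccountName=user
pass_filter = (&(sAMAccountName=%n)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
iterate_attrs = sAMAccountName=user
iterate_filter = (&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
default_pass_scheme = PLAIN
```

Referral chasing itself is not a Dovecot setting but a libldap one, so it lives in the OpenLDAP client config that the library reads: add the line `REFERRALS off` to /etc/ldap/ldap.conf (Debian and derivatives) or /etc/openldap/ldap.conf (Red Hat family). Without it, libldap follows the three SearchResultReference entries AD returns for the DomainDnsZones, ForestDnsZones and Configuration partitions on new connections with an anonymous bind, which AD rejects; that is exactly the unbind, anonymous bind and three failed searches seen in the pcap above. ldapsearch shows the same references as the `# refldap://` lines but does not follow them unless run with -C, which is why it does not fail the same way. Pointing `uris` at the Global Catalog port (3268, or 3269 for LDAPS) is commonly used as an alternative, since a GC search does not return these references.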
Hi,
Perhaps you need auth_bind = yes?
MJ
On 09/13/2017 01:34 PM, Garry Glendown wrote:
participants (3): Aki Tuomi, Garry Glendown, mj