[Dovecot] LDAP (AD) auth problem
I'm trying to authenticate users using MS AD with auth_bind option. Here is my config file:
# 1.0.15: /etc/dovecot/dovecot.conf
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imaps
ssl_cert_file: /etc/dovecot/ssl/cert.pem
ssl_key_file: /etc/dovecot/ssl/key.pem
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mail_debug: yes
mail_plugins: acl
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
plugin:
  acl: vfile

Content of dovecot-ldap.conf:
hosts = myhost:389
auth_bind = yes
auth_bind_userdn = cn=%n,ou=People,dc=company,dc=com
base = ou=People,dc=company,dc=com
user_attrs = mailNickname=home
user_filter = (&(objectClass=user)(sAMAccountName=%n))
user_global_uid = vmail
user_global_gid = vmail
Using the same options I can fetch info with ldapsearch:
ldapsearch -h myhost -b 'dc=company,dc=com' -D 'cn=username,ou=People,dc=company,dc=com' -x -W '(&(objectClass=user)(sAMAccountName=username))'
Dovecot doesn't work with this setting and shows in the log:
dovecot: auth(default): ldap(username,10.131.11.147): ldap_search() failed: Operations error
Using tcpdump I found the cause of it: it seems Dovecot binds to the AD server, then drops the connection and tries to do the search without a bind. During the sniff I see this response to my LDAP search:
LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection
Found a similar problem on the mailing list, without a solution: http://markmail.org/message/a6pui34ewb5bd55d
Kindly asking what to do with it? :)
-- Best Regards
Hello,
Using port 3268 I faced absolutely the same behavior. So, it doesn't matter in this case.
On Tue, May 26, 2009 at 1:33 AM, Timo Sirainen tss@iki.fi wrote:
On Mon, 2009-05-25 at 17:07 +0200, Misha Volodko wrote:
I'm trying to authenticate users using MS AD with auth_bind option. Here is my config file: .. content of dovecot-ldap.conf hosts = myhost:389
You should use port 3268 with AD.
-- Gooood Night
Hello,
Tried with version 1.1.13, the same issue. Has anybody succeeded in authenticating virtual users using Active Directory and the authentication binds mechanism? I've found a lot of examples of how to use password lookups, but I cannot use them, unfortunately.
On Tue, May 26, 2009 at 9:08 AM, Misha Volodko pablo@honey.org.ua wrote:
Hello,
Using port 3268 I faced absolutely the same behavior. So, it doesn't matter in this case.
On Tue, May 26, 2009 at 1:33 AM, Timo Sirainen tss@iki.fi wrote:
On Mon, 2009-05-25 at 17:07 +0200, Misha Volodko wrote:
I'm trying to authenticate users using MS AD with auth_bind option. Here is my config file: .. content of dovecot-ldap.conf hosts = myhost:389
You should use port 3268 with AD.
-- Best Regards
On Mon, 2009-05-25 at 17:07 +0200, Misha Volodko wrote:
Using tcpdump I found the cause of it: it seems Dovecot binds to the AD server, then drops the connection and tries to do the search without a bind. During the sniff I see this response to my LDAP search: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection
Dovecot drops the user bind when it does the userdb lookup. If AD doesn't support anonymous lookups, you can specify some user with dn and dnpass settings and Dovecot will use it for the userdb lookups.
If I use dn and dnpass it'd use the password lookups mechanism; for this, access to the password field in LDAP would have to be granted to some particular user. Unfortunately, that's impossible. That's why I want to use the auth_bind way.
On Thu, May 28, 2009 at 11:57 PM, Timo Sirainen tss@iki.fi wrote:
On Mon, 2009-05-25 at 17:07 +0200, Misha Volodko wrote:
Using tcpdump I found the cause of it: it seems Dovecot binds to the AD server, then drops the connection and tries to do the search without a bind. During the sniff I see this response to my LDAP search: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection
Dovecot drops the user bind when it does the userdb lookup. If AD doesn't support anonymous lookups, you can specify some user with dn and dnpass settings and Dovecot will use it for the userdb lookups.
-- Gooood Night
No, it doesn't use password lookups. It still would do auth binding, but the userdb lookup would be done when bound to the specified dn.
On May 29, 2009, at 9:56 AM, Misha Volodko wrote:
If I use dn and dnpass it'd use the password lookups mechanism; for this, access to the password field in LDAP would have to be granted to some particular user. Unfortunately, that's impossible. That's why I want to use the auth_bind way.
On Thu, May 28, 2009 at 11:57 PM, Timo Sirainen tss@iki.fi wrote:
On Mon, 2009-05-25 at 17:07 +0200, Misha Volodko wrote:
Using tcpdump I found the cause of it: it seems Dovecot binds to the AD server, then drops the connection and tries to do the search without a bind. During the sniff I see this response to my LDAP search: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection
Dovecot drops the user bind when it does the userdb lookup. If AD doesn't support anonymous lookups, you can specify some user with dn and dnpass settings and Dovecot will use it for the userdb lookups.
-- Gooood Night
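A dovecot-ldap.conf that combines the two mechanisms Timo describes, as an added example that is not from this thread or from the Dovecot project: the user's own credentials are still verified with auth_bind, and a separate, low-privilege service account is used only for the userdb lookup that follows. The service-account DN and password shown are placeholders; such an account needs read access to the attributes named in user_attrs (here mailNickname), not to any password attribute.

```ini
# dovecot-ldap.conf (added example for Dovecot 1.x; DN and password below are placeholders)
hosts = myhost:389

# Step 1: the user's password is verified by binding to AD as that user.
# No password attribute is ever read from the directory, so no account
# needs read access to password data.
auth_bind = yes
auth_bind_userdn = cn=%n,ou=People,dc=company,dc=com

# Step 2: the userdb lookup runs on a separate connection, after the user
# bind has been dropped. AD refuses unauthenticated searches ("a successful
# bind must be completed on the connection"), so bind with a read-only
# service account for this lookup only. Placeholder values:
dn = cn=dovecot-lookup,ou=Service Accounts,dc=company,dc=com
dnpass = REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD

# userdb lookup: resolves the home directory from mailNickname under the
# service-account bind; uid/gid are fixed for virtual users.
base = ou=People,dc=company,dc=com
user_attrs = mailNickname=home
user_filter = (&(objectClass=user)(sAMAccountName=%n))
user_global_uid = vmail
user_global_gid = vmail
```

Because dnpass is stored in cleartext, keep this file readable only by root (for example mode 0600). In AD the lookup account can be an ordinary domain user with no extra group memberships, since reading mailNickname is permitted to authenticated users by default; granting it nothing beyond that limits what a leaked dnpass could be used for.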