[Dovecot] Dovecot, AD and authenticated binds...
I posted earlier with reports of less than stellar success in using Active Directory for dovecot authentication.
My approach is to using the two-step approach of - obtaining the user DN by a search using an authenticated bind (using a service account) - then binding as that DN, and returning the relevant user attributes
This hasn't been succesful. Dovecot's authentication process does perform the (first) authenticated bind successfully, it does obtain the right DN, than just sits there doing nothing as far as I can tell, and after a long delay concludes authentication failure - shortly before deciding to perform the bind with the user-supplied credentials, successfully. Source inspection has not resulted in a glorious eureka yet.
So I thought, why not handle it myself? And I wrote a little script, using the checkpassword interface. I've enclosed it. The script is based on <http://wiki2.dovecot.org/AuthDatabase/CheckPassword>, but somehow the userdb_uid and userdb_gid I've passed back in the "EXTRA" environment variable get lost along the way.
It syslogs, and the syslogs show that the LDAP parts working as expected:
Mar 3 14:49:09 <mail.info> ponyboy checkpassword: successful authenticated bind and DN(js) lookup Mar 3 14:49:09 <mail.info> ponyboy checkpassword: DN(js) is CN=Jeroen Scheerder,OU=Users,OU=Netherlands,OU=ON2IT,DC=office,DC=on2it,DC=net Mar 3 14:49:09 <mail.info> ponyboy checkpassword: js authenticated
In dovecot's log, simultaneously, I see basically a successful login, except that the (user_)uid and (userdb_)gid work - unless I disable prefetch, and use a static userdb:
Mar 03 14:49:04 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth Mar 03 14:49:04 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat Mar 03 14:49:04 auth: Debug: auth client connected (pid=90856) Mar 03 14:49:09 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=+qFODbTzDgB/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=63246 resp=<hidden> Mar 03 14:49:09 auth: Debug: checkpassword(js,127.0.0.1,<+qFODbTzDgB/AAAB>): execute: /usr/local/etc/dovecot/checkpassword-on2it /usr/local/libexec/dovecot/checkpassword-reply Mar 03 14:49:09 auth: Debug: checkpassword(js,127.0.0.1,<+qFODbTzDgB/AAAB>): Received input: userdb_uid=143 userdb_gid=143 Mar 03 14:49:09 auth: Debug: checkpassword(js,127.0.0.1,<+qFODbTzDgB/AAAB>): exit_status=0 Mar 03 14:49:09 auth: Debug: client passdb out: OK 1 user=js Mar 03 14:49:09 auth: Debug: master in: REQUEST 4007395329 90856 1 29571963894e557ab643d2e51872ba55 session_pid=90899 request_auth_token Mar 03 14:49:09 auth: Debug: prefetch(js,127.0.0.1,<+qFODbTzDgB/AAAB>): success Mar 03 14:49:09 auth: Debug: master userdb out: USER 4007395329 js uid=143 gid=143 auth_token=e2d7c2463dd4c039010e904afb4ea45214cb7de5 Mar 03 14:49:09 imap-login: Info: Login: user=<js>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=90899, secured, session=<+qFODbTzDgB/AAAB> Mar 03 14:49:09 imap: Error: user js: Mail access for users with UID 143 not permitted (see first_valid_uid in config file, uid from userdb lookup). Mar 03 14:49:09 imap: Error: Invalid user settings. Refer to server log for more information.
With a static userdb (as shown in the config below): behold, everything works:
Mar 03 14:52:49 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=R0plGrTzGAB/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=40984 resp=<hidden> Mar 03 14:52:49 auth: Debug: checkpassword(js,127.0.0.1,<R0plGrTzGAB/AAAB>): execute: /usr/local/etc/dovecot/checkpassword-on2it /usr/local/libexec/dovecot/checkpassword-reply Mar 03 14:52:49 auth: Debug: checkpassword(js,127.0.0.1,<R0plGrTzGAB/AAAB>): Received input: userdb_uid=143 userdb_gid=143 Mar 03 14:52:49 auth: Debug: checkpassword(js,127.0.0.1,<R0plGrTzGAB/AAAB>): exit_status=0 Mar 03 14:52:49 auth: Debug: client passdb out: OK 1 user=js Mar 03 14:52:49 auth: Debug: master in: REQUEST 2818310145 90960 1 1b6ea6c4e6b90fd49a87195c35fa34ef session_pid=91002 request_auth_token Mar 03 14:52:49 auth: Debug: master userdb out: USER 2818310145 js uid=1000 gid=1000 home=/var/mail/on2it/js auth_token=21609f5f149bf80dec701dce9f288824cdf52c60 Mar 03 14:52:49 imap-login: Info: Login: user=<js>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=91002, secured, session=<R0plGrTzGAB/AAAB> Mar 03 14:53:04 imap(js): Info: Connection closed in=0 out=352
So it's working for me now. This is clearly not the way things ought to work... but the stock LDAP interaction seems broken to my limited mind.
So who would be so friendly as to point out the fallacies I've been pursuing?
Regards, Jeroen.
$ dovecot -n # 2.2.10: /usr/local/etc/dovecot/dovecot.conf # OS: FreeBSD 10.0-RELEASE amd64 ufs auth_debug = yes auth_mechanisms = plain login auth_username_format = %Ln auth_verbose = yes first_valid_gid = 1000 first_valid_uid = 1000 imap_client_workarounds = delay-newmail last_valid_gid = 1000 last_valid_uid = 1000 log_path = /tmp/dovecot mail_gid = 1000 mail_location = maildir:/var/mail/on2it/%Ln mail_uid = 1000 maildir_very_dirty_syncs = yes namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = /usr/local/etc/dovecot/checkpassword-on2it driver = checkpassword } protocols = imap service auth-worker { user = root } service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 } unix_listener auth-userdb { group = postfix mode = 0666 user = postfix } } service imap-login { inet_listener imap { port = 143 } } shutdown_clients = no ssl = no userdb { args = uid=1000 gid=1000 home=/var/mail/on2it/%Ln driver = static } valid_chroot_dirs = /var/mail/on2itn2it
participants (1)
-
Jeroen Scheerder