Hi again
I'm trying to authenticate a user against an LDAP server (well, our
AD, but it can do LDAP).
This is my configuration:
hosts = my.server.local
auth_bind = yes
ldap_version = 3
base = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local
scope = subtree
user_attrs =
=home=/home/imapproxy/%u,
=mail=maildir:/home/imapproxy/%u
pass_attrs = uid=%u, userPassword=%w
pass_filter = (&(objectClass=user)(sAMAccountName=%u))
auth_bind_userdn = company\%u
If I try to log in to the LDAP server using ldapsearch it works, but
not with Dovecot...
I see this in my log:
Jun 22 16:14:08 proxy01 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=+agW4xsZ4gAKADPG#011lip=10.0.46.4#011rip=10.0.51.198#011lport=143#011rport=34018#011resp=<hidden>
Jun 22 16:14:08 proxy01 dovecot: auth: Debug: client passdb out: OK#0111#011user=bertoncello
Jun 22 16:14:08 proxy01 dovecot: auth: Debug: master in: REQUEST#0111586495489#01117122#0111#01161785e0770d6c48e7316ab484bc2778c#011session_pid=17125#011request_auth_token
Jun 22 16:14:08 proxy01 dovecot: auth: Debug: ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>): user search: base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local scope=subtree filter=(&(objectClass=posixAccount)(uid=bertoncello)) fields=
Jun 22 16:14:08 proxy01 dovecot: auth: Error: ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>): ldap_search(base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local filter=(&(objectClass=posixAccount)(uid=bertoncello))) failed: Operations error
Jun 22 16:14:08 proxy01 dovecot: auth: Debug: master userdb out: FAIL#0111586495489
Jun 22 16:14:08 proxy01 dovecot: imap: Error: Internal auth failure (client-pid=17122 client-id=1)
Jun 22 16:14:08 proxy01 dovecot: imap-login: Internal login failure (pid=17122 id=1) (internal failure, 1 successful auths): user=<bertoncello>, method=PLAIN, rip=10.0.51.198, lip=10.0.46.4, mpid=17125, TLS, session=<+agW4xsZ4gAKADPG>
and if I sniff the communication with the AD using ngrep I see:
####
T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
0............
#
T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
0........a............
##
T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
0#.........company\bertoncello..secret
#
T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
0........a............
##
T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
0....`........
#
T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
0........a............
#
T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
0.....c{.5CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local................1....objectClass..posixAccount....uid..bertoncello0.
#
T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
0........e................000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1.
##
T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
0....B.
###
T 192.168.168.23:389 -> 10.0.46.4:58761 [AR]
..
and I can't understand why:
- I read "objectClass..posixAccount"
- The authentication does not work...
Thanks for your help! Luca Bertoncello (lucabert@lucabert.de)
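The two things the log and the ngrep capture show, put into code: a userdb search that goes out on an unbound connection (AD answers with the "bind must be completed" error, which Dovecot reports as "Operations error"), and a filter mentioning posixAccount that the posted configuration never sets. The following is an added example, not code from the thread or from Dovecot. It lints a copy of the configuration above and scans constructed log lines modelled on the ones posted. It relies on two Dovecot facts: with auth_bind = yes the password is verified by binding as the user, but the separate userdb lookup is made on a connection bound with dn/dnpass, so without them that search is unauthenticated; and when user_filter is unset Dovecot falls back to its default (&(objectClass=posixAccount)(uid=%u)). The function names, the severity labels and the message texts are this example's own.

```python
"""Added example (not from the thread or from Dovecot): lint a
dovecot-ldap.conf.ext fragment for the passdb/userdb LDAP flow and scan
the auth debug log for failed userdb searches."""
import re

# Constructed copy of the configuration posted in the thread.
SAMPLE_CONFIG = """\
hosts = my.server.local
auth_bind = yes
ldap_version = 3
base = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local
scope = subtree
user_attrs = =home=/home/imapproxy/%u, =mail=maildir:/home/imapproxy/%u
pass_attrs = uid=%u, userPassword=%w
pass_filter = (&(objectClass=user)(sAMAccountName=%u))
auth_bind_userdn = company\\%u
"""

# Constructed log lines modelled on the auth debug output in the thread.
SAMPLE_LOG = """\
Jun 22 16:14:08 proxy01 dovecot: auth: Debug: client passdb out: OK#0111#011user=bertoncello
Jun 22 16:14:08 proxy01 dovecot: auth: Error: ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>): ldap_search(base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local filter=(&(objectClass=posixAccount)(uid=bertoncello))) failed: Operations error
Jun 22 16:14:08 proxy01 dovecot: auth: Debug: master userdb out: FAIL#0111586495489
"""

# Dovecot's default when user_filter is not configured.
DEFAULT_USER_FILTER = "(&(objectClass=posixAccount)(uid=%u))"


def parse_config(text):
    """Parse 'key = value' lines into a dict; blanks and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def lint_ldap_config(cfg):
    """Return (severity, message) findings; severities/messages are this example's own."""
    findings = []
    auth_bind = cfg.get("auth_bind", "no").lower() == "yes"
    has_bind_creds = bool(cfg.get("dn")) and bool(cfg.get("dnpass"))
    if auth_bind and not has_bind_creds:
        findings.append(("error",
            "auth_bind=yes but no dn/dnpass: the userdb search runs "
            "unauthenticated, which AD refuses (a bind is required)"))
    if "user_filter" not in cfg:
        findings.append(("warning",
            "user_filter not set; Dovecot falls back to " + DEFAULT_USER_FILTER
            + ", which plain AD user objects normally do not match"))
    if auth_bind and "userPassword" in cfg.get("pass_attrs", ""):
        findings.append(("warning",
            "pass_attrs asks for userPassword, but with auth_bind=yes the "
            "password is verified by the bind, not by reading an attribute"))
    if "CN=Schema,CN=Configuration" in cfg.get("base", ""):
        findings.append(("warning",
            "base points into the schema partition; user objects live in "
            "the domain partition (for example DC=company,DC=local)"))
    return findings


# Matches Dovecot's "ldap_search(base=... filter=...) failed: <error>" lines.
SEARCH_FAIL = re.compile(
    r"ldap_search\(base=(?P<base>\S+) filter=(?P<filter>\(.*\))\) failed: (?P<err>.+)$")


def failed_searches(log_text):
    """Extract (filter, error) pairs from failed ldap_search log lines."""
    out = []
    for line in log_text.splitlines():
        m = SEARCH_FAIL.search(line)
        if m:
            out.append((m.group("filter"), m.group("err")))
    return out


def explain(cfg, log_text):
    """Combine config findings with log evidence of a failed default-filter search."""
    notes = [f"[{sev}] {msg}" for sev, msg in lint_ldap_config(cfg)]
    for flt, err in failed_searches(log_text):
        if flt.startswith("(&(objectClass=posixAccount)"):
            notes.append(f"[log] userdb search used the default filter and failed: {err}")
    return notes


if __name__ == "__main__":
    for note in explain(parse_config(SAMPLE_CONFIG), SAMPLE_LOG):
        print(note)
```

Running it on the posted configuration reports the missing bind credentials, the defaulted user_filter, the unused userPassword attribute and the schema-partition base, and then matches the "Operations error" line to the default filter, which is the chain of events behind the "posixAccount" the original poster could not place.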
If you allow anonymous search on AD maybe you can try to set auth_bind = no .
a.
On 22/06/15 17:19, Luca Bertoncello wrote:
Alexandros Soumplis soumplis@ekt.gr wrote:
If you allow anonymous search on AD maybe you can try to set auth_bind = no .
I'm sorry, but I think the AD does NOT allow anonymous search... I'm new at this company and I don't know the server exactly, but every try I did without any authentication failed...
Any other idea?
Thanks Luca Bertoncello (lucabert@lucabert.de)
Can you try adding the following options
user_filter = (&(samAccountName=%Ln)(objectClass=person))
pass_filter = (&(samAccountName=%Ln)(objectClass=person))
pass_attrs = userPassword=password
default_pass_scheme = CRYPT
a.
On 22/06/15 23:00, Luca Bertoncello wrote:
On Monday 22 June 2015 14:19:52 Luca Bertoncello wrote:
pass_attrs = uid=%u, userPassword=%w
BTW, is there a userPassword attribute? As I remember, on AD it is sAMAccountpassword.
Hi,
I would suggest starting with a simplified config, by example:
hosts = my.server.local
auth_bind = yes
ldap_version = 3
base = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local
base = DC=company,DC=local
scope = subtree
user_attrs =
=home=/home/imapproxy/%u,
=mail=maildir:/home/imapproxy/%u
remove the user_attrs. In my config, home is defined in userdb in the main dovecot.conf
pass_attrs = uid=%u, userPassword=%w
remove pass_attrs
pass_filter = (&(objectClass=user)(sAMAccountName=%u))
pass_filter = (sAMAccountName=%Ln)
And add:
user_filter = (sAMAccountName=%Ln)
auth_bind_userdn = company\%u
something tickles my brain that says my setup didn't like that. Anyway, my config has %Ln@company.xyz
If that works, then you can add the other bits one at a time till it fails....
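Both suggestions in the thread replace %u with %Ln in the filters. To show what that substitution does to a login name, here is an added example, not code from the thread or from Dovecot: it expands the %-variables used in the posted filters (%u, %n, %d and the %L lowercase modifier, with Dovecot's documented meanings of %u = full login name, %n = the part before "@", %d = the domain) and escapes every substituted value per RFC 4515 before it lands in a filter. The escaping function and the expander are this example's own; the sample login names are constructed.

```python
"""Added example (not from the thread or from Dovecot): expand %u/%n/%d
(optionally with the L modifier, as in %Ln) into an LDAP filter with
RFC 4515 escaping of the substituted value."""

# RFC 4515: these characters must be written as \XX inside filter values.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    """Escape one value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _variable_value(code, username):
    """Raw value for the variable codes used in the thread's filters."""
    user, _, domain = username.partition("@")
    if code == "u":
        return username      # full login name
    if code == "n":
        return user          # part before '@'
    if code == "d":
        return domain        # part after '@' (empty if none)
    raise ValueError(f"unsupported variable %{code}")


def expand_filter(template, username):
    """Expand the template for one login name; %% yields a literal percent."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        i += 1
        if i < len(template) and template[i] == "%":
            out.append("%")
            i += 1
            continue
        lower = False
        if i < len(template) and template[i] == "L":   # %L modifier: lowercase
            lower = True
            i += 1
        if i >= len(template):
            raise ValueError("dangling % at end of template")
        value = _variable_value(template[i], username)
        i += 1
        if lower:
            value = value.lower()
        out.append(ldap_filter_escape(value))
    return "".join(out)


# The pass_filter from the original post and the filter suggested in the replies.
THREAD_PASS_FILTER = "(&(objectClass=user)(sAMAccountName=%u))"
SUGGESTED_FILTER = "(sAMAccountName=%Ln)"


def demo():
    """Expand both filters for a few constructed login names."""
    cases = {}
    for name in ("bertoncello", "Luca.Bertoncello@company.local", "x*)(cn=*"):
        cases[name] = (expand_filter(THREAD_PASS_FILTER, name),
                       expand_filter(SUGGESTED_FILTER, name))
    return cases


if __name__ == "__main__":
    for name, (original, suggested) in demo().items():
        print(f"{name!r}\n  %u : {original}\n  %Ln: {suggested}")
```

For a plain "bertoncello" the two filters differ only in the surrounding objectClass clause; for "Luca.Bertoncello@company.local" the %u form carries the whole address into sAMAccountName while %Ln yields "luca.bertoncello", which is what an AD account name looks like. The third name shows why the escaping step is there: filter metacharacters typed at login become \2a, \28 and \29 instead of changing the filter's structure.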
participants (4): Alexandros Soumplis, Bob Miller, Luca Bertoncello, mihai@badici.ro