[Dovecot] Dovecot Authentication through LDAP Server
I have a Samba PDC with LDAP (Samba version 3.0.21c with OpenLDAP 2.3.19), where I have all the users. I have configured sendmail on another system with Dovecot as the IMAP and POP3 server. I wanted to enable user authentication from the LDAP server, which is on the Samba PDC.
So I configured /etc/dovecot.conf:
################################################################
protocols = pop3 imap
imap_listen = [::]
pop3_listen = [::]
login_dir = /var/run/dovecot-login
login = imap
login_user = testuser
login = pop3
verbose_proctitle = yes
maildir_copy_with_hardlinks = yes
mbox_locks = fcntl
auth = default
auth_mechanisms = plain digest-md5
auth_userdb = ldap /etc/dovecot-ldap.conf
auth_passdb = ldap /etc/dovecot-ldap.conf
auth_user = dovecot
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
################################################################
configured /etc/dovecot-ldap.conf
#######################################################################
# NOTE: We don't support "authentication binds", so you'll have to give
# dovecot-auth read access to userPassword field in LDAP server. With OpenLDAP
# this is done by modifying /etc/ldap/slapd.conf. There should already be
# something like this:
#
# access to attribute=userPassword
#        by dn="<dovecot's dn>" read # add this
#        by anonymous auth
#        by self write
#        by * none

# Space separated list of LDAP hosts to use. host:port is allowed too.
hosts = 192.168.129.18
# Distinguished Name - the username used to login to the LDAP server
dn = uid=root,ou=People,dc=msdpl,dc=com
# Password for LDAP server
dnpass = mobil5@b1d
# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3
# LDAP base
base = dc=msdpl,dc=com
# Dereference: never, searching, finding, always
deref = never
# Search scope: base, onelevel, subtree
scope = subtree
# User attributes in order:
# Virtual user name (user@domain)
# Home directory
# MAIL environment
# System user name (for initgroups())
# System UID
# System GID
#user_attrs = uid,homeDirectory,,uid,uidNumber,gidNumber
user_attrs = uid,homeDirectory,,uid,,
# Filter for user lookup. Some variables can be used:
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if user there's no domain
user_filter = (&(objectClass=posixAccount)(uid=%u))
#ser_filter = (&(objectClass=sambaSamAccount)(uid=%u))
# Password checking attributes in order:
# Virtual user name (user@domain)
# Password, may optionally start with {type}, eg. {crypt}
pass_attrs = uid,userPassword
# Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
# Default password scheme. "{scheme}" before password overrides this.
# Currently supported schemes include PLAIN, PLAIN-MD5, DIGEST-MD5, CRYPT
#default_pass_scheme = CRYPT
# You can use same UID and GID for all user accounts if you really want to.
# If the UID/GID is still found from LDAP reply, it overrides these values.
#user_global_uid = 100
#user_global_gid = 100
#######################################################################
The following is the error when we check using
[root]#telnet mymailserverip 110
Trying 192.168.129.248
Connected to testmail.mydomain.com (192.168.129.248)
Escape character is '^]'.
user dcadmin
pass mypass
ERR-Authentication Failure

The following is the log output of /var/log/maillog
#########################################################################
Jun 8 13:09:16 testmail dovecot-auth: ldap(dcadmin): No password in reply
Jun 8 13:10:16 testmail pop3-login: Disconnected: Inactivity [::ffff: 127.0.0.1]
Jun 8 13:10:26 testmail dovecot-auth: ldap(root): No password in reply
Jun 8 13:11:26 testmail pop3-login: Disconnected: Inactivity [::ffff: 127.0.0.1]
Jun 8 13:11:38 testmail dovecot-auth: LDAP: ldap_result() failed: Can't contact LDAP server
Jun 8 13:13:46 testmail dovecot-auth: ldap(root): No password in reply
Jun 8 13:13:46 testmail imap-login: Disconnected [::ffff:127.0.0.1]
Jun 8 13:14:03 testmail dovecot-auth: ldap(dcadmin): No password in reply
Jun 8 13:14:03 testmail imap-login: Disconnected [::ffff:127.0.0.1]
############################################################################
Regards,
Niranjan
On Thu, 2006-06-08 at 16:57 +0530, ashok cvs wrote:
dn = uid=root,ou=People,dc=msdpl,dc=com
..
Jun 8 13:13:46 testmail dovecot-auth: ldap(root): No password in reply
This means that the dn you gave doesn't have read permission to the userPassword field in LDAP, so it's not returned. This is the default, so you'll need to play with the LDAP server's permissions.
The alternative is to use auth binds, which is probably what you want to do anyway instead. Except you seem to be using Dovecot 0.99.x, which doesn't support this feature. I'd suggest upgrading to 1.0betas in any case.
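The two options named in the reply above, side by side, as an added example that is not part of the original thread or of the Dovecot project's own files. It assumes OpenLDAP 2.3 ACL syntax and the Dovecot 1.0+ dovecot-ldap.conf settings auth_bind and auth_bind_userdn; the service DN uid=dovecot,ou=Services,dc=msdpl,dc=com and the <service-password> placeholder are hypothetical, and all user entries are assumed to sit directly under ou=People.

```conf
# --- slapd.conf on the LDAP server (OpenLDAP 2.3 ACL syntax) ---
# Option A: password lookups. Dovecot binds as a service DN that must be
# able to read userPassword, so every stored hash is exposed to that account.
# uid=dovecot,ou=Services,... is a hypothetical dedicated DN, used here
# instead of uid=root so the mail server does not hold an admin login.
access to attrs=userPassword
        by dn.exact="uid=dovecot,ou=Services,dc=msdpl,dc=com" read
        by anonymous auth
        by self write
        by * none

# Option B: auth binds. Drop the "read" line above. "by anonymous auth" is
# enough, because slapd itself checks the password when Dovecot binds as
# the user, and Dovecot never receives the userPassword value.

# --- /etc/dovecot-ldap.conf on the mail server (Dovecot 1.0+, option B) ---
hosts = 192.168.129.18
ldap_version = 3
base = dc=msdpl,dc=com
scope = subtree

# Low-privilege DN used only for userdb searches (hypothetical account;
# <service-password> is a placeholder, not a real value).
dn = uid=dovecot,ou=Services,dc=msdpl,dc=com
dnpass = <service-password>

# Verify passwords by binding as the user instead of reading userPassword.
auth_bind = yes
# Build the user's DN from a template so no search is needed before the bind.
# Assumes every account lives directly under ou=People.
auth_bind_userdn = uid=%u,ou=People,dc=msdpl,dc=com

user_filter = (&(objectClass=posixAccount)(uid=%u))

# Note for dovecot.conf: auth binds only work with plaintext mechanisms,
# so digest-md5 has to be removed from the mechanism list when using them.
```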
participants (2)
- ashok cvs
- Timo Sirainen