[Dovecot] Is it possible to authenticate against Active Directory using the whole e-mail?
Hi all!
Is it possible to authenticate against Active Directory, using the whole e-mail address and not the user part (%n), so that if you support multiple domains, all users should authenticate with their e-mail addresses.
I use auth_bind_userdn = DOMAIN \ %u but somehow the *mail* attribute of Active/LDAP should be employed.
thanks in advance Dimitrios Karapiperis
Yes, it's possible to do this. But not possible using auth_bind.
You are going to have to log in using an administrator account, then do an
LDAP search for the email address, then authenticate against it. Using
auth_bind requires you to know the username before you log in.
http://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups
Just need to change passfilter to do a "proxy_email" or what it's
called for AD
Patrick Domack wrote:
> Yes, it's possible to do this. But not possible using auth_bind. You are going to have to log in using an administrator account, then do an LDAP search for the email address, then authenticate against it. Using auth_bind requires you to know the username before you log in.
> http://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups
> Just need to change passfilter to do a "proxy_email" or what it's called for AD
Hi, many thanks for your reply.
Active Directory doesn't return the userPassword in
pass_attrs = uid=user, userPassword=password
so the password supplied by the user can't be validated.
I used this configuration
auth_bind = no
pass_attrs = mail=user, userPassword=password
pass_filter = (& (objectclass=User) (objectCategory=Person) (mail=%u))
default_pass_scheme = MD5
and although the ldap query located the user it complains with the following:
No password returned (and no nopassword)
Any ideas? Dimitrios
Hi, I just solved it using authentication binds:
auth_bind = yes
pass_attrs = mail=user
pass_filter = (& (objectclass=User) (objectCategory=Person) (mail=%u))
Active Directory, as far as I know, by no means exposes users' passwords to third-party applications or services.
Thanks in advance Dimitrios
That would have been my next guess, to see if you could look up the
proper user, then attempt a login via that. Just causes extra LDAP
traffic.
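Added example, not part of the original thread and not Dovecot's code: a small in-memory model of the search-then-bind flow the thread arrives at, showing why a password lookup finds nothing to compare while a bind succeeds. The directory entries, DNs, passwords and function names are constructed for illustration; the filter is the one posted above with the spaces removed.

```python
import re

PASS_FILTER = "(&(objectClass=User)(objectCategory=Person)(mail=%u))"
DIRECTORY = {  # constructed entries; as in AD, no userPassword is returned
    "CN=Alice,OU=Staff,DC=example,DC=org": {
        "objectclass": "user", "objectcategory": "person", "mail": "alice@example.org"},
    "CN=Bob,OU=Staff,DC=example,DC=net": {
        "objectclass": "user", "objectcategory": "person", "mail": "bob@example.net"},
}
BIND_SECRETS = {  # constructed; only the directory's bind operation reads these
    "CN=Alice,OU=Staff,DC=example,DC=org": "alice-pw",
    "CN=Bob,OU=Staff,DC=example,DC=net": "bob-pw",
}
TERM = re.compile(r"\((\w+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")

def escape_filter_value(value):
    """RFC 4515: hex-escape the characters that are special in a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def _value_matches(assertion, actual):
    # An unescaped '*' is a wildcard; \xx escapes decode to literal characters.
    parts = [re.escape(re.sub(r"\\([0-9a-fA-F]{2})",
                              lambda m: chr(int(m.group(1), 16)), p))
             for p in assertion.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.I | re.S) is not None

def search(login):
    """Step 1 (as the search account): expand %u and return the matching DNs."""
    flt = PASS_FILTER.replace("%u", escape_filter_value(login))
    return [dn for dn, entry in DIRECTORY.items()
            if all(_value_matches(v, entry.get(a.lower(), "")) for a, v in TERM.findall(flt))]

def lookup_password(login):
    """auth_bind = no: needs a userPassword attribute, which these entries lack."""
    hits = search(login)
    return DIRECTORY[hits[0]].get("userpassword") if len(hits) == 1 else None

def simple_bind(dn, password):
    """Step 2: the directory checks the password; the client never sees a hash."""
    return BIND_SECRETS.get(dn) == password

def authenticate(login, password):
    """auth_bind = yes: find the DN by mail, then bind as that DN."""
    if not password:    # LDAP treats an empty-password simple bind as unauthenticated
        return False
    hits = search(login)
    if len(hits) != 1:  # unknown or ambiguous mail address: refuse
        return False
    return simple_bind(hits[0], password)
```

The extra LDAP traffic mentioned in the last reply is the `search` call that precedes every `simple_bind`.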