[Dovecot] Dovecot/LDAP problem
Dear Dovecot mailing list people -
What I'm trying to do is use Postfix (with virtual users) and a POP3 server (we don't want IMAP - don't ask) to work against our new Active Directory servers that will be coming soon. Before we roll anything out we're testing it in the lab. Here's what we've got: x86 server running Red Hat Enterprise Linux 3 Postfix 2.0.16 Dovecot-1.0 Beta7 Windows 2003 server running Active Directory Windows XP client running Outlook
Eventually, we'd like the clients to be joined to the AD domain and that's where we'll store ALL the user information. The email will come in on our postfix server (which uses virtual users) and the clients will check it passing their email username and domain password. The catch is that USERS CAN BE ANYWHERE IN THE DIRECTORY. (I apologize for the caps, I wanted to make sure that phrase wasn't glossed over.) So, for instance:
DC=local | DC=domain | OU=group1 | | | > CN=user1 | > CN=user2 | OU=group2 | | | > CN=user3 | > CN=user4 | OU=group3 | >CN=user5
The path to user1 is therefore CN=user1,OU=group1,DC=domain,DC=local (at least in the AD world.) The path to user3 is CN=user3,OU=group2,DC=domain,DC=local. So to search for users I would think (because this is how Postfix does it) that I could have the search base as DC=domain,DC=local and then have scope = subtree. IT DOESN'T WORK. (Again, caps used for emphasis only.)
Here's the meat of the dovecot-ldap.conf file I'm using: hosts = 192.168.x.x dn = cn=Administrator,cn=Users,DC=domain,DC=local dnpass = xxxxx auth_bind = yes ldap_version = 3 base = DC=domain,DC=local scope = subtree user_attrs = sAMAccountName,mail,,,, user_filter = (&(objectClass=organizationalPerson)(sAMAccountName=%u)) pass_filter = (&(objectClass=organizationalPerson)(sAMAccountName=%u)) user_global_uid = 44 user_global_gid = 44
--- Interestingly, if I simply point the base to the actual user's container, it works just fine. The idea works from Postfix, but from dovecot it doesn't actually seem to search the tree. ---
Here's some of the output from the log files. dovecot: May 17 15:35:52 Info: auth(default): client in: AUTH 1 PLAIN service=POP3 lip= 192.168.0.199 rip=192.168.0.195 resp=AGp1c2VyAHBhc3N3b3Jk dovecot: May 17 15:35:52 Info: auth(default): ldap(user1, 192.168.0.195): bind search: base=DC=LAB,DC=local filter=(&(objectClass=organizationalPerson)(sAMAccountName=user1)) dovecot: May 17 15:36:52 Info: pop3-login: Disconnected: Inactivity: method=PLAIN, rip= 192.168.90.195, lip=192.168.90.199 dovecot: May 17 15:37:52 Info: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=192.168.0.199 rip=192.168.0.195 resp=AGp1c2VyAHBhc3N3b3Jk dovecot: May 17 15:37:52 Info: auth(default): ldap(user1,192.168.0.195): bind search: base=DC=domain,DC=local filter=(&(objectClass=organizationalPerson)(sAMAccountName=user1)) dovecot: May 17 15:37:54 Info: auth(default): client out: OK 1 user=user1 dovecot: May 17 15:37:54 Info: auth(default): client out: OK 1 user=user1 dovecot: May 17 15:37:54 Info: auth(default): master in: REQUEST 1 25233 1 dovecot: May 17 15:37:54 Info: auth(default): ldap(user1,192.168.0.195): base=DC=LAB,DC=local scope=subtree filter=(&(objectClass=organizationalPerson)(sAMAccountName=user1)) fields=sAMAccountName,mail,,,, dovecot: May 17 15:38:52 Info: pop3-login: Disconnected: Inactivity: user=<user1>, method=PLAIN, rip=192.168.0.195, lip=192.168.0.199
Can anybody offer any insight? Pretty please?
- Burton
Here's the meat of the dovecot-ldap.conf file I'm using: hosts = 192.168.x.x dn = cn=Administrator,cn=Users,DC=domain,DC=local dnpass = xxxxx auth_bind = yes ldap_version = 3 base = DC=domain,DC=local scope = subtree user_attrs = sAMAccountName,mail,,,, user_filter = (&(objectClass=organizationalPerson)(sAMAccountName=%u)) pass_filter = (&(objectClass=organizationalPerson)(sAMAccountName=%u)) user_global_uid = 44 user_global_gid = 44
You might want to turn off auth_bind. auth_bind will bind to the active directory/ldap server with the user's credentials, not the dn. Not sure if that's what is causing your problems or not.
I left auth_bind on, but commented out the dn and dnpass fields. I would think those would be the credentials with which to bind to search for the user, then bind with the supplied credentials when the user's been found since the user could be anywhere in the ldap structure. In any event, I've enabled anonymous lookups (for the time being) so it's not necessary.
It was also suggested that the LDAP path is backwards, but again this is pretty much the same path I used in configuring Postfix. Oh, and unfortunately, dumping Outlook isn't something we can do. :(
I'm all out of ideas... I'm sniffing the packets and it's just like it gets a query result but never attempts to bind.
- Burton
On 5/18/06, Andrew Bates <abates@omeganetserv.com> wrote:
Here's the meat of the dovecot-ldap.conf file I'm using: hosts = 192.168.x.x dn = cn=Administrator,cn=Users,DC=domain,DC=local dnpass = xxxxx auth_bind = yes ldap_version = 3 base = DC=domain,DC=local scope = subtree user_attrs = sAMAccountName,mail,,,, user_filter = (&(objectClass=organizationalPerson)(sAMAccountName=%u)) pass_filter = (&(objectClass=organizationalPerson)(sAMAccountName=%u)) user_global_uid = 44 user_global_gid = 44
You might want to turn off auth_bind. auth_bind will bind to the active directory/ldap server with the user's credentials, not the dn. Not sure if that's what is causing your problems or not.
So I did some more testing, still using the dovecot-ldap.conf file.
If I create an OU off the base (like "OU=test,DC=domain,DC=local") and use that as the search base dovecot will search all the nodes off that as far as I care to nest them. However, it will not perform that same search starting at the root of the domain. Does anyone know if this is an Active Directory setting?
Thanks in advance!
- Burton Simmons
On 5/18/06, Burton Simmons <burtonsimmons@gmail.com> wrote:
I left auth_bind on, but commented out the dn and dnpass fields. I would think those would be the credentials with which to bind to search for the user, then bind with the supplied credentials when the user's been found since the user could be anywhere in the ldap structure. In any event, I've enabled anonymous lookups (for the time being) so it's not necessary.
It was also suggested that the LDAP path is backwards, but again this is pretty much the same path I used in configuring Postfix. Oh, and unfortunately, dumping Outlook isn't something we can do. :(
I'm all out of ideas... I'm sniffing the packets and it's just like it gets a query result but never attempts to bind.
- Burton
On 5/18/06, Andrew Bates <abates@omeganetserv.com> wrote:
Here's the meat of the dovecot-ldap.conf file I'm using: hosts = 192.168.x.x dn = cn=Administrator,cn=Users,DC=domain,DC=local dnpass = xxxxx auth_bind = yes ldap_version = 3 base = DC=domain,DC=local scope = subtree user_attrs = sAMAccountName,mail,,,, user_filter = (&(objectClass=organizationalPerson)(sAMAccountName=%u)) pass_filter = (&(objectClass=organizationalPerson)(sAMAccountName=%u))
user_global_uid = 44 user_global_gid = 44
You might want to turn off auth_bind. auth_bind will bind to the active directory/ldap server with the user's credentials, not the dn. Not sure if that's what is causing your problems or not.
participants (2)
-
Andrew Bates
-
Burton Simmons