[Dovecot] dovecot + postfix + active directory
hi list,
I'm just curious if someone has successfully done Dovecot
authentication against Active Directory, and I would appreciate any link in this regard.
Thanks
Askar
I don't know if there are any howtos on the net, but I had it configured and working, so I will give you some little tips.
I tested this configuration on Fedora Core 3 and SuSE Prof. 9.2, with dovecot 0.99
Create a Linux user named "vmail" or similar (all virtual mailboxes will be in a dir. under this user's home or under a directory owned by this user).
Postfix side: you must use virtual mailbox delivery (one Linux user "vmail", multiple virtual mailboxes), see the Postfix distribution readme files (README_VIRTUAL if I remember well).
Dovecot side: use pam as password database and use static as user database (with same uid and gid as Postfix virtual mailbox user).
Pam side: in /etc/pam.d add/modify a "dovecot" file containing:
    auth    required pam_krb5.so no_user_check
    account required pam_permit.so
Last: you must verify that you have installed the Kerberos 5 clients and libraries, then edit your /etc/krb5.conf like this (CASE SENSITIVE!):
    [libdefaults]
        clockskew = 300
        default_realm = YOUR.AD.DOMAIN
        # default_etypes = des-cbc-crc
        # default_etypes_des = des-cbc-crc
        # dns_lookup_realm = false
        # dns_lookup_kdc = false

    [realms]
        # realm names are case-sensitive: this entry must match default_realm exactly
        YOUR.AD.DOMAIN = {
            kdc = your_dc_server.your.ad.domain
            default_domain = YOUR.AD.DOMAIN
            kpasswd_server = your_dc_server.your.ad.domain
        }

    [domain_realm]
        .your.ad.domain = YOUR.AD.DOMAIN

    [logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log

    [appdefaults]
        pam = {
            ticket_lifetime = 1d
            renew_lifetime = 1d
            forwardable = true
            proxiable = false
            retain_after_close = false
            minimum_uid = 0
            debug = false
        }
You can test Kerberos authentication with the command "kinit username@YOUR.AD.DOMAIN"
Good luck!
--
Ing. PAOLO BASENGHI :::: Systems & Networking Engineer p.basenghi@netribe.it
NETRIBE srl :: Collaborative E-Business 42100 :: Reggio Emilia :: Italy :: Via della Costituzione, 27/4 ph. +39 0522 232378 :: fax +39 0522 232386 :: http://www.netribe.it
The information contained in this message is confidential and intended solely for the person(s) or organisation named above. Any use, copying or distribution of its contents by anyone other than the intended recipients is prohibited under art. 616 of the Italian Penal Code and under Law 196/2003. If you have received this message in error, please reply to this e-mail and then delete it from your system.
Hi Paolo,
Thank you for your quick reply. At the moment I'm trying with postfix + dovecot + AD with no luck. Yes, I'm using the virtual user for postfix, vmail:vmail. However, I'm getting authentication errors. I don't know if PAM is a *must* in my case (I'm not using pam right now). When I try to connect with the mail client "thunderbird" I also get a login failure. Here is the portion from dovecot-ldap.conf ....
    hosts = xxx.abc.edu.pk        (domain name changed for security reasons :P)
    dn = cn=abc,cn=Users,dc=abc,dc=edu,dc=pk
    dnpass = xxxx
    ldap_version = 3
    base = dc=abc,dc=edu,dc=pk
    deref = never
    scope = subtree
    #user_attrs = uid,,,,,        (I'm trying different settings for user_attrs here)
    #user_attrs = uid,homeDirectory,,uid,,
    #user_filter = (&(objectClass=posixAccount)(uid=%u))
    user_filter = (sAMAccountName=%u)
    #user_filter = (&(objectClass=sAMACcountName)(cn=%u))
    # Password checking attributes in order:
    #   Virtual user name (user@domain)
    #   Password, may optionally start with {type}, eg. {crypt}
    pass_attrs = uid,userPassword
    # Filter for password lookups
    #pass_filter = (&(objectClass=posixAccount)(uid=%u))
    pass_filter = (sAMAccountName=%u)
    #user_filter = (&(objectClass=sAMACcountName)(cn=%u))
    # Currently supported schemes include PLAIN, PLAIN-MD5, DIGEST-MD5, CRYPT
    default_pass_scheme = PLAIN
    user_global_uid = 1009
    user_global_gid = 1003
I can see that I don't get any error while starting dovecot; however, when trying to log in via the mail client it fails to authenticate.
Note: is PAM a *MUST* for postfix + dovecot + Active Directory?
Thanks and regards
Askar
Active Directory uses the Kerberos protocol for authentication, so you need the pam_krb5 module to authenticate. I don't know if it is possible to authenticate to A.D. without Kerberos.
In the configuration I proposed to you, A.D. is required only for authentication; the accounting information (uid, gid) is static (the vmail Linux user), and the home dir. is determined by a template (example: /home/vmail/mailboxes/ ). In other words, my config works well if you can utilize virtual mailboxes *AND* each mailbox dir. name equals the A.D. username.
I heard that there exists a Microsoft extension to the A.D. LDAP schema to add Unix accounting info, but I never used it.
So I don't know if you *must* use pam+kerberos, but I suggest that you *should* try it, leaving out dovecot-ldap.conf.
Cheers
Paolo Basenghi wrote:
Active Directory uses the Kerberos protocol for authentication, so you need the pam_krb5 module to authenticate. I don't know if it is possible to authenticate to A.D. without Kerberos.
In the configuration I proposed to you, A.D. is required only for authentication; the accounting information (uid, gid) is static (the vmail Linux user), and the home dir. is determined by a template (example: /home/vmail/mailboxes/ ). In other words, my config works well if you can utilize virtual mailboxes *AND* each mailbox dir. name equals the A.D. username. I heard that there exists a Microsoft extension to the A.D. LDAP schema to add Unix accounting info, but I never used it.
So I don't know if you *must* use pam+kerberos, but I suggest that you *should* try it, leaving out dovecot-ldap.conf.
Cheers
hi Paolo,
Thanks for your reply. Heh, I've been trying with krb5 + pam for the last 4 hours without any success. When I tried to connect through the mail client thunderbird I got this error....
    dovecot-auth: PAM: pam_authenticate(abc) failed: unknown user
The user (abc) does exist in AD :(
Even when I tried to confirm with kinit abc@abc.com (my domain) I got ........
    kinit: krb5_get_init_creds: unable to reach any KDC in realm mail.xxxxxxxxxxx
Thanks and regards
Askar
Hello,
I'm now trying with pam + kerberos. When I try "kinit abc", authentication to AD works, which means my krb5.conf file is correct; however, when I try from the mail client thunderbird I get the error...
    "dovecot-auth: PAM: pam_authenticate(rizwan) failed: unknown user"
I added a "dovecot" file to /etc/pam.d/ with these lines (as you suggested):
    account required pam_krb5.so no_user_check
    account required pam_permit.so
It looks like pam is not using kerberos, that's why it is giving me the error "unknown user". I tried changing the module name, e.g. pam_krb5.so to pam_krb5.so.4, which gives me these errors .........
    teacher dovecot-auth: in openpam_load_module(): no pam_krb5.so.4 found
    Apr 12 19:04:24 teacher dovecot-auth: PAM: pam_start(abc) failed: system error
    Apr 12 19:04:24 teacher dovecot-auth: in openpam_load_module(): no pam_krb5.so.4 found
    Apr 12 19:04:24 teacher dovecot-auth: PAM: pam_start(abc) failed: system error
which means pam does read and load the specified modules and complains if something is missing.
Regards
Askar
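Added example, not from this thread and not Dovecot's or Postfix's own code: a small Python linter for the two files the thread revolves around, /etc/pam.d/dovecot and /etc/krb5.conf. It checks Paolo's suggested PAM stack against the file Askar posted just above, where both lines say "account" and no "auth" line exists, so pam_authenticate() has no module registered for the auth phase; and it checks Paolo's "CASE SENSITIVE!" point, that a [realms] entry whose case differs from default_realm is simply not matched. The file contents are constructed copies embedded as strings; the realm, host names and function names are placeholders belonging to this example.

```python
"""Lint /etc/pam.d/dovecot and /etc/krb5.conf for the mistakes seen in the thread.
Added example: sample file contents are constructed, not taken from a real host."""

# Constructed: the PAM service file suggested in the thread.
PAM_SUGGESTED = """\
auth    required pam_krb5.so no_user_check
account required pam_permit.so
"""
# Constructed: the file as posted later, with "account" on both lines and no auth line.
PAM_AS_POSTED = """\
account required pam_krb5.so no_user_check
account required pam_permit.so
"""
# Constructed: a krb5.conf whose [realms] entry differs in case from default_realm.
KRB5_AS_POSTED = """\
[libdefaults]
    clockskew = 300
    default_realm = YOUR.AD.DOMAIN
[realms]
    your.ad.domain = {
        kdc = your_dc_server.your.ad.domain
        kpasswd_server = your_dc_server.your.ad.domain
    }
[domain_realm]
    .your.ad.domain = YOUR.AD.DOMAIN
"""
KRB5_FIXED = KRB5_AS_POSTED.replace("your.ad.domain = {", "YOUR.AD.DOMAIN = {")


def parse_pam(text):
    """Return (type, control, module, args) tuples from a pam.d service file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {line!r}")
        mtype, control, module, *args = parts
        entries.append((mtype, control, module, args))
    return entries


def lint_pam(text):
    """Problems that make pam_authenticate() or pam_acct_mgmt() fail for Dovecot."""
    entries = parse_pam(text)
    problems = []
    auth = [e for e in entries if e[0] == "auth"]
    if not auth:
        problems.append("no 'auth' entry: pam_authenticate() has no module to call")
    if not any(e[2] == "pam_krb5.so" for e in auth):
        problems.append("pam_krb5.so is not in the auth stack, so AD credentials are never checked")
    if not any(e[0] == "account" for e in entries):
        problems.append("no 'account' entry: pam_acct_mgmt() has no module to call")
    return problems


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] -> dict, and 'name = {' opens a nested dict."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def lint_krb5(conf):
    """Realm/KDC consistency checks; realm names are compared case-sensitively, as libkrb5 does."""
    problems = []
    defaults = conf.get("libdefaults", {})
    realm = defaults.get("default_realm")
    if realm is None:
        return ["[libdefaults] has no default_realm"]
    if realm != realm.upper():
        problems.append(f"default_realm {realm!r} is not upper case; AD realms are upper-case DNS names")
    realms = conf.get("realms", {})
    if realm in realms:
        if "kdc" not in realms[realm]:
            problems.append(f"[realms] {realm} names no kdc")
    else:
        near = [r for r in realms if r.upper() == realm.upper()]
        if near:
            problems.append(f"[realms] has {near[0]!r} but default_realm is {realm!r}: "
                            "realm names are case-sensitive, so that kdc line is never used")
        else:
            problems.append(f"[realms] has no entry for {realm!r}; a KDC can only be found via DNS SRV records")
    mapped = set(conf.get("domain_realm", {}).values())
    if mapped and realm not in mapped:
        problems.append("[domain_realm] maps no host names to default_realm")
    skew = defaults.get("clockskew")
    if skew is not None and int(skew) > 300:
        problems.append(f"clockskew {skew}s exceeds the usual 300s and widens the replay window")
    return problems


if __name__ == "__main__":
    for name, text in (("suggested", PAM_SUGGESTED), ("as posted", PAM_AS_POSTED)):
        print(f"pam.d/dovecot ({name}):", lint_pam(text) or "ok")
    for name, text in (("as posted", KRB5_AS_POSTED), ("fixed", KRB5_FIXED)):
        print(f"krb5.conf ({name}):", lint_krb5(parse_krb5_conf(text)) or "ok")
```

Running it reports two problems for the posted PAM file (no auth entry, pam_krb5.so not in the auth stack) and one for the posted krb5.conf (the [realms] entry differing only in case), and "ok" for the suggested PAM stack and the corrected realm entry. The parser is deliberately small: it handles only the sections, key = value lines and one level of braces that these files use.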
I've got it to work (in testing) with PAM and pam_ldap on Solaris 8. The user account info is stored in NIS (i.e. userdb=passwd), though. We're not using postfix.
Best Wishes, Chris
On Mon, 11 Apr 2005 13:26:04 +0600 Askar askar@askarali.info wrote:
--
Christopher Wakelin, c.d.wakelin@reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094