Re: Howto authenticate smartPhone via Active Directory
with passdb ldap i guess. ---Aki TuomiDovecot oy -------- Original message --------From: Mark Foley <mfoley@ohprs.org> Date: 03/12/2017 21:18 (GMT+02:00) To: dovecot@dovecot.org Subject: Re: Howto authenticate smartPhone via Active Directory Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2 shows:
passdb pam { }
used for authenticating Android. Problem #1 is that Slackware does not ship with PAM and the AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I should try configuring PAM on the AD/DC.
Is there some otherway I can get authentication using domain credentials besides pam? the phone can send user and password.
--Mark
-----Original Message-----
Date: Sun, 03 Dec 2017 15:22:56 +0200 Subject: Re: Howto authenticate smartPhone via Active Directory From: Aki Tuomi <aki.tuomi@dovecot.fi> To: Mark Foley <mfoley@ohprs.org>, dovecot@dovecot.org
Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module? ---Aki TuomiDovecot oy
-------- Original message -------- From: Mark Foley <mfoley@ohprs.org> Date: 03/12/2017 06:03 (GMT+02:00) To: dovecot@dovecot.org Subject: Howto authenticate smartPhone via Active Directory
I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via shadow first and. failing that, it does authenticate via GSSAPI.
Smartphones connect to Dovecot via port 143 and SSL. They are not domain members so if the shadow authentication fails, no other methods are tried and no connection is made.
What can I do with my dovecot config to fix this?
doveconf -n # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 4.4.88 x86_64 Slackware 14.2 auth_debug = yes auth_debug_passwords = yes auth_gssapi_hostname = $ALL auth_krb5_keytab = /etc/dovecot/dovecot.keytab auth_mechanisms = plain login gssapi auth_use_winbind = yes auth_username_format = %n auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } protocols = imap ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key userdb { driver = passwd } verbose_ssl = yes
Thanks, Mark
Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is:
Active Directory
When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx
I have not been able to find an example of someone using Dovecot and ldap with AD.
However, I have had some success with CheckPassword (https://wiki2.dovecot.org/AuthDatabase/CheckPassword). Using a program I wrote to do ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back to Dovecot. My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my checkpassword executable.
passdb { driver = checkpassword args = /user/util/bin/checkpassword } userdb { driver = prefetch }
The one issue I have with this at the moment is that dovecot runs checkpassword for every user, smartphone or otherwise:
Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): unknown user - trying the next passdb Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Received input: Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): exit_status=1 Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Credentials: Dec 03 18:56:32 auth: Debug: client passdb out: OK 1 user=charmaine original_user=charmaine@HPRS.LOCAL Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001 14902 1 586863e54c57c999ee5731906a59257c session_pid=14907 request_auth_token Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): lookup Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): username changed charmaine -> HPRS\charmaine Dec 03 18:56:32 auth: Debug: master userdb out: USER 1884160001 HPRS\charmaine system_groups_user=HPRS\charmaineuid=10003 gid=10000 home=/home/HPRS/charmaine auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 auth_user=charmaine@HPRS.LOCAL Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=<oy/YWXhfAtXAqAA0> Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)
Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds. Is there a way to only have it do checkpassword if all shadow and gssapi fail? My mechanisms are:
auth_mechanisms = plain login gssapi
THX, --Mark
--Mark
-----Original Message----- Date: Sun, 03 Dec 2017 22:28:53 +0200 Subject: Re: Howto authenticate smartPhone via Active Directory From: Aki Tuomi <aki.tuomi@dovecot.fi> To: Mark Foley <mfoley@ohprs.org>, dovecot@dovecot.org
with passdb ldap i guess.
---Aki Tuomi Dovecot oy
-------- Original message -------- From: Mark Foley <mfoley@ohprs.org> Date: 03/12/2017 21:18 (GMT+02:00) To: dovecot@dovecot.org Subject: Re: Howto authenticate smartPhone via Active Directory Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2 shows: passdb pam { } used for authenticating Android. Problem #1 is that Slackware does not ship with PAM and the AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I should try configuring PAM on the AD/DC. Is there some otherway I can get authentication using domain credentials besides pam? the phone can send user and password. --Mark -----Original Message----- > Date: Sun, 03 Dec 2017 15:22:56 +0200 > Subject: Re: Howto authenticate smartPhone via Active Directory > From: Aki Tuomi <aki.tuomi@dovecot.fi> > To: Mark Foley <mfoley@ohprs.org>, dovecot@dovecot.org > > Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module? > ---Aki TuomiDovecot oy > > -------- Original message -------- > From: Mark Foley <mfoley@ohprs.org> > Date: 03/12/2017 06:03 (GMT+02:00) > To: dovecot@dovecot.org > Subject: Howto authenticate smartPhone via Active Directory > I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials > using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via > shadow first and. failing that, it does authenticate via GSSAPI. > > Smartphones connect to Dovecot via port 143 and SSL. They are not domain members so if the > shadow authentication fails, no other methods are tried and no connection is made. > > What can I do with my dovecot config to fix this? > > > doveconf -n > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > # OS: Linux 4.4.88 x86_64 Slackware 14.2 > auth_debug = yes > auth_debug_passwords = yes > auth_gssapi_hostname = $ALL > auth_krb5_keytab = /etc/dovecot/dovecot.keytab > auth_mechanisms = plain login gssapi > auth_use_winbind = yes > auth_username_format = %n > auth_verbose = yes > auth_verbose_passwords = plain > disable_plaintext_auth = no > info_log_path = /var/log/dovecot_info > mail_location = maildir:~/Maildir > passdb { > driver = shadow > } > protocols = imap > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key > userdb { > driver = passwd > } > verbose_ssl = yes > > Thanks, Mark
You might get better results with https://wiki.dovecot.org/HowTo/ActiveDirectoryNtlm
It seems you'd have to configure OpenLDAP backend for Samba to have LDAP.
Aki
On 04.12.2017 02:38, Mark Foley wrote:
Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is:
Active Directory
When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx
I have not been able to find an example of someone using Dovecot and ldap with AD.
However, I have had some success with CheckPassword (https://wiki2.dovecot.org/AuthDatabase/CheckPassword). Using a program I wrote to do ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back to Dovecot. My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my checkpassword executable.
passdb { driver = checkpassword args = /user/util/bin/checkpassword } userdb { driver = prefetch }
The one issue I have with this at the moment is that dovecot runs checkpassword for every user, smartphone or otherwise:
Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): unknown user - trying the next passdb Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Received input: Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): exit_status=1 Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Credentials: Dec 03 18:56:32 auth: Debug: client passdb out: OK 1 user=charmaine original_user=charmaine@HPRS.LOCAL Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001 14902 1 586863e54c57c999ee5731906a59257c session_pid=14907 request_auth_token Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): lookup Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): username changed charmaine -> HPRS\charmaine Dec 03 18:56:32 auth: Debug: master userdb out: USER 1884160001 HPRS\charmaine system_groups_user=HPRS\charmaineuid=10003 gid=10000 home=/home/HPRS/charmaine auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 auth_user=charmaine@HPRS.LOCAL Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=<oy/YWXhfAtXAqAA0> Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)
Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds. Is there a way to only have it do checkpassword if all shadow and gssapi fail? My mechanisms are:
auth_mechanisms = plain login gssapi
THX, --Mark
--Mark
-----Original Message----- Date: Sun, 03 Dec 2017 22:28:53 +0200 Subject: Re: Howto authenticate smartPhone via Active Directory From: Aki Tuomi <aki.tuomi@dovecot.fi> To: Mark Foley <mfoley@ohprs.org>, dovecot@dovecot.org
with passdb ldap i guess.
---Aki Tuomi Dovecot oy
-------- Original message -------- From: Mark Foley <mfoley@ohprs.org> Date: 03/12/2017 21:18 (GMT+02:00) To: dovecot@dovecot.org Subject: Re: Howto authenticate smartPhone via Active Directory
Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2 shows:
passdb pam { }
used for authenticating Android. Problem #1 is that Slackware does not ship with PAM and the AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I should try configuring PAM on the AD/DC.
Is there some otherway I can get authentication using domain credentials besides pam? the phone can send user and password.
--Mark
-----Original Message-----
Date: Sun, 03 Dec 2017 15:22:56 +0200 Subject: Re: Howto authenticate smartPhone via Active Directory From: Aki Tuomi <aki.tuomi@dovecot.fi> To: Mark Foley <mfoley@ohprs.org>, dovecot@dovecot.org
Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module? ---Aki TuomiDovecot oy
-------- Original message -------- From: Mark Foley <mfoley@ohprs.org> Date: 03/12/2017 06:03 (GMT+02:00) To: dovecot@dovecot.org Subject: Howto authenticate smartPhone via Active Directory I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via shadow first and. failing that, it does authenticate via GSSAPI.
Smartphones connect to Dovecot via port 143 and SSL. They are not domain members so if the shadow authentication fails, no other methods are tried and no connection is made.
What can I do with my dovecot config to fix this?
doveconf -n # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 4.4.88 x86_64 Slackware 14.2 auth_debug = yes auth_debug_passwords = yes auth_gssapi_hostname = $ALL auth_krb5_keytab = /etc/dovecot/dovecot.keytab auth_mechanisms = plain login gssapi auth_use_winbind = yes auth_username_format = %n auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } protocols = imap ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key userdb { driver = passwd } verbose_ssl = yes
Thanks, Mark
On 12/04/2017 09:01 AM, Aki Tuomi wrote:
It seems you'd have to configure OpenLDAP backend for Samba to have LDAP.
No. As far as I know, samba in AD mode always does ldap. (AD *is* just that: microsoft-ized ldap)
And you should configure dovecot simply as a regular ldap client. That's what we do, anyway.
MJ
Hi Mark,
Just to let you know that we are running dovecot with AD. (and I guess: *many* people are running that combination)
It worked without issues, we are using in dovecot-ldap.conf.ext:
auth_bind = yes
this user/passwd filter:
= (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
dn = cn=search_dovecit,cn=users,dc=company,dc=com dnpass = top_secret
And not the 3268 port, but regular 389.
Hope that helps.
MJ
On 12/04/2017 01:38 AM, Mark Foley wrote:
Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is:
Active Directory
When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx
I have not been able to find an example of someone using Dovecot and ldap with AD.
However, I have had some success with CheckPassword (https://wiki2.dovecot.org/AuthDatabase/CheckPassword). Using a program I wrote to do ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back to Dovecot. My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my checkpassword executable.
passdb { driver = checkpassword args = /user/util/bin/checkpassword } userdb { driver = prefetch }
The one issue I have with this at the moment is that dovecot runs checkpassword for every user, smartphone or otherwise:
Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): unknown user - trying the next passdb Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Received input: Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): exit_status=1 Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Credentials: Dec 03 18:56:32 auth: Debug: client passdb out: OK 1 user=charmaine original_user=charmaine@HPRS.LOCAL Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001 14902 1 586863e54c57c999ee5731906a59257c session_pid=14907 request_auth_token Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): lookup Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): username changed charmaine -> HPRS\charmaine Dec 03 18:56:32 auth: Debug: master userdb out: USER 1884160001 HPRS\charmaine system_groups_user=HPRS\charmaineuid=10003 gid=10000 home=/home/HPRS/charmaine auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 auth_user=charmaine@HPRS.LOCAL Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=<oy/YWXhfAtXAqAA0> Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)
Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds. Is there a way to only have it do checkpassword if all shadow and gssapi fail? My mechanisms are:
auth_mechanisms = plain login gssapi
THX, --Mark
--Mark
-----Original Message----- Date: Sun, 03 Dec 2017 22:28:53 +0200 Subject: Re: Howto authenticate smartPhone via Active Directory From: Aki Tuomi <aki.tuomi@dovecot.fi> To: Mark Foley <mfoley@ohprs.org>, dovecot@dovecot.org
with passdb ldap i guess.
---Aki Tuomi Dovecot oy
-------- Original message -------- From: Mark Foley <mfoley@ohprs.org> Date: 03/12/2017 21:18 (GMT+02:00) To: dovecot@dovecot.org Subject: Re: Howto authenticate smartPhone via Active Directory
Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2 shows:
passdb pam { }
used for authenticating Android. Problem #1 is that Slackware does not ship with PAM and the AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I should try configuring PAM on the AD/DC.
Is there some otherway I can get authentication using domain credentials besides pam? the phone can send user and password.
--Mark
-----Original Message-----
Date: Sun, 03 Dec 2017 15:22:56 +0200 Subject: Re: Howto authenticate smartPhone via Active Directory From: Aki Tuomi <aki.tuomi@dovecot.fi> To: Mark Foley <mfoley@ohprs.org>, dovecot@dovecot.org
Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module? ---Aki TuomiDovecot oy
-------- Original message -------- From: Mark Foley <mfoley@ohprs.org> Date: 03/12/2017 06:03 (GMT+02:00) To: dovecot@dovecot.org Subject: Howto authenticate smartPhone via Active Directory
I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via shadow first and. failing that, it does authenticate via GSSAPI.
Smartphones connect to Dovecot via port 143 and SSL. They are not domain members so if the shadow authentication fails, no other methods are tried and no connection is made.
What can I do with my dovecot config to fix this?
doveconf -n # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 4.4.88 x86_64 Slackware 14.2 auth_debug = yes auth_debug_passwords = yes auth_gssapi_hostname = $ALL auth_krb5_keytab = /etc/dovecot/dovecot.keytab auth_mechanisms = plain login gssapi auth_use_winbind = yes auth_username_format = %n auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } protocols = imap ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key userdb { driver = passwd } verbose_ssl = yes
Thanks, Mark
mj - thanks! That the first useful example I've received from any forum/list. I'm getting ready to try my config (have to do so after hours), but I have some probably simple-minded questions:
Your example is not the complete dovecot-ldap.conf.ext file, right? Have you just given me differences in your config from the "original"? You've kept the hosts, base, ldap_version, scope, deref, debug_level, and auth_bind_userdn settings in your config, right?
Your dn is:
dn = cn=search_dovecit,cn=users,dc=company,dc=com
Mine (original) is:
dn = cn=user_for_bind,cn=Users,dc=dom
Can you tell me why you have "search_dovecit" versus "user_for_bind"? Is that something I need in order to make this work?
Is your "dc=company,dc=com" meta-syntax and you use your actual domain CNs here, or is that litterally what you have there?
My dnpass (original) is:
dnpass = ************
your example is:
dnpass = top_secret
Again, are the assigned values meta-syntax (meta-syntax in configs is not obvious to me unless it is bold, underlined, italicized and colored ... or uses brackets or some other convention)? If meta, what is actually supposed to go there?
With your "this user/passwd filter". Can you tell me why you have "userAccountControl=514"? Is that 514 bit documented somewhere? Your user_filer/pass_filter is *completely* different from my installed original.
You don't mention the user_attrs/pass_attrs settings. Is this because you use the originals or because you have commented them out? My current settings are:
user_attrs = quotaFieldAD=quota_rule=*:storage=%$MB pass_attrs = userPassword=password
My auth_mechanisms are:
auth_mechanisms = plain login gssapi
Is this sufficient for ldap?
Thanks for your help --Mark
btw - I have been running Dovecot with AD for years, but for local Domain users authenticating via GSSAPI. Remote users (e.g. smartPhones) don't have that mechanism that I'm aware of. Currently they are authenticated via shadow, but I'd like to remove AD users from /etc/passwd.
On Mon, 4 Dec 2017 09:04:57 +0100 mj <lists@merit.unu.edu> wrote
Hi Mark,
Just to let you know that we are running dovecot with AD. (and I guess: *many* people are running that combination)
It worked without issues, we are using in dovecot-ldap.conf.ext:
auth_bind = yes
this user/passwd filter:
= (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
dn = cn=search_dovecit,cn=users,dc=company,dc=com dnpass = top_secret
And not the 3268 port, but regular 389.
Hope that helps.
MJ
On 12/04/2017 01:38 AM, Mark Foley wrote:
Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is:
Active Directory
When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx
I have not been able to find an example of someone using Dovecot and ldap with AD.
However, I have had some success with CheckPassword (https://wiki2.dovecot.org/AuthDatabase/CheckPassword). Using a program I wrote to do ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back to Dovecot. My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my checkpassword executable.
passdb { driver = checkpassword args = /user/util/bin/checkpassword } userdb { driver = prefetch }
The one issue I have with this at the moment is that dovecot runs checkpassword for every user, smartphone or otherwise:
Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): unknown user - trying the next passdb Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Received input: Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): exit_status=1 Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Credentials: Dec 03 18:56:32 auth: Debug: client passdb out: OK 1 user=charmaine original_user=charmaine@HPRS.LOCAL Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001 14902 1 586863e54c57c999ee5731906a59257c session_pid=14907 request_auth_token Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): lookup Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): username changed charmaine -> HPRS\charmaine Dec 03 18:56:32 auth: Debug: master userdb out: USER 1884160001 HPRS\charmaine system_groups_user=HPRS\charmaineuid=10003 gid=10000 home=/home/HPRS/charmaine auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 auth_user=charmaine@HPRS.LOCAL Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=<oy/YWXhfAtXAqAA0> Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)
Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds. Is there a way to only have it do checkpassword if all shadow and gssapi fail? My mechanisms are:
auth_mechanisms = plain login gssapi
THX, --Mark
--Mark
-----Original Message----- Date: Sun, 03 Dec 2017 22:28:53 +0200 Subject: Re: Howto authenticate smartPhone via Active Directory From: Aki Tuomi <aki.tuomi@dovecot.fi> To: Mark Foley <mfoley@ohprs.org>, dovecot@dovecot.org
with passdb ldap i guess.
---Aki Tuomi Dovecot oy
-------- Original message -------- From: Mark Foley <mfoley@ohprs.org> Date: 03/12/2017 21:18 (GMT+02:00) To: dovecot@dovecot.org Subject: Re: Howto authenticate smartPhone via Active Directory
Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2 shows:
passdb pam { }
used for authenticating Android. Problem #1 is that Slackware does not ship with PAM and the AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I should try configuring PAM on the AD/DC.
Is there some otherway I can get authentication using domain credentials besides pam? the phone can send user and password.
--Mark
-----Original Message-----
Date: Sun, 03 Dec 2017 15:22:56 +0200 Subject: Re: Howto authenticate smartPhone via Active Directory From: Aki Tuomi <aki.tuomi@dovecot.fi> To: Mark Foley <mfoley@ohprs.org>, dovecot@dovecot.org
Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module? ---Aki TuomiDovecot oy
-------- Original message -------- From: Mark Foley <mfoley@ohprs.org> Date: 03/12/2017 06:03 (GMT+02:00) To: dovecot@dovecot.org Subject: Howto authenticate smartPhone via Active Directory
I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via shadow first and. failing that, it does authenticate via GSSAPI.
Smartphones connect to Dovecot via port 143 and SSL. They are not domain members so if the shadow authentication fails, no other methods are tried and no connection is made.
What can I do with my dovecot config to fix this?
doveconf -n # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 4.4.88 x86_64 Slackware 14.2 auth_debug = yes auth_debug_passwords = yes auth_gssapi_hostname = $ALL auth_krb5_keytab = /etc/dovecot/dovecot.keytab auth_mechanisms = plain login gssapi auth_use_winbind = yes auth_username_format = %n auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } protocols = imap ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key userdb { driver = passwd } verbose_ssl = yes
Thanks, Mark
Hi,
Not much time to reply now.
On 12/05/2017 05:21 AM, Mark Foley wrote:
mj - thanks! That the first useful example I've received from any forum/list. I'm getting ready to try my config (have to do so after hours), but I have some probably simple-minded questions: Well, that looks as if you are testing/trying out on your production machine. Why not setup a seperate (virtual?) test server to play with..? Use the same os version, with the same dovecot version. Or clone your production machine, so you can test as much as you like, without time pressure, at any given time.
Your example is not the complete dovecot-ldap.conf.ext file, right? Have you just given me differences in your config from the "original"? You've kept the hosts, base, ldap_version, scope, deref, debug_level, and auth_bind_userdn settings in your config, right? Not the complete file, no. I just provided the essentials.
Your dn is:
dn = cn=search_dovecit,cn=users,dc=company,dc=com
Mine (original) is:
dn = cn=user_for_bind,cn=Users,dc=dom
Can you tell me why you have "search_dovecit" versus "user_for_bind"? Is that something I need in order to make this work? It's the user that dovecot uses to search for your user, Can be anything, as long as it can authenticate using the password in:
My dnpass (original) is:
dnpass = ************
your example is:
dnpass = top_secret Use the password of whatever user you use.
If meta, what is actually supposed to go there? The password of user_for_bind
With your "this user/passwd filter". Can you tell me why you have "userAccountControl=514"? Is that 514 bit documented somewhere? Your user_filer/pass_filter is *completely* different from my installed original. https://social.msdn.microsoft.com/Forums/vstudio/en-US/77f48af7-bbef-4cd7-9c...
For the rest: my advise is that you *really* need to pay around with this much more. Get yourself a test environment, and play and test.
Plus: read some dovecot/ad howto's, and try things in your own environment.
Quick google returns: https://www.howtoforge.com/postfix-dovecot-authentication-against-active-dir...
Enjoy :-)
MJ
participants (3)
-
Aki Tuomi
-
Mark Foley
-
mj