[Dovecot] dovecot + postfix + active directory
Askar
askar at askarali.info
Mon Apr 11 12:26:00 EEST 2005
Paolo Basenghi wrote:
> I don't know if there are any howto in the net, but I had it
> configured and working, so I will give you some little tips.
>
> I tested this configuration on Fedora Core 3 and SuSE Prof. 9.2, with
> dovecot 0.99
>
> - Create a Linux user named "vmail" or similar (all virtual mailboxes
> will be in a dir. under this user's home or under a directory owned by
> this user).
>
> - Postfix side: you must use virtual mailbox delivery (one Linux user
> "vmail", multiple virtual mailboxes), see the Postfix distribution
> readme files (README_VIRTUAL if I remember well).
>
> - Dovecot side: use pam as password database and use static as user
> database (with same uid and gid as Postfix virtual mailbox user).
>
> - Pam side: in /etc/pam.d add/modify a "dovecot" file containing:
>
> auth required pam_krb5.so no_user_check
> account required pam_permit.so
>
>
> - Last: you must verify that you have installed Kerberos 5 clients and
> libraries, then edit your /etc/krb5.conf like this (CASE SENSITIVE!):
>
> [libdefaults]
> clockskew = 300
> default_realm = YOUR.AD.DOMAIN
> # default_etypes = des-cbc-crc
> # default_etypes_des = des-cbc-crc
> # dns_lookup_realm = false
> # dns_lookup_kdc = false
>
> [realms]
> your.ad.domain = {
> kdc = your_dc_server.your.ad.domain
> default_domain = YOUR.AD.DOMAIN
> kpasswd_server = your_dc_server.your.ad.domain
> }
>
> [domain_realm]
> .your.ad.domain = YOUR.AD.DOMAIN
>
> [logging]
> default = SYSLOG:NOTICE:DAEMON
> kdc = FILE:/var/log/kdc.log
> kadmind = FILE:/var/log/kadmind.log
>
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> debug = false
> }
>
> You can test Kerberos authentication with the command "kinit
> username at YOUR.AD.DOMAIN"
>
> Good luck!
>
Hi Paolo,
Thank you for your quick reply, atm I'm trying with postfix +
dovecot + AD with no luck.
Yes, I'm using the virtual user for postfix vmail:vmail. However, I'm
getting authentication errors.
I dunno if PAM is a *must* in my case (I'm not using PAM right now). When I
try to connect with the mail client "thunderbird" I also get a login failure.
Here is the portion from dove-ldap.conf ....
hosts = xxx.abc.edu.pk (domain name crypted(changed) for security reason) :P
dn = cn=abc,cn=Users,dc=abc,dc=edu,dc=pk
dnpass = xxxx
ldap_version = 3
base = dc=abc,dc=edu,dc=pk
deref = never
scope = subtree
#user_attrs = uid,,,,, (I'm trying different settings for user_attrs here)
#user_attrs = uid,homeDirectory,,uid,,
#user_filter = (&(objectClass=posixAccount)(uid=%u))
user_filter = (sAMAccountName=%u)
#user_filter = (&(objectClass=sAMACcountName)(cn=%u))
# Password checking attributes in order:
# Virtual user name (user at domain)
# Password, may optionally start with {type}, eg. {crypt}
pass_attrs = uid,userPassword
# Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
pass_filter = (sAMAccountName=%u)
#user_filter = (&(objectClass=sAMACcountName)(cn=%u))
# Currently supported schemes include PLAIN, PLAIN-MD5, DIGEST-MD5, CRYPT
default_pass_scheme = PLAIN
user_global_uid = 1009
user_global_gid = 1003
I can see that I don't get any error while starting dovecot; however,
while trying to log in via the mail client it fails to authenticate.
Note: is PAM a *MUST* for postfix + dovecot + Active Directory?
Thanks and regards
Askar
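An added example, not from either poster: a small Python check for the krb5.conf pitfall Paolo flags with "CASE SENSITIVE!". It parses a constructed sample modelled on the quoted file, in which the [realms] entry is written lower-case while default_realm and [domain_realm] use upper-case, and reports each mismatch; the realm and host names are the page's placeholders.

```python
import re

# Constructed sample modelled on the quoted krb5.conf: [realms] entry lower-case, the rest upper-case.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = YOUR.AD.DOMAIN
[realms]
your.ad.domain = {
kdc = your_dc_server.your.ad.domain
}
[domain_realm]
.your.ad.domain = YOUR.AD.DOMAIN
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; brace blocks nest as dicts."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = sections.setdefault(header.group(1), {}), None
        elif not line or section is None:
            continue  # blank line, or a setting before any section header
        elif line == "}":
            block = None
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return sections


def check_realm_consistency(conf):
    """List realm-name mismatches; Kerberos compares realm names case-sensitively,
    so YOUR.AD.DOMAIN and your.ad.domain are two different realms to the library."""
    problems, realms = [], conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm and default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] entry with that exact case")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"[domain_realm] {domain} maps to {realm}, which is not in [realms]")
    for name in realms:
        if name != name.upper():
            problems.append(f"[realms] entry {name} is not upper-case; AD realms are the upper-cased DNS domain")
    return problems
```

Run against the sample it reports three mismatches; renaming the [realms] entry to YOUR.AD.DOMAIN clears all of them.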