[Dovecot] LDAP w/SASL "Active Directory" authentication failing.
Timo Sirainen
tss at iki.fi
Fri Nov 4 22:38:08 EET 2011
On Tue, 2011-11-01 at 09:55 -0600, David Varela wrote:
> I am running a Dovecot server (version 1.2.17) on FreeBSD 8.2, using
> LDAP to authenticate Active Directory users. I can successfully bind and
> authenticate using PLAIN and LDAP without SASL, but obviously passwords for
> the bind user and the user being authenticated are being passed in plain
> text. I've attempted to configure my server to us SASL however when I
> attempt to authenticate a user I see authentication failures. I reviewed
> the security log on my domain controller and see that the bind user is
> binding properly, so the issue appears to be orginating from the user
> authentication, however I cannot determine what the issue is. Here is all
> the information regarding my configuration, along with the logs from the
> server:
SASL binding currently works only for the initial "ldap admin user"
authentication. It doesn't work for individual user authentication
requests (auth_bind=yes).
> #auth_bind = yes
Here you're not even attempting to use auth binds.
> pass_attrs = mail=user
And you're also not returning a password for user.
> Nov 01 09:13:26 auth(default): Info: ldap(davidv at smallmountain.net,127.0.0.1):
> No password returned (and no nopassword)
So Dovecot has no way of authenticating user.
I'd suggest forgetting about SASL and enabling TLS instead.
More information about the dovecot
mailing list