[Dovecot] LDAP w/SASL "Active Directory" authentication failing.

Timo Sirainen tss at iki.fi
Fri Nov 4 22:38:08 EET 2011


On Tue, 2011-11-01 at 09:55 -0600, David Varela wrote:

> I am running a Dovecot server (version 1.2.17) on FreeBSD 8.2, using
> LDAP to authenticate Active Directory users.  I can successfully bind and
> authenticate using PLAIN and LDAP without SASL, but obviously passwords for
> the bind user and the user being authenticated are being passed in plain
> text.  I've attempted to configure my server to use SASL however when I
> attempt to authenticate a user I see authentication failures.  I reviewed
> the security log on my domain controller and see that the bind user is
> binding properly, so the issue appears to be originating from the user
> authentication, however I cannot determine what the issue is.  Here is all
> the information regarding my configuration, along with the logs from the
> server:

SASL binding currently works only for the initial "ldap admin user"
authentication. It doesn't work for individual user authentication
requests (auth_bind=yes).

> #auth_bind = yes

Here you're not even attempting to use auth binds.

> pass_attrs = mail=user

And you're also not returning a password for user.

> Nov 01 09:13:26 auth(default): Info: ldap(davidv at smallmountain.net,127.0.0.1):
> No password returned (and no nopassword)

So Dovecot has no way of authenticating user.

I'd suggest forgetting about SASL and enabling TLS instead.
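A dovecot-ldap.conf fragment that follows the advice above (an added example, not taken from the thread or from the Dovecot project): SASL binding stays off, the connection to the domain controller is protected with STARTTLS and certificate verification, and per-user checks use auth binds so no password attribute has to come back from Active Directory. The hostname, CA file path, bind DN and AD domain are placeholders.

```conf
# dovecot-ldap.conf, Dovecot 1.2 style. Added example; host, paths, DN and
# domain below are placeholders, not values from the original thread.

# Upgrade the connection with STARTTLS before any bind, so neither the admin
# bind password nor the users' passwords cross the wire in clear text.
hosts = dc1.ad.example.com
tls = yes
# Verify the domain controller's certificate; without this, TLS only hides
# the traffic and a rogue LDAP server could still harvest the passwords.
tls_ca_cert_file = /usr/local/etc/ssl/ad-ca.pem
tls_require_cert = hard

# SASL binding is only used for the initial admin bind, never for the
# per-user auth binds, so it is left disabled here.
#sasl_bind = yes
#sasl_mech =
#sasl_realm =

# Account used only to search for user objects; give it read access and
# nothing more, and keep this file readable by the dovecot user only.
dn = CN=dovecot,OU=Service Accounts,DC=ad,DC=example,DC=com
dnpass = CHANGEME-bind-password

ldap_version = 3
base = DC=ad,DC=example,DC=com
scope = subtree

# Verify the user's password by binding to AD as that user. AD does not hand
# out a password attribute over LDAP, so returning one via pass_attrs is
# not an option; auth binds are what make the
# "No password returned (and no nopassword)" error go away.
auth_bind = yes

# With auth_bind, pass_attrs only maps attributes onto Dovecot fields; the
# user's DN found by pass_filter is what Dovecot binds with.
pass_attrs = mail=user
pass_filter = (&(objectClass=user)(mail=%u))

# Userdb lookups use the same search but run under the admin bind.
user_attrs = mail=user
user_filter = (&(objectClass=user)(mail=%u))
```

After changing the file, watch the auth log for the successful bind as the user rather than the admin account; an admin bind followed by a failure usually means pass_filter matched nothing.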
