[Dovecot] Samba4 and user auth

Pavel Herrmann morpheus.ibis at gmail.com
Mon Jul 1 14:05:10 EEST 2013


On Monday 01 July 2013 12:36:39 Carsten Laun-De Lellis wrote:
> Hi Pavel
> Thanks for your reply.
> When you were setting up your ldap query what kind of password crypto
> did you specify: plain, ntlm, gssapi or anything else? The password field
> in your query is userPassword, or am I wrong here?

the password field is hidden (only the user can see it) by default, and not 
stored as a unix-friendly value (anything a crypt() would understand)
what I use is auth_bind (which uses user-supplied password to bind to the LDAP 

what it means is that on every login there are 2 lookups (first one using your 
"service" DN to find the user DN, second one with your user DN to check the 

that also means that you need a password format that your LDAP can understand 
(mostly a plaintext password, or NTLM if your mail server is a Samba domain 
member). As long as you only offer IMAP/SSL I don't think plaintext (as in 
"auth_mechanisms = plain") is an issue, security-wise.

as far as the service account (the one that is used to look up users) goes, I 
am using the default option (setting "dn" and "dnpass" variables), which I 
think is a simple bind. it is possible that it only works because Samba4 and 
dovecot run on the same machine.

Pavel Herrmann

> I will try it again.
> ---
> With kind regards
> Carsten Laun-De Lellis
> Hauptstrasse 13
> D-67705 Trippstadt
> Phone: +49 6306 992140
> Fax: +49 6306 992142
> Mobile: +49 151 27530865
> email: carsten.delellis at delellis.net
> http://www.linkedin.com/in/carstenlaundelellis [1]
> On 2013-07-01 11:24, Pavel Herrmann wrote:
> > Hi
> > 
> > On Friday 28 June 2013 07:17:39 Carsten Laun-De Lellis wrote:
> >> Hi all I am trying to set up an email Server with a Samba4 AD as user
> >> Directory. Does anybody know a good how-to to setup user auth against AD
> >> ? Or could anyone tell me how to do it? I am having an email Server up
> >> and running with openldap but want to change to Samba4 AD, because of
> >> the openchange Integration. I would appreciate any help on this topic.
> > 
> > I have an AD/Samba4 auth for dovecot, it works the same as any LDAP would
> > (with authenticated lookups and auth_bind)
> > 
> > I would suggest you try it, and ask if there are any issues.
> > 
> > Pavel Herrmann
> Links:
> ------
> [1] http://www.linkedin.com/in/carstenlaundelellis
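
The two-lookup auth_bind setup described in this message, written out as a Dovecot 2.x configuration. This is an added example, not configuration posted in the thread or taken from either poster's server. The host, DNs, password, file path and the sAMAccountName login filter are placeholders or assumptions.

```conf
# --- /etc/dovecot/dovecot-ldap.conf.ext (path assumed; passdb side only) ---
# Keep this file readable by root only: it holds the service password.
# Assumption: Samba4 AD runs on the same host, as in the thread.
hosts = 127.0.0.1
ldap_version = 3

# Lookup 1: the service account binds and searches for the user's DN.
# Placeholder DN and password; use a dedicated low-privilege account.
dn = CN=dovecot-lookup,CN=Users,DC=example,DC=com
dnpass = REPLACE_ME

base = DC=example,DC=com
scope = subtree
# %n = login name without any @domain part (assumed to match sAMAccountName)
pass_filter = (&(objectClass=user)(sAMAccountName=%n))

# Lookup 2: Dovecot re-binds as the DN found above, using the password the
# client supplied. No password attribute is read from the directory, so the
# hidden AD password field never has to be exposed to the service account.
auth_bind = yes

# A simple bind carries dnpass and the user's password unencrypted on the
# LDAP connection. If the directory is not on localhost, protect that hop
# with one of:
#   uris = ldaps://dc1.example.com
#   tls = yes

# --- dovecot.conf / conf.d (client-facing side) ---
# PLAIN is needed so Dovecot has the cleartext password for the re-bind;
# it is only acceptable because clients must use TLS.
auth_mechanisms = plain
ssl = required
disable_plaintext_auth = yes

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
```

A failed second bind shows up in the Dovecot auth log as a password mismatch for that user, while a failed first bind (wrong dn/dnpass) breaks every login at once, which helps separate the two cases when debugging.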
