Working with Active Directory on Windows Server 2012 R2

Sun Nov 30 01:40:09 UTC 2014

I’ve fixed the issue by using a slightly different configuration. Particularly the problem was due to mistaking %u (user at domain) vs %n (just user). Here are the configuration files for anyone looking to get it working with Active Directory on 2012 R2 on Dovecot 2.2.9 (or similar, whatever comes with Ubuntu Server 14.10).

Note: the uid & guid virtual need to exist (i.e. on Ubuntu, useradd virtual) and the directory /var/vmail must exist and be owned by virtual (referenced in 10-mail.conf and dovecot-ldap.conf.ext). I suspect as well that part of the reason that it is working is that I have UNIX services enabled on AD, which if you’re considering any integration with Linux you have to do anyways, so that must be enabled and configured for each user (which if you’re at this stage you likely know how to do).

Attached are the relevant configuration files. Hopefully it will save the unfortunate sysadmin tasked with integrating AD and Dovecot one day.

On November 27, 2014 at 12:15:05 AM, Aaron Jenkins (aaron at rsbuddy.com<mailto:aaron at rsbuddy.com>) wrote:

I’ve removed the dn / dnpass.

When attempting with new user:

$ cat /var/log/dovecot-info.log
Nov 27 00:09:29 imap-login: Info: Internal login failure (pid=5553 id=1) (internal failure, 1 successful auths): user=<test.user>, method=PLAIN, rip=10.211.55.29, lip=10.211.55.33, mpid=5558, TLS, session=<rQXRqdIIZwAK0zcd>
Nov 27 00:09:29 imap-login: Info: Internal login failure (pid=5559 id=1) (internal failure, 1 successful auths): user=<test.user>, method=PLAIN, rip=10.211.55.29, lip=10.211.55.33, mpid=5560, TLS, session=<A/TdqdIIaAAK0zcd>
Nov 27 00:09:29 auth: Info: ldap(test.user at a
d.automaton.uk,10.211.55.29,<mFneqdIIaQAK0zcd>): invalid credentials (given password: ThisIsAPass123)
Nov 27 00:09:35 auth: Info: ldap(test.user at ad.automaton.uk,10.211.55.29,<mFneqdIIaQAK0zcd>): invalid credentials (given password: ThisIsAPass123)
Nov 27 00:09:37 imap-login: Info: Disconnected (auth failed, 2 attempts in 8 secs): user=<test.user at ad.automaton.uk>, method=PLAIN, rip=10.211.55.29, lip=10.211.55.33, TLS, session=<mFneqdIIaQAK0zcd>

$ cat /var/log/dovecot-debug.log
Nov 27 00:13:07 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Nov 27 00:13:07 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Nov 27 00:13:07 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Nov 27 00:13:07 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Nov 27 00:13:07 auth: Debug: auth client connected (pid=6219)
Nov 27 00:13:07 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=/xfdttIIagAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=143 rport=44650
Nov 27 00:13:07 auth: Debug: client passdb out: CONT 1
Nov 27 00:13:07 auth: Debug: client in: CONT 1 AHRlc3QudXNlcgBUaGlzSXNBUGFzczEyMw== (previous base64 data may contain sensitive data)
Nov 27 00:13:07 auth: Debug: client passdb out: OK 1 user=test.user
Nov 27 00:13:07 auth: Debug: master in: REQUEST 2256273409 6219 1 a99d65893905abf592245098b369359e session_pid=6223 request_auth_token
Nov 27 00:13:07 auth: Debug: ldap(test.user,10.211.55.29,</xfdttIIagAK0zcd>): user search: base=cn=users,dc=ad,dc=automaton,dc=uk scope=subtree filter=(&(name=test.user)(objectClass=person)) fields=homeDirectory,uidNumber,gidNumber
Nov 27 00:13:07 auth: Debug: master userdb out: FAIL 2256273409
Nov 27 00:13:07 auth: Debug: auth client connected (pid=6224)
Nov 27 00:13:07 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=gn7dttIIawAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=143 rport=44651
Nov 27 00:13:07 auth: Debug: client passdb out: CONT 1
Nov 27 00:13:07 auth: Debug: client in: CONT 1 AHRlc3QudXNlcgBUaGlzSXNBUGFzczEyMw== (previous base64 data may contain sensitive data)
Nov 27 00:13:07 auth: Debug: client passdb out: OK 1 user=test.user
Nov 27 00:13:07 auth: Debug: master in: REQUEST 1233256449 6224 1 587c0fc0406dbbdac1ccf4bb6267ff59 session_pid=6225 request_auth_token
Nov 27 00:13:07 auth: Debug: ldap(test.user,10.211.55.29,<gn7dttIIawAK0zcd>): user search: base=cn=users,dc=ad,dc=automaton,dc=uk scope=subtree filter=(&(name=test.user)(objectClass=person)) fields=homeDirectory,uidNumber,gidNumber
Nov 27 00:13:07 auth: Debug: master userdb out: FAIL 1233256449
Nov 27 00:13:07 auth: Debug: auth client connected (pid=6226)
Nov 27 00:13:07 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=Ic3dttIIbAAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=143 rport=44652
Nov 27 00:13:07 auth: Debug: client passdb out: CONT 1
Nov 27 00:13:07 auth: Debug: client in: CONT 1 AHRlc3QudXNlckBhZC5hdXRvbWF0b24udWsAVGhpc0lzQVBhc3MxMjM= (previous base64 data may contain sensitive data)
Nov 27 00:13:09 auth: Debug: client passdb out: FAIL 1 user=test.user at ad.automaton.uk
Nov 27 00:13:09 auth: Debug: client in: AUTH 2 PLAIN service=imap secured session=Ic3dttIIbAAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=143 rport=44652 resp=AHRlc3QudXNlckBhZC5hdXRvbWF0b24udWsAVGhpc0lzQVBhc3MxMjM= (previous base64 data may contain sensitive data)
Nov 27 00:13:15 auth: Debug: client passdb out: FAIL 2 user=test.user at ad.automaton.uk

$ ldapsearch -x -H ldap://dc1.ad.automaton.uk -D CN=test.user,CN=users,DC=ad,DC=automaton,DC=uk -W - -b CN=test.user,CN=users,DC=ad,DC=automaton,DC=uk
# extended LDIF
#
# LDAPv3
# base <CN=test.user,CN=users,DC=ad,DC=automaton,DC=uk> with scope subtree
# filter: (objectclass=*)
# requesting: -
#

# test.user, Users, ad.automaton.uk
dn: CN=test.user,CN=Users,DC=ad,DC=automaton,DC=uk

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

And the password on AD for test.user is 100% ThisIsAPass123.

On November 26, 2014 at 12:16:34 AM, Steffen Kaiser (skdovecot at smail.inf.fh-brs.de<mailto:skdovecot at smail.inf.fh-brs.de>) wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 26 Nov 2014, Aaron Jenkins wrote:

> I’ve attempted the user Mail with the same password with the same result (binding as my own user was a last-ditch attempt).

OK, what about the:

> As I understand auth_bind_userdn, you do not need
> dn/dnpass anyway, because auth_bind_userdn prevents searching for the
> user's DN

Did you removed the dn/dnpass settings?

What about the:
> I wonder if the log shows the error from this setting or from the user's
> login attempt. Could you try another user?

If you login with another user (not aaron.jenkins) to IMAP, which
username is listed in the logs then.

>
> aaron at aaron-Parallels-Virtual-Platform:/etc/sssd$ ldapsearch -x -H ldap://dc1.ad.automaton.uk -D CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W - -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk> with scope subtree
> # filter: (objectclass=*)
> # requesting: -
> #
>
> # aaron.jenkins, Users, ad.automaton.uk
> dn: CN=aaron.jenkins,CN=Users,DC=ad,DC=automaton,DC=uk
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> Same with the user Mail
>
>
>
> On November 25, 2014 at 2:18:26 AM, Steffen Kaiser (skdovecot at smail.inf.fh-brs.de<mailto:skdovecot at smail.inf.fh-brs.de>) wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 25 Nov 2014, Aaron Jenkins wrote:
>
>> I’m having issues getting Dovecot to work with AD on 2012 R2 in a test environment.
>> …
>> Nov 19 09:22:23 auth: Debug: auth client connected (pid=10345)
>> Nov 19 09:22:23 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=993 rport=56395
>> Nov 19 09:22:23 auth: Debug: client passdb out: CONT 1
>> Nov 19 09:22:23 auth: Debug: client in: CONT 1 (previous base64 data may contain sensitive data)
>> Nov 19 09:22:29 auth: Debug: client passdb out: FAIL 1 user=aaron.jenkins temp
>
> Your conf:
> auth_bind = yes
> dn = aaron.jenkins
> dnpass = dummypass1
> auth_bind_userdn = CN=%u,CN=users,DC=ad,DC=automaton,DC=uk
>
> Can you really succeed a simple auth with the dn aaron.jenkins ? This
> ought to be a full DN. As I understand auth_bind_userdn, you do not need
> dn/dnpass anyway, because auth_bind_userdn prevents searching for the
> user's DN, in which case Dovecot requires a connection before any user
> bind takes place.
>
> I wonder if the log shows the error from this setting or from the user's
> login attempt. Could you try another user?
>
> Can you auth from command line via
>
> ldapsearch -x -H ldap://dc1.ad.automaton.uk -D \
> CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W \
> - -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
>
> - --
> Steffen Kaiser
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iQEVAwUBVHRYQ3z1H7kL/d9rAQLlKgf9GB2o0/T84E9KykVU/IkoCuLQLfaNeTzg
> tI26Puwl1+tHXY+WkJs8uHTsKWaI5Qyh0Fv/6bR3ZSB5QhEkAQSE87WKfSJCe6FX
> i1261C5oLSqA8mWYoyPnkeHuHDFKp9YULnfqgBbLzz/7Y63i0dDgaql5stELZSwa
> XCzUwrEWdxdzgt8h7mnfG6fHn4xxfLeKCiA5e62afjXux4eCGclcytXOpIgl8z7u
> bULhGmxqyYDvjkGXCex/LYtKx+S6zSIMg/8Ior6SrPBy+IK0qUtwPoOssCY4cycd
> 4ZRVdvxjmjbHrzQdV/ZJn+jLqSI016l/lzASP7SUptHb8CjwxZxeCw==
> =6Zsw
> -----END PGP SIGNATURE-----
> ---------------Output of GPG------------------
> Decryption of block failed
> gpg: Signature made Tue 25 Nov 2014 11:21:55 AM CET using RSA key ID 0BFDDF6B
> gpg: BAD signature from "Steffen Kaiser <skdovecot at smail.inf.fh-brs.de>"
>
>

- --
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBVHWNNXz1H7kL/d9rAQLnnAf7B2u8IlAG8ayWgsGSOF6JQCYE071r8fvd
3QS5d8kLw59wDocUaRgDDZKflk3AJkpQVb4SNsrTKaESHk9W6vpG9U9LMoQH9Kcg
w2R9nr/m5AH7GKx/aZSYpuJYCHZ9uMIv2lMorgUQb8iZdFcSdTa3p/aiDQf/yvjv
yEB4W/tXugLZXsP43sEUjjM4yqaYRDM0D1d9GtohaxuZS+VxuZBEPRLD5Wlkh8cj
4NMrvdgPsAAu3jnhpkOkfRnx6mQ6wyPdd7tU0U8QRFtJcae24c7l8jlK785oEREM
wCPRfp+HejnQWUzZ2XRjevv58LWa2teQ+U36zutN5Aj2/VTo+U7H+g==
=P2I4
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot-ldap.conf.ext
Type: application/octet-stream
Size: 6233 bytes
Desc: dovecot-ldap.conf.ext
URL: <http://dovecot.org/pipermail/dovecot/attachments/20141130/85e93c3d/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: auth-ldap.conf.ext
Type: application/octet-stream
Size: 324 bytes
Desc: auth-ldap.conf.ext
URL: <http://dovecot.org/pipermail/dovecot/attachments/20141130/85e93c3d/attachment-0005.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 10-auth.conf
Type: application/octet-stream
Size: 5133 bytes
Desc: 10-auth.conf
URL: <http://dovecot.org/pipermail/dovecot/attachments/20141130/85e93c3d/attachment-0006.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 10-mail.conf
Type: application/octet-stream
Size: 15775 bytes
Desc: 10-mail.conf
URL: <http://dovecot.org/pipermail/dovecot/attachments/20141130/85e93c3d/attachment-0007.obj>