LDAP authentication

Alexandros Soumplis soumplis at ekt.gr
Mon Jun 22 19:54:08 UTC 2015


If you allow anonymous search on AD, maybe you can try to set auth_bind = no.

a.


On 22/06/15 17:19, Luca Bertoncello wrote:
> Hi again
>
> I'm trying to authenticate a user against an LDAP server (well, our 
> AD, but it can do LDAP).
>
> This is my configuration:
>
> hosts = my.server.local
> auth_bind = yes
> ldap_version = 3
> base = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local
> scope = subtree
> user_attrs = \
>   =home=/home/imapproxy/%u, \
>   =mail=maildir:/home/imapproxy/%u
>
> pass_attrs = uid=%u, userPassword=%w
> pass_filter = (&(objectClass=user)(sAMAccountName=%u))
> auth_bind_userdn = company\%u
>
> If I try to log in on the LDAP server using ldapsearch it works, but 
> with Dovecot it does not...
> I see this in my log:
>
> Jun 22 16:14:08 proxy01 dovecot: auth: Debug: client in: 
> AUTH#0111#011PLAIN#011service=imap#011secured#011session=+agW4xsZ4gAKADPG#011lip=10.0.46.4#011rip=10.0.51.198#011lport=143#011rport=34018#011resp=<hidden>
> Jun 22 16:14:08 proxy01 dovecot: auth: Debug: client passdb out: 
> OK#0111#011user=bertoncello
> Jun 22 16:14:08 proxy01 dovecot: auth: Debug: master in: 
> REQUEST#0111586495489#01117122#0111#01161785e0770d6c48e7316ab484bc2778c#011session_pid=17125#011request_auth_token
> Jun 22 16:14:08 proxy01 dovecot: auth: Debug: 
> ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>): user search: 
> base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local 
> scope=subtree filter=(&(objectClass=posixAccount)(uid=bertoncello)) 
> fields=
> Jun 22 16:14:08 proxy01 dovecot: auth: Error: 
> ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>): 
> ldap_search(base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local 
> filter=(&(objectClass=posixAccount)(uid=bertoncello))) failed: 
> Operations error
> Jun 22 16:14:08 proxy01 dovecot: auth: Debug: master userdb out: 
> FAIL#0111586495489
> Jun 22 16:14:08 proxy01 dovecot: imap: Error: Internal auth failure 
> (client-pid=17122 client-id=1)
> Jun 22 16:14:08 proxy01 dovecot: imap-login: Internal login failure 
> (pid=17122 id=1) (internal failure, 1 successful auths): 
> user=<bertoncello>, method=PLAIN, rip=10.0.51.198, lip=10.0.46.4, 
> mpid=17125, TLS, session=<+agW4xsZ4gAKADPG>
>
> and if I sniff the communication with the AD using ngrep, I see:
>
> ####
> T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
>   0....`........
> #
> T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
>   0........a............
> ##
> T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
>   0#...`......company\bertoncello..secret
> #
> T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
>   0........a............
> ##
> T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
>   0....`........
> #
> T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
>   0........a............
> #
> T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
> 0.....c{.5CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local................1....objectClass..posixAccount....uid..bertoncello0.
> #
> T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
>   0........e................000004DC: LdapErr: DSID-0C0906E8, comment: 
> In order to perform this operation a successful bind must be completed 
> on the connection., data 0, v1db1.
> ##
> T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
>   0....B.
> ###
> T 192.168.168.23:389 -> 10.0.46.4:58761 [AR]
>   ..
>
> and I can't understand why:
>
> 1) I read "objectClass..posixAccount"
> 2) The authentication does not work...
>
> Thanks for your help!
> Luca Bertoncello
> (lucabert at lucabert.de)
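
An added example from the editor, not from either poster. The log and capture above show what goes wrong: the passdb step succeeds (the simple bind as company\bertoncello is accepted), then Dovecot rebinds with an empty DN because no dn/dnpass is configured and runs the userdb search with its default user_filter, (&(objectClass=posixAccount)(uid=%u)), since the posted config sets none. AD accepts the anonymous bind but refuses the search on that connection with 000004DC ("a successful bind must be completed"). The search base is also the schema partition (CN=Person,CN=Schema,CN=Configuration,...), where no user accounts live. Two further points a practitioner would want: the ngrep capture shows the user's password crossing the network in cleartext to port 389, so the directory connection should be protected with TLS; and AD never returns a password attribute in search results, so auth_bind = no (reading userPassword) cannot verify passwords against AD, which is why the fix below keeps auth_bind = yes and adds a service account for the search steps. The service-account DN, the users' OU and the CA bundle path are assumptions.

```ini
# dovecot-ldap.conf.ext -- added example, not the poster's working config.
# The service account DN, the users' OU, the hostname and the CA path are
# assumptions for illustration.

# --- as posted (problematic) ---
# hosts = my.server.local
#     plain LDAP on 389: the simple-bind password is sent in cleartext
# auth_bind = yes
# auth_bind_userdn = company\%u
# base = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local
#     schema partition; user objects live in the domain partition
# pass_attrs = uid=%u, userPassword=%w
#     not needed with auth_bind = yes; AD does not return password attributes
# (no dn / dnpass)
#     the userdb search runs on an anonymously bound connection -> 000004DC
# (no user_filter)
#     default (&(objectClass=posixAccount)(uid=%u)) does not match AD users

# --- corrected ---
# LDAP over TLS (ldaps). Alternative: keep "hosts = my.server.local"
# and set "tls = yes" for STARTTLS on port 389.
uris = ldaps://my.server.local
# Assumption: CA bundle that contains the issuer of the AD certificate.
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
# Refuse untrusted server certificates instead of silently accepting them.
tls_require_cert = demand
ldap_version = 3

# Service account used for the search steps (the userdb lookup, and the
# passdb DN lookup if auth_bind_userdn is ever removed). This file now
# holds a secret: keep it readable by root only.
dn = CN=dovecot-svc,OU=Service Accounts,DC=company,DC=local
dnpass = CHANGE-ME-service-account-password

# Password verification still happens by binding as the user; with
# auth_bind_userdn set, no search is needed before the bind and the
# pass_filter below is only used if that template is removed.
auth_bind = yes
auth_bind_userdn = company\%u

# Assumption: the container holding the user accounts.
base = OU=Users,DC=company,DC=local
scope = subtree

pass_filter = (&(objectClass=user)(sAMAccountName=%u))
# pass_attrs is intentionally left unset: the bind proves the password.

# AD users are objectClass=user and are looked up by sAMAccountName.
user_filter = (&(objectClass=user)(sAMAccountName=%u))
user_attrs = =home=/home/imapproxy/%u, =mail=maildir:/home/imapproxy/%u
```

After changing the file, `doveadm auth test bertoncello` exercises the passdb step and `doveadm user bertoncello` the userdb step, so the two lookups can be checked separately; with the service account bound, the userdb search in the auth debug log should return fields instead of "Operations error".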


