How to "Windows Authenticate"

Rick Romero rick at havokmon.com
Thu Sep 3 11:53:19 UTC 2015


  Hi Mark,

I haven't done it, but I've played with the scenario enough to have an
idea.

What you want to do is have Outlook auth via NTLM to Dovecot. 

First that means having the machine be a domain member (usually via Samba)
in order to properly process NTLM/Kerberos handshake - which it appears you
have.
Second that means having Dovecot know how to accept NTLM authentication
(SPA) to pass to the Samba backend.

A 'Dovecot NTLM' search led me here:
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm

What's not on the page that I'd expect to see, are the compile-time
requirements for including samba/kerberos libs within Dovecot.  If it
doesn't 'just work' with the config changes in the wiki, you may need to
recompile with the right features.

Also - check the permissions of the ntlm_auth program. That's caused many
issues with Radius installs, IIRC.

Hope that helps!

Rick

Quoting Mark Foley <mfoley at ohprs.org>:

> This can't be that hard. I think I've enabled LDAP in Dovecot just by
> including dovecot-ldap.conf.ext in 10-auth.conf and using the default
> settings. I now have the configuration shown below. Two questions:
>
> 1. How do I set Outlook to authenticate with LDAP? Currently the Outlook
> accounts still have the ID and password set in "Logon Information".
> Checking "Require logon using Secure Password Authentication (SPA)"
> doesn't work. All I can seem to find on the Internet is how to configure
> address books using LDAP.
>
> 2. Should I remove "passdb { driver = shadow }" from the dovecot
> configuration?
>
> Anybody?
>
> $ doveconf -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
> driver = shadow
> }
> passdb {
> args = /etc/dovecot/dovecot-ldap.conf.ext
> driver = ldap
> }
> protocols = imap
> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> userdb {
> driver = passwd
> }
> userdb {
> args = /etc/dovecot/dovecot-ldap.conf.ext
> driver = ldap
> }
> verbose_ssl = yes
>
> -----Original Message-----
> From: Mark Foley <mfoley at ohprs.org>
> Date: Wed, 02 Sep 2015 13:31:35 -0400
> To: dovecot at dovecot.org
> Subject: How to "Windows Authenticate"
>
>> I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013)
>> on Windows workstations for over 6 months with no problems.  Dovecot is
>> hosted on the office Samba4 AC/DC server.
>>
>> I have been using auth_mechanisms plain login, and passdb driver = shadow.
>>
>> What I'd like to do now is use the "Windows Authenticated" login so I
>> don't have to have separate passwords for users logging into the Windows
>> AD workstations and their Outlook clients.
>>
>> If anyone has actually done this I'd appreciate some tips. My various
>> attempts have not been successful.
>>
>> Here is my current config:
>>
>> $ doveconf -n
>> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
>> # OS: Linux 3.10.17 x86_64 Slackware 14.1
>> auth_debug_passwords = yes
>> auth_mechanisms = plain login
>> auth_verbose = yes
>> auth_verbose_passwords = plain
>> disable_plaintext_auth = no
>> info_log_path = /var/log/dovecot_info
>> mail_location = maildir:~/Maildir
>> passdb {
>>   driver = shadow
>> }
>> protocols = imap
>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
>> userdb {
>>   driver = passwd
>> }
>> verbose_ssl = yes
>>
>> Thanks, Mark Foley
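The thread above turns on two things: whether Dovecot is configured to offer the NTLM mechanism that Outlook's SPA option needs, and (Rick's hint) whether the `ntlm_auth` helper is actually executable. The quoted `doveconf -n` dumps also carry `auth_verbose_passwords = plain` and `auth_debug_passwords = yes`, which write users' passwords into the Dovecot log, and `disable_plaintext_auth = no`, which accepts PLAIN/LOGIN without TLS. The script below is an added example, not code from the thread or from the Dovecot project: it audits a saved `doveconf -n` dump for those settings and checks the `ntlm_auth` path. The sample dump it writes is constructed from the values quoted in the thread; the default `/usr/bin/ntlm_auth` location is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit a saved `doveconf -n` dump before
# moving Outlook clients to NTLM (SPA), and check that ntlm_auth is runnable.
# Only POSIX sh, sed, grep and mktemp are used.

# Print the value of a top-level "key = value" line; empty if the key is absent.
dc_get() {
    sed -n "s/^$1 = //p" "$2" | head -n 1
}

# Print one finding per line. Exit status is the number of findings (0 = clean).
audit_doveconf() {
    dump="$1"
    count=0
    if [ "$(dc_get auth_verbose_passwords "$dump")" = "plain" ]; then
        echo "auth_verbose_passwords=plain: failed logins write the password to the log"
        count=$((count + 1))
    fi
    if [ "$(dc_get auth_debug_passwords "$dump")" = "yes" ]; then
        echo "auth_debug_passwords=yes: auth debug output includes passwords"
        count=$((count + 1))
    fi
    if [ "$(dc_get disable_plaintext_auth "$dump")" = "no" ]; then
        echo "disable_plaintext_auth=no: PLAIN/LOGIN accepted without TLS"
        count=$((count + 1))
    fi
    # Outlook's SPA checkbox negotiates NTLM; Dovecot must list it in auth_mechanisms.
    case " $(dc_get auth_mechanisms "$dump") " in
        *" ntlm "*) ;;
        *)  echo "auth_mechanisms lacks ntlm: Outlook SPA cannot negotiate"
            count=$((count + 1)) ;;
    esac
    return "$count"
}

# Rick's hint: the Dovecot auth process must be able to execute ntlm_auth.
# The default path is an assumption; pass the real one as $1.
check_ntlm_auth() {
    bin="${1:-/usr/bin/ntlm_auth}"
    if [ ! -e "$bin" ]; then
        echo "$bin: not found (install Samba's winbind client tools)"
        return 1
    fi
    if [ ! -x "$bin" ]; then
        echo "$bin: present but not executable by $(id -un)"
        return 1
    fi
    echo "$bin: present and executable"
}

# Constructed sample dump using the values quoted in the thread.
write_sample_dump() {
    cat > "$1" <<'EOF'
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
protocols = imap
EOF
}

# Constructed dump with the settings a hardened NTLM-ready server would show.
write_hardened_dump() {
    cat > "$1" <<'EOF'
auth_debug_passwords = no
auth_mechanisms = plain login ntlm
auth_verbose = yes
auth_verbose_passwords = no
disable_plaintext_auth = yes
protocols = imap
EOF
}

# Demo when run directly: audit the constructed sample dump.
if [ "${1-}" = "--demo" ]; then
    demo=$(mktemp)
    write_sample_dump "$demo"
    audit_doveconf "$demo" || echo "$? finding(s) in $demo"
    check_ntlm_auth "${2-}" || true
    rm -f "$demo"
fi
```

Run it as `sh audit.sh --demo /usr/bin/ntlm_auth` against a saved dump; in a real migration, the hardened settings matter regardless of whether NTLM ends up working, since the logging options leak every mistyped password into `info_log_path`.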

