Dovecot & AD (was: Dovecot 2 LDAP "unknown user")

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Thu Nov 10 14:55:25 UTC 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 5 Nov 2016, Peter Fraser wrote:

> 1. I need to make sure the user logon name in AD and the samAccountname
>    are exactly the same, case and all. It seems postfix
>    uses the samAccountname and Dovecot the User logon name.
> 2. I also noticed that if the Display name for a user in AD is blank,
>    that user cannot log in using telnet <server ip> 110.

OK, this is something interesting

> and dovecot-ldap.conf.ext reads as follows
>
> #Custom Settings
> hosts = ip address
> ldap_version = 3
> scope = subtree
> deref = never
> base = cn=users,dc=domain,dc=com
> dn = cn=administrator,cn=users,dc=domain,dc=com
> dnpass = password
> auth_bind = yes
> auth_bind_userdn = %n
> ldap_version = 3
> scope = subtree
> user_attrs = home=/home/vmail/%u,=uid=vmail,=gid=vmail
> pass_attrs = uid=%n,userPassword=password
> #pass_attrs=uid=user, userpassword=password
> user_filter = (&(objectclass=person)(samaccountname=%n))
> pass_filter = (&(objectclass=inetorgperson)(mail=%u))

Check out your 1. and pass_filter:
"postfix uses samAccountname" <-> pass_filter uses "mail" to identify a 
user.

So I suggest you use:

pass_filter = 
(&(objectclass=inetorgperson)(|(mail=%u)(samaccountname=%n)(cn=%n)))

Note: add to the LDAP query all LDAP attributes that identify exactly one 
user (never more than one). If cn is not unique, use something you think 
is appropriate. Some examples on the net use userPrincipalName, ...
Also, search the net for "dovecot active directory" and you'll find 
that some exclude entries with certain userAccountControl strings.
That way Dovecot finds the user regardless of what s/he enters as 
username. You could even use something like (mail=%n@example.com)

pass_attrs=samaccountname=user, userpassword=password

This will return samaccountname as new username for userdb queries.

user_filter = (&(objectclass=person)(samaccountname=%n))

Finally, this query must find the user's data. Because pass_attrs mangles 
the "user" information of Dovecot to be samaccountname, this attribute 
must be present. If postfix delivers to this user, too, you are done. 
Otherwise use a similar approach as with pass_filter.
Dovecot LDA and LMTP do not use pass_filter, but only user_filter.

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEVAwUBWCSKXnz1H7kL/d9rAQI2Wgf+OIFn5vssn1giLEocVSpZDvirLHLe4c1m
br+PBzklJ2OtM4gYjVdcSkgOmuDGOoeIOcxZQIZwmz7413oCjmA8jloUzzYhj6Q6
6CSLHlBWMqtsnQC8+bITuEWBO+ygXT4A5HdEiJANT/oq+Jq1PXq6gN4W3CVwaq+4
f0b+H+Ejk9Xf8jjnpsvhL4SeS71fc7QwmcDZ3syxutQhWgu/urkAUqu3B0R9PD2r
FOxJS+q4lF4JTni4vlWrqtuUeK9Mv675vLq1Uw8c+jLdlBgD5QKKsFNy3LTokMEm
qU1g7uSISl16AmZ6arIk2ZEtBMpYlFYhxct/EMbjfgeKZ75zG9g6Fw==
=S+La
-----END PGP SIGNATURE-----
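The advice above (one pass_filter that matches every identifier a user might type, exclusion of disabled accounts via userAccountControl, sAMAccountName returned as the canonical username, and a user_filter that LDA/LMTP can satisfy on its own) assembled into a complete dovecot-ldap.conf.ext. This is an added example, not the original poster's file or Steffen's: the DC hostname, base DN, the dovecot-ldap search account and its password, and the /home/vmail layout are assumptions.

```conf
# dovecot-ldap.conf.ext for Active Directory (added example; hostname,
# base DN and search account are assumptions).

# Assumed domain controller. LDAPS keeps the search-account password and
# the users' bind passwords off the wire in clear text.
uris = ldaps://dc1.example.com
ldap_version = 3
base = cn=users,dc=example,dc=com
scope = subtree
deref = never

# Search account used only to run pass_filter/user_filter. Use a
# low-privilege read-only user rather than the domain administrator.
dn = cn=dovecot-ldap,cn=users,dc=example,dc=com
dnpass = assumed-search-password

# Authenticate by binding as the user. With auth_bind_userdn left unset,
# Dovecot first runs pass_filter with the search account, then binds as
# the DN of the single entry it found, so the login name may be any of
# the identifiers listed in pass_filter.
auth_bind = yes

# Each alternative must identify exactly one account. objectCategory=person
# keeps computer accounts (also objectClass=user in AD) out. Disabled
# accounts are excluded by testing bit 0x2 (ACCOUNTDISABLE) of
# userAccountControl with the LDAP_MATCHING_RULE_BIT_AND rule
# (OID 1.2.840.113556.1.4.803).
pass_filter = (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%u)(userPrincipalName=%u)(sAMAccountName=%n)))

# Return sAMAccountName as the Dovecot username, so userdb lookups and
# LDA/LMTP see the same name whatever was typed at login. No password
# attribute: AD does not return password hashes and auth_bind already
# verified the password.
pass_attrs = sAMAccountName=user

# userdb lookup. LDA/LMTP never run pass_filter, so this filter must also
# match the recipient name Postfix hands over (sAMAccountName here).
user_filter = (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%n))

# Leading "=" marks a template value rather than an LDAP attribute name.
# %u is now the sAMAccountName returned by pass_attrs above.
user_attrs = =home=/home/vmail/%u,=uid=vmail,=gid=vmail
```

Before pointing Dovecot at it, run each filter through ldapsearch with a real login name substituted for %u/%n and confirm it returns exactly one entry; a filter that can match two accounts (a non-unique cn, a mail address that is also someone's UPN) lets a user authenticate as whichever entry comes back first. Then check both paths Dovecot uses: `doveadm auth test user@example.com` for the login side and `doveadm user user` for the userdb side that LDA/LMTP depend on.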