Howto authenticate smartPhone via Active Directory

Mark Foley mfoley at ohprs.org
Mon Dec 4 02:38:48 EET 2017 

Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just
not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki
https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is:

Active Directory

When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are
available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx

I have not been able to find an example of someone using Dovecot and ldap with AD.

However, I have had some success with CheckPassword
(https://wiki2.dovecot.org/AuthDatabase/CheckPassword).  Using a program I wrote to do
ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back
to Dovecot.  My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my
checkpassword executable. 

passdb {
	  driver = checkpassword
	    args = /user/util/bin/checkpassword
}
userdb {
	  driver = prefetch
}

The one issue I have with this at the moment is that dovecot runs checkpassword for every user,
smartphone or otherwise:

Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): unknown user  - trying the next passdb
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Received input: 
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): exit_status=1
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Credentials: 
Dec 03 18:56:32 auth: Debug: client passdb out: OK      1       user=charmaine  original_user=charmaine at HPRS.LOCAL
Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001      14902   1       586863e54c57c999ee5731906a59257c        session_pid=14907 request_auth_token
Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): lookup
Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): username changed charmaine -> HPRS\charmaine
Dec 03 18:56:32 auth: Debug: master userdb out: USER    1884160001      HPRS\charmaine  system_groups_user=HPRS\charmaineuid=10003        gid=10000       home=/home/HPRS/charmaine       auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7     auth_user=charmaine at HPRS.LOCAL
Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=<oy/YWXhfAtXAqAA0>
Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)

Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is
checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds.  Is
there a way to only have it do checkpassword if all shadow and gssapi fail? My mechanisms are:

auth_mechanisms = plain login gssapi

THX, --Mark

--Mark

-----Original Message-----
Date: Sun, 03 Dec 2017 22:28:53 +0200
Subject: Re: Howto authenticate smartPhone via Active Directory
From: Aki Tuomi <aki.tuomi at dovecot.fi>
To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org

with passdb ldap i guess.

---Aki Tuomi
Dovecot oy

-------- Original message --------
From: Mark Foley <mfoley at ohprs.org> 
Date: 03/12/2017  21:18  (GMT+02:00) 
To: dovecot at dovecot.org 
Subject: Re: Howto authenticate smartPhone via Active Directory 

Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2
shows:

passdb pam {
}

used for authenticating Android.  Problem #1 is that Slackware does not ship with PAM and the
AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I
should try configuring PAM on the AD/DC.

Is there some otherway I can get authentication using domain credentials besides pam? the phone
can send user and password.

--Mark

-----Original Message-----
> Date: Sun, 03 Dec 2017 15:22:56 +0200
> Subject: Re: Howto authenticate smartPhone via Active Directory
> From: Aki Tuomi <aki.tuomi at dovecot.fi>
> To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org
>
> Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module?
> ---Aki TuomiDovecot oy
>
> -------- Original message --------
> From: Mark Foley <mfoley at ohprs.org> 
> Date: 03/12/2017  06:03  (GMT+02:00) 
> To: dovecot at dovecot.org 
> Subject: Howto authenticate smartPhone via Active Directory 

> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials
> using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via
> shadow first and. failing that, it does authenticate via GSSAPI.
>
> Smartphones connect to Dovecot via port 143 and SSL.  They are not domain members so if the
> shadow authentication fails, no other methods are tried and no connection is made. 
>
> What can I do with my dovecot config to fix this?
>
> > doveconf -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 4.4.88 x86_64 Slackware 14.2 
> auth_debug = yes
> auth_debug_passwords = yes
> auth_gssapi_hostname = $ALL
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = plain login gssapi
> auth_use_winbind = yes
> auth_username_format = %n
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt
> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> userdb {
>   driver = passwd
> }
> verbose_ssl = yes
>
> Thanks, Mark

More information about the dovecot mailing list