Howto authenticate smartPhone via Active Directory
mj
lists at merit.unu.edu
Mon Dec 4 10:04:57 EET 2017
Hi Mark,
Just to let you know that we are running dovecot with AD. (and I guess:
*many* people are running that combination)
It worked without issues, we are using in dovecot-ldap.conf.ext:
> auth_bind = yes
this user/passwd filter:
> = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
> dn = cn=search_dovecit,cn=users,dc=company,dc=com
> dnpass = top_secret
And not the 3268 port, but regular 389.
Hope that helps.
MJ
On 12/04/2017 01:38 AM, Mark Foley wrote:
> Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just
> not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki
> https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is:
>
> Active Directory
>
> When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are
> available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx
>
> I have not been able to find an example of someone using Dovecot and ldap with AD.
>
> However, I have had some success with CheckPassword
> (https://wiki2.dovecot.org/AuthDatabase/CheckPassword). Using a program I wrote to do
> ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back
> to Dovecot. My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my
> checkpassword executable.
>
> passdb {
> driver = checkpassword
> args = /user/util/bin/checkpassword
> }
> userdb {
> driver = prefetch
> }
>
> The one issue I have with this at the moment is that dovecot runs checkpassword for every user,
> smartphone or otherwise:
>
> Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): unknown user - trying the next passdb
> Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
> Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Received input:
> Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): exit_status=1
> Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Credentials:
> Dec 03 18:56:32 auth: Debug: client passdb out: OK 1 user=charmaine original_user=charmaine at HPRS.LOCAL
> Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001 14902 1 586863e54c57c999ee5731906a59257c session_pid=14907 request_auth_token
> Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): lookup
> Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): username changed charmaine -> HPRS\charmaine
> Dec 03 18:56:32 auth: Debug: master userdb out: USER 1884160001 HPRS\charmaine system_groups_user=HPRS\charmaineuid=10003 gid=10000 home=/home/HPRS/charmaine auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 auth_user=charmaine at HPRS.LOCAL
> Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=<oy/YWXhfAtXAqAA0>
> Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)
>
> Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is
> checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds. Is
> there a way to only have it do checkpassword if all shadow and gssapi fail? My mechanisms are:
>
> auth_mechanisms = plain login gssapi
>
> THX, --Mark
>
> --Mark
>
> -----Original Message-----
> Date: Sun, 03 Dec 2017 22:28:53 +0200
> Subject: Re: Howto authenticate smartPhone via Active Directory
> From: Aki Tuomi <aki.tuomi at dovecot.fi>
> To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org
>
> with passdb ldap i guess.
>
> ---Aki Tuomi
> Dovecot oy
>
> -------- Original message --------
> From: Mark Foley <mfoley at ohprs.org>
> Date: 03/12/2017 21:18 (GMT+02:00)
> To: dovecot at dovecot.org
> Subject: Re: Howto authenticate smartPhone via Active Directory
>
> Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2
> shows:
>
> passdb pam {
> }
>
> used for authenticating Android. Problem #1 is that Slackware does not ship with PAM and the
> AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I
> should try configuring PAM on the AD/DC.
>
> Is there some otherway I can get authentication using domain credentials besides pam? the phone
> can send user and password.
>
> --Mark
>
> -----Original Message-----
>> Date: Sun, 03 Dec 2017 15:22:56 +0200
>> Subject: Re: Howto authenticate smartPhone via Active Directory
>> From: Aki Tuomi <aki.tuomi at dovecot.fi>
>> To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org
>>
>> Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module?
>> ---Aki TuomiDovecot oy
>>
>> -------- Original message --------
>> From: Mark Foley <mfoley at ohprs.org>
>> Date: 03/12/2017 06:03 (GMT+02:00)
>> To: dovecot at dovecot.org
>> Subject: Howto authenticate smartPhone via Active Directory
>
>> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials
>> using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via
>> shadow first and. failing that, it does authenticate via GSSAPI.
>>
>> Smartphones connect to Dovecot via port 143 and SSL. They are not domain members so if the
>> shadow authentication fails, no other methods are tried and no connection is made.
>>
>> What can I do with my dovecot config to fix this?
>>
>>> doveconf -n
>> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
>> # OS: Linux 4.4.88 x86_64 Slackware 14.2
>> auth_debug = yes
>> auth_debug_passwords = yes
>> auth_gssapi_hostname = $ALL
>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>> auth_mechanisms = plain login gssapi
>> auth_use_winbind = yes
>> auth_username_format = %n
>> auth_verbose = yes
>> auth_verbose_passwords = plain
>> disable_plaintext_auth = no
>> info_log_path = /var/log/dovecot_info
>> mail_location = maildir:~/Maildir
>> passdb {
>> driver = shadow
>> }
>> protocols = imap
>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt
>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
>> userdb {
>> driver = passwd
>> }
>> verbose_ssl = yes
>>
>> Thanks, Mark
>
More information about the dovecot
mailing list