Howto authenticate smartPhone via Active Directory

Mark Foley mfoley at ohprs.org
Tue Dec 5 06:21:17 EET 2017 

mj - thanks! That the first useful example I've received from any forum/list. I'm getting ready
to try my config (have to do so after hours), but I have some probably simple-minded questions:

Your example is not the complete dovecot-ldap.conf.ext file, right? Have you just given me
differences in your config from the "original"? You've kept the hosts, base, ldap_version,
scope, deref, debug_level, and auth_bind_userdn settings in your config, right?

Your dn is:

dn = cn=search_dovecit,cn=users,dc=company,dc=com

Mine (original) is:

dn = cn=user_for_bind,cn=Users,dc=dom

Can you tell me why you have "search_dovecit" versus "user_for_bind"? Is that something I need
in order to make this work?

Is your "dc=company,dc=com" meta-syntax and you use your actual domain CNs here, or is that
litterally what you have there?

My dnpass (original) is:

dnpass = ************

your example is:

dnpass = top_secret

Again, are the assigned values meta-syntax (meta-syntax in configs is not obvious to me unless
it is bold, underlined, italicized and colored ... or uses brackets or some other convention)?
If meta, what is actually supposed to go there?

With your "this user/passwd filter". Can you tell me why you have "userAccountControl=514"? Is
that 514 bit documented somewhere? Your user_filer/pass_filter is *completely* different from
my installed original.

You don't mention the user_attrs/pass_attrs settings. Is this because you use the originals or
because you have commented them out? My current settings are:

user_attrs      = quotaFieldAD=quota_rule=*:storage=%$MB
pass_attrs      = userPassword=password

My auth_mechanisms are:

auth_mechanisms = plain login gssapi

Is this sufficient for ldap?

Thanks for your help --Mark

btw - I have been running Dovecot with AD for years, but for local Domain users authenticating
via GSSAPI.  Remote users (e.g. smartPhones) don't have that mechanism that I'm aware of.
Currently they are authenticated via shadow, but I'd like to remove AD users from /etc/passwd. 

On Mon, 4 Dec 2017 09:04:57 +0100 mj <lists at merit.unu.edu> wrote
>
> Hi Mark,
>
> Just to let you know that we are running dovecot with AD. (and I guess: 
> *many* people are running that combination)
>
> It worked without issues, we are using in dovecot-ldap.conf.ext:
>
>  > auth_bind = yes
>
> this user/passwd filter:
> > = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
>
>  > dn = cn=search_dovecit,cn=users,dc=company,dc=com
>  > dnpass = top_secret
>
> And not the 3268 port, but regular 389.
>
> Hope that helps.
>
> MJ
>
>
>
> On 12/04/2017 01:38 AM, Mark Foley wrote:
> > Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just
> > not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki
> > https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is:
> > 
> > Active Directory
> > 
> > When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are
> > available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx
> > 
> > I have not been able to find an example of someone using Dovecot and ldap with AD.
> > 
> > However, I have had some success with CheckPassword
> > (https://wiki2.dovecot.org/AuthDatabase/CheckPassword).  Using a program I wrote to do
> > ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back
> > to Dovecot.  My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my
> > checkpassword executable.
> > 
> > passdb {
> > 	  driver = checkpassword
> > 	    args = /user/util/bin/checkpassword
> > }
> > userdb {
> > 	  driver = prefetch
> > }
> > 
> > The one issue I have with this at the moment is that dovecot runs checkpassword for every user,
> > smartphone or otherwise:
> > 
> > Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): unknown user  - trying the next passdb
> > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
> > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Received input:
> > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): exit_status=1
> > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Credentials:
> > Dec 03 18:56:32 auth: Debug: client passdb out: OK      1       user=charmaine  original_user=charmaine at HPRS.LOCAL
> > Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001      14902   1       586863e54c57c999ee5731906a59257c        session_pid=14907 request_auth_token
> > Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): lookup
> > Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): username changed charmaine -> HPRS\charmaine
> > Dec 03 18:56:32 auth: Debug: master userdb out: USER    1884160001      HPRS\charmaine  system_groups_user=HPRS\charmaineuid=10003        gid=10000       home=/home/HPRS/charmaine       auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7     auth_user=charmaine at HPRS.LOCAL
> > Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=<oy/YWXhfAtXAqAA0>
> > Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)
> > 
> > Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is
> > checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds.  Is
> > there a way to only have it do checkpassword if all shadow and gssapi fail? My mechanisms are:
> > 
> > auth_mechanisms = plain login gssapi
> > 
> > THX, --Mark
> > 
> > --Mark
> > 
> > -----Original Message-----
> > Date: Sun, 03 Dec 2017 22:28:53 +0200
> > Subject: Re: Howto authenticate smartPhone via Active Directory
> > From: Aki Tuomi <aki.tuomi at dovecot.fi>
> > To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org
> > 
> > with passdb ldap i guess.
> > 
> > ---Aki Tuomi
> > Dovecot oy
> > 
> > -------- Original message --------
> > From: Mark Foley <mfoley at ohprs.org>
> > Date: 03/12/2017  21:18  (GMT+02:00)
> > To: dovecot at dovecot.org
> > Subject: Re: Howto authenticate smartPhone via Active Directory
> > 
> > Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2
> > shows:
> > 
> > passdb pam {
> > }
> > 
> > used for authenticating Android.  Problem #1 is that Slackware does not ship with PAM and the
> > AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I
> > should try configuring PAM on the AD/DC.
> > 
> > Is there some otherway I can get authentication using domain credentials besides pam? the phone
> > can send user and password.
> > 
> > --Mark
> > 
> > -----Original Message-----
> >> Date: Sun, 03 Dec 2017 15:22:56 +0200
> >> Subject: Re: Howto authenticate smartPhone via Active Directory
> >> From: Aki Tuomi <aki.tuomi at dovecot.fi>
> >> To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org
> >>
> >> Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module?
> >> ---Aki TuomiDovecot oy
> >>
> >> -------- Original message --------
> >> From: Mark Foley <mfoley at ohprs.org>
> >> Date: 03/12/2017  06:03  (GMT+02:00)
> >> To: dovecot at dovecot.org
> >> Subject: Howto authenticate smartPhone via Active Directory
> > 
> >> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials
> >> using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via
> >> shadow first and. failing that, it does authenticate via GSSAPI.
> >>
> >> Smartphones connect to Dovecot via port 143 and SSL.  They are not domain members so if the
> >> shadow authentication fails, no other methods are tried and no connection is made.
> >>
> >> What can I do with my dovecot config to fix this?
> >>
> >>> doveconf -n
> >> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> >> # OS: Linux 4.4.88 x86_64 Slackware 14.2
> >> auth_debug = yes
> >> auth_debug_passwords = yes
> >> auth_gssapi_hostname = $ALL
> >> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> >> auth_mechanisms = plain login gssapi
> >> auth_use_winbind = yes
> >> auth_username_format = %n
> >> auth_verbose = yes
> >> auth_verbose_passwords = plain
> >> disable_plaintext_auth = no
> >> info_log_path = /var/log/dovecot_info
> >> mail_location = maildir:~/Maildir
> >> passdb {
> >>    driver = shadow
> >> }
> >> protocols = imap
> >> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt
> >> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> >> userdb {
> >>    driver = passwd
> >> }
> >> verbose_ssl = yes
> >>
> >> Thanks, Mark
> > 
>

More information about the dovecot mailing list