Howto authenticate smartPhone via Active Directory

Mark Foley mfoley at ohprs.org
Wed Dec 6 08:32:21 EET 2017


On Tue, 5 Dec 2017 16:42:15 +0100 mj <lists at merit.unu.edu> wrote:

> Hi,
>
> Not much time to reply now.
>
> On 12/05/2017 05:21 AM, Mark Foley wrote:
> > mj - thanks! That's the first useful example I've received from any forum/list. I'm getting ready
> > to try my config (have to do so after hours), but I have some probably simple-minded questions:
>
> Well, that looks as if you are testing/trying out on your production
> machine. Why not set up a separate (virtual?) test server to play with..?
> Use the same OS version, with the same dovecot version.
> Or clone your production machine, so you can test as much as you like,
> without time pressure, at any given time.

I've been playing with this ldap authentication for a couple of years off and on. Time isn't a
problem. The issue with setting up a test environment is that I really need the domain
workstations and external smartphone attempting to connect when I make a change so I can follow
what's going on in the Dovecot log and maillog. It's rather simple to test a change, then put
things back. I'll likely not go the test platform route for now, but thanks for the input.

> > Your example is not the complete dovecot-ldap.conf.ext file, right? Have you just given me
> > differences in your config from the "original"? You've kept the hosts, base, ldap_version,
> > scope, deref, debug_level, and auth_bind_userdn settings in your config, right?

> Not the complete file, no. I just provided the essentials.
>
[deleted]

Ok, here's what I've come up with for dovecot-ldap.conf.ext

hosts = mail.hprs.local
base = dc=mail, dc=hprs, dc=local

ldap_version = 3
scope           = subtree
deref           = never

debug_level = -1

auth_bind = yes
auth_bind_userdn = %n@dom
dn = cn=Administrator,cn=users,dc=hprs,dc=local
dnpass = *******

user_filter     = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
pass_filter     = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))

I've enabled auth-ldap.conf.ext in 10-auth.conf. My doveconf is listed at bottom.

Unfortunately, this doesn't work. My remote devices are not even showing as trying to connect.
For internal domain LAN users I get:

Dec 06 01:08:10 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 30 secs): user=<>, rip=192.168.0.52, lip=192.168.0.2, session=<3/ZyxaVfE8PAqAA0>

I do see ldap listening on 389 and imap[s] (Dovecot) listening on 143 and 993; these last two are
opened externally through the firewall.

> For the rest: my advice is that you *really* need to play around with
> this much more. Get yourself a test environment, and play and test.
>
> Plus: read some dovecot/ad howtos, and try things in your own environment.
>
> Quick google returns:
> https://www.howtoforge.com/postfix-dovecot-authentication-against-active-directory-on-centos-5.x
>

I know my level of sophistication on this must sound like I've glibly posted a question hoping
someone will do the work for me without my having to do any thinking myself, but believe me,
I've been reading and experimenting with this for a very long time.  I've got internal AD
authentication working with GSSAPI and I've got a rather complex checkpassword program able to
do authentication, so I don't think I'm a complete moron, although this project makes me feel
that way. Now, I just want smartphones to authenticate with their owners' domain credentials
and get them out of /etc/passwd.

I believe I've read all the Dovecot wikis on ldap plus things from many other sites.  I've been
to that howtoforge site before.  It mostly deals with setting up Postfix, which I'm not using. 
The dovecot bits make more sense in light of your feedback.  I've tried that ldapsearch
example:

ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com'

with the domain user I specified in my dovecot-ldap.conf.ext with my host and dc info and I get
the error 

ldap_bind: Strong(er) authentication required (8)
        additional info: BindSimple: Transport encryption required.

I've seen confusing postings on this error having to do with port 636 and LDAPS -- no idea what
they're talking about.  My user is the Samba/domain administrator and has a pretty complex
password. None of the sites I've visited on this error indicate it has anything to do with the
actual password's complexity.

Perhaps I'm just thick-skulled with all this.

If you or anyone can see something obviously wrong with my conf, or have any suggestion at all
on a baby step I can take to inch me forward, please let me know.

Thanks, --Mark

doveconf -n:
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2 
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt
ssl_key =  # hidden, use -P to show it
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
userdb {
  driver = passwd
}
verbose_ssl = yes
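The ldapsearch failure quoted in the mail ("Strong(er) authentication required (8)", "BindSimple: Transport encryption required") is the AD domain controller refusing a simple bind that arrives over an unencrypted LDAP connection, which is what a Dovecot config with `hosts` plus `auth_bind`/`dnpass` and no `tls`/`ldaps://` setting will do. As an added check that is not part of the original thread or of Dovecot itself, this Python script parses a Dovecot LDAP config in the `key = value` format shown above and flags that transport problem; the host names, account and paths in the sample configs are assumptions.

```python
"""Added check: lint a Dovecot LDAP config for the transport mistake behind
'Strong(er) authentication required (8) ... Transport encryption required'."""

# LDAP resultCode 8 is strongerAuthRequired (RFC 4511). A Samba AD DC returns it
# when a simple bind (DN + password) arrives on a connection without TLS.
STRONGER_AUTH_REQUIRED = 8

def parse_dovecot_ldap_conf(text):
    """Parse Dovecot's 'key = value' config format; '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def uses_encrypted_transport(conf):
    """STARTTLS on the plain port (tls = yes) or LDAPS via an ldaps:// URI."""
    if conf.get("tls", "no").lower() == "yes":
        return True
    return any(u.lower().startswith("ldaps://") for u in conf.get("uris", "").split())

def lint(conf):
    """Return findings; an empty list means the bind transport looks sound."""
    findings = []
    simple_bind = conf.get("auth_bind", "no").lower() == "yes" or "dnpass" in conf
    if simple_bind and not uses_encrypted_transport(conf):
        findings.append(f"simple bind over plaintext LDAP: expect resultCode "
                        f"{STRONGER_AUTH_REQUIRED} (strongerAuthRequired) and the lookup "
                        "password in clear; set 'tls = yes' or 'uris = ldaps://<host>'")
    if conf.get("tls_require_cert", "").lower() in ("never", "allow"):
        findings.append("tls_require_cert disables certificate checks; use 'hard' "
                        "with tls_ca_cert_file so the bind cannot go to an impostor DC")
    return findings

# Constructed sample configs with hypothetical names, not the poster's real file.
WEAK_CONF = "hosts = dc.example.local\nauth_bind = yes\ndnpass = placeholder\n"
FIXED_CONF = ("uris = ldaps://dc.example.local\ntls_require_cert = hard\n"
              "tls_ca_cert_file = /etc/ssl/certs/example-ad-ca.pem\n"
              "auth_bind = yes\ndnpass = placeholder\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, lint(parse_dovecot_ldap_conf(text)) or ["ok"])
```

Run it against a copy of your own dovecot-ldap.conf.ext to see which of the two cases it matches before touching the live server.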


