Problem w/ Dovecot authentication against AD

Garry Glendown garry at glendown.de
Wed Sep 13 14:34:25 EEST 2017


Hi,

I had to start using Dovecot on a machine as the new OS does not come
with Cyrus IMAP anymore. After multiple problems, I managed to get
everything working, including LDAP authentication against the (old)
Novell LDAP server.
Anyway, the authentication is supposed to be migrated to the new Windows
AD. For other tools, I successfully migrated the config to use AD, but
somehow Dovecot does not work as it should.

I've been going back and forth, trying everything I could think of, but
still can't get it to work.

Here's the excerpt from the config file:

hosts = 10.10.10.210
uris = ldap://10.10.10.210:389
dn = cn=Administrator,cn=Users,dc=srv,dc=SLD,dc=net
dnpass = PASSWORD
tls = no
debug_level = -1
auth_bind = yes
ldap_version = 3
base = DC=srv,dc=SLD,dc=net
deref = never
scope = subtree
user_attrs =  sAMAccountName=user
user_filter = (&(sAMAccountName=%n)(objectclass=person))
pass_attrs = sAMAccountName=user
pass_filter = (&(sAMAccountName=%n)(objectclass=person))
iterate_attrs = mail=user
iterate_filter = (objectclass=person)
default_pass_scheme = PLAIN

The problem might be caused by the referral info sent by the AD, which I
can see both in the results dovecot gets (checked with tcpdump), as well
as in ldapsearch ... apart from the actual search result, I always get
three additional results:

# refldap://DomainDnsZones.srv.SLD.net/DC=DomainDnsZones,DC=srv,DC=SLD,DC=net
# refldap://ForestDnsZones.srv.SLD.net/DC=ForestDnsZones,DC=srv,DC=SLD,DC=net
# refldap://srv.SLD.net/CN=Configuration,DC=srv,DC=SLD,DC=net

From what I can see in the pcap as well as some of the logs, dovecot
binds to the AD, sends out the LDAP query correctly, gets the lookup
result with the user queried plus the above three referrals, then
unbinds from the (named) bind, attempts a simple bind without dn/dnpass
(multiple times), and finally sends three additional search requests
under the search bases

   cn=Configuration,DC=srv,DC=SLD,DC=net
   DC=ForestDnsZones,DC=srv,DC=SLD,DC=net
   DC=DomainDnsZones,DC=srv,DC=SLD,DC=net

These three requests are denied by the AD as they are not permitted
without a successful prior bind.
Dovecot then fails the auth process.

Is there a way to stop Dovecot from using the referrals? OpenLDAP seems
to have an option to disable referrals, but Dovecot does not allow that
option in its LDAP config, and having the option set in the global
ldap.conf doesn't seem to help any, either. Is there possibly a way to
disable the referral information on the AD side?

Thanks, Garry

-- 
PGP Fingerprint: A79F A33F 5B13 BEB7 A51D 274F F99C 3AE2 4BCB 7015
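Added example (not part of the original post, and not Dovecot's or OpenLDAP's code): a small Python model of the exchange Garry describes. It parses ldapsearch-style output into entries and referrals (in LDAP terms, SearchResultReference messages that arrive alongside the entries), then runs an auth_bind-style lookup against a fake in-memory directory that behaves like the AD in the post: a search from the domain root returns the user entry plus three referrals, and a search under a referred naming context is refused on an unbound connection. The sample output, the user DN, the credentials and the refusal wording are all constructed for the example; with referral chasing on, the lookup fails at the refused search, and with it off the user bind completes.

```python
"""Constructed model of the Dovecot/AD exchange described in the post."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Constructed ldapsearch-style output mirroring the post: one entry, three referrals.
SAMPLE_OUTPUT = """\
dn: CN=garry,CN=Users,DC=srv,DC=SLD,DC=net
sAMAccountName: garry
objectClass: person

# refldap://DomainDnsZones.srv.SLD.net/DC=DomainDnsZones,DC=srv,DC=SLD,DC=net
# refldap://ForestDnsZones.srv.SLD.net/DC=ForestDnsZones,DC=srv,DC=SLD,DC=net
# refldap://srv.SLD.net/CN=Configuration,DC=srv,DC=SLD,DC=net
"""
DOMAIN_ROOT = "DC=srv,DC=SLD,DC=net"
REF_RE = re.compile(r"^#\s*ref(ldap://\S+)$")   # ldapsearch prints referrals as '# ref<uri>'


@dataclass(frozen=True)
class Referral:
    host: str      # server the referral points at
    base_dn: str   # naming context the client is told to continue the search in


def parse_search_output(text):
    """Separate entry DNs from referral URIs; referrals are not entries."""
    entries, referrals = [], []
    for line in text.splitlines():
        if line.startswith("dn:"):
            entries.append(line[3:].strip())
            continue
        m = REF_RE.match(line)
        if m:
            parts = urlsplit(m.group(1))
            referrals.append(Referral(parts.netloc, unquote(parts.path.lstrip("/"))))
    return entries, referrals


class FakeDirectory:
    """Stand-in for the AD behaviour in the post (constructed, not a real LDAP server)."""

    def __init__(self, entries, referrals, accounts):
        self.entries, self.referrals, self.accounts = entries, referrals, accounts
        self.bound_as = None   # None means no authenticated identity on the connection
        self.log = []

    def bind(self, dn=None, password=None):
        # An anonymous bind (dn=None) is accepted but leaves the connection unauthenticated.
        ok = dn is None or self.accounts.get(dn) == password
        self.bound_as = dn if ok else None
        self.log.append(f"bind {dn or '(anonymous)'}: {'ok' if ok else 'invalidCredentials'}")
        return ok

    def unbind(self):
        self.bound_as = None
        self.log.append("unbind")

    def search(self, base, user):
        """Return (entries, referrals), or None when the server refuses the search."""
        if self.bound_as is None:
            self.log.append(f"search {base}: refused, no successful bind on this connection")
            return None
        if base == DOMAIN_ROOT:
            hits = [dn for dn in self.entries if f"CN={user}," in dn]
            self.log.append(f"search {base}: {len(hits)} entry, {len(self.referrals)} referrals")
            return hits, list(self.referrals)
        self.log.append(f"search {base}: 0 entries")
        return [], []


def authenticate(directory, user, password, chase_referrals):
    """auth_bind=yes style lookup: bind with dn/dnpass, find the user, bind as the user."""
    if not directory.bind("cn=Administrator,cn=Users,dc=srv,dc=SLD,dc=net", "PASSWORD"):
        return False
    result = directory.search(DOMAIN_ROOT, user)
    if result is None:
        return False
    hits, referrals = result
    if chase_referrals:
        # The sequence seen in the capture: drop the named bind, re-bind anonymously,
        # then re-run the search under each referred base. AD refuses those searches.
        directory.unbind()
        directory.bind()
        for ref in referrals:
            if directory.search(ref.base_dn, user) is None:
                return False
    if len(hits) != 1:
        return False
    directory.unbind()
    return directory.bind(hits[0], password)


def demo_accounts(entries):
    # Constructed credentials for the fake directory.
    return {"cn=Administrator,cn=Users,dc=srv,dc=SLD,dc=net": "PASSWORD", entries[0]: "user-secret"}


if __name__ == "__main__":
    entries, referrals = parse_search_output(SAMPLE_OUTPUT)
    for chase in (True, False):
        d = FakeDirectory(entries, referrals, demo_accounts(entries))
        ok = authenticate(d, "garry", "user-secret", chase)
        print(f"chase_referrals={chase}: {'success' if ok else 'FAILED'}")
        for line in d.log:
            print("   ", line)
```

The log printed for each run is the thing to compare against a real capture: the referral-chasing run shows the unbind, the anonymous bind and the refused search under the first referred base, which is exactly where the real auth attempt dies; the non-chasing run goes straight from the lookup to the user bind.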