Problem w/ Dovecot authentication against AD

mj lists at merit.unu.edu
Wed Sep 13 14:55:55 EEST 2017 

Hi,

Perhaps you need auth_bind = yes?

MJ

On 09/13/2017 01:34 PM, Garry Glendown wrote:
> Hi,
> 
> I had to start using Dovecot on a machine as the new OS does not come
> with Cyrus IMAP anymore. After multiple problems, I managed to get
> everything working, including LDAP authentication against the (old)
> Novell LDAP server.
> Anyway, the authentication is supposed to be migrated to the new Windows
> AD. For other tools, I successfully migrated the config to use AD, but
> somehow Dovecot does not work as it should.
> 
> I've been going back and forth, trying everything I could think of, but
> still can't get it to work.
> 
> Here's the excerpt from the config file:
> 
> hosts = 10.10.10.210
> uris = ldap://10.10.10.210:389
> dn = cn=Administrator,cn=Users,dc=srv,dc=SLD,dc=net
> dnpass = PASSWORD
> tls = no
> debug_level = -1
> auth_bind = yes
> ldap_version = 3
> base = DC=srv,dc=SLD,dc=net
> deref = never
> scope = subtree
> user_attrs =  sAMAccountName=user
> user_filter = (&(sAMAccountName=%n)(objectclass=person))
> pass_attrs = sAMAccountName=user
> pass_filter = (&(sAMAccountName=%n)(objectclass=person))
> iterate_attrs = mail=user
> iterate_filter = (objectclass=person)
> default_pass_scheme = PLAIN
> 
> The problem might be caused by the referal-info sent by the AD, which I
> can see both in the results dovecot gets (checked with tcpdump), as well
> as in ldapsearch ... apart from the actual search result, I always get
> three additional results:
> 
> #
> refldap://DomainDnsZones.srv.SLD.net/DC=DomainDnsZones,DC=srv,DC=SLD,DC=net
> 
> #
> refldap://ForestDnsZones.srv.SLD.net/DC=ForestDnsZones,DC=srv,DC=SLD,DC=net
> 
> # refldap://srv.SLD.net/CN=Configuration,DC=srv,DC=SLD,DC=net
> 
>  From what I can see in the pcap as well as some of the logs, dovecot
> binds to the AD, sends out the LDAP query correctly, gets the lookup
> result with the user queried plus the above three referrals, then
> unbinds from the (named) bind, attempts a simple bind without dn/dnpass
> (multiple times), and finally sends three additional search requests
> under the search bases
> 
>     cn=Configuration,DC=srv,DC=SLD,DC=net
>     DC=ForestDnsZones,DC=srv,DC=SLD,DC=net
>     DC=DomainDnsZones,DC=srv,DC=SLD,DC=net
> 
> These three requests are denied by the AD as they are not permitted
> without a successful prior bind.
> Dovecot then fails the auth process.
> 
> Is there a way to stop Dovecot from using the referals? Openldap seems
> to have an option to disable referals, but Dovecot does not allow that
> option in its LDAP config, and having the option set in the global
> ldap.conf doesn't seem to help any, either. Is there possibly a way to
> disable the referal information on the AD side?
> 
> Thanks, Garry
>

More information about the dovecot mailing list