thr3ads.net - dovecot - Working with Active Directory on Windows Server 2012 R2 [Nov 2014]

If this information is useful, please help other people find it:
Share via:

Aaron Jenkins

2014-Nov-25 08:02 UTC

Working with Active Directory on Windows Server 2012 R2

Hi all,

I?m having issues getting Dovecot to work with AD on 2012 R2 in a test
environment.

Background:

AD is running on dc1.ad.automaton.uk<http://dc1.ad.automaton.uk>, the
domain is ad.automaton.uk<http://ad.automaton.uk>. The DNS server is
running on ad.automaton.uk<http://ad.automaton.uk> and the
automaton.uk<http://automaton.uk> DNS is set up correctly in the test
environment in that everything resolves to the correct IP address and I can
authenticate with whichever LDAP clients (ldapsearch, ApacheDS, sssd). It
refuses to bind on Dovecot for some reason.

aaron at mail:/var/log$ uname -a
Linux mail.ad.automaton.uk 3.16.0-23-generic #31-Ubuntu SMP Tue Oct 21 17:56:17
UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
aaron at mail:/var/log$ dovecot --version
2.2.9
aaron at mail:/var/log$ dpkg -l | grep dovecot
ii  dovecot-core                          1:2.2.9-1ubuntu5                      
amd64        secure POP3/IMAP server - core files
ii  dovecot-gssapi                        1:2.2.9-1ubuntu5                      
amd64        secure POP3/IMAP server - GSSAPI support
ii  dovecot-imapd                         1:2.2.9-1ubuntu5                      
amd64        secure POP3/IMAP server - IMAP daemon
ii  dovecot-ldap                          1:2.2.9-1ubuntu5                      
amd64        secure POP3/IMAP server - LDAP support
aaron at mail:/var/log/$ cat dovecot-debug.log
?
Nov 19 09:22:23 auth: Debug: auth client connected (pid=10345)
Nov 19 09:22:23 auth: Debug: client in: AUTH 1 PLAIN service=imap secured
session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=993 rport=56395
Nov 19 09:22:23 auth: Debug: client passdb out: CONT 1
Nov 19 09:22:23 auth: Debug: client in: CONT 1  (previous base64 data may
contain sensitive data)
Nov 19 09:22:29 auth: Debug: client passdb out: FAIL 1 user=aaron.jenkins temp
Nov 19 09:22:29 auth: Debug: client in: AUTH 2 PLAIN service=imap secured
session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=993 rport=56395
resp= (previous base64 data may contain sensitive data)
Nov 19 09:22:39 auth: Debug: client passdb out: FAIL 2 user=aaron.jenkins temp
Nov 19 09:22:40 auth: Debug: client in: AUTH 3 PLAIN service=imap secured
session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=993 rport=56395
Nov 19 09:22:44 auth: Debug: client passdb out: CONT 3
Nov 19 09:22:44 auth: Debug: client in: CONT 3  (previous base64 data may
contain sensitive data)
Nov 19 09:22:50 auth: Debug: client passdb out: FAIL 3 user=aaron.jenkins temp
Nov 19 09:22:50 auth: Debug: client in: AUTH 4 PLAIN service=imap secured
session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=993 rport=56395
resp= (previous base64 data may contain sensitive data)
Nov 19 09:22:56 auth: Debug: client passdb out: FAIL 4 user=aaron.jenkins temp

(I?ve removed the base64 as it might contain passwords I actually use, if it?s
important I?ll re-run it with a different password unredacted)

Do you guys have any  ideas on how to get it working with 2012 R2? I know the
LDAP is quite funky but I suspect that?s why it doesn?t work. Also, attached is
my sssd config as it?s working fine in case it might provide any insights.





-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot-ldap.conf.ext
Type: application/octet-stream
Size: 6269 bytes
Desc: dovecot-ldap.conf.ext
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20141125/649dd0de/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd.conf
Type: application/octet-stream
Size: 1277 bytes
Desc: sssd.conf
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20141125/649dd0de/attachment-0003.obj>

Steffen Kaiser

2014-Nov-25 10:21 UTC

head link

Working with Active Directory on Windows Server 2012 R2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 25 Nov 2014, Aaron Jenkins wrote:
> I?m having issues getting Dovecot to work with AD on 2012 R2 in a test
environment.
> ?
> Nov 19 09:22:23 auth: Debug: auth client connected (pid=10345)
> Nov 19 09:22:23 auth: Debug: client in: AUTH 1 PLAIN service=imap secured
session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=993 rport=56395
> Nov 19 09:22:23 auth: Debug: client passdb out: CONT 1
> Nov 19 09:22:23 auth: Debug: client in: CONT 1  (previous base64 data may
contain sensitive data)
> Nov 19 09:22:29 auth: Debug: client passdb out: FAIL 1 user=aaron.jenkins
temp
Your conf:
auth_bind       = yes
dn              = aaron.jenkins
dnpass          = dummypass1
auth_bind_userdn = CN=%u,CN=users,DC=ad,DC=automaton,DC=uk

Can you really succeed a simple auth with the dn aaron.jenkins ? This 
ought to be a full DN. As I understand auth_bind_userdn, you do not need 
dn/dnpass anyway, because auth_bind_userdn prevents searching for the 
user's DN, in which case Dovecot requires a connection before any user 
bind takes place.

I wonder if the log shows the error from this setting or from the user's 
login attempt. Could you try another user?

Can you auth from command line via

ldapsearch -x -H ldap://dc1.ad.automaton.uk -D  \
CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W \
- -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBVHRYQ3z1H7kL/d9rAQLlKgf9GB2o0/T84E9KykVU/IkoCuLQLfaNeTzg
tI26Puwl1+tHXY+WkJs8uHTsKWaI5Qyh0Fv/6bR3ZSB5QhEkAQSE87WKfSJCe6FX
i1261C5oLSqA8mWYoyPnkeHuHDFKp9YULnfqgBbLzz/7Y63i0dDgaql5stELZSwa
XCzUwrEWdxdzgt8h7mnfG6fHn4xxfLeKCiA5e62afjXux4eCGclcytXOpIgl8z7u
bULhGmxqyYDvjkGXCex/LYtKx+S6zSIMg/8Ior6SrPBy+IK0qUtwPoOssCY4cycd
4ZRVdvxjmjbHrzQdV/ZJn+jLqSI016l/lzASP7SUptHb8CjwxZxeCw==6Zsw
-----END PGP SIGNATURE-----

Aaron Jenkins

2014-Nov-26 07:31 UTC

head link

Working with Active Directory on Windows Server 2012 R2

I?ve attempted the user Mail with the same password with the same result
(binding as my own user was a last-ditch attempt).

aaron at aaron-Parallels-Virtual-Platform:/etc/sssd$ ldapsearch -x -H
ldap://dc1.ad.automaton.uk -D 
CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W - -b
CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk> with scope
subtree
# filter: (objectclass=*)
# requesting: -
#

# aaron.jenkins, Users, ad.automaton.uk
dn: CN=aaron.jenkins,CN=Users,DC=ad,DC=automaton,DC=uk

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Same with the user Mail



On November 25, 2014 at 2:18:26 AM, Steffen Kaiser (skdovecot at
smail.inf.fh-brs.de<mailto:skdovecot at smail.inf.fh-brs.de>) wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 25 Nov 2014, Aaron Jenkins wrote:
> I?m having issues getting Dovecot to work with AD on 2012 R2 in a test
environment.
> ?
> Nov 19 09:22:23 auth: Debug: auth client connected (pid=10345)
> Nov 19 09:22:23 auth: Debug: client in: AUTH 1 PLAIN service=imap secured
session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=993 rport=56395
> Nov 19 09:22:23 auth: Debug: client passdb out: CONT 1
> Nov 19 09:22:23 auth: Debug: client in: CONT 1 (previous base64 data may
contain sensitive data)
> Nov 19 09:22:29 auth: Debug: client passdb out: FAIL 1 user=aaron.jenkins
temp
Your conf:
auth_bind = yes
dn = aaron.jenkins
dnpass = dummypass1
auth_bind_userdn = CN=%u,CN=users,DC=ad,DC=automaton,DC=uk

Can you really succeed a simple auth with the dn aaron.jenkins ? This
ought to be a full DN. As I understand auth_bind_userdn, you do not need
dn/dnpass anyway, because auth_bind_userdn prevents searching for the
user's DN, in which case Dovecot requires a connection before any user
bind takes place.

I wonder if the log shows the error from this setting or from the user's
login attempt. Could you try another user?

Can you auth from command line via

ldapsearch -x -H ldap://dc1.ad.automaton.uk -D \
CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W \
- -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk

- --
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBVHRYQ3z1H7kL/d9rAQLlKgf9GB2o0/T84E9KykVU/IkoCuLQLfaNeTzg
tI26Puwl1+tHXY+WkJs8uHTsKWaI5Qyh0Fv/6bR3ZSB5QhEkAQSE87WKfSJCe6FX
i1261C5oLSqA8mWYoyPnkeHuHDFKp9YULnfqgBbLzz/7Y63i0dDgaql5stELZSwa
XCzUwrEWdxdzgt8h7mnfG6fHn4xxfLeKCiA5e62afjXux4eCGclcytXOpIgl8z7u
bULhGmxqyYDvjkGXCex/LYtKx+S6zSIMg/8Ior6SrPBy+IK0qUtwPoOssCY4cycd
4ZRVdvxjmjbHrzQdV/ZJn+jLqSI016l/lzASP7SUptHb8CjwxZxeCw==6Zsw
-----END PGP SIGNATURE-----

Possibly Parallel Threads

Search for more possibly parallel threads

dovecot - Nov 2014 - Working with Active Directory on Windows Server 2012 R2

Working with Active Directory on Windows Server 2012 R2

Working with Active Directory on Windows Server 2012 R2

Working with Active Directory on Windows Server 2012 R2

Possibly Parallel Threads