Aaron Jenkins
2014-Nov-25 08:02 UTC
Working with Active Directory on Windows Server 2012 R2
Hi all, I'm having issues getting Dovecot to work with AD on 2012 R2 in a test environment.

Background: AD is running on dc1.ad.automaton.uk, the domain is ad.automaton.uk. The DNS server is running on ad.automaton.uk and the automaton.uk DNS is set up correctly in the test environment in that everything resolves to the correct IP address and I can authenticate with whichever LDAP clients (ldapsearch, ApacheDS, sssd). It refuses to bind on Dovecot for some reason.

aaron at mail:/var/log$ uname -a
Linux mail.ad.automaton.uk 3.16.0-23-generic #31-Ubuntu SMP Tue Oct 21 17:56:17 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
aaron at mail:/var/log$ dovecot --version
2.2.9
aaron at mail:/var/log$ dpkg -l | grep dovecot
ii  dovecot-core    1:2.2.9-1ubuntu5  amd64  secure POP3/IMAP server - core files
ii  dovecot-gssapi  1:2.2.9-1ubuntu5  amd64  secure POP3/IMAP server - GSSAPI support
ii  dovecot-imapd   1:2.2.9-1ubuntu5  amd64  secure POP3/IMAP server - IMAP daemon
ii  dovecot-ldap    1:2.2.9-1ubuntu5  amd64  secure POP3/IMAP server - LDAP support
aaron at mail:/var/log/$ cat dovecot-debug.log
...
Nov 19 09:22:23 auth: Debug: auth client connected (pid=10345)
Nov 19 09:22:23 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=993 rport=56395
Nov 19 09:22:23 auth: Debug: client passdb out: CONT 1
Nov 19 09:22:23 auth: Debug: client in: CONT 1 (previous base64 data may contain sensitive data)
Nov 19 09:22:29 auth: Debug: client passdb out: FAIL 1 user=aaron.jenkins temp
Nov 19 09:22:29 auth: Debug: client in: AUTH 2 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=993 rport=56395 resp= (previous base64 data may contain sensitive data)
Nov 19 09:22:39 auth: Debug: client passdb out: FAIL 2 user=aaron.jenkins temp
Nov 19 09:22:40 auth: Debug: client in: AUTH 3 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=993 rport=56395
Nov 19 09:22:44 auth: Debug: client passdb out: CONT 3
Nov 19 09:22:44 auth: Debug: client in: CONT 3 (previous base64 data may contain sensitive data)
Nov 19 09:22:50 auth: Debug: client passdb out: FAIL 3 user=aaron.jenkins temp
Nov 19 09:22:50 auth: Debug: client in: AUTH 4 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=993 rport=56395 resp= (previous base64 data may contain sensitive data)
Nov 19 09:22:56 auth: Debug: client passdb out: FAIL 4 user=aaron.jenkins temp

(I've removed the base64 as it might contain passwords I actually use; if it's important I'll re-run it with a different password unredacted.)

Do you guys have any ideas on how to get it working with 2012 R2? I know the LDAP is quite funky but I suspect that's why it doesn't work. Also, attached is my sssd config as it's working fine in case it might provide any insights.

Attachments:
dovecot-ldap.conf.ext (application/octet-stream, 6269 bytes): http://dovecot.org/pipermail/dovecot/attachments/20141125/649dd0de/attachment-0002.obj
sssd.conf (application/octet-stream, 1277 bytes): http://dovecot.org/pipermail/dovecot/attachments/20141125/649dd0de/attachment-0003.obj
Steffen Kaiser
2014-Nov-25 10:21 UTC
Working with Active Directory on Windows Server 2012 R2
On Tue, 25 Nov 2014, Aaron Jenkins wrote:

> I'm having issues getting Dovecot to work with AD on 2012 R2 in a test environment.
> ...
> Nov 19 09:22:23 auth: Debug: auth client connected (pid=10345)
> Nov 19 09:22:23 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=993 rport=56395
> Nov 19 09:22:23 auth: Debug: client passdb out: CONT 1
> Nov 19 09:22:23 auth: Debug: client in: CONT 1 (previous base64 data may contain sensitive data)
> Nov 19 09:22:29 auth: Debug: client passdb out: FAIL 1 user=aaron.jenkins temp

Your conf:

auth_bind = yes
dn = aaron.jenkins
dnpass = dummypass1
auth_bind_userdn = CN=%u,CN=users,DC=ad,DC=automaton,DC=uk

Can you really succeed a simple auth with the dn aaron.jenkins? This ought to be a full DN.

As I understand auth_bind_userdn, you do not need dn/dnpass anyway, because auth_bind_userdn prevents searching for the user's DN, in which case Dovecot requires a connection before any user bind takes place. I wonder if the log shows the error from this setting or from the user's login attempt.

Could you try another user?

Can you auth from the command line via

ldapsearch -x -H ldap://dc1.ad.automaton.uk -D \
  CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W \
  -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk

-- 
Steffen Kaiser
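Steffen's two checks above (is `dn` a full DN, and are dn/dnpass needed at all once auth_bind_userdn is set) can be run mechanically against the file before restarting Dovecot. The script below is an added example written for this page by the editor; it is not code from the thread or from Dovecot. It parses a constructed copy of the four settings Steffen quoted (the `hosts`, `uris` and `base` lines are assumed for illustration, not taken from the poster's attachment), expands the `%u` template the way Dovecot would for a plain login name, and flags what a reviewer would want fixed. It adds one check the thread does not raise: with auth_bind the user's own password is sent to the DC in the simple bind, so without `tls = yes` or an ldaps:// URI that password crosses the wire in cleartext.

```python
import re

# Constructed sample (not the poster's actual file): the four settings quoted
# in the reply above, plus hosts/base lines assumed here for illustration.
SAMPLE_CONF = """\
hosts = dc1.ad.automaton.uk
base = DC=ad,DC=automaton,DC=uk
auth_bind = yes
dn = aaron.jenkins
dnpass = dummypass1
auth_bind_userdn = CN=%u,CN=users,DC=ad,DC=automaton,DC=uk
"""

# A corrected version, also constructed: LDAPS, no stored bind credential,
# and %n so a login of user@domain still yields a bare CN.
FIXED_CONF = """\
uris = ldaps://dc1.ad.automaton.uk
base = DC=ad,DC=automaton,DC=uk
auth_bind = yes
auth_bind_userdn = CN=%n,CN=users,DC=ad,DC=automaton,DC=uk
"""

RDN = r"[A-Za-z][A-Za-z0-9-]*=[^,]+"


def parse_conf(text):
    """Parse Dovecot's 'key = value' lines; '#' starts a comment, blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def is_bind_identity(value):
    """True for a full DN (attr=value RDNs joined by commas) or, since AD also
    accepts them on a simple bind, a user@domain UPN or DOMAIN\\user name.
    A bare 'aaron.jenkins' is none of these."""
    if re.fullmatch(rf"{RDN}(,{RDN})*", value):
        return True
    return "@" in value or "\\" in value


def expand_userdn(template, user):
    """Expand the Dovecot variables used in auth_bind_userdn: %u = full login
    name, %n = part before '@', %d = part after '@' (empty if there is none)."""
    local, _, domain = user.partition("@")
    return template.replace("%u", user).replace("%n", local).replace("%d", domain)


def lint(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    auth_bind = conf.get("auth_bind", "no").lower() == "yes"
    dn = conf.get("dn")
    if dn is not None and not is_bind_identity(dn):
        findings.append(f"dn = {dn!r} is not a full DN or UPN; the initial bind will be rejected")
    if auth_bind and conf.get("auth_bind_userdn") and (dn or conf.get("dnpass")):
        findings.append("auth_bind_userdn is set, so the passdb never searches: "
                        "dn/dnpass are unused here and leave a credential in the file")
    endpoint = conf.get("uris") or conf.get("hosts") or ""
    if conf.get("tls", "no").lower() != "yes" and not endpoint.startswith("ldaps://"):
        findings.append("neither tls = yes nor an ldaps:// URI: auth_bind will send "
                        "every user's password to the DC in cleartext")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        conf = parse_conf(text)
        print(f"{name}: bind DN for aaron.jenkins ->",
              expand_userdn(conf["auth_bind_userdn"], "aaron.jenkins"))
        for finding in lint(conf):
            print("  -", finding)
```

Two caveats when applying this to a real AD domain. First, the CN of an AD user object is the display name (often "Aaron Jenkins" with a space) rather than the logon name, so a `CN=%n` template only works where the two coincide, as the poster's ldapsearch output shows they do for him; otherwise bind with the UPN (`%n@ad.automaton.uk`) or search on sAMAccountName. Second, dn/dnpass become necessary again if the same file also backs a userdb lookup, because that lookup is a search and needs an identity to bind with.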
Aaron Jenkins
2014-Nov-26 07:31 UTC
Working with Active Directory on Windows Server 2012 R2
I've attempted the user Mail with the same password with the same result (binding as my own user was a last-ditch attempt).

aaron at aaron-Parallels-Virtual-Platform:/etc/sssd$ ldapsearch -x -H ldap://dc1.ad.automaton.uk -D CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W - -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk> with scope subtree
# filter: (objectclass=*)
# requesting: -
#

# aaron.jenkins, Users, ad.automaton.uk
dn: CN=aaron.jenkins,CN=Users,DC=ad,DC=automaton,DC=uk

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Same with the user Mail.