Hi again

I'm trying to authenticate a user against an LDAP Server (well, our AD, but it can LDAP).

This is my configuration:

    hosts = my.server.local
    auth_bind = yes
    ldap_version = 3
    base = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local
    scope = subtree
    user_attrs = \
      =home=/home/imapproxy/%u, \
      =mail=maildir:/home/imapproxy/%u

    pass_attrs = uid=%u, userPassword=%w
    pass_filter = (&(objectClass=user)(sAMAccountName=%u))
    auth_bind_userdn = company\%u

If I try to log in on the LDAP-Server using ldapsearch it works, but not with Dovecot...
I see this in my log:

    Jun 22 16:14:08 proxy01 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=+agW4xsZ4gAKADPG#011lip=10.0.46.4#011rip=10.0.51.198#011lport=143#011rport=34018#011resp=<hidden>
    Jun 22 16:14:08 proxy01 dovecot: auth: Debug: client passdb out: OK#0111#011user=bertoncello
    Jun 22 16:14:08 proxy01 dovecot: auth: Debug: master in: REQUEST#0111586495489#01117122#0111#01161785e0770d6c48e7316ab484bc2778c#011session_pid=17125#011request_auth_token
    Jun 22 16:14:08 proxy01 dovecot: auth: Debug: ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>): user search: base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local scope=subtree filter=(&(objectClass=posixAccount)(uid=bertoncello)) fields
    Jun 22 16:14:08 proxy01 dovecot: auth: Error: ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>): ldap_search(base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local filter=(&(objectClass=posixAccount)(uid=bertoncello))) failed: Operations error
    Jun 22 16:14:08 proxy01 dovecot: auth: Debug: master userdb out: FAIL#0111586495489
    Jun 22 16:14:08 proxy01 dovecot: imap: Error: Internal auth failure (client-pid=17122 client-id=1)
    Jun 22 16:14:08 proxy01 dovecot: imap-login: Internal login failure (pid=17122 id=1) (internal failure, 1 successful auths): user=<bertoncello>, method=PLAIN, rip=10.0.51.198, lip=10.0.46.4, mpid=17125, TLS, session=<+agW4xsZ4gAKADPG>

and if I sniff the communication with the AD with ngrep I see:

    ####
    T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
      0....`........
    #
    T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
      0........a............
    ##
    T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
      0#...`......company\bertoncello..secret
    #
    T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
      0........a............
    ##
    T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
      0....`........
    #
    T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
      0........a............
    #
    T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
      0.....c{.5CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local................1....objectClass..posixAccount....uid..bertoncello0.
    #
    T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
      0........e................000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1.
    ##
    T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
      0....B.
    ###
    T 192.168.168.23:389 -> 10.0.46.4:58761 [AR]
      ..

and I can't understand why:

1) I read "objectClass..posixAccount"
2) The authentication does not work...

Thanks for your help!
Luca Bertoncello
(lucabert at lucabert.de)
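The log and the capture in the post can be read mechanically. The following Python script is an added example (it is not code from the post or from Dovecot): it parses the quoted "dovecot: auth:" lines, undoes syslog's #011 tab escaping, and reports which stage of the login failed. It embeds the four relevant lines copied from the post as its sample input, and it assumes that the filter seen in the search, (&(objectClass=posixAccount)(uid=%u)), is Dovecot's stock user_filter from dovecot-ldap.conf.example, which is what is used when the config sets no user_filter. The AD reply in the ngrep dump (LdapErr 000004DC, "a successful bind must be completed on the connection") is the server-side view of the same "Operations error" the script extracts.

```python
import re

# Constructed sample: the four "auth:" lines from the post that carry the
# diagnosis (passdb verdict, userdb search, LDAP error, userdb verdict).
# syslog has already rewritten the tab separators as "#011".
SAMPLE_LOG = """\
Jun 22 16:14:08 proxy01 dovecot: auth: Debug: client passdb out: OK#0111#011user=bertoncello
Jun 22 16:14:08 proxy01 dovecot: auth: Debug: ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>): user search: base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local scope=subtree filter=(&(objectClass=posixAccount)(uid=bertoncello)) fields
Jun 22 16:14:08 proxy01 dovecot: auth: Error: ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>): ldap_search(base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local filter=(&(objectClass=posixAccount)(uid=bertoncello))) failed: Operations error
Jun 22 16:14:08 proxy01 dovecot: auth: Debug: master userdb out: FAIL#0111586495489
"""

# Dovecot's stock user_filter (the commented-out default in dovecot-ldap.conf.example).
# Assumption: the search in the log uses it because the post's config sets no user_filter.
DEFAULT_USER_FILTER = "(&(objectClass=posixAccount)(uid=%u))"

SYSLOG_ESCAPE = re.compile(r"#([0-7]{3})")
AUTH_LINE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) dovecot: auth: (?P<level>\w+): (?P<msg>.*)$")
USER_SEARCH = re.compile(
    r"user search: base=(?P<base>\S+) scope=(?P<scope>\S+) filter=(?P<filter>\S+)")
SEARCH_FAIL = re.compile(
    r"ldap_search\(base=(?P<base>\S+) filter=(?P<filter>\S+)\) failed: (?P<reason>.*)$")


def decode_syslog_escapes(text):
    """Turn syslog's #ooo octal escapes (e.g. #011 = tab) back into characters."""
    return SYSLOG_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


def parse_auth_line(line):
    """Split one 'dovecot: auth:' syslog line into host, level and decoded message."""
    m = AUTH_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["msg"] = decode_syslog_escapes(rec["msg"])
    return rec


def diagnose(log_text):
    """Walk the auth lines of one login attempt and report which stage failed and why."""
    result = {"passdb": None, "userdb": None, "search": None, "error": None}
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        search = USER_SEARCH.search(msg)
        failure = SEARCH_FAIL.search(msg) if rec["level"] == "Error" else None
        if msg.startswith("client passdb out: "):
            # decoded form is "OK<TAB>1<TAB>user=...": the verdict is the first field
            result["passdb"] = msg[len("client passdb out: "):].split("\t")[0]
        elif msg.startswith("master userdb out: "):
            result["userdb"] = msg[len("master userdb out: "):].split("\t")[0]
        elif search:
            result["search"] = search.groupdict()
        elif failure:
            result["error"] = failure.group("reason")

    if result["passdb"] == "OK" and result["userdb"] == "FAIL":
        result["failed_stage"] = "userdb"
        summary = "password check passed, userdb LDAP search failed: %s" % result["error"]
        default_prefix = DEFAULT_USER_FILTER.split("%u")[0]
        if result["search"] and result["search"]["filter"].startswith(default_prefix):
            summary += " (search ran with Dovecot's default user_filter; none was configured)"
    elif result["passdb"] == "OK":
        result["failed_stage"] = None
        summary = "login succeeded"
    else:
        result["failed_stage"] = "passdb"
        summary = "password check failed: %s" % result["passdb"]
    result["summary"] = summary
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG)["summary"])
```

Run it over the auth debug lines of one session: "passdb OK" followed by "userdb FAIL" narrows the problem to the userdb search (its base, its filter, and the connection and credentials that search runs on) rather than to the user's password, which is exactly the split the quoted log shows.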
If you allow anonymous search on AD maybe you can try to set auth_bind = no.

a.

On 22/06/15 17:19, Luca Bertoncello wrote:
> Hi again
>
> I'm trying to authenticate a user against an LDAP Server (well, our
> AD, but it can LDAP).
>
> This is my configuration:
>
> hosts = my.server.local
> auth_bind = yes
> ldap_version = 3
> base = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local
> scope = subtree
> user_attrs = \
>   =home=/home/imapproxy/%u, \
>   =mail=maildir:/home/imapproxy/%u
>
> pass_attrs = uid=%u, userPassword=%w
> pass_filter = (&(objectClass=user)(sAMAccountName=%u))
> auth_bind_userdn = company\%u
>
> If I try to log in on the LDAP-Server using ldapsearch it works, but
> not with Dovecot...
Alexandros Soumplis <soumplis at ekt.gr> wrote:
> If you allow anonymous search on AD maybe you can try to set auth_bind =
> no.

I'm sorry, but I think the AD does NOT allow anonymous search...
I'm new at this company and I don't know the server exactly, but every attempt I made without any authentication failed...

Any other idea?

Thanks
Luca Bertoncello
(lucabert at lucabert.de)
On Monday 22 June 2015 14:19:52 Luca Bertoncello wrote:
> Hi again
>
> I'm trying to authenticate a user against an LDAP Server (well, our
> AD, but it can LDAP).
>
> This is my configuration:
>
> hosts = my.server.local
> auth_bind = yes
> ldap_version = 3
> base = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local
> scope = subtree
> user_attrs = \
>   =home=/home/imapproxy/%u, \
>   =mail=maildir:/home/imapproxy/%u
>
> pass_attrs = uid=%u, userPassword=%w
> pass_filter = (&(objectClass=user)(sAMAccountName=%u))
> auth_bind_userdn = company\%u

BTW, is there a userPassword attribute? As I remember, on AD it is sAMAccountpassword.
Hi,

I would suggest starting with a simplified config. For example:

> hosts = my.server.local
> auth_bind = yes
> ldap_version = 3
> base = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local

base = DC=company,DC=local

> scope = subtree
> user_attrs = \
>   =home=/home/imapproxy/%u, \
>   =mail=maildir:/home/imapproxy/%u

remove the user_attrs. In my config, home is defined in userdb in the main dovecot.conf

> pass_attrs = uid=%u, userPassword=%w

remove pass_attrs

> pass_filter = (&(objectClass=user)(sAMAccountName=%u))

pass_filter = (sAMAccountName=%Ln)

And add:

user_filter = (sAMAccountName=%Ln)

> auth_bind_userdn = company\%u

something tickles my brain that says my setup didn't like that. anyway, my config has %Ln at company.xyz

If that works, then you can add the other bits one at a time till it fails....
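To see what the suggested %Ln filter does with different login names, here is an added Python example (not from the thread, and not Dovecot's own code): it expands the %u/%n/%d variables, with the L lowercase modifier, in the pass_filter and user_filter templates quoted above, and hex-escapes the substituted value per RFC 4515, as Dovecot does for its LDAP filter variables, so that a login name containing filter metacharacters cannot change the query. The function names and the sample login names are my own.

```python
import re

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
FILTER_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(FILTER_SPECIAL.get(ch, ch) for ch in value)


def dovecot_vars(user):
    """Subset of Dovecot's auth variables used in the thread's filters.

    %u = full login name, %n = part before '@', %d = part after '@';
    the L modifier (%Lu, %Ln, %Ld) lowercases the value.
    """
    name, _, domain = user.partition("@")
    base = {"u": user, "n": name, "d": domain}
    lowered = {"L" + key: val.lower() for key, val in base.items()}
    return {**base, **lowered}


VAR_RE = re.compile(r"%(L?[und])")


def expand_filter(template, user):
    """Expand %u/%n/%d (optionally with L) in a filter template, escaping
    each substituted value so the login name cannot alter the filter."""
    values = dovecot_vars(user)
    return VAR_RE.sub(lambda m: ldap_filter_escape(values[m.group(1)]), template)


# Templates from the thread: the original pass_filter and the suggested replacement.
ORIGINAL_PASS_FILTER = "(&(objectClass=user)(sAMAccountName=%u))"
SUGGESTED_FILTER = "(sAMAccountName=%Ln)"


def compare(user):
    """Show both filters expanded for the same login name."""
    return {"original": expand_filter(ORIGINAL_PASS_FILTER, user),
            "suggested": expand_filter(SUGGESTED_FILTER, user)}


if __name__ == "__main__":
    # constructed sample login names
    for login in ("bertoncello", "Bertoncello@company.local", "*)(objectClass=*"):
        print(login, "->", compare(login))
```

The comparison shows why the reply prefers %Ln: a login of Bertoncello@company.local leaves the domain part and the capital letter in the %u filter, while %Ln reduces it to bertoncello, which is what sAMAccountName holds. The third sample shows the escaping turning filter metacharacters into literal bytes, so the filter stays a single equality match.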