dovecot - Jun 2015 - LDAP authentication

Hi again

I'm trying to authenticate a user against an LDAP Server (well, our  
AD, but it can LDAP).

This is my configuration:

hosts = my.server.local
auth_bind = yes
ldap_version = 3
base = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local
scope = subtree
user_attrs = \
   =home=/home/imapproxy/%u, \
   =mail=maildir:/home/imapproxy/%u

pass_attrs = uid=%u, userPassword=%w
pass_filter = (&(objectClass=user)(sAMAccountName=%u))
auth_bind_userdn = company\%u

If I try to login on the LDAP-Server using ldapsearch it works, but  
with Dovecot not...
I see this in my log:

Jun 22 16:14:08 proxy01 dovecot: auth: Debug: client in:  
AUTH#0111#011PLAIN#011service=imap#011secured#011session=+agW4xsZ4gAKADPG#011lip=10.0.46.4#011rip=10.0.51.198#011lport=143#011rport=34018#011resp=<hidden>
Jun 22 16:14:08 proxy01 dovecot: auth: Debug: client passdb out:  
OK#0111#011user=bertoncello
Jun 22 16:14:08 proxy01 dovecot: auth: Debug: master in:  
REQUEST#0111586495489#01117122#0111#01161785e0770d6c48e7316ab484bc2778c#011session_pid=17125#011request_auth_token
Jun 22 16:14:08 proxy01 dovecot: auth: Debug:  
ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>): user search:  
base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local  
scope=subtree filter=(&(objectClass=posixAccount)(uid=bertoncello))  
fieldsJun 22 16:14:08 proxy01 dovecot: auth: Error:  
ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>):  
ldap_search(base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local  
filter=(&(objectClass=posixAccount)(uid=bertoncello))) failed:  
Operations error
Jun 22 16:14:08 proxy01 dovecot: auth: Debug: master userdb out:  
FAIL#0111586495489
Jun 22 16:14:08 proxy01 dovecot: imap: Error: Internal auth failure  
(client-pid=17122 client-id=1)
Jun 22 16:14:08 proxy01 dovecot: imap-login: Internal login failure  
(pid=17122 id=1) (internal failure, 1 successful auths):  
user=<bertoncello>, method=PLAIN, rip=10.0.51.198, lip=10.0.46.4,  
mpid=17125, TLS, session=<+agW4xsZ4gAKADPG>

and if I sniff with ngrep the comunication with the AD I see:

####
T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
   0....`........
#
T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
   0........a............
##
T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
   0#...`......company\bertoncello..secret
#
T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
   0........a............
##
T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
   0....`........
#
T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
   0........a............
#
T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
    
0.....c{.5CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local................1....objectClass..posixAccount....uid..bertoncello0.
#
T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
   0........e................000004DC: LdapErr: DSID-0C0906E8,  
comment: In order to perform this operation a successful bind must be  
completed on the connection., data 0, v1db1.
##
T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
   0....B.
###
T 192.168.168.23:389 -> 10.0.46.4:58761 [AR]
   ..

and I can't understand why:

1) I read "objectClass..posixAccount"
2) The authentication does not work...

Thanks for your help!
Luca Bertoncello
(lucabert at lucabert.de)

If you allow anonymous search on AD maybe you can try to set auth_bind = 
no .

a.


On 22/06/15 17:19, Luca Bertoncello wrote:
> Hi again
>
> I'm trying to authenticate a user against an LDAP Server (well, our 
> AD, but it can LDAP).
>
> This is my configuration:
>
> hosts = my.server.local
> auth_bind = yes
> ldap_version = 3
> base = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local
> scope = subtree
> user_attrs = \
>   =home=/home/imapproxy/%u, \
>   =mail=maildir:/home/imapproxy/%u
>
> pass_attrs = uid=%u, userPassword=%w
> pass_filter = (&(objectClass=user)(sAMAccountName=%u))
> auth_bind_userdn = company\%u
>
> If I try to login on the LDAP-Server using ldapsearch it works, but 
> with Dovecot not...
> I see this in my log:
>
> Jun 22 16:14:08 proxy01 dovecot: auth: Debug: client in: 
>
AUTH#0111#011PLAIN#011service=imap#011secured#011session=+agW4xsZ4gAKADPG#011lip=10.0.46.4#011rip=10.0.51.198#011lport=143#011rport=34018#011resp=<hidden>
> Jun 22 16:14:08 proxy01 dovecot: auth: Debug: client passdb out: 
> OK#0111#011user=bertoncello
> Jun 22 16:14:08 proxy01 dovecot: auth: Debug: master in: 
>
REQUEST#0111586495489#01117122#0111#01161785e0770d6c48e7316ab484bc2778c#011session_pid=17125#011request_auth_token
> Jun 22 16:14:08 proxy01 dovecot: auth: Debug: 
> ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>): user search: 
> base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local 
> scope=subtree filter=(&(objectClass=posixAccount)(uid=bertoncello)) 
> fields> Jun 22 16:14:08 proxy01 dovecot: auth: Error: 
> ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>): 
> ldap_search(base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local 
> filter=(&(objectClass=posixAccount)(uid=bertoncello))) failed: 
> Operations error
> Jun 22 16:14:08 proxy01 dovecot: auth: Debug: master userdb out: 
> FAIL#0111586495489
> Jun 22 16:14:08 proxy01 dovecot: imap: Error: Internal auth failure 
> (client-pid=17122 client-id=1)
> Jun 22 16:14:08 proxy01 dovecot: imap-login: Internal login failure 
> (pid=17122 id=1) (internal failure, 1 successful auths): 
> user=<bertoncello>, method=PLAIN, rip=10.0.51.198, lip=10.0.46.4, 
> mpid=17125, TLS, session=<+agW4xsZ4gAKADPG>
>
> and if I sniff with ngrep the comunication with the AD I see:
>
> ####
> T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
>   0....`........
> #
> T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
>   0........a............
> ##
> T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
>   0#...`......company\bertoncello..secret
> #
> T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
>   0........a............
> ##
> T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
>   0....`........
> #
> T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
>   0........a............
> #
> T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
>
0.....c{.5CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local................1....objectClass..posixAccount....uid..bertoncello0.
> #
> T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
>   0........e................000004DC: LdapErr: DSID-0C0906E8, comment: 
> In order to perform this operation a successful bind must be completed 
> on the connection., data 0, v1db1.
> ##
> T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
>   0....B.
> ###
> T 192.168.168.23:389 -> 10.0.46.4:58761 [AR]
>   ..
>
> and I can't understand why:
>
> 1) I read "objectClass..posixAccount"
> 2) The authentication does not work...
>
> Thanks for your help!
> Luca Bertoncello
> (lucabert at lucabert.de)

Alexandros Soumplis <soumplis at ekt.gr> schrieb:
> If you allow anonymous search on AD maybe you can try to set auth_bind = 
> no .
I'm sorry, but I think, the AD does NOT allow anonymous search...
I'm new in this company and I don't know exactly the server, but every
try
I did without any authentication, failed...

Any other idea?

Thanks
Luca Bertoncello
(lucabert at lucabert.de)

On Monday 22 June 2015 14:19:52 Luca Bertoncello wrote:
> Hi again
> 
> I'm trying to authenticate a user against an LDAP Server (well, our
> AD, but it can LDAP).
> 
> This is my configuration:
> 
> hosts = my.server.local
> auth_bind = yes
> ldap_version = 3
> base = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local
> scope = subtree
> user_attrs = \
>    =home=/home/imapproxy/%u, \
>    =mail=maildir:/home/imapproxy/%u
> 
> pass_attrs = uid=%u, userPassword=%w
> pass_filter = (&(objectClass=user)(sAMAccountName=%u))
> auth_bind_userdn = company\%u
BTW, there is an userPassword attribute? As I remember, on AD it is 
sAMAccountpassword.

Hi,

I would suggest starting with a simplified config.  by example:
> hosts = my.server.local
> auth_bind = yes
> ldap_version = 3
> base = CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local
base = DC=company,DC=local
> scope = subtree
> user_attrs = \
>    =home=/home/imapproxy/%u, \
>    =mail=maildir:/home/imapproxy/%u
remove the user_attrs
In my config, home is defined in userdb in main dovecot.conf
> pass_attrs = uid=%u, userPassword=%w
remove pass_attrs
> pass_filter = (&(objectClass=user)(sAMAccountName=%u))
pass_filter = (sAMAccountName=%Ln)
  And add:
user_filter = (sAMAccountName=%Ln)
> auth_bind_userdn = company\%u
something tickles my brain that says my setup didn't like that.  anyway, 
my config has %Ln at company.xyz

If that works, then you can add the other bits one at a time till it 
fails....







>
> If I try to login on the LDAP-Server using ldapsearch it works, but with
> Dovecot not...
> I see this in my log:
>
> Jun 22 16:14:08 proxy01 dovecot: auth: Debug: client in:
>
AUTH#0111#011PLAIN#011service=imap#011secured#011session=+agW4xsZ4gAKADPG#011lip=10.0.46.4#011rip=10.0.51.198#011lport=143#011rport=34018#011resp=<hidden>
>
> Jun 22 16:14:08 proxy01 dovecot: auth: Debug: client passdb out:
> OK#0111#011user=bertoncello
> Jun 22 16:14:08 proxy01 dovecot: auth: Debug: master in:
>
REQUEST#0111586495489#01117122#0111#01161785e0770d6c48e7316ab484bc2778c#011session_pid=17125#011request_auth_token
>
> Jun 22 16:14:08 proxy01 dovecot: auth: Debug:
> ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>): user search:
> base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local
> scope=subtree filter=(&(objectClass=posixAccount)(uid=bertoncello))
fields> Jun 22 16:14:08 proxy01 dovecot: auth: Error:
> ldap(bertoncello,10.0.51.198,<+agW4xsZ4gAKADPG>):
> ldap_search(base=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local
filter=(&(objectClass=posixAccount)(uid=bertoncello)))
> failed: Operations error
> Jun 22 16:14:08 proxy01 dovecot: auth: Debug: master userdb out:
> FAIL#0111586495489
> Jun 22 16:14:08 proxy01 dovecot: imap: Error: Internal auth failure
> (client-pid=17122 client-id=1)
> Jun 22 16:14:08 proxy01 dovecot: imap-login: Internal login failure
> (pid=17122 id=1) (internal failure, 1 successful auths):
> user=<bertoncello>, method=PLAIN, rip=10.0.51.198, lip=10.0.46.4,
> mpid=17125, TLS, session=<+agW4xsZ4gAKADPG>
>
> and if I sniff with ngrep the comunication with the AD I see:
>
> ####
> T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
>    0....`........
> #
> T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
>    0........a............
> ##
> T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
>    0#...`......company\bertoncello..secret
> #
> T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
>    0........a............
> ##
> T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
>    0....`........
> #
> T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
>    0........a............
> #
> T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
>
>
0.....c{.5CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local................1....objectClass..posixAccount....uid..bertoncello0.
>
> #
> T 192.168.168.23:389 -> 10.0.46.4:58761 [AP]
>    0........e................000004DC: LdapErr: DSID-0C0906E8, comment:
> In order to perform this operation a successful bind must be completed
> on the connection., data 0, v1db1.
> ##
> T 10.0.46.4:58761 -> 192.168.168.23:389 [AP]
>    0....B.
> ###
> T 192.168.168.23:389 -> 10.0.46.4:58761 [AR]
>    ..
>
> and I can't understand why:
>
> 1) I read "objectClass..posixAccount"
> 2) The authentication does not work...
>
> Thanks for your help!
> Luca Bertoncello
> (lucabert at lucabert.de)