Oops! Thought I'd CC'd this to the list. Sorry, Oliver!
Chris
-------- Original Message --------
Date: Wed, 13 Jul 2005 20:09:35 +0100
From: Chris Wakelin <c.d.wakelin at reading.ac.uk>
To: Jeroen Scheerder <Jeroen.Scheerder at phil.uu.nl>
CC: Chris Wakelin <c.d.wakelin at reading.ac.uk>
Subject: Re: [Dovecot] Dovecot and ActiveDirectory
Jeroen Scheerder wrote:
> Chris Wakelin (13/7/05 16:08 +0100) [Re: [Dovecot] Dovecot and
> ActiveDirectory]:
>
>> I've got it working via PAM and pam_ldap on Solaris. [..]
>
> That's exactly what I'm striving to do.
>
> I've never set up LDAP authentication for Solaris itself, and actually
> never used PAM before.
>
> If I may be so bold, could I bother you for details about your
> configuration in these respects?
/opt/RDGpldap/etc/ldap.conf:
host xxx.rdg.ac.uk
base dc=xxxxx,dc=ad,dc=rdg,dc=ac,dc=uk
binddn cn=xxxuser,cn=users,dc=xxxxx,dc=ad,dc=rdg,dc=ac,dc=uk
bindpw xxxpasswd
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
xxxuser is a read-only account in the AD.
/etc/pam.conf:
...
dovecot auth required /opt/RDGpldap/lib/pam_ldap.so
dovecot account required /opt/RDGpldap/lib/pam_ldap.so
dovecot session required /opt/RDGpldap/lib/pam_ldap.so
dovecot.conf:
auth_username_translation AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
auth default {
mechanisms = plain login
passdb = pam
userdb = passwd
user = root
}
The auth_username_translation is because AD users are case-insensitive
but UNIX ones aren't! We have users in both AD and UNIX (but could use
something like "userdb=static uid=xxxx gid=yyyy home=/var/mail/%Lu"
assuming xxxx:yyyy has appropriate permissions on the spool files)
pam_ldap-178 was configured with
./configure --prefix=/opt/RDGpldap \
--with-ldap-conf-file=/opt/RDGpldap/etc/ldap.conf
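Added example (not Chris's configuration and not code from Dovecot or pam_ldap): a small Python checker for a PADL-style ldap.conf of the shape shown above, plus the character-pair rule that Dovecot's auth_username_translation applies. The sample config is constructed with dummy host, base DN and credentials; the "ssl on" / "ssl start_tls" option names are assumed from the PADL ldap.conf format and are not in the original mail. The checks encode the two points a reviewer of this setup cares about: a stored bindpw means the file must not be group/world readable and the simple bind needs TLS, and "pam_password ad" only works over a TLS session because AD refuses cleartext unicodePwd changes.

```python
"""Lint a pam_ldap/nss_ldap ldap.conf and apply Dovecot's username translation.

Added example; sample data below is constructed, not taken from the mail.
"""
import stat

# Constructed to mirror the posted config; values are placeholders.
SAMPLE_LDAP_CONF = """\
host ldap.example.invalid
base dc=example,dc=ad,dc=invalid
binddn cn=svc-ro,cn=users,dc=example,dc=ad,dc=invalid
bindpw placeholder-password
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
"""

# The posted auth_username_translation value: pairs of from/to characters,
# here every upper-case ASCII letter followed by its lower-case form.
UPPER_TO_LOWER = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz"

MESSAGES = {
    "bindpw-cleartext": "bindpw set but no 'ssl on'/'ssl start_tls': simple bind sends it in clear",
    "bindpw-file-readable": "bindpw set but ldap.conf is group/world readable",
    "pam_password-ad-needs-tls": "'pam_password ad' requires TLS; AD rejects cleartext unicodePwd changes",
    "no-pam_filter": "no pam_filter: any object matching the login attribute may authenticate",
}


def parse_ldap_conf(text):
    """Parse 'key value' lines into {key: [values]}; keys such as
    nss_map_attribute repeat, so every key maps to a list."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def check_ldap_conf(conf, conf_mode=None):
    """Return finding codes for the parsed config. conf_mode is the file's
    st_mode (os.stat(path).st_mode) if the caller has one; None skips it."""
    findings = []
    # Assumed option spelling from the PADL ldap.conf format.
    ssl = [v.lower() for v in conf.get("ssl", [])]
    tls_on = any(s in ("on", "yes", "start_tls") for s in ssl)
    if "bindpw" in conf:
        if not tls_on:
            findings.append("bindpw-cleartext")
        if conf_mode is not None and conf_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("bindpw-file-readable")
    if conf.get("pam_password", [""])[0].lower() == "ad" and not tls_on:
        findings.append("pam_password-ad-needs-tls")
    if "pam_filter" not in conf:
        findings.append("no-pam_filter")
    return findings


def build_translation(table):
    """Turn a from/to pair string into a dict, as auth_username_translation
    is documented to be read (e.g. '#@/@' maps both '#' and '/' to '@')."""
    if len(table) % 2:
        raise ValueError("translation table must have an even length")
    return {table[i]: table[i + 1] for i in range(0, len(table), 2)}


def translate_username(user, table):
    """Apply the translation before the passdb/userdb lookup, so a
    case-insensitive AD login maps onto a case-sensitive UNIX account."""
    mapping = build_translation(table)
    return "".join(mapping.get(c, c) for c in user)


if __name__ == "__main__":
    parsed = parse_ldap_conf(SAMPLE_LDAP_CONF)
    for code in check_ldap_conf(parsed, conf_mode=0o644):
        print(f"{code}: {MESSAGES[code]}")
    print(translate_username("JSmith", UPPER_TO_LOWER))
```

Run against the real file, pass os.stat(path).st_mode as conf_mode; the sample config produces the cleartext-bind and pam_password findings, and adding an ssl line with mode 0600 clears them.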
Hope this helps,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094