I'm trying to authenticate users against MS AD with the auth_bind option.
Here is my config file:
# 1.0.15: /etc/dovecot/dovecot.conf
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imaps
ssl_cert_file: /etc/dovecot/ssl/cert.pem
ssl_key_file: /etc/dovecot/ssl/key.pem
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mail_debug: yes
mail_plugins: acl
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
plugin:
  acl: vfile
Content of dovecot-ldap.conf:
hosts = myhost:389
auth_bind = yes
auth_bind_userdn = cn=%n,ou=People,dc=company,dc=com
base = ou=People,dc=company,dc=com
user_attrs = mailNickname=home
user_filter = (&(objectClass=user)(sAMAccountName=%n))
user_global_uid = vmail
user_global_gid = vmail
Using the same options I can fetch info with ldapsearch:

ldapsearch -h myhost -b 'dc=company,dc=com' \
  -D 'cn=username,ou=People,dc=company,dc=com' -x -W \
  '(&(objectClass=user)(sAMAccountName=username))'
Dovecot doesn't work with this setting; it shows in the log:

dovecot: auth(default): ldap(username,10.131.11.147): ldap_search() failed: Operations error
Using tcpdump I found the cause of it: it seems Dovecot binds to the AD server,
then drops the connection and tries to do the search without a bind.
During the sniff I see the response to my LDAP search:

LdapErr: DSID-0C090627, comment: In order to perform this operation a
successful bind must be completed on the connection

I found a similar problem on the mailing list, without a solution:
http://markmail.org/message/a6pui34ewb5bd55d

Kindly asking what to do about it? :)
-- 
Best Regards
On Mon, 2009-05-25 at 17:07 +0200, Misha Volodko wrote:
> I'm trying to authenticate users against MS AD with the auth_bind option.
> Here is my config file:
..
> Content of dovecot-ldap.conf:
> hosts = myhost:389

You should use port 3268 with AD.
Hello,

Using port 3268 I faced absolutely the same behavior. So, it doesn't matter in this case.

On Tue, May 26, 2009 at 1:33 AM, Timo Sirainen <tss at iki.fi> wrote:
> On Mon, 2009-05-25 at 17:07 +0200, Misha Volodko wrote:
>> I'm trying to authenticate users against MS AD with the auth_bind option.
>> Here is my config file:
> ..
>> Content of dovecot-ldap.conf:
>> hosts = myhost:389
>
> You should use port 3268 with AD.
>

-- 
Gooood Night
On Mon, 2009-05-25 at 17:07 +0200, Misha Volodko wrote:
> Using tcpdump I found the cause of it: it seems Dovecot binds to the AD server,
> then drops the connection and tries to do the search without a bind.
> During the sniff I see the response to my LDAP search:
>
> LdapErr: DSID-0C090627, comment: In order to perform this operation a
> successful bind must be completed on the connection

Dovecot drops the user bind when it does the userdb lookup. If AD doesn't support anonymous lookups, you can specify some user with dn and dnpass settings and Dovecot will use it for the userdb lookups.
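What Timo's suggestion looks like as a complete dovecot-ldap.conf, as an added example for the Dovecot 1.0.x layout used in this thread (not a message from the thread and not Dovecot's own example file). AD refuses anonymous searches by default, which is exactly what the "a successful bind must be completed on the connection" error says, so the userdb lookup needs an identity of its own. The host name "dc1.company.com", the service-account DN and its password are placeholders; everything else is taken from the original post. The point is that the two LDAP operations run under two different identities: the password check is still a bind as the user (auth_bind), while the userdb search that follows runs as the dn/dnpass account, which therefore needs only read access to the user objects and never touches a password attribute.

```ini
# /etc/dovecot/dovecot-ldap.conf -- added example for the Dovecot 1.0.x
# layout used in the thread, not the project's example file.
# "dc1.company.com", the service-account DN and its password are placeholders.

# The sniff above worked because a simple bind on port 389 carries the user's
# password in the clear. Turn on STARTTLS (or point hosts at the LDAPS port).
hosts = dc1.company.com:389
tls = yes
ldap_version = 3
# Port 3268 (global catalog) lets the base span the whole forest, but the GC
# replicates only a subset of attributes; check that mailNickname is in that
# set before switching to it.

# Service account for the userdb lookup. Dovecot drops the user's own bind
# before that search, so it needs an identity that is allowed to read the
# user objects. Plain read access to those objects is enough: no password
# attribute is read, because the password check is still the bind below.
dn = cn=dovecot-lookup,ou=Service Accounts,dc=company,dc=com
dnpass = replace-with-the-service-account-password

# passdb: authenticate by binding as the user. With auth_bind_userdn set,
# Dovecot builds the DN from the template and needs no pass_filter search,
# and no password hash ever leaves AD.
auth_bind = yes
auth_bind_userdn = cn=%n,ou=People,dc=company,dc=com

base = ou=People,dc=company,dc=com
scope = subtree

# userdb: unchanged from the original post.
user_attrs = mailNickname=home
user_filter = (&(objectClass=user)(sAMAccountName=%n))
user_global_uid = vmail
user_global_gid = vmail

# Check that the service account can do the userdb lookup on its own, with
# no user credentials involved (run from the Dovecot host):
#   ldapsearch -x -ZZ -h dc1.company.com -b 'ou=People,dc=company,dc=com' \
#     -D 'cn=dovecot-lookup,ou=Service Accounts,dc=company,dc=com' -W \
#     '(&(objectClass=user)(sAMAccountName=username))' mailNickname
```

Since the file now holds dnpass, keep it readable only by the user the auth process runs as (root unless `user` is set in the auth section). Once logins work, switch `debug_passwords` off in dovecot.conf: with it set to yes, every user's cleartext password is written to the log, which is a worse exposure than the LDAP bind it was turned on to debug.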
If I use dn and dnpass it would use the password lookup mechanism; for this, access to the password field in LDAP would have to be granted to some particular user. Unfortunately, that's impossible. That's why I want to use the auth_bind way.

On Thu, May 28, 2009 at 11:57 PM, Timo Sirainen <tss at iki.fi> wrote:
> On Mon, 2009-05-25 at 17:07 +0200, Misha Volodko wrote:
>> Using tcpdump I found the cause of it: it seems Dovecot binds to the AD server,
>> then drops the connection and tries to do the search without a bind.
>> During the sniff I see the response to my LDAP search:
>>
>> LdapErr: DSID-0C090627, comment: In order to perform this operation a
>> successful bind must be completed on the connection
>
> Dovecot drops the user bind when it does the userdb lookup. If AD
> doesn't support anonymous lookups, you can specify some user with dn and
> dnpass settings and Dovecot will use it for the userdb lookups.
>

-- 
Gooood Night