I posted earlier with reports of less than stellar success in using Active
Directory for dovecot authentication.
My approach is to use the two-step approach of
- obtaining the user DN by a search using an authenticated bind (using a
service account)
- then binding as that DN, and returning the relevant user attributes
This hasn't been successful. Dovecot's authentication process does
perform the (first) authenticated bind successfully, it does obtain the right
DN, then just sits there doing nothing as far as I can tell, and after a long
delay concludes authentication failure - shortly before deciding to perform the
bind with the user-supplied credentials, successfully. Source inspection has
not resulted in a glorious eureka yet.
So I thought, why not handle it myself? And I wrote a little script, using the
checkpassword interface. I've enclosed it.
The script is based on
<http://wiki2.dovecot.org/AuthDatabase/CheckPassword>, but somehow the
userdb_uid and userdb_gid I've passed back in the "EXTRA"
environment variable get lost along the way.
It syslogs, and the syslogs show that the LDAP parts are working as expected:
Mar 3 14:49:09 <mail.info> ponyboy checkpassword: successful
authenticated bind and DN(js) lookup
Mar 3 14:49:09 <mail.info> ponyboy checkpassword: DN(js) is CN=Jeroen
Scheerder,OU=Users,OU=Netherlands,OU=ON2IT,DC=office,DC=on2it,DC=net
Mar 3 14:49:09 <mail.info> ponyboy checkpassword: js authenticated
In dovecot's log, simultaneously, I see basically a successful login, except
that the (userdb_)uid and (userdb_)gid don't work - unless I disable prefetch
and use a static userdb:
Mar 03 14:49:04 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
Mar 03 14:49:04 auth: Debug: Read auth token secret from
/var/run/dovecot/auth-token-secret.dat
Mar 03 14:49:04 auth: Debug: auth client connected (pid=90856)
Mar 03 14:49:09 auth: Debug: client in: AUTH 1 PLAIN service=imap secured
session=+qFODbTzDgB/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=63246
resp=<hidden>
Mar 03 14:49:09 auth: Debug:
checkpassword(js,127.0.0.1,<+qFODbTzDgB/AAAB>): execute:
/usr/local/etc/dovecot/checkpassword-on2it
/usr/local/libexec/dovecot/checkpassword-reply
Mar 03 14:49:09 auth: Debug:
checkpassword(js,127.0.0.1,<+qFODbTzDgB/AAAB>): Received input:
userdb_uid=143 userdb_gid=143
Mar 03 14:49:09 auth: Debug:
checkpassword(js,127.0.0.1,<+qFODbTzDgB/AAAB>): exit_status=0
Mar 03 14:49:09 auth: Debug: client passdb out: OK 1 user=js
Mar 03 14:49:09 auth: Debug: master in: REQUEST 4007395329 90856 1
29571963894e557ab643d2e51872ba55 session_pid=90899 request_auth_token
Mar 03 14:49:09 auth: Debug: prefetch(js,127.0.0.1,<+qFODbTzDgB/AAAB>):
success
Mar 03 14:49:09 auth: Debug: master userdb out: USER 4007395329 js uid=143
gid=143 auth_token=e2d7c2463dd4c039010e904afb4ea45214cb7de5
Mar 03 14:49:09 imap-login: Info: Login: user=<js>, method=PLAIN,
rip=127.0.0.1, lip=127.0.0.1, mpid=90899, secured,
session=<+qFODbTzDgB/AAAB>
Mar 03 14:49:09 imap: Error: user js: Mail access for users with UID 143 not
permitted (see first_valid_uid in config file, uid from userdb lookup).
Mar 03 14:49:09 imap: Error: Invalid user settings. Refer to server log for more
information.
With a static userdb (as shown in the config below): behold, everything works:
Mar 03 14:52:49 auth: Debug: client in: AUTH 1 PLAIN service=imap secured
session=R0plGrTzGAB/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=40984
resp=<hidden>
Mar 03 14:52:49 auth: Debug:
checkpassword(js,127.0.0.1,<R0plGrTzGAB/AAAB>): execute:
/usr/local/etc/dovecot/checkpassword-on2it
/usr/local/libexec/dovecot/checkpassword-reply
Mar 03 14:52:49 auth: Debug:
checkpassword(js,127.0.0.1,<R0plGrTzGAB/AAAB>): Received input:
userdb_uid=143 userdb_gid=143
Mar 03 14:52:49 auth: Debug:
checkpassword(js,127.0.0.1,<R0plGrTzGAB/AAAB>): exit_status=0
Mar 03 14:52:49 auth: Debug: client passdb out: OK 1 user=js
Mar 03 14:52:49 auth: Debug: master in: REQUEST 2818310145 90960 1
1b6ea6c4e6b90fd49a87195c35fa34ef session_pid=91002 request_auth_token
Mar 03 14:52:49 auth: Debug: master userdb out: USER 2818310145 js uid=1000
gid=1000 home=/var/mail/on2it/js
auth_token=21609f5f149bf80dec701dce9f288824cdf52c60
Mar 03 14:52:49 imap-login: Info: Login: user=<js>, method=PLAIN,
rip=127.0.0.1, lip=127.0.0.1, mpid=91002, secured,
session=<R0plGrTzGAB/AAAB>
Mar 03 14:53:04 imap(js): Info: Connection closed in=0 out=352
So it's working for me now. This is clearly not the way things ought to
work... but the stock LDAP interaction seems broken to my limited mind.
So who would be so friendly as to point out the fallacies I've been
pursuing?
Regards, Jeroen.
$ dovecot -n
# 2.2.10: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.0-RELEASE amd64 ufs
auth_debug = yes
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
first_valid_gid = 1000
first_valid_uid = 1000
imap_client_workarounds = delay-newmail
last_valid_gid = 1000
last_valid_uid = 1000
log_path = /tmp/dovecot
mail_gid = 1000
mail_location = maildir:/var/mail/on2it/%Ln
mail_uid = 1000
maildir_very_dirty_syncs = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /usr/local/etc/dovecot/checkpassword-on2it
  driver = checkpassword
}
protocols = imap
service auth-worker {
  user = root
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
shutdown_clients = no
ssl = no
userdb {
  args = uid=1000 gid=1000 home=/var/mail/on2it/%Ln
  driver = static
}
valid_chroot_dirs = /var/mail/on2itn2it
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: checkpasswd
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20140303/0ce38b76/attachment.ksh>