dovecot - Nov 2014 - Working with Active Directory on Windows Server 2012 R2

I?ve attempted the user Mail with the same password with the same result
(binding as my own user was a last-ditch attempt).

aaron at aaron-Parallels-Virtual-Platform:/etc/sssd$ ldapsearch -x -H
ldap://dc1.ad.automaton.uk -D 
CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W - -b
CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk> with scope
subtree
# filter: (objectclass=*)
# requesting: -
#

# aaron.jenkins, Users, ad.automaton.uk
dn: CN=aaron.jenkins,CN=Users,DC=ad,DC=automaton,DC=uk

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Same with the user Mail



On November 25, 2014 at 2:18:26 AM, Steffen Kaiser (skdovecot at
smail.inf.fh-brs.de<mailto:skdovecot at smail.inf.fh-brs.de>) wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 25 Nov 2014, Aaron Jenkins wrote:
> I?m having issues getting Dovecot to work with AD on 2012 R2 in a test
environment.
> ?
> Nov 19 09:22:23 auth: Debug: auth client connected (pid=10345)
> Nov 19 09:22:23 auth: Debug: client in: AUTH 1 PLAIN service=imap secured
session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=993 rport=56395
> Nov 19 09:22:23 auth: Debug: client passdb out: CONT 1
> Nov 19 09:22:23 auth: Debug: client in: CONT 1 (previous base64 data may
contain sensitive data)
> Nov 19 09:22:29 auth: Debug: client passdb out: FAIL 1 user=aaron.jenkins
temp
Your conf:
auth_bind = yes
dn = aaron.jenkins
dnpass = dummypass1
auth_bind_userdn = CN=%u,CN=users,DC=ad,DC=automaton,DC=uk

Can you really succeed a simple auth with the dn aaron.jenkins ? This
ought to be a full DN. As I understand auth_bind_userdn, you do not need
dn/dnpass anyway, because auth_bind_userdn prevents searching for the
user's DN, in which case Dovecot requires a connection before any user
bind takes place.

I wonder if the log shows the error from this setting or from the user's
login attempt. Could you try another user?

Can you auth from command line via

ldapsearch -x -H ldap://dc1.ad.automaton.uk -D \
CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W \
- -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk

- --
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBVHRYQ3z1H7kL/d9rAQLlKgf9GB2o0/T84E9KykVU/IkoCuLQLfaNeTzg
tI26Puwl1+tHXY+WkJs8uHTsKWaI5Qyh0Fv/6bR3ZSB5QhEkAQSE87WKfSJCe6FX
i1261C5oLSqA8mWYoyPnkeHuHDFKp9YULnfqgBbLzz/7Y63i0dDgaql5stELZSwa
XCzUwrEWdxdzgt8h7mnfG6fHn4xxfLeKCiA5e62afjXux4eCGclcytXOpIgl8z7u
bULhGmxqyYDvjkGXCex/LYtKx+S6zSIMg/8Ior6SrPBy+IK0qUtwPoOssCY4cycd
4ZRVdvxjmjbHrzQdV/ZJn+jLqSI016l/lzASP7SUptHb8CjwxZxeCw==6Zsw
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 26 Nov 2014, Aaron Jenkins wrote:
> I?ve attempted the user Mail with the same password with the same result
(binding as my own user was a last-ditch attempt).
OK, what about the:
>                        As I understand auth_bind_userdn, you do not need
> dn/dnpass anyway, because auth_bind_userdn prevents searching for the
> user's DN
Did you removed the dn/dnpass settings?

What about the:
> I wonder if the log shows the error from this setting or from the
user's
> login attempt. Could you try another user?
If you login with another user (not aaron.jenkins) to IMAP, which
username is listed in the logs then.
>
> aaron at aaron-Parallels-Virtual-Platform:/etc/sssd$ ldapsearch -x -H
ldap://dc1.ad.automaton.uk -D 
CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W - -b
CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk> with
scope subtree
> # filter: (objectclass=*)
> # requesting: -
> #
>
> # aaron.jenkins, Users, ad.automaton.uk
> dn: CN=aaron.jenkins,CN=Users,DC=ad,DC=automaton,DC=uk
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> Same with the user Mail
>
>
>
> On November 25, 2014 at 2:18:26 AM, Steffen Kaiser (skdovecot at
smail.inf.fh-brs.de<mailto:skdovecot at smail.inf.fh-brs.de>) wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 25 Nov 2014, Aaron Jenkins wrote:
>
>> I?m having issues getting Dovecot to work with AD on 2012 R2 in a test
environment.
>> ?
>> Nov 19 09:22:23 auth: Debug: auth client connected (pid=10345)
>> Nov 19 09:22:23 auth: Debug: client in: AUTH 1 PLAIN service=imap
secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=993
rport=56395
>> Nov 19 09:22:23 auth: Debug: client passdb out: CONT 1
>> Nov 19 09:22:23 auth: Debug: client in: CONT 1 (previous base64 data
may contain sensitive data)
>> Nov 19 09:22:29 auth: Debug: client passdb out: FAIL 1
user=aaron.jenkins temp
>
> Your conf:
> auth_bind = yes
> dn = aaron.jenkins
> dnpass = dummypass1
> auth_bind_userdn = CN=%u,CN=users,DC=ad,DC=automaton,DC=uk
>
> Can you really succeed a simple auth with the dn aaron.jenkins ? This
> ought to be a full DN. As I understand auth_bind_userdn, you do not need
> dn/dnpass anyway, because auth_bind_userdn prevents searching for the
> user's DN, in which case Dovecot requires a connection before any user
> bind takes place.
>
> I wonder if the log shows the error from this setting or from the
user's
> login attempt. Could you try another user?
>
> Can you auth from command line via
>
> ldapsearch -x -H ldap://dc1.ad.automaton.uk -D \
> CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W \
> - -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
>
> - --
> Steffen Kaiser
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iQEVAwUBVHRYQ3z1H7kL/d9rAQLlKgf9GB2o0/T84E9KykVU/IkoCuLQLfaNeTzg
> tI26Puwl1+tHXY+WkJs8uHTsKWaI5Qyh0Fv/6bR3ZSB5QhEkAQSE87WKfSJCe6FX
> i1261C5oLSqA8mWYoyPnkeHuHDFKp9YULnfqgBbLzz/7Y63i0dDgaql5stELZSwa
> XCzUwrEWdxdzgt8h7mnfG6fHn4xxfLeKCiA5e62afjXux4eCGclcytXOpIgl8z7u
> bULhGmxqyYDvjkGXCex/LYtKx+S6zSIMg/8Ior6SrPBy+IK0qUtwPoOssCY4cycd
> 4ZRVdvxjmjbHrzQdV/ZJn+jLqSI016l/lzASP7SUptHb8CjwxZxeCw=> =6Zsw
> -----END PGP SIGNATURE-----
> ---------------Output of GPG------------------
> Decryption of block failed
> gpg: Signature made Tue 25 Nov 2014 11:21:55 AM CET using RSA key ID
0BFDDF6B
> gpg: BAD signature from "Steffen Kaiser <skdovecot at
smail.inf.fh-brs.de>"
>
>
- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBVHWNNXz1H7kL/d9rAQLnnAf7B2u8IlAG8ayWgsGSOF6JQCYE071r8fvd
3QS5d8kLw59wDocUaRgDDZKflk3AJkpQVb4SNsrTKaESHk9W6vpG9U9LMoQH9Kcg
w2R9nr/m5AH7GKx/aZSYpuJYCHZ9uMIv2lMorgUQb8iZdFcSdTa3p/aiDQf/yvjv
yEB4W/tXugLZXsP43sEUjjM4yqaYRDM0D1d9GtohaxuZS+VxuZBEPRLD5Wlkh8cj
4NMrvdgPsAAu3jnhpkOkfRnx6mQ6wyPdd7tU0U8QRFtJcae24c7l8jlK785oEREM
wCPRfp+HejnQWUzZ2XRjevv58LWa2teQ+U36zutN5Aj2/VTo+U7H+g==P2I4
-----END PGP SIGNATURE-----

I?ve removed the dn / dnpass.

When attempting with new user:

$ cat /var/log/dovecot-info.log
Nov 27 00:09:29 imap-login: Info: Internal login failure (pid=5553 id=1)
(internal failure, 1 successful auths): user=<test.user>, method=PLAIN,
rip=10.211.55.29, lip=10.211.55.33, mpid=5558, TLS,
session=<rQXRqdIIZwAK0zcd>
Nov 27 00:09:29 imap-login: Info: Internal login failure (pid=5559 id=1)
(internal failure, 1 successful auths): user=<test.user>, method=PLAIN,
rip=10.211.55.29, lip=10.211.55.33, mpid=5560, TLS,
session=<A/TdqdIIaAAK0zcd>
Nov 27 00:09:29 auth: Info: ldap(test.user at
ad.automaton.uk,10.211.55.29,<mFneqdIIaQAK0zcd>): invalid credentials
(given password: ThisIsAPass123)
Nov 27 00:09:35 auth: Info: ldap(test.user at
ad.automaton.uk,10.211.55.29,<mFneqdIIaQAK0zcd>): invalid credentials
(given password: ThisIsAPass123)
Nov 27 00:09:37 imap-login: Info: Disconnected (auth failed, 2 attempts in 8
secs): user=<test.user at ad.automaton.uk>, method=PLAIN,
rip=10.211.55.29, lip=10.211.55.33, TLS, session=<mFneqdIIaQAK0zcd>

$ cat /var/log/dovecot-debug.log
Nov 27 00:13:07 auth: Debug: Loading modules from directory:
/usr/lib/dovecot/modules/auth
Nov 27 00:13:07 auth: Debug: Loading modules from directory:
/usr/lib/dovecot/modules/auth
Nov 27 00:13:07 auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Nov 27 00:13:07 auth: Debug: Read auth token secret from
/var/run/dovecot/auth-token-secret.dat
Nov 27 00:13:07 auth: Debug: auth client connected (pid=6219)
Nov 27 00:13:07 auth: Debug: client in: AUTH 1 PLAIN service=imap secured
session=/xfdttIIagAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=143 rport=44650
Nov 27 00:13:07 auth: Debug: client passdb out: CONT 1
Nov 27 00:13:07 auth: Debug: client in: CONT 1
AHRlc3QudXNlcgBUaGlzSXNBUGFzczEyMw== (previous base64 data may contain sensitive
data)
Nov 27 00:13:07 auth: Debug: client passdb out: OK 1 user=test.user
Nov 27 00:13:07 auth: Debug: master in: REQUEST 2256273409 6219 1
a99d65893905abf592245098b369359e session_pid=6223 request_auth_token
Nov 27 00:13:07 auth: Debug:
ldap(test.user,10.211.55.29,</xfdttIIagAK0zcd>): user search:
base=cn=users,dc=ad,dc=automaton,dc=uk scope=subtree
filter=(&(name=test.user)(objectClass=person))
fields=homeDirectory,uidNumber,gidNumber
Nov 27 00:13:07 auth: Debug: master userdb out: FAIL 2256273409
Nov 27 00:13:07 auth: Debug: auth client connected (pid=6224)
Nov 27 00:13:07 auth: Debug: client in: AUTH 1 PLAIN service=imap secured
session=gn7dttIIawAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=143 rport=44651
Nov 27 00:13:07 auth: Debug: client passdb out: CONT 1
Nov 27 00:13:07 auth: Debug: client in: CONT 1
AHRlc3QudXNlcgBUaGlzSXNBUGFzczEyMw== (previous base64 data may contain sensitive
data)
Nov 27 00:13:07 auth: Debug: client passdb out: OK 1 user=test.user
Nov 27 00:13:07 auth: Debug: master in: REQUEST 1233256449 6224 1
587c0fc0406dbbdac1ccf4bb6267ff59 session_pid=6225 request_auth_token
Nov 27 00:13:07 auth: Debug:
ldap(test.user,10.211.55.29,<gn7dttIIawAK0zcd>): user search:
base=cn=users,dc=ad,dc=automaton,dc=uk scope=subtree
filter=(&(name=test.user)(objectClass=person))
fields=homeDirectory,uidNumber,gidNumber
Nov 27 00:13:07 auth: Debug: master userdb out: FAIL 1233256449
Nov 27 00:13:07 auth: Debug: auth client connected (pid=6226)
Nov 27 00:13:07 auth: Debug: client in: AUTH 1 PLAIN service=imap secured
session=Ic3dttIIbAAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=143 rport=44652
Nov 27 00:13:07 auth: Debug: client passdb out: CONT 1
Nov 27 00:13:07 auth: Debug: client in: CONT 1
AHRlc3QudXNlckBhZC5hdXRvbWF0b24udWsAVGhpc0lzQVBhc3MxMjM= (previous base64 data
may contain sensitive data)
Nov 27 00:13:09 auth: Debug: client passdb out: FAIL 1 user=test.user at
ad.automaton.uk
Nov 27 00:13:09 auth: Debug: client in: AUTH 2 PLAIN service=imap secured
session=Ic3dttIIbAAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=143 rport=44652
resp=AHRlc3QudXNlckBhZC5hdXRvbWF0b24udWsAVGhpc0lzQVBhc3MxMjM= (previous base64
data may contain sensitive data)
Nov 27 00:13:15 auth: Debug: client passdb out: FAIL 2 user=test.user at
ad.automaton.uk

$ ldapsearch -x -H ldap://dc1.ad.automaton.uk -D
CN=test.user,CN=users,DC=ad,DC=automaton,DC=uk -W - -b
CN=test.user,CN=users,DC=ad,DC=automaton,DC=uk
# extended LDIF
#
# LDAPv3
# base <CN=test.user,CN=users,DC=ad,DC=automaton,DC=uk> with scope subtree
# filter: (objectclass=*)
# requesting: -
#

# test.user, Users, ad.automaton.uk
dn: CN=test.user,CN=Users,DC=ad,DC=automaton,DC=uk

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

And the password on AD for test.user is 100% ThisIsAPass123.



On November 26, 2014 at 12:16:34 AM, Steffen Kaiser (skdovecot at
smail.inf.fh-brs.de<mailto:skdovecot at smail.inf.fh-brs.de>) wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 26 Nov 2014, Aaron Jenkins wrote:
> I?ve attempted the user Mail with the same password with the same result
(binding as my own user was a last-ditch attempt).
OK, what about the:
> As I understand auth_bind_userdn, you do not need
> dn/dnpass anyway, because auth_bind_userdn prevents searching for the
> user's DN
Did you removed the dn/dnpass settings?

What about the:
> I wonder if the log shows the error from this setting or from the
user's
> login attempt. Could you try another user?
If you login with another user (not aaron.jenkins) to IMAP, which
username is listed in the logs then.
>
> aaron at aaron-Parallels-Virtual-Platform:/etc/sssd$ ldapsearch -x -H
ldap://dc1.ad.automaton.uk -D CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
-W - -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk> with
scope subtree
> # filter: (objectclass=*)
> # requesting: -
> #
>
> # aaron.jenkins, Users, ad.automaton.uk
> dn: CN=aaron.jenkins,CN=Users,DC=ad,DC=automaton,DC=uk
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> Same with the user Mail
>
>
>
> On November 25, 2014 at 2:18:26 AM, Steffen Kaiser (skdovecot at
smail.inf.fh-brs.de<mailto:skdovecot at smail.inf.fh-brs.de>) wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 25 Nov 2014, Aaron Jenkins wrote:
>
>> I?m having issues getting Dovecot to work with AD on 2012 R2 in a test
environment.
>> ?
>> Nov 19 09:22:23 auth: Debug: auth client connected (pid=10345)
>> Nov 19 09:22:23 auth: Debug: client in: AUTH 1 PLAIN service=imap
secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=993
rport=56395
>> Nov 19 09:22:23 auth: Debug: client passdb out: CONT 1
>> Nov 19 09:22:23 auth: Debug: client in: CONT 1 (previous base64 data
may contain sensitive data)
>> Nov 19 09:22:29 auth: Debug: client passdb out: FAIL 1
user=aaron.jenkins temp
>
> Your conf:
> auth_bind = yes
> dn = aaron.jenkins
> dnpass = dummypass1
> auth_bind_userdn = CN=%u,CN=users,DC=ad,DC=automaton,DC=uk
>
> Can you really succeed a simple auth with the dn aaron.jenkins ? This
> ought to be a full DN. As I understand auth_bind_userdn, you do not need
> dn/dnpass anyway, because auth_bind_userdn prevents searching for the
> user's DN, in which case Dovecot requires a connection before any user
> bind takes place.
>
> I wonder if the log shows the error from this setting or from the
user's
> login attempt. Could you try another user?
>
> Can you auth from command line via
>
> ldapsearch -x -H ldap://dc1.ad.automaton.uk -D \
> CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W \
> - -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
>
> - --
> Steffen Kaiser
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iQEVAwUBVHRYQ3z1H7kL/d9rAQLlKgf9GB2o0/T84E9KykVU/IkoCuLQLfaNeTzg
> tI26Puwl1+tHXY+WkJs8uHTsKWaI5Qyh0Fv/6bR3ZSB5QhEkAQSE87WKfSJCe6FX
> i1261C5oLSqA8mWYoyPnkeHuHDFKp9YULnfqgBbLzz/7Y63i0dDgaql5stELZSwa
> XCzUwrEWdxdzgt8h7mnfG6fHn4xxfLeKCiA5e62afjXux4eCGclcytXOpIgl8z7u
> bULhGmxqyYDvjkGXCex/LYtKx+S6zSIMg/8Ior6SrPBy+IK0qUtwPoOssCY4cycd
> 4ZRVdvxjmjbHrzQdV/ZJn+jLqSI016l/lzASP7SUptHb8CjwxZxeCw=> =6Zsw
> -----END PGP SIGNATURE-----
> ---------------Output of GPG------------------
> Decryption of block failed
> gpg: Signature made Tue 25 Nov 2014 11:21:55 AM CET using RSA key ID
0BFDDF6B
> gpg: BAD signature from "Steffen Kaiser <skdovecot at
smail.inf.fh-brs.de>"
>
>
- --
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBVHWNNXz1H7kL/d9rAQLnnAf7B2u8IlAG8ayWgsGSOF6JQCYE071r8fvd
3QS5d8kLw59wDocUaRgDDZKflk3AJkpQVb4SNsrTKaESHk9W6vpG9U9LMoQH9Kcg
w2R9nr/m5AH7GKx/aZSYpuJYCHZ9uMIv2lMorgUQb8iZdFcSdTa3p/aiDQf/yvjv
yEB4W/tXugLZXsP43sEUjjM4yqaYRDM0D1d9GtohaxuZS+VxuZBEPRLD5Wlkh8cj
4NMrvdgPsAAu3jnhpkOkfRnx6mQ6wyPdd7tU0U8QRFtJcae24c7l8jlK785oEREM
wCPRfp+HejnQWUzZ2XRjevv58LWa2teQ+U36zutN5Aj2/VTo+U7H+g==P2I4
-----END PGP SIGNATURE-----