dovecot - Dec 2017 - Howto authenticate smartPhone via Active Directory

Hi Mark,

Just to let you know that we are running dovecot with AD. (and I guess: 
*many* people are running that combination)

It worked without issues, we are using in dovecot-ldap.conf.ext:

 > auth_bind = yes

this user/passwd filter:
> = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
 > dn = cn=search_dovecit,cn=users,dc=company,dc=com
 > dnpass = top_secret

And not the 3268 port, but regular 389.

Hope that helps.

MJ



On 12/04/2017 01:38 AM, Mark Foley wrote:
> Unfortunately, I tried for weeks to figure out passdb ldap without success.
I guess I'm just
> not knowledgeable enough about how to use ldap and Active Directory. The
dovecot wiki
> https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All
it says is:
> 
> Active Directory
> 
> When connecting to AD, you may need to use port 3268. Then again, not all
LDAP fields are
> available in port 3268. Use whatever works.
http://technet.microsoft.com/en-us/library/cc978012.aspx
> 
> I have not been able to find an example of someone using Dovecot and ldap
with AD.
> 
> However, I have had some success with CheckPassword
> (https://wiki2.dovecot.org/AuthDatabase/CheckPassword).  Using a program I
wrote to do
> ntlm_auth, I am able to authenticate the smartPhone user and pass the
required parameters back
> to Dovecot.  My auth-checkpasswd.conf.ext is the as-shipped standard except
pointing to my
> checkpassword executable.
> 
> passdb {
> 	  driver = checkpassword
> 	    args = /user/util/bin/checkpassword
> }
> userdb {
> 	  driver = prefetch
> }
> 
> The one issue I have with this at the moment is that dovecot runs
checkpassword for every user,
> smartphone or otherwise:
> 
> Dec 03 18:56:32 auth-worker(14903): Info:
shadow(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): unknown user  - trying
the next passdb
> Dec 03 18:56:32 auth: Debug:
checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): execute:
/user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
> Dec 03 18:56:32 auth: Debug:
checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Received input:
> Dec 03 18:56:32 auth: Debug:
checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): exit_status=1
> Dec 03 18:56:32 auth: Debug:
checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Credentials:
> Dec 03 18:56:32 auth: Debug: client passdb out: OK      1      
user=charmaine  original_user=charmaine at HPRS.LOCAL
> Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001      14902   1  
586863e54c57c999ee5731906a59257c        session_pid=14907 request_auth_token
> Dec 03 18:56:32 auth-worker(14903): Debug:
passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): lookup
> Dec 03 18:56:32 auth-worker(14903): Debug:
passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): username changed
charmaine -> HPRS\charmaine
> Dec 03 18:56:32 auth: Debug: master userdb out: USER    1884160001     
HPRS\charmaine  system_groups_user=HPRS\charmaineuid=10003        gid=10000     
home=/home/HPRS/charmaine      
auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7     auth_user=charmaine at
HPRS.LOCAL
> Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>,
method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS,
session=<oy/YWXhfAtXAqAA0>
> Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)
> 
> Notice after the "shadow" auth fails it says, "unknown user
- trying the next passdb", which is
> checkpassword (which apparently succeeds), then it goes on to gssapi which
also succeeds.  Is
> there a way to only have it do checkpassword if all shadow and gssapi fail?
My mechanisms are:
> 
> auth_mechanisms = plain login gssapi
> 
> THX, --Mark
> 
> --Mark
> 
> -----Original Message-----
> Date: Sun, 03 Dec 2017 22:28:53 +0200
> Subject: Re: Howto authenticate smartPhone via Active Directory
> From: Aki Tuomi <aki.tuomi at dovecot.fi>
> To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org
> 
> with passdb ldap i guess.
> 
> ---Aki Tuomi
> Dovecot oy
> 
> -------- Original message --------
> From: Mark Foley <mfoley at ohprs.org>
> Date: 03/12/2017  21:18  (GMT+02:00)
> To: dovecot at dovecot.org
> Subject: Re: Howto authenticate smartPhone via Active Directory
> 
> Yes, you are right. This link:
https://www.redips.net/linux/android-email-postfix-auth/#section2
> shows:
> 
> passdb pam {
> }
> 
> used for authenticating Android.? Problem #1 is that Slackware does not
ship with PAM and the
> AD/DC Samba4 does not use it. It is used on Slackware for a domain member,
but I'm not sure I
> should try configuring PAM on the AD/DC.
> 
> Is there some otherway I can get authentication using domain credentials
besides pam? the phone
> can send user and password.
> 
> --Mark
> 
> -----Original Message-----
>> Date: Sun, 03 Dec 2017 15:22:56 +0200
>> Subject: Re: Howto authenticate smartPhone via Active Directory
>> From: Aki Tuomi <aki.tuomi at dovecot.fi>
>> To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org
>>
>> Actually you are authenticating gssapi clients from ad and everyone
else from shadow. maybe you need to configure pam module?
>> ---Aki TuomiDovecot oy
>>
>> -------- Original message --------
>> From: Mark Foley <mfoley at ohprs.org>
>> Date: 03/12/2017? 06:03? (GMT+02:00)
>> To: dovecot at dovecot.org
>> Subject: Howto authenticate smartPhone via Active Directory
> 
>> I have a Samba4 Active Directory server. Dovecot authenticates AD Users
with domain credentials
>> using GSSAPI (Thunderbird client). I believe I have Dovecot set to
attempt authentication via
>> shadow first and. failing that, it does authenticate via GSSAPI.
>>
>> Smartphones connect to Dovecot via port 143 and SSL.? They are not
domain members so if the
>> shadow authentication fails, no other methods are tried and no
connection is made.
>>
>> What can I do with my dovecot config to fix this?
>>
>>> doveconf -n
>> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
>> # OS: Linux 4.4.88 x86_64 Slackware 14.2
>> auth_debug = yes
>> auth_debug_passwords = yes
>> auth_gssapi_hostname = $ALL
>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>> auth_mechanisms = plain login gssapi
>> auth_use_winbind = yes
>> auth_username_format = %n
>> auth_verbose = yes
>> auth_verbose_passwords = plain
>> disable_plaintext_auth = no
>> info_log_path = /var/log/dovecot_info
>> mail_location = maildir:~/Maildir
>> passdb {
>>  ? driver = shadow
>> }
>> protocols = imap
>> ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt
>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
>> userdb {
>>  ? driver = passwd
>> }
>> verbose_ssl = yes
>>
>> Thanks, Mark
>

mj - thanks! That the first useful example I've received from any
forum/list. I'm getting ready
to try my config (have to do so after hours), but I have some probably
simple-minded questions:

Your example is not the complete dovecot-ldap.conf.ext file, right? Have you
just given me
differences in your config from the "original"? You've kept the
hosts, base, ldap_version,
scope, deref, debug_level, and auth_bind_userdn settings in your config, right?

Your dn is:

dn = cn=search_dovecit,cn=users,dc=company,dc=com

Mine (original) is:

dn = cn=user_for_bind,cn=Users,dc=dom

Can you tell me why you have "search_dovecit" versus
"user_for_bind"? Is that something I need
in order to make this work?

Is your "dc=company,dc=com" meta-syntax and you use your actual domain
CNs here, or is that
litterally what you have there?

My dnpass (original) is:

dnpass = ************

your example is:

dnpass = top_secret

Again, are the assigned values meta-syntax (meta-syntax in configs is not
obvious to me unless
it is bold, underlined, italicized and colored ... or uses brackets or some
other convention)?
If meta, what is actually supposed to go there?

With your "this user/passwd filter". Can you tell me why you have
"userAccountControl=514"? Is
that 514 bit documented somewhere? Your user_filer/pass_filter is *completely*
different from
my installed original.

You don't mention the user_attrs/pass_attrs settings. Is this because you
use the originals or
because you have commented them out? My current settings are:

user_attrs      = quotaFieldAD=quota_rule=*:storage=%$MB
pass_attrs      = userPassword=password

My auth_mechanisms are:

auth_mechanisms = plain login gssapi

Is this sufficient for ldap?

Thanks for your help --Mark

btw - I have been running Dovecot with AD for years, but for local Domain users
authenticating
via GSSAPI.  Remote users (e.g. smartPhones) don't have that mechanism that
I'm aware of.
Currently they are authenticated via shadow, but I'd like to remove AD users
from /etc/passwd.

On Mon, 4 Dec 2017 09:04:57 +0100 mj <lists at merit.unu.edu>
wrote
>
> Hi Mark,
>
> Just to let you know that we are running dovecot with AD. (and I guess: 
> *many* people are running that combination)
>
> It worked without issues, we are using in dovecot-ldap.conf.ext:
>
>  > auth_bind = yes
>
> this user/passwd filter:
> > =
(&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
>
>  > dn = cn=search_dovecit,cn=users,dc=company,dc=com
>  > dnpass = top_secret
>
> And not the 3268 port, but regular 389.
>
> Hope that helps.
>
> MJ
>
>
>
> On 12/04/2017 01:38 AM, Mark Foley wrote:
> > Unfortunately, I tried for weeks to figure out passdb ldap without
success. I guess I'm just
> > not knowledgeable enough about how to use ldap and Active Directory.
The dovecot wiki
> > https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much.
All it says is:
> > 
> > Active Directory
> > 
> > When connecting to AD, you may need to use port 3268. Then again, not
all LDAP fields are
> > available in port 3268. Use whatever works.
http://technet.microsoft.com/en-us/library/cc978012.aspx
> > 
> > I have not been able to find an example of someone using Dovecot and
ldap with AD.
> > 
> > However, I have had some success with CheckPassword
> > (https://wiki2.dovecot.org/AuthDatabase/CheckPassword).  Using a
program I wrote to do
> > ntlm_auth, I am able to authenticate the smartPhone user and pass the
required parameters back
> > to Dovecot.  My auth-checkpasswd.conf.ext is the as-shipped standard
except pointing to my
> > checkpassword executable.
> > 
> > passdb {
> > 	  driver = checkpassword
> > 	    args = /user/util/bin/checkpassword
> > }
> > userdb {
> > 	  driver = prefetch
> > }
> > 
> > The one issue I have with this at the moment is that dovecot runs
checkpassword for every user,
> > smartphone or otherwise:
> > 
> > Dec 03 18:56:32 auth-worker(14903): Info:
shadow(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): unknown user  - trying
the next passdb
> > Dec 03 18:56:32 auth: Debug:
checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): execute:
/user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
> > Dec 03 18:56:32 auth: Debug:
checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Received input:
> > Dec 03 18:56:32 auth: Debug:
checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): exit_status=1
> > Dec 03 18:56:32 auth: Debug:
checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Credentials:
> > Dec 03 18:56:32 auth: Debug: client passdb out: OK      1      
user=charmaine  original_user=charmaine at HPRS.LOCAL
> > Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001      14902 
1       586863e54c57c999ee5731906a59257c        session_pid=14907
request_auth_token
> > Dec 03 18:56:32 auth-worker(14903): Debug:
passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): lookup
> > Dec 03 18:56:32 auth-worker(14903): Debug:
passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): username changed
charmaine -> HPRS\charmaine
> > Dec 03 18:56:32 auth: Debug: master userdb out: USER    1884160001    
HPRS\charmaine  system_groups_user=HPRS\charmaineuid=10003        gid=10000     
home=/home/HPRS/charmaine      
auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7     auth_user=charmaine at
HPRS.LOCAL
> > Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>,
method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS,
session=<oy/YWXhfAtXAqAA0>
> > Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)
> > 
> > Notice after the "shadow" auth fails it says, "unknown
user - trying the next passdb", which is
> > checkpassword (which apparently succeeds), then it goes on to gssapi
which also succeeds.  Is
> > there a way to only have it do checkpassword if all shadow and gssapi
fail? My mechanisms are:
> > 
> > auth_mechanisms = plain login gssapi
> > 
> > THX, --Mark
> > 
> > --Mark
> > 
> > -----Original Message-----
> > Date: Sun, 03 Dec 2017 22:28:53 +0200
> > Subject: Re: Howto authenticate smartPhone via Active Directory
> > From: Aki Tuomi <aki.tuomi at dovecot.fi>
> > To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org
> > 
> > with passdb ldap i guess.
> > 
> > ---Aki Tuomi
> > Dovecot oy
> > 
> > -------- Original message --------
> > From: Mark Foley <mfoley at ohprs.org>
> > Date: 03/12/2017  21:18  (GMT+02:00)
> > To: dovecot at dovecot.org
> > Subject: Re: Howto authenticate smartPhone via Active Directory
> > 
> > Yes, you are right. This link:
https://www.redips.net/linux/android-email-postfix-auth/#section2
> > shows:
> > 
> > passdb pam {
> > }
> > 
> > used for authenticating Android.? Problem #1 is that Slackware does
not ship with PAM and the
> > AD/DC Samba4 does not use it. It is used on Slackware for a domain
member, but I'm not sure I
> > should try configuring PAM on the AD/DC.
> > 
> > Is there some otherway I can get authentication using domain
credentials besides pam? the phone
> > can send user and password.
> > 
> > --Mark
> > 
> > -----Original Message-----
> >> Date: Sun, 03 Dec 2017 15:22:56 +0200
> >> Subject: Re: Howto authenticate smartPhone via Active Directory
> >> From: Aki Tuomi <aki.tuomi at dovecot.fi>
> >> To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org
> >>
> >> Actually you are authenticating gssapi clients from ad and
everyone else from shadow. maybe you need to configure pam module?
> >> ---Aki TuomiDovecot oy
> >>
> >> -------- Original message --------
> >> From: Mark Foley <mfoley at ohprs.org>
> >> Date: 03/12/2017? 06:03? (GMT+02:00)
> >> To: dovecot at dovecot.org
> >> Subject: Howto authenticate smartPhone via Active Directory
> > 
> >> I have a Samba4 Active Directory server. Dovecot authenticates AD
Users with domain credentials
> >> using GSSAPI (Thunderbird client). I believe I have Dovecot set to
attempt authentication via
> >> shadow first and. failing that, it does authenticate via GSSAPI.
> >>
> >> Smartphones connect to Dovecot via port 143 and SSL.? They are not
domain members so if the
> >> shadow authentication fails, no other methods are tried and no
connection is made.
> >>
> >> What can I do with my dovecot config to fix this?
> >>
> >>> doveconf -n
> >> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> >> # OS: Linux 4.4.88 x86_64 Slackware 14.2
> >> auth_debug = yes
> >> auth_debug_passwords = yes
> >> auth_gssapi_hostname = $ALL
> >> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> >> auth_mechanisms = plain login gssapi
> >> auth_use_winbind = yes
> >> auth_username_format = %n
> >> auth_verbose = yes
> >> auth_verbose_passwords = plain
> >> disable_plaintext_auth = no
> >> info_log_path = /var/log/dovecot_info
> >> mail_location = maildir:~/Maildir
> >> passdb {
> >>  ? driver = shadow
> >> }
> >> protocols = imap
> >> ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt
> >> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> >> userdb {
> >>  ? driver = passwd
> >> }
> >> verbose_ssl = yes
> >>
> >> Thanks, Mark
> > 
>

Hi,

Not much time to reply now.

On 12/05/2017 05:21 AM, Mark Foley wrote:
> mj - thanks! That the first useful example I've received from any
forum/list. I'm getting ready
> to try my config (have to do so after hours), but I have some probably
simple-minded questions:
Well, that looks as if you are testing/trying out on your production 
machine. Why not setup a seperate (virtual?) test server to play with..? 
Use the same os version, with the same dovecot version.
Or clone your production machine, so you can test as much as you like, 
without time pressure, at any given time.
> Your example is not the complete dovecot-ldap.conf.ext file, right? Have
you just given me
> differences in your config from the "original"? You've kept
the hosts, base, ldap_version,
> scope, deref, debug_level, and auth_bind_userdn settings in your config,
right?
Not the complete file, no. I just provided the essentials.
> Your dn is:
> 
> dn = cn=search_dovecit,cn=users,dc=company,dc=com
> 
> Mine (original) is:
> 
> dn = cn=user_for_bind,cn=Users,dc=dom
> 
> Can you tell me why you have "search_dovecit" versus
"user_for_bind"? Is that something I need
> in order to make this work?
It's the user that dovecot uses to search for your user, Can be 
anything, as long as it can authenticate using the password in:
> My dnpass (original) is:
> 
> dnpass = ************
> 
> your example is:
> 
> dnpass = top_secret
Use the password of whatever user you use.
> If meta, what is actually supposed to go there?
The password of user_for_bind
> With your "this user/passwd filter". Can you tell me why you have
"userAccountControl=514"? Is
> that 514 bit documented somewhere? Your user_filer/pass_filter is
*completely* different from
> my installed original.
https://social.msdn.microsoft.com/Forums/vstudio/en-US/77f48af7-bbef-4cd7-9c83-d9359b255534/ldap-query-get-nonlockeddisabled-accounts?forum=netfxbcl

For the rest: my advise is that you *really* need to pay around with 
this much more. Get yourself a test environment, and play and test.

Plus: read some dovecot/ad howto's, and try things in your own environment.

Quick google returns:
https://www.howtoforge.com/postfix-dovecot-authentication-against-active-directory-on-centos-5.x

Enjoy :-)

MJ