On 1.10.2019 17.33, David Wells - Alfavinil S.A. via dovecot wrote:
> Good morning.
>
> I was just reading
> https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups and found
> the following statement
>> When using LDA <https://wiki.dovecot.org/LDA> and static userdb,
>> deliver can check if destination user exists. With auth binds this
>> check isn't possible.
>
> Is this still relevant? Is there a workaround? It seems like using
> Dovecot's LMTP in an Active Directory environment is not possible, is
> this correct?
>
You cannot check user existence with auth binds because auth bind requires user credentials.

This is why I suggested you use a "service user" in LDAP to perform the database lookups instead of auth binds. You can still authenticate your users using kerberos.

Aki
Is there anywhere an example of how this would be set up? I understand the use of a service account, which I have already set up, but I can't figure out how to use this service account to retrieve information and authenticate users.

Thanks!
Best regards,
David Wells.

On 02/10/2019 at 04:29, Aki Tuomi wrote:
> On 1.10.2019 17.33, David Wells - Alfavinil S.A. via dovecot wrote:
>> Good morning.
>>
>> I was just reading
>> https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups and found
>> the following statement
>>> When using LDA <https://wiki.dovecot.org/LDA> and static userdb,
>>> deliver can check if destination user exists. With auth binds this
>>> check isn't possible.
>>
>> Is this still relevant? Is there a workaround? It seems like using
>> Dovecot's LMTP in an Active Directory environment is not possible, is
>> this correct?
>>
> You cannot check user existence with auth binds because auth bind
> requires user credentials.
>
> This is why I suggested you use a "service user" in LDAP to perform
> the database lookups instead of auth binds. You can still authenticate
> your users using kerberos.
>
> Aki
You set 'auth_bind' to 'no' and you make sure 'dn' and 'dnpass' are properly configured with a user with enough privileges to read users' passwords. And also, you make sure your pass_attrs contains a password attribute (containing the user's password hash).

> On 2 Oct 2019 at 19:33, David Wells - Alfavinil S.A. via dovecot <dovecot at dovecot.org> wrote:
>
> Is there anywhere an example of how this would be set up? I understand the use of a service account, which I have already set up, but I can't figure out how to use this service account to retrieve information and authenticate users.
>
> Thanks!
> Best regards,
> David Wells.
>
>
> On 02/10/2019 at 04:29, Aki Tuomi wrote:
>>
>> On 1.10.2019 17.33, David Wells - Alfavinil S.A. via dovecot wrote:
>>> Good morning.
>>>
>>> I was just reading https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups <https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups> and found the following statement
>>>> When using LDA <https://wiki.dovecot.org/LDA> and static userdb, deliver can check if destination user exists. With auth binds this check isn't possible.
>>>
>>> Is this still relevant? Is there a workaround? It seems like using Dovecot's LMTP in an Active Directory environment is not possible, is this correct?
>>>
>> You cannot check user existence with auth binds because auth bind requires user credentials.
>>
>> This is why I suggested you use a "service user" in LDAP to perform the database lookups instead of auth binds. You can still authenticate your users using kerberos.
>>
>> Aki
>>
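The reply above lists the settings but not a file. The following is an added worked example, not configuration posted in this thread or shipped by the Dovecot project. It shows what "auth_bind = no, a service account in dn/dnpass, and a password attribute in pass_attrs" looks like in dovecot-ldap.conf.ext, together with the userdb section that gives LMTP/LDA its user-existence check (Dovecot performs userdb lookups with the dn/dnpass service account). The host name, base DN, service account, filters and attribute names are assumptions for an OpenLDAP-style directory that stores a readable userPassword hash. Active Directory does not expose user password hashes over LDAP, so in an AD environment the passdb half of this file cannot work as written and authentication has to stay on auth binds or on the Kerberos/GSSAPI route Aki mentions; the userdb half with the service account still applies there.

```conf
# /etc/dovecot/conf.d/auth-ldap.conf.ext (added example, not from the thread)
# Both passdb and userdb point at the same LDAP settings file below.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# /etc/dovecot/dovecot-ldap.conf.ext (added example; names below are assumptions)
# Keep this file root-owned, mode 0600: it holds the service account password.

hosts = ldap.example.com
# Use TLS so dnpass and the password hashes read back never cross the
# network in the clear; demand a valid server certificate.
tls = yes
tls_require_cert = demand

# Service account used for every lookup. With auth_bind = no Dovecot never
# binds as the end user; it reads the hash and verifies the password itself,
# so this account needs read access to the password attribute.
dn = cn=dovecot-svc,ou=service,dc=example,dc=com
dnpass = replace-with-the-service-account-password

auth_bind = no

base = ou=people,dc=example,dc=com
scope = subtree

# passdb lookup: %Lu is the login name lowercased.
pass_filter = (&(objectClass=inetOrgPerson)(uid=%Lu))
# The attribute carrying the hash; the stored value is expected in the
# default_pass_scheme format unless it carries its own {SCHEME} prefix.
pass_attrs = userPassword=password
default_pass_scheme = SSHA

# userdb lookup: run with the service account regardless of auth_bind, so
# LMTP/LDA can reject delivery to addresses that do not exist in LDAP.
user_filter = (&(objectClass=inetOrgPerson)(uid=%Lu))
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
```

Before pointing Dovecot at the directory, test the service account with an ordinary LDAP client using the same DN, password and pass_filter and confirm it can read userPassword for a test user; if the attribute comes back empty, the account lacks the read privilege the reply refers to and passdb lookups will fail for everyone. Aki's Kerberos suggestion is a separate login mechanism (auth_mechanisms = gssapi) that does not use pass_attrs at all and is not shown here.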