Christian Hailer
2013-Jan-14 22:29 UTC
[Samba] Samba4 AD delegation to read userPassword attribute
Hello Samba group, I ran into a problem concerning Dovecot LDAP authentication to the Samba4 Active Directory. Background: I want to install a Openchange+Samba4 environment using Sogo, Dovecot and Postfix. I didn't want to use openldap as described in the Openchange documentation, why should I use 2 LDAP databases? Fedora 17, latest updates applied Samba: Version 4.1.0pre1-GIT-813bd03 dovecot-2.1.10-4.fc17.i686 At first I tried to use the auth_bind method of Dovecot, but very soon I realized (via tcpdump) that you first have to authenticate to Samba4: ... searchResDone resultCode: operationsError (1) matchedDN: Operation unavailable without authentication ... I defined the properties in dovecot-ldap.conf like this: --------------------------------------------------- uris = ldaps://192.168.0.1:636 dn = cn=ldap,ou=USER,dc=example,dc=de dnpass = somepassword base = dc=example,dc=de scope = subtree deref = never user_attrs = sAMAccountName=uid,primaryGroupID=gid user_filter = (sAMAccountName=%u) pass_attrs = mail=user,userPassword=password pass_filter = (sAMAccountName=%u) --------------------------------------------------- So trying to authenticate to Dovecot with a telnet connection>telnet localhost 143Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready. 1 login someuser somepassword results in the error message "result: mail=someuser at example.de; userPassword missing" A tcpdump shows the following searchRequest: --------------------------------------------------- Lightweight Directory Access Protocol LDAPMessage searchRequest(2) "dc=example,dc=de" wholeSubtree ... Filter: (sAMAccountName=someuser) filter: equalityMatch (3) equalityMatch attributeDesc: sAMAccountName assertionValue: someuser attributes: 2 items AttributeDescription: mail AttributeDescription: userPassword --------------------------------------------------- As a result I get: --------------------------------------------------- Lightweight Directory Access Protocol LDAPMessage searchResEntry(2) "CN=someuser, OU=USER,DC=example,DC=de" [1 result] ... searchResEntry objectName: CN=someuser, OU=USER,DC=example,DC=de attributes: 1 item PartialAttributeList item mail type: mail vals: 1 item AttributeValue: someuser at exchange.de --------------------------------------------------- So unfortunately the "userPassword" attribute is missing. Now, I remembered the "Control Delegation Wizard" from Microsoft AD where you have to delegate permission to read all user properties to a user account in order to be able to authenticate i.e. pam_ldap users on a linux server. I delegated the appropriate permissions to the "ldap" user used in dovecot-ldap.conf above, but the behaviour did not change, the "userPassword" attribute won't be delivered to the "ldap" user. Is anybody out there who ran into the same problem? Best regards, Christian
Achim Gottinger
2013-Jan-15 12:44 UTC
[Samba] Samba4 AD delegation to read userPassword attribute
Running the environment you described (beside openchange). I guess you need acl:read=false in your smb.conf. achim~ Am 14.01.2013 23:29, schrieb Christian Hailer:> Hello Samba group, > > I ran into a problem concerning Dovecot LDAP authentication to the Samba4 Active Directory. > > Background: I want to install a Openchange+Samba4 environment using Sogo, Dovecot and Postfix. I didn't want to use openldap as described in the Openchange documentation, why should I use 2 LDAP databases? > > Fedora 17, latest updates applied > Samba: Version 4.1.0pre1-GIT-813bd03 > dovecot-2.1.10-4.fc17.i686 > > At first I tried to use the auth_bind method of Dovecot, but very soon I realized (via tcpdump) that you first have to authenticate to Samba4: > > ... > searchResDone > resultCode: operationsError (1) > matchedDN: > Operation unavailable without authentication > ... > > I defined the properties in dovecot-ldap.conf like this: > > --------------------------------------------------- > uris = ldaps://192.168.0.1:636 > dn = cn=ldap,ou=USER,dc=example,dc=de > dnpass = somepassword > > base = dc=example,dc=de > scope = subtree > deref = never > > user_attrs = sAMAccountName=uid,primaryGroupID=gid > user_filter = (sAMAccountName=%u) > > pass_attrs = mail=user,userPassword=password > pass_filter = (sAMAccountName=%u) > --------------------------------------------------- > > So trying to authenticate to Dovecot with a telnet connection > >> telnet localhost 143 > Trying 127.0.0.1... > Connected to localhost. > Escape character is '^]'. > * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready. > 1 login someuser somepassword > > results in the error message "result: mail=someuser at example.de; userPassword missing" > > A tcpdump shows the following searchRequest: > > --------------------------------------------------- > Lightweight Directory Access Protocol > LDAPMessage searchRequest(2) "dc=example,dc=de" wholeSubtree > ... > Filter: (sAMAccountName=someuser) > filter: equalityMatch (3) > equalityMatch > attributeDesc: sAMAccountName > assertionValue: someuser > attributes: 2 items > AttributeDescription: mail > AttributeDescription: userPassword > --------------------------------------------------- > > As a result I get: > > --------------------------------------------------- > Lightweight Directory Access Protocol > LDAPMessage searchResEntry(2) "CN=someuser, OU=USER,DC=example,DC=de" [1 result] > ... > searchResEntry > objectName: CN=someuser, OU=USER,DC=example,DC=de > attributes: 1 item > PartialAttributeList item mail > type: mail > vals: 1 item > AttributeValue: someuser at exchange.de > --------------------------------------------------- > > So unfortunately the "userPassword" attribute is missing. Now, I remembered the "Control Delegation Wizard" from Microsoft AD where you have to delegate permission to read all user properties to a user account in order to be able to authenticate i.e. pam_ldap users on a linux server. > > I delegated the appropriate permissions to the "ldap" user used in dovecot-ldap.conf above, but the behaviour did not change, the "userPassword" attribute won't be delivered to the "ldap" user. > > Is anybody out there who ran into the same problem? > > Best regards, Christian > > > > > > > > > > > > > > > > > > > >
Christian Hailer
2013-Jan-15 19:15 UTC
[Samba] Samba4 AD delegation to read userPassword attribute
-------- Originalnachricht -------- Betreff: Re: [Samba] Samba4 AD delegation to read userPassword attribute Von: Christian Hailer <Chrissi at amusing.de> An: Achim Gottinger <achim at ag-web.biz> Cc: Hi Achim, thank you for this information! Unfortunately it doesn't work in my environment, the userPassword attribute still can't be read by the "ldap" user... I tried to bind with the domain administrator account, there it doesn't work too. Would it be possible for you to post your dovecot.conf, dovecot-ldap.conf and smb.conf files? Maybe I made a mistake somewhere... Thanks in advance, Christian Achim Gottinger <achim at ag-web.biz> schrieb: Running the environment you described (beside openchange). I guess you need acl:read=false in your smb.conf. achim~ Am 14.01.2013 23:29, schrieb Christian Hailer:> Hello Samba group, > > I ran into a problem concerning Dovecot LDAP authentication to the Samba4 Active Directory. > > Background: I want to install a Openchange+Samba4 environment using Sogo, Dovecot and Postfix. I didn't want to use openldap as described in the Openchange documentation, why should I use 2 LDAP databases? > > Fedora 17, latest updates applied > Samba: Version 4.1.0pre1-GIT-813bd03 > dovecot-2.1.10-4.fc17.i686 > > At first I tried to use the auth_bind method of Dovecot, but very soon I realized (via tcpdump) that you first have to authenticate to Samba4: > > ... > searchResDone > resultCode: operationsError (1) > matchedDN: > Operation unavailable without authentication > ... > > I defined the properties in dovecot-ldap.conf like this: > > --------------------------------------------------- > uris = ldaps://192.168.0.1:636 > dn = cn=ldap,ou=USER,dc=example,dc=de > dnpass = somepassword > > base = dc=example,dc=de > scope = subtree > deref = never > > user_attrs = sAMAccountName=uid,primaryGroupID=gid > user_filter = (sAMAccountName=%u) > > pass_attrs = mail=user,userPassword=password > pass_filter = (sAMAccountName=%u) > --------------------------------------------------- > > So trying to authenticate to Dovecot with a telnet connection > >> telnet localhost 143 > Trying 127.0.0.1... > Connected to localhost. > Escape character is '^]'. > * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready. > 1 login someuser somepassword > > results in the error message "result: mail=someuser at example.de; userPassword missing" > > A tcpdump shows the following searchRequest: > > --------------------------------------------------- > Lightweight Directory Access Protocol > LDAPMessage searchRequest(2) "dc=example,dc=de" wholeSubtree > ... > Filter: (sAMAccountName=someuser) > filter: equalityMatch (3) > equalityMatch > attributeDesc: sAMAccountName > assertionValue: someuser > attributes: 2 items > AttributeDescription: mail > AttributeDescription: userPassword > --------------------------------------------------- > > As a result I get: > > --------------------------------------------------- > Lightweight Directory Access Protocol > LDAPMessage searchResEntry(2) "CN=someuser, OU=USER,DC=example,DC=de" [1 result] > ... > searchResEntry > objectName: CN=someuser, OU=USER,DC=example,DC=de > attributes: 1 item > PartialAttributeList item mail > type: mail > vals: 1 item > AttributeValue: someuser at exchange.de > --------------------------------------------------- > > So unfortunately the "userPassword" attribute is missing. Now, I remembered the "Control Delegation Wizard" from Microsoft AD where you have to delegate permission to read all user properties to a user account in order to be able to authenticate i.e. pam_ldap users on a linux server. > > I delegated the appropriate permissions to the "ldap" user used in dovecot-ldap.conf above, but the behaviour did not change, the "userPassword" attribute won't be delivered to the "ldap" user. > > Is anybody out there who ran into the same problem? > > Best regards, Christian > > > > > > > > > > > > > > > > > > > >-- To unsubscribe from this list go to the following URL and read the instructions: lists.samba.org/mailman/options/samba
Achim Gottinger
2013-Jan-15 20:41 UTC
[Samba] Samba4 AD delegation to read userPassword attribute
Am 15.01.2013 20:02, schrieb Christian Hailer:> Hi Achim, > > thank you for this information! Unfortunately it doesn't work in my environment, the userPassword attribute still can't be read by the "ldap" user... > I tried to bind with the domain administrator account, there it doesn't work too. > > Would it be possible for you to post your dovecot.conf, dovecot-ldap.conf and smb.conf files? Maybe I made a mistake somewhere...I use different configs for passdb and userdb for Dovecot. Dovecot stores all mail's as user vmail.vmail(999:999) in /var/lib/vmail/[username]/mail here so you might have to modify the user_attrs mappings. With these separate config for userdb and passdb, auth_bind works for passdb and pass_attrs are not necessary. dovecot-ldap.conf passdb { driver = ldap args = /etc/dovecot/dovecot-ldap-passdb.conf.ext } userdb { driver = ldap args = /etc/dovecot/dovecot-ldap-userdb.conf.ext } dovecot-ldap-passdb.conf.ext ----------------------------------- hosts = localhost auth_bind = yes auth_bind_userdn = cn=%u,cn=Users,dc=example,dc=de ldap_version = 3 base = cn=Users,dc=example,dc=de pass_filter = (&(objectClass=person)(cn=%u)(mail=*)) ----------------------------------- dovecot-ldap-userdb.conf.ext ----------------------------------- hosts = localhost dn = cn=ldap,cn=Users,dc=example,dc=de dnpass = password ldap_version = 3 base = cn=Users,dc=example,dc=de user_attrs = =uid=999,=gid=999,=home=/var/lib/vmail/%u,=mail=/var/lib/vmail/%u/mail user_filter = (&(objectClass=person)(cn=%u)(mail=*)) # Attributes and filter to get a list of all users iterate_attrs = cn=user iterate_filter = (objectClass=person) -----------------------------------