Hi, I have no success in using AD with dovecot.
The little checkpassword script I cooked up that uses ldapsearch to lookup a
user DN (with an authenticated bind) and then ldapsearch with an authenticated
bind for that DN again works well.
* Approach 1: use a service account to bind to AD, lookup the user DN, and bind
to that DN.
It fails. The LDAP config looks like:
hosts = dc2.office.on2it.net
ldap_version = 3
base = dc=office,dc=on2it,dc=net
scope=subtree
auth_bind = yes
dn = CN=DovecotSvc,OU=Svcs,DC=office,DC=on2it,DC=net
dnpass = suppressed
pass_attrs = sAMAccountName=user
pass_filter = (&(objectClass=person)(sAMAccountName=%u))
user_attrs = sAMAccountName=user
user_filter = (&(objectClass=person)(sAMAccountName=%u))
What happens in this case is best shown in the packet capture as displayed by
tshark:
$ tshark -o tcp.check_checksum:FALSE -tr -r dc2.pcap
1 0.000000 172.17.50.13 -> 172.17.10.2 LDAP 197 bindRequest(7)
"CN=DovecotSvc,OU=Svcs,DC=office,DC=on2it,DC=net" simple
2 0.001879 172.17.10.2 -> 172.17.50.13 LDAP 88 bindResponse(7)
success
Yay! The service account binds just fine.
3 0.001967 172.17.50.13 -> 172.17.10.2 LDAP 180 searchRequest(8)
"dc=office,dc=on2it,dc=net" wholeSubtree
4 0.002772 172.17.10.2 -> 172.17.50.13 LDAP 502 searchResEntry(8)
"CN=Jeroen Scheerder,OU=Users,DC=office,DC=on2it,DC=net" \
| searchResRef(8) | searchResRef(8) | searchResRef(8) |
searchResDone(8) success
5 0.098367 172.17.50.13 -> 172.17.10.2 TCP 66 49416 > 389 [ACK]
Seq=246 Ack=459 Win=1037 Len=0 TSval=602425599 TSecr=124473537
Yay! The user DN is found successfully.
6 225.149885 172.17.50.13 -> 172.17.10.2 LDAP 166 bindRequest(12)
"CN=Jeroen Scheerder,OU=Users,DC=office,DC=on2it,DC=net" simple
7 225.152323 172.17.10.2 -> 172.17.50.13 LDAP 88 bindResponse(12)
success
8 225.248387 172.17.50.13 -> 172.17.10.2 TCP 66 49416 > 389 [ACK]
Seq=346 Ack=481 Win=1040 Len=0 TSval=602650749 TSecr=124496053
Yay! The user DN bind works. But wait, why is it taking dovecot 225 seconds
to get around to trying it? The auth process has already given up.
* Approach 2: A template defines the user DN. Bind to that DN.
AD DNs don't contain usernames, but AD allows all kinds of non-LDAP
shorthands for DNs, inclusing %user%@domain.
I've verified this to work using ldapsearch:
$ ldapsearch -o ldif-wrap=no -x -LLL -E pr=200/noprompt -H
ldap://dc2.office.on2it.net \
-b dc=office,dc=on2it,dc=net -s sub \
-D [email protected] -W \
'(&(ObjectClass=person)(sAMAccountName=js))' DN
Enter LDAP Password:
dn: CN=Jeroen Scheerder,DC=office,DC=on2it,DC=net
The config looks like:
hosts = dc2.office.on2it.net
ldap_version = 3
base = dc=office,dc=on2it,dc=net
scope=subtree
auth_bind = yes
auth_bind_userdn = "%[email protected]"
pass_attrs = sAMAccountName=user
user_attrs = sAMAccountName=user
What happens in this case is best shown by a snippet of dovecot logging:
Mar 5 09:57:36 <mail.err> ponyboy dovecot: auth: Error:
ldap(js,127.0.0.1,<z1dLNtjzJwB/AAAB>):
ldap_search(base=dc=office,dc=on2it,dc=net
filter=(&(objectClass=posixAccount)(uid=js))) failed: Operations error
Mar 5 09:57:36 <mail.err> ponyboy dovecot: imap: Error: Disconnected
from auth server, aborting (client-pid=7247 client-id=1)
Mar 5 09:57:36 <mail.crit> ponyboy dovecot: auth: Fatal: master:
service(auth): child 7245 killed with signal 11 (core not dumped - set service
auth { drop_priv_before_exec=yes })
Mar 5 09:57:36 <mail.info> ponyboy dovecot: imap-login: Internal login
failure (pid=7247 id=1) (internal failure, 1 successful auths): user=<js>,
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=7248, secured,
session=<z1dLNtjzJwB/AAAB>
I find this intriguing -- "1 successful auths", so says imap-login, with auth
dying horribly. I smell a rat. Something's wrong here...
signature.asc
Description: OpenPGP digital signature
