Hi Bob,

By default qmail-ldap logs in to LDAP with the ldapuser/ldappassword defined in the control/ files, gets the userPassword entry and then compares passwords. If you enable ldaprebind, qmail-ldap first gets the DN of the SMTP AUTH user from LDAP/AD with the ldapuser/ldappassword in the control/ files, and then makes another connection to AD/LDAP with the SMTP AUTH username's DN and password.


By the way, can you please tell us what you did to enable AD support in qmail-ldap? I am trying to integrate all useful patches into qmail-ldap as a tarball. I would like to enable AD support too.

Thanks


Ismail YENIGUL
Team Leader / Takim Lideri
SurGATE Labs
Phone :+90 216-4709423 | Mobile:+90 533 747 36 65
SurGATE: West Coast Labs Premium Anti-Spam Certificated
Twitter: http://www.twitter.com/surgate
Blog: http://www.surgate.com/blog
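The two verification paths described above, as an added illustration that is not qmail-ldap's own code: a constructed in-memory directory stands in for the LDAP/AD server, the service DN and password stand in for the control/ file values, and an AD-style entry has no readable userPassword attribute, which is why the compare path fails while the rebind path succeeds.

```python
from dataclasses import dataclass

@dataclass
class FakeDirectory:
    """Constructed stand-in for an LDAP/AD server: 'entries' is what a search
    returns, 'secrets' is consulted only by bind and never returned."""
    entries: dict   # dn -> {attribute: value}
    secrets: dict   # dn -> password

    def bind(self, dn, password):
        return dn in self.secrets and self.secrets[dn] == password

    def search(self, bind_dn, bind_pw, uid):
        """Find the entry whose uid matches; requires a successful service bind."""
        if not self.bind(bind_dn, bind_pw):
            raise PermissionError("service account bind failed")
        for dn, attrs in self.entries.items():
            if attrs.get("uid") == uid:
                return dn, attrs
        return None, None

# Service credentials qmail-ldap reads from its control/ files (values assumed).
SERVICE_DN = "cn=qmail,ou=services,dc=example,dc=com"
SERVICE_PW = "service-secret"

def auth_compare(directory, user, password):
    """Default mode: fetch userPassword via the service account and compare it.
    Real qmail-ldap checks the stored hash; a plain comparison suffices here."""
    dn, attrs = directory.search(SERVICE_DN, SERVICE_PW, user)
    if dn is None or "userPassword" not in attrs:
        return False   # AD never returns a password attribute, so nothing to compare
    return attrs["userPassword"] == password

def auth_rebind(directory, user, password):
    """ldaprebind mode: resolve the user's DN, then open a second connection
    bound as that DN with the SMTP AUTH password; the server does the check."""
    dn, _ = directory.search(SERVICE_DN, SERVICE_PW, user)
    return dn is not None and directory.bind(dn, password)

def sample_directories():
    """Two constructed directories holding the same user 'bob' / password 'pw1'."""
    bob_dn = "cn=bob,cn=Users,dc=example,dc=com"
    secrets = {SERVICE_DN: SERVICE_PW, bob_dn: "pw1"}
    # AD / Samba4 style: the password lives in unicodePwd, which is not readable.
    ad = FakeDirectory({bob_dn: {"uid": "bob", "mail": "bob@example.com"}}, secrets)
    # Classic LDAP style: userPassword is readable by the service account.
    openldap = FakeDirectory({bob_dn: {"uid": "bob", "userPassword": "pw1"}}, secrets)
    return ad, openldap
```

Calling `auth_compare(ad, "bob", "pw1")` on the AD-style directory returns False even with the right password, whereas `auth_rebind` returns True; against the classic directory both succeed.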

On 30.03.2012 07:13, Bob Miller wrote:
Gennedy,

Thank you so much, enabling ldaprebind solved the problem.


On Fri, 2012-03-30 at 07:54 +0400, Геннадий Марченко wrote:
Hello Bob,

What is the state of the ldaprebind file in qmail/control/?

Best wishes,
Gennady.

Bob Miller wrote on 30.03.2012 04:47:
Hi Nicolas,

Thank you for your response.

I have tried both SMTPAUTH="" and SMTPAUTH="TLSREQUIRED". In both cases the authentication failed, even though the correct search string appears to have been passed to samba4's ldb. It's as though qmail is able to do a lookup, but isn't able to verify that the password is correct...


On Fri, 2012-03-30 at 01:12 +0100, Nicolas de Bari Embriz Garcia Rojas wrote:
Hi, check that your /var/qmail/control/qmail-smtpd.rules has something like

:allow,SMTPAUTH=""



On Fri, Mar 30, 2012 at 12:10 AM, Bob Miller<b...@computerisms.ca> wrote:
Greetings,

I have been trying to get qmail-ldap to work with samba4's Active Directory implementation. It seems that all parts are working with the exception of smtpauth.

WHAT WORKS: When I send a mail to the system, it successfully verifies if a user exists and denies if the user doesn't exist. qmail-ldaplookup -m/-u both run without error and report what I would expect to see. When I set samba4 into a debug mode, I can see the ldb query coming through in the logs. In fairness, those logs do not report success or failure of the lookup, or the values returned, but the fact that things work indicates the ldap communication to samba4 was a success. I also take these successes to mean my ~controls/ldap* files are set up correctly. I can also use ldbsearch to verify my user/pass info is correct.

SMTPAUTH: I have compiled with TLS and enabled SMTPAUTH="TLSREQUIRED". I can verify the encryption is working because when I rename the cert, I get an error in qmail's logs when it is not working (presumably thanks to TLSDEBUG). I gather from what I have read that that is all I need to do. There were mentions in Life with qmail-ldap that some extra arguments are required in the run script, but I found a mailing list post that says that is not required.

BROKEN: When I try to send an authenticated mail using Thunderbird, I see the following in qmail logs:

auth login
authentication failed: authentication failure

However, the samba4 logs continue to indicate a valid search query is being made. When I base64-encode my user/pass and use telnet to test the smtp connection, I get the exact same symptoms as using Thunderbird; the samba4 logs indicate a good search string and the qmail logs say authentication failure.

TRIED: I have scoured the mailing lists. There are those who say Active Directory works out of the box just by modifying qmail-ldap.h, and there are those who say you need to modify qldap.c and/or qmail-ldaplookup.c in order to account for userAccountControl. Over the last days, I have tried any patches/suggestions that could apply to samba4 (as opposed to Windows Server), but not one of them has solved this problem.

In the interest of not making this a novel nobody wants to read, I will leave out the remaining details on what I have done and which articles I have referenced, but I can make that info available.

If anyone can get me pointed in the right direction, I would truly appreciate it...

--
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
b...@computerisms.ca
Network, Internet, Server,
and Open Source Solutions
