Re: [Dovecot] Samba4 and user auth
Hi

On Friday 28 June 2013 07:17:39 Carsten Laun-De Lellis wrote:
> Hi all
>
> I am trying to set up an email server with a Samba4 AD as user directory. Does anybody know a good how-to to set up user auth against AD? Or could anyone tell me how to do it?
>
> I have an email server up and running with OpenLDAP but want to change to Samba4 AD, because of the OpenChange integration.
>
> I would appreciate any help on this topic.

I have an AD/Samba4 auth for Dovecot; it works the same as any LDAP would (with authenticated lookups and auth_bind). I would suggest you try it, and ask if there are any issues.

Pavel Herrmann
Re: [Dovecot] Samba4 and user auth
Hi

On Monday 01 July 2013 12:36:39 Carsten Laun-De Lellis wrote:
> Hi Pavel
>
> Thanks for your reply. When you were setting up your LDAP query, what kind of password crypto did you specify: plain, ntlm, gssapi or anything else? The password field in your query is userPassword, or am I wrong here?

The password field is hidden (only the user can see it) by default, and not stored as a unix-friendly value (anything a crypt() would understand).

What I use is auth_bind (which uses the user-supplied password to bind to the LDAP directory). What it means is that on every login there are 2 lookups (the first one using your service DN to find the user DN, the second one with your user DN to check the password). That also means that you need a password format that your LDAP can understand (mostly a plaintext password, or NTLM if your mail server is a Samba domain member). As long as you only offer IMAP/SSL I don't think plaintext (as in auth_mechanisms = plain) is an issue, security-wise.

As far as the service account (the one that is used to look up users) goes, I am using the default option (setting the dn and dnpass variables), which I think is a simple bind. It is possible that it only works because Samba4 and Dovecot run on the same machine.

Pavel Herrmann

> I will try it again.
>
> ---
> Kind regards
> Carsten Laun-De Lellis
> Hauptstrasse 13
> D-67705 Trippstadt
> Phone: +49 6306 992140
> Fax: +49 6306 992142
> Mobile: +49 151 27530865
> email: carsten.delel...@delellis.net
> http://www.linkedin.com/in/carstenlaundelellis
[Dovecot] Quota based on LDAP group
Hi

I have a setup where my Dovecot (2.0, if that makes a difference) authenticates against an LDAP directory. In my scenario, I have two types of users, let's call them normal and privileged. What I need is for the normal user to have a fixed quota, but for the privileged to have none. (The users do not exist on the underlying system, so I can't do quota based on FS.)

The issue is that my LDAP is actually an AD, and there is a fair amount of new accounts over time (in other words, I cannot use an LDAP attribute for storing quota, because the AD tools don't understand it, and I would have to add it manually for each new account).

The approach I had in mind is using quota based on user group (I do have groups representing both normal and privileged users), but I cannot find a way to set it up in Dovecot. Am I missing something or does Dovecot not support LDAP groups as attribute source?

thanks
Pavel Herrmann
Re: [Dovecot] Quota based on LDAP group
On Monday 24 of June 2013 23:01:54 Timo Sirainen wrote:
> On 24.6.2013, at 16.35, Pavel Herrmann morpheus.i...@gmail.com wrote:
>> Am I missing something or does Dovecot not support LDAP groups as attribute source?
>
> Sounds like you need to do two LDAP lookups and merge them. That requires Dovecot v2.2.

Sure, I am open to upgrading, if it solves the issue. I would actually need more than 2 requests, as AD supports recursive groups (a group being a member of another group), which I do use.

One possible issue is that, from what I can see on the wiki, it does not really work with how groups in LDAP usually work. What I would need is the opposite direction - locate a group that has a member=myUserDn attribute, look whether it has a quota attribute set, and if not, use the group DN as myUserDn and repeat the search. Granted, AD has a backlink memberOf attribute, but I am still left with recursively looking up whether the group has a quota attribute, and whether it is a member of another group (cyclic membership is not possible AFAIK).

Is this possible with Dovecot 2.2?

thanks
Pavel Herrmann
Re: [Dovecot] Quota based on LDAP group
Hi

On Tuesday 25 of June 2013 00:13:05 Timo Sirainen wrote:
> On 25.6.2013, at 0.05, Pavel Herrmann morpheus.i...@gmail.com wrote:
>> Is this possible with Dovecot 2.2?
>
> http://wiki2.dovecot.org/AuthDatabase/LDAP/Userdb - Subqueries and pointers does what you need I think. My head can't really follow LDAP stuff well enough to say for sure.

Yeah, I figured that one out. The thing I don't see is how I set this up to work recursively (until the quota attribute is found). What I need is something similar to Postfix's special_result_attribute and leaf_result_attribute options (with the exception that I need to select one/the closest of the attributes found, whereas Postfix gets them all).

thanks
Pavel Herrmann
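The closest-wins recursive lookup Pavel describes in the two messages above (follow memberOf outward from the user, level by level, until a quota attribute turns up), as an added example that is not code from the thread, from Dovecot or from Postfix. It assumes a hypothetical group attribute named mailQuota holding a Dovecot quota rule, and it runs over a constructed in-memory snapshot of the directory (a mapping of DN to attributes, the shape an LDAP search returning memberOf and mailQuota would produce). Since the thread finds no way to express the recursion in the LDAP userdb alone, this is the kind of logic an external userdb script would run before handing Dovecot a quota_rule field. It also covers two cases the thread only touches on: a cyclic membership (which AD forbids, but the walker must not hang on), and two different quotas at the same distance, which is reported rather than silently picked.

```python
"""Closest-wins quota lookup over nested AD-style groups.

Added example, not code from the Dovecot list thread, Dovecot or Postfix.
Walk the memberOf backlinks outward from a user one level at a time and
stop at the first level on which a quota attribute appears.  The attribute
name ``mailQuota`` and the directory contents are assumptions.
"""

OU_PEOPLE = "OU=People,DC=example,DC=org"
OU_GROUPS = "OU=Groups,DC=example,DC=org"

# Constructed snapshot: DN -> attributes, as an LDAP search returning
# memberOf and mailQuota would hand back.  Nesting:
#   alice -> mail-users -> staff -> all     (quota on staff wins over all)
#   bob   -> admins <-> ops                  (privileged: no quota anywhere;
#                                             constructed cycle, see below)
#   carol -> (no groups)
#   dave  -> staff, all directly             (two quotas at equal distance)
DIRECTORY = {
    f"CN=alice,{OU_PEOPLE}": {"memberOf": [f"CN=mail-users,{OU_GROUPS}"]},
    f"CN=bob,{OU_PEOPLE}": {"memberOf": [f"CN=admins,{OU_GROUPS}"]},
    f"CN=carol,{OU_PEOPLE}": {"memberOf": []},
    f"CN=dave,{OU_PEOPLE}": {
        "memberOf": [f"CN=staff,{OU_GROUPS}", f"CN=all,{OU_GROUPS}"],
    },
    f"CN=mail-users,{OU_GROUPS}": {"memberOf": [f"CN=staff,{OU_GROUPS}"]},
    f"CN=staff,{OU_GROUPS}": {
        "mailQuota": ["*:storage=1G"],
        "memberOf": [f"CN=all,{OU_GROUPS}"],
    },
    f"CN=all,{OU_GROUPS}": {"mailQuota": ["*:storage=100M"], "memberOf": []},
    # AD refuses cyclic membership; the cycle is constructed here only to
    # show that the visited-set keeps the walk from looping forever.
    f"CN=admins,{OU_GROUPS}": {"memberOf": [f"CN=ops,{OU_GROUPS}"]},
    f"CN=ops,{OU_GROUPS}": {"memberOf": [f"CN=admins,{OU_GROUPS}"]},
}


def resolve_quota(directory, user_dn, quota_attr="mailQuota"):
    """Return the quota rule closest to user_dn, or None if none applies.

    Breadth-first over memberOf: a quota on the object itself wins over one
    on a direct group, which wins over one on a parent group.  Each DN is
    visited once, so a cyclic membership terminates.  Two different quotas
    at the same distance are a policy error and raise instead of being
    chosen arbitrarily.
    """
    if user_dn not in directory:
        raise KeyError(f"unknown DN: {user_dn}")
    seen = {user_dn}
    frontier = [user_dn]
    while frontier:
        # Collect every quota value present at the current distance.
        found = set()
        for dn in frontier:
            found.update(directory[dn].get(quota_attr, []))
        if len(found) == 1:
            return found.pop()
        if len(found) > 1:
            raise ValueError(
                f"conflicting quotas at the same depth for {user_dn}: "
                f"{sorted(found)}"
            )
        # Nothing at this distance: move one level outward via memberOf.
        next_frontier = []
        for dn in frontier:
            for parent in directory[dn].get("memberOf", []):
                # Skip groups already visited (cycle) or not in the snapshot.
                if parent in seen or parent not in directory:
                    continue
                seen.add(parent)
                next_frontier.append(parent)
        frontier = next_frontier
    return None


def userdb_fields(directory, user_dn):
    """Extra fields an external userdb script would hand to Dovecot.

    A user with no quota attribute anywhere up the chain is the privileged
    case from the thread: no quota_rule is returned for them.
    """
    quota = resolve_quota(directory, user_dn)
    return {"quota_rule": quota} if quota is not None else {}


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, userdb_fields(DIRECTORY, f"CN={name},{OU_PEOPLE}"))
```

The conflict check is deliberate: Postfix's leaf_result_attribute would return both values and leave the choice to the consumer, whereas a quota lookup needs exactly one rule, so two candidates at the same distance are surfaced as an error at lookup time rather than resolved by whichever group the directory happened to list first.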