Re: My dovecot works fine against Active Directory 2003, but not against AD2008
Exactly, that's what I meant.

On 16/09/2015 at 15:37, Shawn Heisey wrote:
> On 9/12/2015 12:31 AM, Mark Foley wrote:
>> Hmmm, I've not heard of "Active Directory 2003" or 2008. The year numbers
>> indicated to me you might be talking about Windows Small Business Server
>> 2003 or 2008. Is your AD Server Windows? Linux? Something else? I'm using
>> Samba4 AD/DC on Linux.
> The OP probably is referring to AD functional levels:
>
> https://technet.microsoft.com/en-us/library/cc787290%28v=ws.10%29.aspx
>
> Thanks,
> Shawn
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
I'm sorry for the late response, I missed this mail. I'll answer your questions below. I'm sending a BCC of this mail to your personal address, but it seems to have some problem because your server bounces it:

On 12/09/2015 at 8:31, Mark Foley wrote:
> Fran - thanks for your reply. I'm cc'ing you directly on this as well as
> posting to the list as I'm not sure how often you check the list and I'm
> down to hanging by my last fingernail on this project.
>
> I have some preliminary questions interspersed below.
>
> Thanks, --Mark
>
> -Original Message-
>> Subject: Re: My dovecot works fine against Active Directory 2003, but not
>> against AD2008
>> To: dovecot@dovecot.org
>> From: Fran <cumc-436...@chguadalquivir.es>
>> Date: Thu, 10 Sep 2015 13:26:21 +0200
>>
>> Hi Mark,
>>
>> when I say AD 2003/8 I mean Active Directory 2003/8.
> Hmmm, I've not heard of "Active Directory 2003" or 2008. The year numbers
> indicated to me you might be talking about Windows Small Business Server
> 2003 or 2008. Is your AD Server Windows? Linux? Something else? I'm using
> Samba4 AD/DC on Linux.

https://technet.microsoft.com/en-us/library/cc787290%28v=ws.10%29.aspx

>> My configuration is attached.
> Thank you very much for that. If I make some headway, I'll likely have more
> questions on specifics.
>
>> I based my installation (dovecot+postfix) on the guides of this site:
>> http://www.linuxmail.info
>>
>> The LDAP part is this:
>> http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/
> If you were able to make sense out of these sites' tiny screen-shots and
> one-line descriptions my hat's off to you. "You're a better man than I am,
> Gunga Din!" If there was more detailed narrative somewhere I couldn't find
> it. Also, I don't have jXplorer on my system, so probably I couldn't get
> too far anyway.

You don't need jXplorer at all, in fact I didn't use it. If you need to browse through your LDAP directory you can use any LDAP browser.

The descriptions on that site are short, that's true, but it contains the essential info to adapt it to any similar environment. Don't take it as a step by step guide; unless you use exactly the same environment and versions, you won't find the same files in the same places. Try to understand how the different parts work and adapt it to your environment.

> BIG QUESTIONS:
>
> 1. Are you using MS Outlook IMAP clients in your environment? If so, how are
> you making them connect with LDAP? By checking the SPA checkbox?

There are Thunderbird, Roundcube, Outlook, iOS and Android clients in my environment. All of them use standard IMAP connections. I don't understand your question very well; the client doesn't need to connect with LDAP, it's dovecot itself which connects to AD to validate the IMAP user login.

> 2. The mail_gid/mail_uid as vmail confuses me. I see that setting a lot,
> including in your config. http://wiki2.dovecot.org/VirtualUsers says, "You
> can create, for example, one vmail user which owns all the mails, or you can
> assign a separate UID for each user." I have assigned a separate UID for
> each based on the UID returned by `wbinfo -u `. Does assigning separate
> UIDs mess up my ability to adapt your configuration?

I assigned one vmail user which owns all the mails. You can still use my configuration for many other parts though.

> little questions:
>
> 3. I'm not planning on using quotas. Can I safely omit your mail_plugins = "
> quota" setting and all your plugin { quota_...} settings? I want to be as
> simple as possible to start.

You don't need that plugin if you don't plan to use it.

> 4. Likewise, dovecot seems to be able to find users' mailboxes just fine.
> Can I omit the namespace inbox {} setting?

I don't think so.

This is my /etc/dovecot/conf.d/10-mail.conf:

    mail_home = /home/vmail//%Lu
    mail_location = maildir:~/Maildir
    mail_uid = 1000
    mail_gid = 1000

    namespace inbox {
      # Namespace type: private, shared or public
      type = private
      inbox = yes
      mailbox Trash {
        auto = subscribe
        special_use = \Trash
      }
      mailbox Drafts {
        auto = subscribe
        special_use = \Drafts
      }
      mailbox Sent {
        auto = subscribe
        special_use = \Sent
      }
      mailbox Junk {
        auto = subscribe
        special_use = \Junk
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
On 9/12/2015 12:31 AM, Mark Foley wrote:
> Hmmm, I've not heard of "Active Directory 2003" or 2008. The year numbers
> indicated to me you might be talking about Windows Small Business Server
> 2003 or 2008. Is your AD Server Windows? Linux? Something else? I'm using
> Samba4 AD/DC on Linux.

The OP probably is referring to AD functional levels:

https://technet.microsoft.com/en-us/library/cc787290%28v=ws.10%29.aspx

Thanks,
Shawn
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
Fran - thanks for your reply. I'm cc'ing you directly on this as well as posting to the list as I'm not sure how often you check the list and I'm down to hanging by my last fingernail on this project.

I have some preliminary questions interspersed below.

Thanks, --Mark

-Original Message-
> Subject: Re: My dovecot works fine against Active Directory 2003, but not
> against AD2008
> To: dovecot@dovecot.org
> From: Fran <cumc-436...@chguadalquivir.es>
> Date: Thu, 10 Sep 2015 13:26:21 +0200
>
> Hi Mark,
>
> when I say AD 2003/8 I mean Active Directory 2003/8.

Hmmm, I've not heard of "Active Directory 2003" or 2008. The year numbers indicated to me you might be talking about Windows Small Business Server 2003 or 2008. Is your AD Server Windows? Linux? Something else? I'm using Samba4 AD/DC on Linux.

> My configuration is attached.

Thank you very much for that. If I make some headway, I'll likely have more questions on specifics.

> I based my installation (dovecot+postfix) on the guides of this site:
> http://www.linuxmail.info
>
> The LDAP part is this:
> http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/

If you were able to make sense out of these sites' tiny screen-shots and one-line descriptions my hat's off to you. "You're a better man than I am, Gunga Din!" If there was more detailed narrative somewhere I couldn't find it. Also, I don't have jXplorer on my system, so probably I couldn't get too far anyway.

BIG QUESTIONS:

1. Are you using MS Outlook IMAP clients in your environment? If so, how are you making them connect with LDAP? By checking the SPA checkbox?

2. The mail_gid/mail_uid as vmail confuses me. I see that setting a lot, including in your config. http://wiki2.dovecot.org/VirtualUsers says, "You can create, for example, one vmail user which owns all the mails, or you can assign a separate UID for each user." I have assigned a separate UID for each based on the UID returned by `wbinfo -u `. Does assigning separate UIDs mess up my ability to adapt your configuration?

little questions:

3. I'm not planning on using quotas. Can I safely omit your mail_plugins = " quota" setting and all your plugin { quota_...} settings? I want to be as simple as possible to start.

4. Likewise, dovecot seems to be able to find users' mailboxes just fine. Can I omit the namespace inbox {} setting?

These may seem like amateurish questions, but little details have foiled me a lot on this Dovecot project. If I feel confident with the answers you provide here, I'll move on to trying some things.

Thanks a lot for your help!!! --Mark

> You can also use PAM to connect to AD
> (http://www.linuxmail.info/active-directory-dovecot-pam-authentication/)
> but that way doesn't allow retrieving custom fields from the AD (ex. a
> field to set quota per user), so I'm using the standard LDAP method.
>
> Regards
>
> On 10/09/2015 at 4:51, Mark Foley wrote:
>> Fran and/or Matthias,
>>
>> Could you publish your doveconf -n? I can't get dovecot to authenticate
>> with my AD. Maybe you have a solution I could try.
>>
>> What mail client(s) are you using? I assume by "AD 2003/8" You mean
>> SBS2003/8 and are therefore using Outlook?
>>
>> --Mark
>>
>> -Original Message- [deleted]
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
Hi Fran,

this is not a dovecot problem, that's a pure DNS problem and can only be fixed in your DNS environment.

Referrals are propagated in a "special" DNS design in SRV records. So the LDAP client performs a DNS lookup for these names and this is the point of hanging (as in most "hanging cases", it's DNS).

See:
https://technet.microsoft.com/en-us/library/cc978014.aspx
https://technet.microsoft.com/en-us/library/cc961719.aspx
http://www.mail-archive.com/cas@tp.its.yale.edu/msg00797.html

for information.

Greetz Matze

On Thu, 10 Sep 2015 13:10:57 +0200
Fran wrote:
> Hi Matthias,
>
> thank you very much! That fixed the problem.
>
> I had worked around the problem by using "base = ou=, dc=dom",
> instead of "base = dc=dom" in the dovecot-ldap.conf.ext file, because
> that also worked (I don't know why, but the problem happens if you use
> as base just the domain, but not if you add a second level). But that
> forced me to use several userdb/passdb block definitions, one for
> each OU in which I have users, so I think that your fix is better.
>
> I'm not able to understand the actual reason behind all this though...
>
> What's the technical explanation behind this behaviour? I mean, it
> seems that the problem is that the Domain Controller (DC) was
> sending a "referrals" answer and dovecot auth made a connection to
> these other DCs but something wrong happened (dovecot can't deal
> correctly with that kind of answer? I don't know).
>
> Anyway, as far as I know:
>
> 1) A referral answer should be given by a DC when it can't provide the
> object that the client is requesting
> 2) REFERRALS off in ldap.conf means that the client should not follow
> referrals returned by the DC
>
> So, if a referral answer is given by my DC, I think that is because
> such DC can't provide the object which the client is looking for, so
> why does it work fine just by telling dovecot: "Don't follow referrals"?
>
> Regards
>
> On 09/09/2015 at 17:22, Matthias Lay wrote:
>> hi,
>>
>> check your
>>
>> /etc/openldap/ldap.conf
>>
>> for
>>
>> REFERRALS off
>>
>> I had these errors with "referrals on" in misconfigured DNS
>> environments.
>>
>> you can debug the DNS packets by strace-ing the auth process
>>
>> On Tue, 8 Sep 2015 11:00:37 +0200
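An added illustration of the mechanism Matthias describes (example code, not from the thread, dovecot or OpenLDAP; the naming contexts, referral URLs and log lines are constructed sample data for a forest named "domain"): a subtree search under the domain root on port 389 returns continuation references whose hosts are partition DNS names that must be resolved through SRV records, an OU base one level down returns none (Fran's workaround), and REFERRALS off drops them entirely (the fix).

```python
"""Model of the AD referral behaviour behind the dovecot auth hang.

Added example for this thread, not code from dovecot or from any poster.
The naming contexts, referral URLs and log lines are constructed sample
data modelled on a single-domain forest named "domain".
"""
from urllib.parse import urlparse

# Constructed sample: the naming contexts a DC of "domain" holds. The
# configuration and DNS application partitions sit below the domain root
# DN in the tree, which is what produces the continuation references.
SAMPLE_NAMING_CONTEXTS = [
    "DC=domain",
    "CN=Configuration,DC=domain",
    "CN=Schema,CN=Configuration,DC=domain",
    "DC=DomainDnsZones,DC=domain",
    "DC=ForestDnsZones,DC=domain",
]


def dn_components(dn):
    """Split a DN into lower-cased RDNs (DN matching is case-insensitive)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_proper_subordinate(dn, base):
    """True if dn lies strictly below base in the directory tree."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) > len(b) and d[-len(b):] == b


def partition_dns_name(naming_context):
    """DNS name of a partition: its DC= components joined with dots.

    AD puts this name, not the answering DC's hostname, in the referral
    URL, so the client must find a server for it through the
    _ldap._tcp.<name> SRV records before it can follow the referral.
    """
    return ".".join(
        rdn.strip().split("=", 1)[1]
        for rdn in naming_context.split(",")
        if rdn.strip().lower().startswith("dc=")
    )


def continuation_references(base, naming_contexts=SAMPLE_NAMING_CONTEXTS):
    """Referral URLs a DC returns for a subtree search rooted at base.

    One reference per partition held below the search base but outside
    the partition being searched; a partition nested under such a
    partition is reached through the parent's referral, not listed here.
    An OU base has no partition below it, so it yields no references.
    """
    below = [nc for nc in naming_contexts if is_proper_subordinate(nc, base)]
    refs = []
    for nc in below:
        if any(is_proper_subordinate(nc, parent) for parent in below if parent != nc):
            continue
        refs.append(f"ldap://{partition_dns_name(nc)}/{nc}")
    return refs


def hosts_to_resolve(base, follow_referrals=True, naming_contexts=SAMPLE_NAMING_CONTEXTS):
    """DNS names the client will look up beyond the configured 'hosts' entry.

    With REFERRALS off (follow_referrals=False) the client discards the
    references, so nothing beyond the configured server is resolved or
    contacted, which matches the single netstat connection after the fix.
    """
    if not follow_referrals:
        return set()
    return {urlparse(ref).hostname for ref in continuation_references(base, naming_contexts)}


# Constructed log lines modelled on the thread (hostnames and session ids
# omitted, as in the original post).
SAMPLE_LOG = [
    "Sep 7 19:02:05 dovecot: imap-login: Error: master(imap): Auth request timed out (received 0/12 bytes)",
    "Sep 7 19:02:06 dovecot: auth: Error: ldap(,,): Connection appears to be hanging, reconnecting",
    "Sep 7 19:02:06 dovecot: auth: Error: ldap(,,): LDAP search returned multiple entries",
]


def looks_like_referral_stall(log_lines):
    """Detection helper: an auth timeout together with the LDAP hanging /
    reconnecting error is the signature the thread shows for a referral
    chase stuck in DNS. Returns True only when both are present."""
    text = "\n".join(log_lines)
    return "Auth request timed out" in text and "Connection appears to be hanging" in text


if __name__ == "__main__":
    for base in ("DC=domain", "OU=Users,DC=domain"):
        print(base, "->", continuation_references(base))
    print("REFERRALS on :", sorted(hosts_to_resolve("DC=domain")))
    print("REFERRALS off:", sorted(hosts_to_resolve("DC=domain", follow_referrals=False)))
    print("log shows referral stall:", looks_like_referral_stall(SAMPLE_LOG))
```

The global catalog on port 3268 shows the same single-connection behaviour because a GC search does not generate in-forest continuation references, which is why it "worked" without the fix.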
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
Hi Matthias,

thank you very much! That fixed the problem.

I had worked around the problem by using "base = ou=, dc=dom", instead of "base = dc=dom" in the dovecot-ldap.conf.ext file, because that also worked (I don't know why, but the problem happens if you use as base just the domain, but not if you add a second level). But that forced me to use several userdb/passdb block definitions, one for each OU in which I have users, so I think that your fix is better.

I'm not able to understand the actual reason behind all this though...

What's the technical explanation behind this behaviour? I mean, it seems that the problem is that the Domain Controller (DC) was sending a "referrals" answer and dovecot auth made a connection to these other DCs but something wrong happened (dovecot can't deal correctly with that kind of answer? I don't know).

Anyway, as far as I know:

1) A referral answer should be given by a DC when it can't provide the object that the client is requesting
2) REFERRALS off in ldap.conf means that the client should not follow referrals returned by the DC

So, if a referral answer is given by my DC, I think that is because such DC can't provide the object which the client is looking for, so why does it work fine just by telling dovecot: "Don't follow referrals"?

Regards

On 09/09/2015 at 17:22, Matthias Lay wrote:
> hi,
>
> check your
>
> /etc/openldap/ldap.conf
>
> for
>
> REFERRALS off
>
> I had these errors with "referrals on" in misconfigured DNS environments.
>
> you can debug the DNS packets by strace-ing the auth process
>
> On Tue, 8 Sep 2015 11:00:37 +0200
> Fran wrote:
>
>> Hello,
>>
>> my dovecot installation has been working fine against AD until we
>> upgraded from AD 2003 to AD 2008. As
>> http://wiki2.dovecot.org/AuthDatabase/LDAP said, now I'm not able to
>> connect to AD through port 389. Port 3268 works fine though.
>>
>> (...)
>> Sep 7 19:02:05 dovecot: imap-login: Error:
>> master(imap): Auth request timed out (received 0/12 bytes)
>> Sep 7 19:02:05 dovecot: imap-login: Internal login
>> failure (pid=4846 id=1) (internal failure, 1 successful auths):
>> user=<>, method=PLAIN, rip=,
>> lip=, TLS, session=
>> (...)
>> Sep 7 19:02:06 dovecot: auth: Error:
>> ldap(,,): Connection appears
>> to be hanging, reconnecting
>> Sep 7 19:02:06 dovecot: auth: Error:
>> ldap(,, ): LDAP search
>> returned multiple entries
>> (...)
>>
>> Is there a technical reason for this problem? Is there any
>> workaround?
>>
>> The use of Global Catalog (port 3268) is not a solution for me, since
>> it misses many attributes (ex. I use the field "initials" to set the
>> quota and this field is not available through port 3268).
>>
>> I also noticed that, now, it uses any DC available in the domain, it
>> doesn't care what I configured in the "hosts = " parameter.
>>
>> This is using "hosts = dc03.domain:389":
>> ---
>>
>> [root@ ~]# netstat -anp | grep dovecot | grep auth
>> tcp 22 0 :55217 :389 ESTABLISHED 4872/dovecot/auth
>> tcp 22 0 :57645 :389 ESTABLISHED 4872/dovecot/auth
>> tcp 0 0 :55216 :389 ESTABLISHED 4872/dovecot/auth
>>
>> It looks like it does a lookup for other domain controllers (I don't
>> know how nor why) and it connects at random to any DC in my domain (in
>> this case dc06.domain, but it changes each time), in addition to the
>> configured one (dc03.domain).
>>
>> This is using "hosts = dc03.domain:3268":
>>
>> [root@ ~]# netstat -anp | grep dovecot | grep auth
>> tcp 0 0 :58485 :3268 ESTABLISHED 4982/dovecot/auth
>>
>> In this case, only the configured server in the hosts parameter is used
>> (I think this is the right behaviour)
>>
>> Additional info:
>> ---
>> CentOS Linux release 7.0.1406 (Core)
>>
>> dovecot 2.2.10
>>
>> Build options: ioloop=epoll notify=inotify ipv6 openssl
>> io_block_size=8192 Mail storages: shared mdbox sdbox maildir mbox
>> cydir imapc pop3c raw fail SQL driver plugins: mysql postgresql sqlite
>> Passdb: checkpassword ldap pam passwd passwd-file shadow sql
>> Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql
>>
>> My /etc/dovecot/dovecot-ldap.conf.ext
>> --
>> #hosts = dc03.domain:3268
>> hosts = dc03.domain:389
>> #uris = ldap://dc03.domain
>> base = DC=domain
>> #tls = yes
>> tls = no
>> ldap_version = 3
>> auth_bind = yes
>> auth_bind_userdn = %u@domain
>> #auth_bind_userdn = DOMAIN\%u
>> dn = cn=,cn=Users,dc=domain
>> dnpass =
>>
>> #scope = subtree
>> #deref = never
>>
>> user_filter =
>> (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
>> pass_filter =
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
Hi Mark,

when I say AD 2003/8 I mean Active Directory 2003/8.

My configuration is attached.

I based my installation (dovecot+postfix) on the guides of this site:
http://www.linuxmail.info

The LDAP part is this:
http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/

You can also use PAM to connect to AD (http://www.linuxmail.info/active-directory-dovecot-pam-authentication/) but that way doesn't allow retrieving custom fields from the AD (ex. a field to set quota per user), so I'm using the standard LDAP method.

Regards

On 10/09/2015 at 4:51, Mark Foley wrote:
> Fran and/or Matthias,
>
> Could you publish your doveconf -n? I can't get dovecot to authenticate with
> my AD. Maybe you have a solution I could try.
>
> What mail client(s) are you using? I assume by "AD 2003/8" You mean SBS2003/8
> and are therefore using Outlook?
>
> --Mark
>
> -Original Message-
>> Date: Wed, 9 Sep 2015 17:22:34 +0200
>> From: Matthias Lay <matthias@securepoint.de>
>> To: Dovecot Mailing List <dovecot@dovecot.org>
>> Subject: Re: My dovecot works fine against Active Directory 2003, but not
>> against AD2008
>>
>> hi,
>>
>> check your
>>
>> /etc/openldap/ldap.conf
>>
>> for
>>
>> REFERRALS off
>>
>> I had these errors with "referrals on" in misconfigured DNS environments.
>>
>> you can debug the DNS packets by strace-ing the auth process
>>
>> On Tue, 8 Sep 2015 11:00:37 +0200
>> Fran <cumc-436...@chguadalquivir.es> wrote:
>>
>>> Hello,
>>>
>>> my dovecot installation has been working fine against AD until we
>>> upgraded from AD 2003 to AD 2008. As
>>> http://wiki2.dovecot.org/AuthDatabase/LDAP said, now I'm not able to
>>> connect to AD through port 389. Port 3268 works fine though.
>>>
>>> (...)
>>> Sep 7 19:02:05 dovecot: imap-login: Error:
>>> master(imap): Auth request timed out (received 0/12 bytes)
>>> Sep 7 19:02:05 dovecot: imap-login: Internal login
>>> failure (pid=4846 id=1) (internal failure, 1 successful auths):
>>> user=<>, method=PLAIN, rip=,
>>> lip=, TLS, session=<T+grMCsfqgAKHyZV>
>>> (...)
>>> Sep 7 19:02:06 dovecot: auth: Error:
>>> ldap(,,): Connection appears
>>> to be hanging, reconnecting
>>> Sep 7 19:02:06 dovecot: auth: Error:
>>> ldap(,,<T+grMCsfqgAKHyZV>): LDAP search
>>> returned multiple entries
>>> (...)
>>>
>>> Is there a technical reason for this problem? Is there any
>>> workaround?
>>>
>>> The use of Global Catalog (port 3268) is not a solution for me, since
>>> it misses many attributes (ex. I use the field "initials" to set the
>>> quota and this field is not available through port 3268).
>>>
>>> I also noticed that, now, it uses any DC available in the domain, it
>>> doesn't care what I configured in the "hosts = " parameter.
>>>
>>> This is using "hosts = dc03.domain:389":
>>> ---
>>>
>>> [root@ ~]# netstat -anp | grep dovecot | grep auth
>>> tcp 22 0 :55217 :389 ESTABLISHED 4872/dovecot/auth
>>> tcp 22 0 :57645 :389 ESTABLISHED 4872/dovecot/auth
>>> tcp 0 0 :55216 :389 ESTABLISHED 4872/dovecot/auth
>>>
>>> It looks like it does a lookup for other domain controllers (I don't
>>> know how nor why) and it connects at random to any DC in my domain (in
>>> this case dc06.domain, but it changes each time), in addition to the
>>> configured one (dc03.domain).
>>>
>>> This is using "hosts = dc03.domain:3268":
>>>
>>> [root@ ~]# netstat -anp | grep dovecot | grep auth
>>> tcp 0 0 :58485 :3268 ESTABLISHED 4982/dovecot/auth
>>>
>>> In this case, only the configured server in the hosts parameter is used
>>> (I think this is the right behaviour)
>>>
>>> Additional info:
>>> ---
>>> CentOS Linux release 7.0.1406 (Core)
>>>
>>> dovecot 2.2.10
>>>
>>> Build options: ioloop=epoll notify=inotify ipv6 openssl
>>> io_block_size=8192 Mail storages: shared mdbox sdbox maildir mbox
>>> cydir imapc pop3c raw fail SQL driver plugins: mysql post
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
Thanks again for the solution and for the explanation.

Fran

On 10/09/2015 at 15:40, Matthias Lay wrote:
> Hi Fran,
>
> this is not a dovecot problem, that's a pure DNS problem and can only
> be fixed in your DNS environment.
>
> Referrals are propagated in a "special" DNS design in SRV records.
> So the LDAP client performs a DNS lookup for these names and this is the
> point of hanging (as in most "hanging cases", it's DNS).
>
> See:
> https://technet.microsoft.com/en-us/library/cc978014.aspx
> https://technet.microsoft.com/en-us/library/cc961719.aspx
> http://www.mail-archive.com/cas@tp.its.yale.edu/msg00797.html
>
> for information.
>
> Greetz Matze
>
> On Thu, 10 Sep 2015 13:10:57 +0200
> Fran wrote:
>
>> Hi Matthias,
>>
>> thank you very much! That fixed the problem.
>>
>> I had worked around the problem by using "base = ou=, dc=dom",
>> instead of "base = dc=dom" in the dovecot-ldap.conf.ext file, because
>> that also worked (I don't know why, but the problem happens if you use
>> as base just the domain, but not if you add a second level). But that
>> forced me to use several userdb/passdb block definitions, one for
>> each OU in which I have users, so I think that your fix is better.
>>
>> I'm not able to understand the actual reason behind all this though...
>>
>> What's the technical explanation behind this behaviour? I mean, it
>> seems that the problem is that the Domain Controller (DC) was
>> sending a "referrals" answer and dovecot auth made a connection to
>> these other DCs but something wrong happened (dovecot can't deal
>> correctly with that kind of answer? I don't know).
>>
>> Anyway, as far as I know:
>>
>> 1) A referral answer should be given by a DC when it can't provide the
>> object that the client is requesting
>> 2) REFERRALS off in ldap.conf means that the client should not follow
>> referrals returned by the DC
>>
>> So, if a referral answer is given by my DC, I think that is because
>> such DC can't provide the object which the client is looking for, so
>> why does it work fine just by telling dovecot: "Don't follow referrals"?
>>
>> Regards
>>
>> On 09/09/2015 at 17:22, Matthias Lay wrote:
>>> hi,
>>>
>>> check your
>>>
>>> /etc/openldap/ldap.conf
>>>
>>> for
>>>
>>> REFERRALS off
>>>
>>> I had these errors with "referrals on" in misconfigured DNS
>>> environments.
>>>
>>> you can debug the DNS packets by strace-ing the auth process
>>>
>>> On Tue, 8 Sep 2015 11:00:37 +0200
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
hi,

check your

/etc/openldap/ldap.conf

for

REFERRALS off

I had these errors with "referrals on" in misconfigured DNS environments.

you can debug the DNS packets by strace-ing the auth process

On Tue, 8 Sep 2015 11:00:37 +0200
Fran wrote:
> Hello,
>
> my dovecot installation has been working fine against AD until we
> upgraded from AD 2003 to AD 2008. As
> http://wiki2.dovecot.org/AuthDatabase/LDAP said, now I'm not able to
> connect to AD through port 389. Port 3268 works fine though.
>
> (...)
> Sep 7 19:02:05 dovecot: imap-login: Error:
> master(imap): Auth request timed out (received 0/12 bytes)
> Sep 7 19:02:05 dovecot: imap-login: Internal login
> failure (pid=4846 id=1) (internal failure, 1 successful auths):
> user=<>, method=PLAIN, rip=,
> lip=, TLS, session=
> (...)
> Sep 7 19:02:06 dovecot: auth: Error:
> ldap(,,): Connection appears
> to be hanging, reconnecting
> Sep 7 19:02:06 dovecot: auth: Error:
> ldap(,, ): LDAP search
> returned multiple entries
> (...)
>
> Is there a technical reason for this problem? Is there any
> workaround?
>
> The use of Global Catalog (port 3268) is not a solution for me, since
> it misses many attributes (ex. I use the field "initials" to set the
> quota and this field is not available through port 3268).
>
> I also noticed that, now, it uses any DC available in the domain, it
> doesn't care what I configured in the "hosts = " parameter.
>
> This is using "hosts = dc03.domain:389":
> ---
>
> [root@ ~]# netstat -anp | grep dovecot | grep auth
> tcp 22 0 :55217 :389 ESTABLISHED 4872/dovecot/auth
> tcp 22 0 :57645 :389 ESTABLISHED 4872/dovecot/auth
> tcp 0 0 :55216 :389 ESTABLISHED 4872/dovecot/auth
>
> It looks like it does a lookup for other domain controllers (I don't
> know how nor why) and it connects at random to any DC in my domain (in
> this case dc06.domain, but it changes each time), in addition to the
> configured one (dc03.domain).
>
> This is using "hosts = dc03.domain:3268":
>
> [root@ ~]# netstat -anp | grep dovecot | grep auth
> tcp 0 0 :58485 :3268 ESTABLISHED 4982/dovecot/auth
>
> In this case, only the configured server in the hosts parameter is used
> (I think this is the right behaviour)
>
> Additional info:
> ---
> CentOS Linux release 7.0.1406 (Core)
>
> dovecot 2.2.10
>
> Build options: ioloop=epoll notify=inotify ipv6 openssl
> io_block_size=8192 Mail storages: shared mdbox sdbox maildir mbox
> cydir imapc pop3c raw fail SQL driver plugins: mysql postgresql sqlite
> Passdb: checkpassword ldap pam passwd passwd-file shadow sql
> Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql
>
> My /etc/dovecot/dovecot-ldap.conf.ext
> --
> #hosts = dc03.domain:3268
> hosts = dc03.domain:389
> #uris = ldap://dc03.domain
> base = DC=domain
> #tls = yes
> tls = no
> ldap_version = 3
> auth_bind = yes
> auth_bind_userdn = %u@domain
> #auth_bind_userdn = DOMAIN\%u
> dn = cn=,cn=Users,dc=domain
> dnpass =
>
> #scope = subtree
> #deref = never
>
> user_filter =
> (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> pass_filter =
> (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> pass_attrs = userPassword=password
> user_attrs = Initials=quota_rule=*:storage=%$MB
> ---
>
> --
> Log trace using PORT 389:
> --
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL:
> elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL:
> elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL:
> where=0x10, ret=1: before/accept initialization []
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: before/accept initialization []
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: SSLv3 read client hello A []
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: SSLv3 write server hello A []
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: SSLv3 write certificate A []
> Sep 7 19:00:35 dovecot: auth: Debug: Loading modules
> from directory: /usr/lib64/dovecot/auth
> Sep 7 19:00:35 dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Sep 7 19:00:35 dovecot: auth: Debug: Loading modules
> from directory: /usr/lib64/dovecot/auth
> Sep 7 19:00:35 dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libauthdb_ldap.so
> Sep 7 19:00:35 dovecot: auth: Debug: Read auth token
> secret
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
Fran and/or Matthias,

Could you publish your doveconf -n? I can't get dovecot to authenticate with my AD. Maybe you have a solution I could try.

What mail client(s) are you using? I assume by "AD 2003/8" You mean SBS2003/8 and are therefore using Outlook?

--Mark

-Original Message-
> Date: Wed, 9 Sep 2015 17:22:34 +0200
> From: Matthias Lay <matthias@securepoint.de>
> To: Dovecot Mailing List <dovecot@dovecot.org>
> Subject: Re: My dovecot works fine against Active Directory 2003, but not
> against AD2008
>
> hi,
>
> check your
>
> /etc/openldap/ldap.conf
>
> for
>
> REFERRALS off
>
> I had these errors with "referrals on" in misconfigured DNS environments.
>
> you can debug the DNS packets by strace-ing the auth process
>
> On Tue, 8 Sep 2015 11:00:37 +0200
> Fran <cumc-436...@chguadalquivir.es> wrote:
>
>> Hello,
>>
>> my dovecot installation has been working fine against AD until we
>> upgraded from AD 2003 to AD 2008. As
>> http://wiki2.dovecot.org/AuthDatabase/LDAP said, now I'm not able to
>> connect to AD through port 389. Port 3268 works fine though.
>>
>> (...)
>> Sep 7 19:02:05 dovecot: imap-login: Error:
>> master(imap): Auth request timed out (received 0/12 bytes)
>> Sep 7 19:02:05 dovecot: imap-login: Internal login
>> failure (pid=4846 id=1) (internal failure, 1 successful auths):
>> user=<>, method=PLAIN, rip=,
>> lip=, TLS, session=<T+grMCsfqgAKHyZV>
>> (...)
>> Sep 7 19:02:06 dovecot: auth: Error:
>> ldap(,,): Connection appears
>> to be hanging, reconnecting
>> Sep 7 19:02:06 dovecot: auth: Error:
>> ldap(,,<T+grMCsfqgAKHyZV>): LDAP search
>> returned multiple entries
>> (...)
>>
>> Is there a technical reason for this problem? Is there any
>> workaround?
>>
>> The use of Global Catalog (port 3268) is not a solution for me, since
>> it misses many attributes (ex. I use the field "initials" to set the
>> quota and this field is not available through port 3268).
>>
>> I also noticed that, now, it uses any DC available in the domain, it
>> doesn't care what I configured in the "hosts = " parameter.
>>
>> This is using "hosts = dc03.domain:389":
>> ---
>>
>> [root@ ~]# netstat -anp | grep dovecot | grep auth
>> tcp 22 0 :55217 :389 ESTABLISHED 4872/dovecot/auth
>> tcp 22 0 :57645 :389 ESTABLISHED 4872/dovecot/auth
>> tcp 0 0 :55216 :389 ESTABLISHED 4872/dovecot/auth
>>
>> It looks like it does a lookup for other domain controllers (I don't
>> know how nor why) and it connects at random to any DC in my domain (in
>> this case dc06.domain, but it changes each time), in addition to the
>> configured one (dc03.domain).
>>
>> This is using "hosts = dc03.domain:3268":
>>
>> [root@ ~]# netstat -anp | grep dovecot | grep auth
>> tcp 0 0 :58485 :3268 ESTABLISHED 4982/dovecot/auth
>>
>> In this case, only the configured server in the hosts parameter is used
>> (I think this is the right behaviour)
>>
>> Additional info:
>> ---
>> CentOS Linux release 7.0.1406 (Core)
>>
>> dovecot 2.2.10
>>
>> Build options: ioloop=epoll notify=inotify ipv6 openssl
>> io_block_size=8192 Mail storages: shared mdbox sdbox maildir mbox
>> cydir imapc pop3c raw fail SQL driver plugins: mysql postgresql sqlite
>> Passdb: checkpassword ldap pam passwd passwd-file shadow sql
>> Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql
>>
>> My /etc/dovecot/dovecot-ldap.conf.ext
>> --
>> #hosts = dc03.domain:3268
>> hosts = dc03.domain:389
>> #uris = ldap://dc03.domain
>> base = DC=domain
>> #tls = yes
>> tls = no
>> ldap_version = 3
>> auth_bind = yes
>> auth_bind_userdn = %u@domain
>> #auth_bind_userdn = DOMAIN\%u
>> dn = cn=,cn=Users,dc=domain
>> dnpass =
>>
>> #scope = subtree
>> #deref = never
>>
>> user_filter =
>> (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
>> pass_filter =
>> (&(userPrincipalName=%u@domai
My dovecot works fine against Active Directory 2003, but not against AD2008
Hello,

my dovecot installation has been working fine against AD until we upgraded from AD 2003 to AD 2008. As http://wiki2.dovecot.org/AuthDatabase/LDAP says, now I'm not able to connect to AD through port 389. Port 3268 works fine though.

(...)
Sep 7 19:02:05 dovecot: imap-login: Error: master(imap): Auth request timed out (received 0/12 bytes)
Sep 7 19:02:05 dovecot: imap-login: Internal login failure (pid=4846 id=1) (internal failure, 1 successful auths): user=<>, method=PLAIN, rip=, lip=, TLS, session=
(...)
Sep 7 19:02:06 dovecot: auth: Error: ldap(,,): Connection appears to be hanging, reconnecting
Sep 7 19:02:06 dovecot: auth: Error: ldap(,, ): LDAP search returned multiple entries
(...)

Is there a technical reason for this problem? Is there any workaround?

The use of the Global Catalog (port 3268) is not a solution for me, since it misses many attributes (e.g. I use the field "initials" to set the quota and this field is not available through port 3268).

I also noticed that, now, it uses any DC available in the domain; it doesn't care what I configured in the "hosts = " parameter.

This is using "hosts = dc03.domain:389":
---

[root@ ~]# netstat -anp | grep dovecot | grep auth
tcp 22 0 :55217 :389 ESTABLISHED 4872/dovecot/auth
tcp 22 0 :57645 :389 ESTABLISHED 4872/dovecot/auth
tcp 0 0 :55216 :389 ESTABLISHED 4872/dovecot/auth

It looks like it does a lookup for other domain controllers (I don't know how or why) and it connects randomly to any DC in my domain (in this case dc06.domain, but it changes every time), in addition to the configured one (dc03.domain).

This is using "hosts = dc03.domain:3268":

[root@ ~]# netstat -anp | grep dovecot | grep auth
tcp 0 0 :58485 :3268 ESTABLISHED 4982/dovecot/auth

In this case, only the configured server in the host parameter is used (I think this is the right behaviour).


Additional info:
---
CentOS Linux release 7.0.1406 (Core)

dovecot 2.2.10

Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL driver plugins: mysql postgresql sqlite
Passdb: checkpassword ldap pam passwd passwd-file shadow sql
Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql


My /etc/dovecot/dovecot-ldap.conf.ext
--
#hosts = dc03.domain:3268
hosts = dc03.domain:389
#uris = ldap://dc03.domain
base = DC=domain
#tls = yes
tls = no
ldap_version = 3
auth_bind = yes
auth_bind_userdn = %u@domain
#auth_bind_userdn = DOMAIN\%u
dn = cn=,cn=Users,dc=domain
dnpass =

#scope = subtree
#deref = never

user_filter = (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
pass_filter = (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
pass_attrs = userPassword=password
user_attrs = Initials=quota_rule=*:storage=%$MB
---


--
Log trace using PORT 389:
--
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization []
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization []
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A []
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A []
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A []
Sep 7 19:00:35 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Sep 7 19:00:35 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Sep 7 19:00:35 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Sep 7 19:00:35 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Sep 7 19:00:35 dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A []
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A []
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data []
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A []
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client
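A check for the symptom reported in this post (the auth process holding LDAP connections to a DC that `hosts =` never named), written as an added example that is not code from the thread or from the Dovecot project: it reads the active `hosts =` line of a dovecot-ldap.conf.ext fragment, extracts the ESTABLISHED dovecot/auth connections to LDAP ports from `netstat -anp` output, and lists the peers that do not match. The config fragment, the name-to-address map standing in for DNS, and the netstat lines are all constructed (RFC 5737 addresses); on a real mail server you would feed it the live config and the live `netstat -anp` output instead.

```python
LDAP_PORTS = {389, 636, 3268, 3269}

# Constructed fragment in the shape of the thread's dovecot-ldap.conf.ext.
LDAP_CONF = """\
#hosts = dc03.domain:3268
hosts = dc03.domain:389
base = DC=domain
"""

# Constructed stand-in for DNS resolution of the domain controllers.
DC_ADDRESSES = {"dc03.domain": "192.0.2.3", "dc06.domain": "192.0.2.6"}

# Constructed `netstat -anp | grep dovecot | grep auth` output; the last
# line is a non-LDAP connection that the check must ignore.
NETSTAT = """\
tcp  22  0 192.0.2.10:55217  192.0.2.6:389    ESTABLISHED 4872/dovecot/auth
tcp  22  0 192.0.2.10:57645  192.0.2.3:389    ESTABLISHED 4872/dovecot/auth
tcp   0  0 192.0.2.10:55216  192.0.2.6:389    ESTABLISHED 4872/dovecot/auth
tcp   0  0 192.0.2.10:55300  192.0.2.20:3306  ESTABLISHED 4872/dovecot/auth
"""

def configured_hosts(conf):
    """(host, port) pairs from the active `hosts =` line; default port is 389."""
    hosts = set()
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip() != "hosts":  # also skips the commented-out '#hosts' line
            continue
        for entry in value.split():  # `hosts` may list several servers
            host, _, port = entry.partition(":")
            hosts.add((host, int(port) if port else 389))
    return hosts

def auth_ldap_peers(netstat):
    """(ip, port) of every ESTABLISHED dovecot/auth connection to an LDAP port."""
    peers = set()
    for line in netstat.splitlines():
        f = line.split()  # proto recv-q send-q local foreign state pid/program
        if len(f) < 7 or f[5] != "ESTABLISHED" or not f[6].endswith("dovecot/auth"):
            continue
        ip, _, port = f[4].rpartition(":")  # rpartition keeps IPv6 literals intact
        if int(port) in LDAP_PORTS:
            peers.add((ip, int(port)))
    return peers

def unexpected_peers(conf, netstat, resolve):
    """LDAP peers the auth process talks to that `hosts =` never named."""
    expected = {(resolve.get(h, h), p) for h, p in configured_hosts(conf)}
    return sorted(auth_ldap_peers(netstat) - expected)
```

Peers that appear here with `hosts = dc03.domain:389` but vanish with port 3268 are the signature of the LDAP client library chasing the referrals that Active Directory returns for a subtree search from the domain root, which the Global Catalog on 3268 does not return.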
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
I've logged a session using the option debug_level = -1. The log is attached. I still don't understand what is happening and why all my domain controllers are being used even when I just use one of them in the "host" parameter in my /etc/dovecot/dovecot-ldap.conf.ext.

Thanks in advance,

Regards

On 08/09/2015 at 11:00, Fran wrote:
> Hello,
>
> my dovecot installation has been working fine against AD until we upgraded
> from AD 2003 to AD 2008. As http://wiki2.dovecot.org/AuthDatabase/LDAP
> says, now I'm not able to connect to AD through port 389. Port 3268
> works fine though.
>
> (...)
> Sep 7 19:02:05 dovecot: imap-login: Error: master(imap): Auth request timed out (received 0/12 bytes)
> Sep 7 19:02:05 dovecot: imap-login: Internal login failure (pid=4846 id=1) (internal failure, 1 successful auths): user=<>, method=PLAIN, rip=, lip=, TLS, session=
> (...)
> Sep 7 19:02:06 dovecot: auth: Error: ldap(,,): Connection appears to be hanging, reconnecting
> Sep 7 19:02:06 dovecot: auth: Error: ldap(,, ): LDAP search returned multiple entries
> (...)
>
> Is there a technical reason for this problem? Is there any workaround?
>
> The use of the Global Catalog (port 3268) is not a solution for me, since it
> misses many attributes (e.g. I use the field "initials" to set the quota
> and this field is not available through port 3268).
>
> I also noticed that, now, it uses any DC available in the domain; it
> doesn't care what I configured in the "hosts = " parameter.
>
> This is using "hosts = dc03.domain:389":
> ---
>
> [root@ ~]# netstat -anp | grep dovecot | grep auth
> tcp 22 0 :55217 :389 ESTABLISHED 4872/dovecot/auth
> tcp 22 0 :57645 :389 ESTABLISHED 4872/dovecot/auth
> tcp 0 0 :55216 :389 ESTABLISHED 4872/dovecot/auth
>
> It looks like it does a lookup for other domain controllers (I don't
> know how or why) and it connects randomly to any DC in my domain (in
> this case dc06.domain, but it changes every time), in addition to the
> configured one (dc03.domain).
>
> This is using "hosts = dc03.domain:3268":
>
> [root@ ~]# netstat -anp | grep dovecot | grep auth
> tcp 0 0 :58485 :3268 ESTABLISHED 4982/dovecot/auth
>
> In this case, only the configured server in the host parameter is used (I
> think this is the right behaviour).
>
>
> Additional info:
> ---
> CentOS Linux release 7.0.1406 (Core)
>
> dovecot 2.2.10
>
> Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
> Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
> SQL driver plugins: mysql postgresql sqlite
> Passdb: checkpassword ldap pam passwd passwd-file shadow sql
> Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql
>
>
> My /etc/dovecot/dovecot-ldap.conf.ext
> --
> #hosts = dc03.domain:3268
> hosts = dc03.domain:389
> #uris = ldap://dc03.domain
> base = DC=domain
> #tls = yes
> tls = no
> ldap_version = 3
> auth_bind = yes
> auth_bind_userdn = %u@domain
> #auth_bind_userdn = DOMAIN\%u
> dn = cn=,cn=Users,dc=domain
> dnpass =
>
> #scope = subtree
> #deref = never
>
> user_filter = (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> pass_filter = (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> pass_attrs = userPassword=password
> user_attrs = Initials=quota_rule=*:storage=%$MB
> ---
>
>
> --
> Log trace using PORT 389:
> --
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization []
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization []
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A []
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A []
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A []
> Sep 7 19:00:35 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
> Sep 7 19:00:35 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Sep 7 19:00:35 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
> Sep 7 19:00:35 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
> Sep 7 19:00:35 dovecot: auth: