Re: My dovecot works fine against Active Directory 2003, but not against AD2008

2015-10-29 Thread Fran
Exactly, that's what I meant.

On 16/09/2015 at 15:37, Shawn Heisey wrote:
> On 9/12/2015 12:31 AM, Mark Foley wrote:
>> Hmmm, I've not heard of "Active Directory 2003" or 2008.  The year numbers
>> indicated to me you might be talking about Windows Small Business Server
>> 2003 or 2008.  Is your AD Server Windows? Linux? Something else? I'm using
>> Samba4 AD/DC on Linux.
> The OP probably is referring to AD functional levels:
>
> https://technet.microsoft.com/en-us/library/cc787290%28v=ws.10%29.aspx
>
> Thanks,
> Shawn
>


Re: My dovecot works fine against Active Directory 2003, but not against AD2008

2015-10-29 Thread Fran
I'm sorry for the late response; I missed this mail. I'll answer your
questions below. I'm sending a BCC of this mail to your personal
address, but there seems to be some problem because your server bounces it:

On 12/09/2015 at 8:31, Mark Foley wrote:
> Fran - thanks for your reply. I'm cc'ing you directly on this as well as
> posting to the list as I'm not sure how often you check the list and I'm
> down to hanging by my last fingernail on this project.
>
> I have some preliminary questions interspersed below.
>
> Thanks, --Mark
>
> -Original Message-
>> Subject: Re: My dovecot works fine against Active Directory 2003, but not
>>  against AD2008
>> To: dovecot@dovecot.org
>> From: Fran <cumc-436...@chguadalquivir.es>
>> Date: Thu, 10 Sep 2015 13:26:21 +0200
>>
>> Hi Mark,
>>
>> when I say AD 2003/8 I mean Active Directory 2003/8.
> Hmmm, I've not heard of "Active Directory 2003" or 2008.  The year numbers
> indicated to me you might be talking about Windows Small Business Server
> 2003 or 2008.  Is your AD Server Windows? Linux? Something else? I'm using
> Samba4 AD/DC on Linux.

https://technet.microsoft.com/en-us/library/cc787290%28v=ws.10%29.aspx



>> My configuration is attached.
> Thank you very much for that. If I make some headway, I'll likely have more
> questions on specifics.
>
>> I based my installation (dovecot+postfix) on the guides of this site:
>> http://www.linuxmail.info
>>
>> The LDAP part is this:
>> http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/
> If you were able to make sense out of these sites' tiny screen-shots and
> one-line descriptions my hat's off to you. "You're a better man than I am,
> Gunga Din!" If there was more detailed narrative somewhere I couldn't find
> it. Also, I don't have jXplorer on my system, so probably I couldn't get
> too far anyway.

You don't need jXplorer at all; in fact I didn't use it. If you need to
browse through your LDAP directory you can use any LDAP browser.
The descriptions on that site are short, that's true, but it contains
the essential info to adapt it to any similar environment. Don't take it
as a step-by-step guide: unless you use exactly the same environment
and versions, you won't find the same files in the same places. Try to
understand how the different parts work and adapt it to your environment.

>
> BIG QUESTIONS:
>
> 1. Are you using MS Outlook IMAP clients in your environment? If so, how are
> you making them connect with LDAP? By checking the SPA checkbox?

There are Thunderbird, Roundcube, Outlook, iOS and Android clients in my
environment. All of them use standard IMAP connections. I don't
understand your question very well: the client doesn't need to connect
to LDAP; it's dovecot itself that connects to AD to validate the IMAP
user login.

>
> 2.  The mail_gid/mail_uid as vmail confuses me.  I see that setting a lot,
> including in your config.  http://wiki2.dovecot.org/VirtualUsers says, "You
> can create, for example, one vmail user which owns all the mails, or you can
> assign a separate UID for each user." I have assigned a separate UID for each
> based on the UID returned by `wbinfo -u `.  Does assigning separate UIDs mess
> up my ability to adapt your configuration?

I assigned one vmail user which owns all the mails. You can still use my
configuration for many other parts though.


>
> little questions:
>
> 3. I'm not planning on using quotas. Can I safely omit your mail_plugins = "
> quota" setting and all your plugin { quota_...} settings? I want to be as
> simple as possible to start.

You don't need that plugin if you don't plan to use it.

>
> 4. Likewise, dovecot seems to be able to find users' mailboxes just fine. Can
> I omit the namespace inbox {} setting?
I don't think so. This is mine, in /etc/dovecot/conf.d/10-mail.conf:

mail_home = /home/vmail//%Lu
mail_location = maildir:~/Maildir
mail_uid = 1000
mail_gid = 1000

namespace inbox {
  # Namespace type: private, shared or public
  type = private

  inbox = yes

  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
}

Re: My dovecot works fine against Active Directory 2003, but not against AD2008

2015-09-16 Thread Shawn Heisey
On 9/12/2015 12:31 AM, Mark Foley wrote:
> Hmmm, I've not heard of "Active Directory 2003" or 2008.  The year numbers
> indicated to me you might be talking about Windows Small Business Server
> 2003 or 2008.  Is your AD Server Windows? Linux? Something else? I'm using
> Samba4 AD/DC on Linux.

The OP probably is referring to AD functional levels:

https://technet.microsoft.com/en-us/library/cc787290%28v=ws.10%29.aspx

Thanks,
Shawn


Re: My dovecot works fine against Active Directory 2003, but not against AD2008

2015-09-12 Thread Mark Foley
Fran - thanks for your reply. I'm cc'ing you directly on this as well as posting
to the list as I'm not sure how often you check the list and I'm down to hanging
by my last fingernail on this project.

I have some preliminary questions interspersed below.

Thanks, --Mark

-Original Message-
> Subject: Re: My dovecot works fine against Active Directory 2003, but not
>   against AD2008
> To: dovecot@dovecot.org
> From: Fran <cumc-436...@chguadalquivir.es>
> Date: Thu, 10 Sep 2015 13:26:21 +0200
>
> Hi Mark,
>
> when I say AD 2003/8 I mean Active Directory 2003/8.

Hmmm, I've not heard of "Active Directory 2003" or 2008.  The year numbers
indicated to me you might be talking about Windows Small Business Server 2003 or
2008.  Is your AD Server Windows? Linux? Something else? I'm using Samba4 AD/DC
on Linux. 

>
> My configuration is attached.

Thank you very much for that. If I make some headway, I'll likely have more
questions on specifics.

>
> I based my installation (dovecot+postfix) on the guides of this site:
> http://www.linuxmail.info
>
> The LDAP part is this:
> http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/

If you were able to make sense out of these sites' tiny screen-shots and
one-line descriptions my hat's off to you. "You're a better man than I am,
Gunga Din!" If there was more detailed narrative somewhere I couldn't find it.
Also, I don't have jXplorer on my system, so probably I couldn't get too far
anyway.

BIG QUESTIONS:

1. Are you using MS Outlook IMAP clients in your environment? If so, how are you
making them connect with LDAP? By checking the SPA checkbox?

2.  The mail_gid/mail_uid as vmail confuses me.  I see that setting a lot,
including in your config.  http://wiki2.dovecot.org/VirtualUsers says, "You can
create, for example, one vmail user which owns all the mails, or you can assign
a separate UID for each user." I have assigned a separate UID for each based on
the UID returned by `wbinfo -u `.  Does assigning separate UIDs mess
up my ability to adapt your configuration?

little questions:

3. I'm not planning on using quotas. Can I safely omit your mail_plugins = "
quota" setting and all your plugin { quota_...} settings? I want to be as
simple as possible to start.

4. Likewise, dovecot seems to be able to find users' mailboxes just fine. Can I
omit the namespace inbox {} setting?

These may seem like amateurish questions, but little details have foiled me a lot
on this Dovecot project. 

If I feel confident with the answers you provide here, I'll move on to trying
some things.

Thanks a lot for your help!!!

--Mark

>
> You can also use PAM to connect to AD
> (http://www.linuxmail.info/active-directory-dovecot-pam-authentication/)
> but that way doesn't allow retrieving custom fields from the AD (ex. a
> field to set quota per user), so I'm using the standard LDAP method.
>
> Regards
>
> On 10/09/2015 at 4:51, Mark Foley wrote:
> > Fran and/or Matthias,
> >
> > Could you publish your doveconf -n? I can't get dovecot to authenticate
> > with my AD. Maybe you have a solution I could try.
> >
> > What mail client(s) are you using? I assume by "AD 2003/8" you mean
> > SBS2003/8 and are therefore using Outlook?
> >
> > --Mark
> >
> > -Original Message-
[deleted]


Re: My dovecot works fine against Active Directory 2003, but not against AD2008

2015-09-10 Thread Matthias Lay
Hi Fran,


this is not a dovecot problem, that's a pure DNS problem and can only
be fixed in your DNS environment.


referrals are propagated in a "special" DNS design in SRV records,
so the LDAP client performs a DNS lookup for these names and this is the
point of hanging (as in most "hanging cases", it's DNS).

see:
https://technet.microsoft.com/en-us/library/cc978014.aspx
https://technet.microsoft.com/en-us/library/cc961719.aspx
http://www.mail-archive.com/cas@tp.its.yale.edu/msg00797.html

for information.


Greetz Matze




On Thu, 10 Sep 2015 13:10:57 +0200
Fran  wrote:

> Hi Matthias,
> 
> thank you very much! that fixed the problem.
> 
> I had worked around the problem by using "base = ou=, dc=dom",
> instead of "base = dc=dom" in the dovecot-ldap.conf.ext file, because
> that also worked (I don't know why, but the problem happens if you use
> just the domain as base, but not if you add a second level). But that
> forced me to use several userdb/passdb block definitions, one for
> each OU in which I have users, so I think that your fix is better.
> 
> I'm not able to understand the actual reason behind all this though...
> 
> What's the technical explanation behind this behaviour? I mean, it
> seems to be that the problem is that the domain controller (DC) was
> sending a "referrals" answer and dovecot auth made a connection to
> these other DCs but something went wrong (dovecot can't deal
> correctly with that kind of answer? I don't know).
> 
> Anyways, as far as I know:
> 
> 1) A referral answer should be given by a DC when it can't provide the
> object that the client is requesting
> 2) REFERRALS off in ldap.conf means that the client should not follow
> referrals returned by the DC
> 
> So, if a referral answer is given by my DC, I think that is because
> such a DC can't provide the object which the client is looking for, so
> why does it work fine just by telling dovecot "Don't follow referrals"?
> 
> Regards
> 
> 
> 
> On 09/09/2015 at 17:22, Matthias Lay wrote:
> > hi,
> >
> > check your 
> >
> > /etc/openldap/ldap.conf
> >
> > for
> >
> > REFERRALS off
> >
> > I had these errors with "referrals on" in misconfigured DNS
> > environments.
> >
> >
> > you can debug the dns packets by strace-ing the auth process
> >
> >
> >
> >
> > On Tue, 8 Sep 2015 11:00:37 +0200
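An added example from the editor, not code posted anywhere in this thread, to make the DNS side of Matthias's explanation visible. The OpenLDAP ldapsearch tool prints search continuation references as "ref:" lines instead of following them (it only chases referrals when given -C), so it shows which host names a client that does chase them, such as Dovecot's auth process with the libldap default of REFERRALS on, would have to resolve. For a subtree search below DC=domain, an AD domain controller on port 389 answers with references to the DomainDnsZones and ForestDnsZones application partitions (and to any child domains); the global catalog on port 3268 serves the whole forest from its own replica, which matches the single connection Fran saw there, but it only exposes the partial attribute set, which is why initials is missing on 3268. The LDIF embedded below is constructed to resemble such a result; dc03.domain is the DC name from the original post, while the service account, the user entry and the attribute values are invented.

```shell
#!/bin/sh
# Added example (editor's, not from the thread). Extracts the referral targets
# an AD domain controller hands back for a subtree search on port 389 and
# lets you check whether the resolver can find them. A libldap client with
# REFERRALS on in /etc/openldap/ldap.conf would try to resolve exactly these
# names; if DNS does not answer for them, that is where the auth process stalls.

# CONSTRUCTED sample of the LDIF that a command like
#   ldapsearch -x -ZZ -H ldap://dc03.domain:389 -D 'svc@domain' -W \
#       -b DC=domain '(userPrincipalName=fran@domain)' initials mail
# would print against an AD DC. dc03.domain comes from the original post;
# the service account (svc), the user entry and the attribute values are
# made up. ldapsearch prints continuation references as "ref:" lines because
# it does not chase referrals unless -C is given.
SAMPLE_LDIF='# extended LDIF
#
# LDAPv3
# base <DC=domain> with scope subtree
# filter: (userPrincipalName=fran@domain)
# requesting: initials mail
#

# fran, Users, domain
dn: CN=fran,CN=Users,DC=domain
initials: 512
mail: fran@domain

# search reference
ref: ldap://ForestDnsZones.domain/DC=ForestDnsZones,DC=domain

# search reference
ref: ldap://DomainDnsZones.domain/DC=DomainDnsZones,DC=domain

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 1
# numReferences: 2'

# referral_hosts: read LDIF on stdin, print each distinct host named in a
# "ref: ldap://host/..." or "ref: ldaps://host/..." line, one per line.
referral_hosts() {
    sed -n 's|^ref: ldaps\{0,1\}://\([^/:]*\).*|\1|p' | LC_ALL=C sort -u
}

# referral_count: read LDIF on stdin, print the "# numReferences:" summary
# value, or 0 when ldapsearch printed no such line (no references returned).
referral_count() {
    n=$(sed -n 's/^# numReferences: \([0-9]*\)$/\1/p')
    echo "${n:-0}"
}

# check_referral_dns HOST...: resolve each host the way libldap would (through
# nsswitch, hence getent rather than dig) and report the ones that fail.
# Returns non-zero if any host is unresolvable. Not called at the top level
# because it needs the real DNS environment of the mail server.
check_referral_dns() {
    rc=0
    for host in "$@"; do
        if getent hosts "$host" >/dev/null 2>&1; then
            echo "resolves:     $host"
        else
            echo "UNRESOLVABLE: $host  (a referral-chasing client stalls here)"
            rc=1
        fi
    done
    return $rc
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LDIF" | referral_hosts
printf 'references in result: %s\n' "$(printf '%s\n' "$SAMPLE_LDIF" | referral_count)"
```

On the mail server itself, run the real search and feed it through the helpers, e.g. `check_referral_dns $(ldapsearch ... | referral_hosts)`: every host reported as unresolvable is a name the DC expects clients to find in DNS (the DCs register these names along with their _ldap._tcp SRV records), and REFERRALS off in /etc/openldap/ldap.conf only stops libldap from trying. Two practical caveats: pass -ZZ so the test bind is protected by STARTTLS, since the posted dovecot-ldap.conf.ext has tls = no and sends the bind password to port 389 in the clear; and remember that with auth_bind = yes the password being exposed is the end user's, not just the service account's.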


Re: My dovecot works fine against Active Directory 2003, but not against AD2008

2015-09-10 Thread Fran
Hi Matthias,

thank you very much! that fixed the problem.

I had worked around the problem by using "base = ou=, dc=dom", instead
of "base = dc=dom" in the dovecot-ldap.conf.ext file, because that also
worked (I don't know why, but the problem happens if you use just the
domain as base, but not if you add a second level). But that forced me to
use several userdb/passdb block definitions, one for each OU in which I
have users, so I think that your fix is better.

I'm not able to understand the actual reason behind all this though...

What's the technical explanation behind this behaviour? I mean, it
seems to be that the problem is that the domain controller (DC) was
sending a "referrals" answer and dovecot auth made a connection to these
other DCs but something went wrong (dovecot can't deal correctly
with that kind of answer? I don't know).

Anyways, as far as I know:

1) A referral answer should be given by a DC when it can't provide the
object that the client is requesting
2) REFERRALS off in ldap.conf means that the client should not follow
referrals returned by the DC

So, if a referral answer is given by my DC, I think that is because
such a DC can't provide the object which the client is looking for, so
why does it work fine just by telling dovecot "Don't follow referrals"?

Regards



On 09/09/2015 at 17:22, Matthias Lay wrote:
> hi,
>
> check your 
>
> /etc/openldap/ldap.conf
>
> for
>
> REFERRALS off
>
> I had these errors with "referrals on" in misconfigured DNS environments.
>
>
> you can debug the dns packets by strace-ing the auth process
>
>
>
>
> On Tue, 8 Sep 2015 11:00:37 +0200
> Fran  wrote:
>
>> Hello,
>>
>> my dovecot installation has been working fine against AD until we
>> upgraded from AD 2003 to AD 2008. As
>> http://wiki2.dovecot.org/AuthDatabase/LDAP said, now I'm not able to
>> connect to AD through port 389. Port 3268 works fine though.
>>
>> (...)
>> Sep  7 19:02:05  dovecot: imap-login: Error:
>> master(imap): Auth request timed out (received 0/12 bytes)
>> Sep  7 19:02:05  dovecot: imap-login: Internal login
>> failure (pid=4846 id=1) (internal failure, 1 successful auths):
>> user=<>, method=PLAIN, rip=,
>> lip=, TLS, session=
>> (...)
>> Sep  7 19:02:06  dovecot: auth: Error:
>> ldap(,,): Connection appears
>> to be hanging, reconnecting
>> Sep  7 19:02:06  dovecot: auth: Error:
>> ldap(,,): LDAP search
>> returned multiple entries
>> (...)
>>
>> Is there a technical reason for this problem? Is there any
>> workaround?
>>
>> The use of Global Catalog (port 3268) is not a solution for me, since
>> it lacks many attributes (ex. I use the field "initials" to set the
>> quota and this field is not available through port 3268).
>>
>> I also noticed that now it uses any DC available in the domain; it
>> doesn't care what I configured in the "hosts = " parameter.
>>
>> This is using "hosts = dc03.domain:389":
>> ---
>>
>> [root@ ~]# netstat -anp | grep dovecot | grep auth
>> tcp   22  0 :55217 :389  ESTABLISHED 4872/dovecot/auth
>> tcp   22  0 :57645 :389  ESTABLISHED 4872/dovecot/auth
>> tcp    0  0 :55216 :389  ESTABLISHED 4872/dovecot/auth
>>
>> It looks like it does a lookup for other domain controllers (I don't
>> know how or why) and it connects at random to any DC in my domain (in
>> this case dc06.domain, but it changes each time), additionally to the
>> configured one (dc03.domain).
>>
>> This is using "hosts = dc03.domain:3268":
>> 
>> [root@ ~]# netstat -anp | grep dovecot | grep auth
>> tcp    0  0 :58485 :3268 ESTABLISHED 4982/dovecot/auth
>>
>> In this case, only the configured server in host parameter is used (I
>> think this is the right behaviour)
>>
>>
>> Additional info:
>> ---
>> CentOS Linux release 7.0.1406 (Core)
>>
>> dovecot 2.2.10
>>
>> Build options: ioloop=epoll notify=inotify ipv6 openssl
>> io_block_size=8192 Mail storages: shared mdbox sdbox maildir mbox
>> cydir imapc pop3c raw fail SQL driver plugins: mysql postgresql sqlite
>> Passdb: checkpassword ldap pam passwd passwd-file shadow sql
>> Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql
>>
>>
>> My /etc/dovecot/dovecot-ldap.conf.ext
>> --
>> #hosts = dc03.domain:3268
>> hosts = dc03.domain:389
>> #uris = ldap://dc03.domain
>> base = DC=domain
>> #tls = yes
>> tls = no
>> ldap_version = 3
>> auth_bind = yes
>> auth_bind_userdn = %u@domain
>> #auth_bind_userdn = DOMAIN\%u
>> dn = cn=,cn=Users,dc=domain
>> dnpass = 
>>
>> #scope   = subtree
>> #deref   = never
>>
>> user_filter =
>> (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
>> pass_filter =
>> 

Re: My dovecot works fine against Active Directory 2003, but not against AD2008

2015-09-10 Thread Fran
Hi Mark,

when I say AD 2003/8 I mean Active Directory 2003/8.

My configuration is attached.

I based my installation (dovecot+postfix) on the guides of this site:
http://www.linuxmail.info

The LDAP part is this:
http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/

You can also use PAM to connect to AD
(http://www.linuxmail.info/active-directory-dovecot-pam-authentication/)
but that way doesn't allow retrieving custom fields from the AD (ex. a
field to set quota per user), so I'm using the standard LDAP method.

Regards

On 10/09/2015 at 4:51, Mark Foley wrote:
> Fran and/or Matthias,
>
> Could you publish your doveconf -n? I can't get dovecot to authenticate with
> my AD. Maybe you have a solution I could try.
>
> What mail client(s) are you using? I assume by "AD 2003/8" you mean SBS2003/8
> and are therefore using Outlook?
>
> --Mark
>
> -Original Message-
>> Date: Wed, 9 Sep 2015 17:22:34 +0200
>> From: Matthias Lay <matthias@securepoint.de>
>> To: Dovecot Mailing List <dovecot@dovecot.org>
>> Subject: Re: My dovecot works fine against Active Directory 2003, but not
>>  against AD2008
>>
>>
>> hi,
>>
>> check your 
>>
>> /etc/openldap/ldap.conf
>>
>> for
>>
>> REFERRALS off
>>
>> I had these errors with "referrals on" in misconfigured DNS environments.
>>
>>
>> you can debug the dns packets by strace-ing the auth process
>>
>>
>>
>>
>> On Tue, 8 Sep 2015 11:00:37 +0200
>> Fran <cumc-436...@chguadalquivir.es> wrote:
>>
>>> Hello,
>>>
>>> my dovecot installation has been working fine against AD until we
>>> upgraded from AD 2003 to AD 2008. As
>>> http://wiki2.dovecot.org/AuthDatabase/LDAP said, now I'm not able to
>>> connect to AD through port 389. Port 3268 works fine though.
>>>
>>> (...)
>>> Sep  7 19:02:05  dovecot: imap-login: Error:
>>> master(imap): Auth request timed out (received 0/12 bytes)
>>> Sep  7 19:02:05  dovecot: imap-login: Internal login
>>> failure (pid=4846 id=1) (internal failure, 1 successful auths):
>>> user=<>, method=PLAIN, rip=,
>>> lip=, TLS, session=<T+grMCsfqgAKHyZV>
>>> (...)
>>> Sep  7 19:02:06  dovecot: auth: Error:
>>> ldap(,,): Connection appears
>>> to be hanging, reconnecting
>>> Sep  7 19:02:06  dovecot: auth: Error:
>>> ldap(,,<T+grMCsfqgAKHyZV>): LDAP search
>>> returned multiple entries
>>> (...)
>>>
>>> Is there a technical reason for this problem? Is there any
>>> workaround?
>>>
>>> The use of Global Catalog (port 3268) is not a solution for me, since
>>> it lacks many attributes (ex. I use the field "initials" to set the
>>> quota and this field is not available through port 3268).
>>>
>>> I also noticed that now it uses any DC available in the domain; it
>>> doesn't care what I configured in the "hosts = " parameter.
>>>
>>> This is using "hosts = dc03.domain:389":
>>> ---
>>>
>>> [root@ ~]# netstat -anp | grep dovecot | grep auth
>>> tcp   22  0 :55217 :389  ESTABLISHED 4872/dovecot/auth
>>> tcp   22  0 :57645 :389  ESTABLISHED 4872/dovecot/auth
>>> tcp    0  0 :55216 :389  ESTABLISHED 4872/dovecot/auth
>>>
>>> It looks like it does a lookup for other domain controllers (I don't
>>> know how or why) and it connects at random to any DC in my domain (in
>>> this case dc06.domain, but it changes each time), additionally to the
>>> configured one (dc03.domain).
>>>
>>> This is using "hosts = dc03.domain:3268":
>>> 
>>> [root@ ~]# netstat -anp | grep dovecot | grep auth
>>> tcp    0  0 :58485 :3268 ESTABLISHED 4982/dovecot/auth
>>>
>>> In this case, only the configured server in host parameter is used (I
>>> think this is the right behaviour)
>>>
>>>
>>> Additional info:
>>> ---
>>> CentOS Linux release 7.0.1406 (Core)
>>>
>>> dovecot 2.2.10
>>>
>>> Build options: ioloop=epoll notify=inotify ipv6 openssl
>>> io_block_size=8192 Mail storages: shared mdbox sdbox maildir mbox
>>> cydir imapc pop3c raw fail SQL driver plugins: mysql post

Re: My dovecot works fine against Active Directory 2003, but not against AD2008

2015-09-10 Thread Fran
Thanks again for the solution and for the explanation.

Fran

On 10/09/2015 at 15:40, Matthias Lay wrote:
> Hi Fran,
>
>
> this is not a dovecot problem, that's a pure DNS problem and can only
> be fixed in your DNS environment.
>
>
> referrals are propagated in a "special" DNS design in SRV records,
> so the LDAP client performs a DNS lookup for these names and this is the
> point of hanging (as in most "hanging cases", it's DNS).
>
> see:
> https://technet.microsoft.com/en-us/library/cc978014.aspx
> https://technet.microsoft.com/en-us/library/cc961719.aspx
> http://www.mail-archive.com/cas@tp.its.yale.edu/msg00797.html
>
> for information.
>
>
> Greetz Matze
>
>
>
>
> On Thu, 10 Sep 2015 13:10:57 +0200
> Fran  wrote:
>
>> Hi Matthias,
>>
>> thank you very much! that fixed the problem.
>>
>> I had worked around the problem by using "base = ou=, dc=dom",
>> instead of "base = dc=dom" in the dovecot-ldap.conf.ext file, because
>> that also worked (I don't know why, but the problem happens if you use
>> just the domain as base, but not if you add a second level). But that
>> forced me to use several userdb/passdb block definitions, one for
>> each OU in which I have users, so I think that your fix is better.
>>
>> I'm not able to understand the actual reason behind all this though...
>>
>> What's the technical explanation behind this behaviour? I mean, it
>> seems to be that the problem is that the domain controller (DC) was
>> sending a "referrals" answer and dovecot auth made a connection to
>> these other DCs but something went wrong (dovecot can't deal
>> correctly with that kind of answer? I don't know).
>>
>> Anyways, as far as I know:
>>
>> 1) A referral answer should be given by a DC when it can't provide the
>> object that the client is requesting
>> 2) REFERRALS off in ldap.conf means that the client should not follow
>> referrals returned by the DC
>>
>> So, if a referral answer is given by my DC, I think that is because
>> such a DC can't provide the object which the client is looking for, so
>> why does it work fine just by telling dovecot "Don't follow referrals"?
>>
>> Regards
>>
>>
>>
>> On 09/09/2015 at 17:22, Matthias Lay wrote:
>>> hi,
>>>
>>> check your 
>>>
>>> /etc/openldap/ldap.conf
>>>
>>> for
>>>
>>> REFERRALS off
>>>
>>> I had these errors with "referrals on" in misconfigured DNS
>>> environments.
>>>
>>>
>>> you can debug the dns packets by strace-ing the auth process
>>>
>>>
>>>
>>>
>>> On Tue, 8 Sep 2015 11:00:37 +0200


Re: My dovecot works fine against Active Directory 2003, but not against AD2008

2015-09-09 Thread Matthias Lay

hi,

check your 

/etc/openldap/ldap.conf

for

REFERRALS off

I had these errors with "referrals on" in misconfigured DNS environments.


you can debug the dns packets by strace-ing the auth process




On Tue, 8 Sep 2015 11:00:37 +0200
Fran  wrote:

> Hello,
> 
> my dovecot installation has been working fine against AD until we
> upgraded from AD 2003 to AD 2008. As
> http://wiki2.dovecot.org/AuthDatabase/LDAP said, now I'm not able to
> connect to AD through port 389. Port 3268 works fine though.
> 
> (...)
> Sep  7 19:02:05  dovecot: imap-login: Error:
> master(imap): Auth request timed out (received 0/12 bytes)
> Sep  7 19:02:05  dovecot: imap-login: Internal login
> failure (pid=4846 id=1) (internal failure, 1 successful auths):
> user=<>, method=PLAIN, rip=,
> lip=, TLS, session=
> (...)
> Sep  7 19:02:06  dovecot: auth: Error:
> ldap(,,): Connection appears
> to be hanging, reconnecting
> Sep  7 19:02:06  dovecot: auth: Error:
> ldap(,,): LDAP search
> returned multiple entries
> (...)
> 
> Is there a technical reason for this problem? Is there any
> workaround?
> 
> The use of Global Catalog (port 3268) is not a solution for me, since
> it lacks many attributes (ex. I use the field "initials" to set the
> quota and this field is not available through port 3268).
> 
> I also noticed that now it uses any DC available in the domain; it
> doesn't care what I configured in the "hosts = " parameter.
> 
> This is using "hosts = dc03.domain:389":
> ---
> 
> [root@ ~]# netstat -anp | grep dovecot | grep auth
> tcp   22  0 :55217 :389  ESTABLISHED 4872/dovecot/auth
> tcp   22  0 :57645 :389  ESTABLISHED 4872/dovecot/auth
> tcp    0  0 :55216 :389  ESTABLISHED 4872/dovecot/auth
> 
> It looks like it does a lookup for other domain controllers (I don't
> know how or why) and it connects at random to any DC in my domain (in
> this case dc06.domain, but it changes each time), additionally to the
> configured one (dc03.domain).
> 
> This is using "hosts = dc03.domain:3268":
> 
> [root@ ~]# netstat -anp | grep dovecot | grep auth
> tcp    0  0 :58485 :3268 ESTABLISHED 4982/dovecot/auth
> 
> In this case, only the configured server in host parameter is used (I
> think this is the right behaviour)
> 
> 
> Additional info:
> ---
> CentOS Linux release 7.0.1406 (Core)
> 
> dovecot 2.2.10
> 
> Build options: ioloop=epoll notify=inotify ipv6 openssl
> io_block_size=8192 Mail storages: shared mdbox sdbox maildir mbox
> cydir imapc pop3c raw fail SQL driver plugins: mysql postgresql sqlite
> Passdb: checkpassword ldap pam passwd passwd-file shadow sql
> Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql
> 
> 
> My /etc/dovecot/dovecot-ldap.conf.ext
> --
> #hosts = dc03.domain:3268
> hosts = dc03.domain:389
> #uris = ldap://dc03.domain
> base = DC=domain
> #tls = yes
> tls = no
> ldap_version = 3
> auth_bind = yes
> auth_bind_userdn = %u@domain
> #auth_bind_userdn = DOMAIN\%u
> dn = cn=,cn=Users,dc=domain
> dnpass = 
> 
> #scope   = subtree
> #deref   = never
> 
> user_filter =
> (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> pass_filter =
> (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> pass_attrs  = userPassword=password
> user_attrs  = Initials=quota_rule=*:storage=%$MB
> ---
> 
> 
> --
> Log trace using PORT 389:
> --
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> where=0x10, ret=1: before/accept initialization []
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: before/accept initialization []
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: SSLv3 read client hello A []
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: SSLv3 write server hello A []
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: SSLv3 write certificate A []
> Sep  7 19:00:35  dovecot: auth: Debug: Loading modules
> from directory: /usr/lib64/dovecot/auth
> Sep  7 19:00:35  dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Sep  7 19:00:35  dovecot: auth: Debug: Loading modules
> from directory: /usr/lib64/dovecot/auth
> Sep  7 19:00:35  dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libauthdb_ldap.so
> Sep  7 19:00:35  dovecot: auth: Debug: Read auth token
> secret 

Re: My dovecot works fine against Active Directory 2003, but not against AD2008

2015-09-09 Thread Mark Foley
Fran and/or Matthias,

Could you publish your doveconf -n? I can't get dovecot to authenticate with my
AD. Maybe you have a solution I could try.

What mail client(s) are you using? I assume by "AD 2003/8" you mean SBS2003/8
and are therefore using Outlook?

--Mark

-Original Message-
> Date: Wed, 9 Sep 2015 17:22:34 +0200
> From: Matthias Lay <matthias@securepoint.de>
> To: Dovecot Mailing List <dovecot@dovecot.org>
> Subject: Re: My dovecot works fine against Active Directory 2003, but not
>   against AD2008
>
>
> hi,
>
> check your 
>
> /etc/openldap/ldap.conf
>
> for
>
> REFERRALS off
>
> I had these errors with "referrals on" in misconfigured DNS environments.
>
>
> you can debug the dns packets by strace-ing the auth process
>
>
>
>
> On Tue, 8 Sep 2015 11:00:37 +0200
> Fran <cumc-436...@chguadalquivir.es> wrote:
>
> > Hello,
> > 
> > my dovecot installation has been working fine against AD until we
> > upgraded from AD 2003 to AD 2008. As
> > http://wiki2.dovecot.org/AuthDatabase/LDAP said, now I'm not able to
> > connect to AD through port 389. Port 3268 works fine though.
> > 
> > (...)
> > Sep  7 19:02:05  dovecot: imap-login: Error:
> > master(imap): Auth request timed out (received 0/12 bytes)
> > Sep  7 19:02:05  dovecot: imap-login: Internal login
> > failure (pid=4846 id=1) (internal failure, 1 successful auths):
> > user=<>, method=PLAIN, rip=,
> > lip=, TLS, session=<T+grMCsfqgAKHyZV>
> > (...)
> > Sep  7 19:02:06  dovecot: auth: Error:
> > ldap(,,): Connection appears
> > to be hanging, reconnecting
> > Sep  7 19:02:06  dovecot: auth: Error:
> > ldap(,,<T+grMCsfqgAKHyZV>): LDAP search
> > returned multiple entries
> > (...)
> > 
> > Is there a technical reason for this problem? Is there any
> > workaround?
> > 
> > The use of Global Catalog (port 3268) is not a solution for me, since
> > it lacks many attributes (ex. I use the field "initials" to set the
> > quota and this field is not available through port 3268).
> > 
> > I also noticed that now it uses any DC available in the domain; it
> > doesn't care what I configured in the "hosts = " parameter.
> > 
> > This is using "hosts = dc03.domain:389":
> > ---
> > 
> > [root@ ~]# netstat -anp | grep dovecot | grep auth
> > tcp   22  0 :55217 :389  ESTABLISHED 4872/dovecot/auth
> > tcp   22  0 :57645 :389  ESTABLISHED 4872/dovecot/auth
> > tcp    0  0 :55216 :389  ESTABLISHED 4872/dovecot/auth
> > 
> > It looks like it does a lookup for other domain controllers (I don't
> > know how or why) and it connects at random to any DC in my domain (in
> > this case dc06.domain, but it changes each time), additionally to the
> > configured one (dc03.domain).
> > 
> > This is using "hosts = dc03.domain:3268":
> > 
> > [root@ ~]# netstat -anp | grep dovecot | grep auth
> > tcp    0  0 :58485 :3268 ESTABLISHED 4982/dovecot/auth
> > 
> > In this case, only the configured server in host parameter is used (I
> > think this is the right behaviour)
> > 
> > 
> > Additional info:
> > ---
> > CentOS Linux release 7.0.1406 (Core)
> > 
> > dovecot 2.2.10
> > 
> > Build options: ioloop=epoll notify=inotify ipv6 openssl
> > io_block_size=8192 Mail storages: shared mdbox sdbox maildir mbox
> > cydir imapc pop3c raw fail SQL driver plugins: mysql postgresql sqlite
> > Passdb: checkpassword ldap pam passwd passwd-file shadow sql
> > Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql
> > 
> > 
> > My /etc/dovecot/dovecot-ldap.conf.ext
> > --
> > #hosts = dc03.domain:3268
> > hosts = dc03.domain:389
> > #uris = ldap://dc03.domain
> > base = DC=domain
> > #tls = yes
> > tls = no
> > ldap_version = 3
> > auth_bind = yes
> > auth_bind_userdn = %u@domain
> > #auth_bind_userdn = DOMAIN\%u
> > dn = cn=,cn=Users,dc=domain
> > dnpass = 
> > 
> > #scope   = subtree
> > #deref   = never
> > 
> > user_filter =
> > (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> > pass_filter =
> > (&(userPrincipalName=%u@domai

My dovecot works fine against Active Directory 2003, but not against AD2008

2015-09-08 Thread Fran
Hello,

my dovecot installation has been working fine against AD until we upgraded
from AD 2003 to AD 2008. As http://wiki2.dovecot.org/AuthDatabase/LDAP
said, now I'm not able to connect to AD through port 389. Port 3268
works fine though.

(...)
Sep  7 19:02:05  dovecot: imap-login: Error:
master(imap): Auth request timed out (received 0/12 bytes)
Sep  7 19:02:05  dovecot: imap-login: Internal login
failure (pid=4846 id=1) (internal failure, 1 successful auths):
user=<>, method=PLAIN, rip=,
lip=, TLS, session=
(...)
Sep  7 19:02:06  dovecot: auth: Error:
ldap(,,): Connection appears
to be hanging, reconnecting
Sep  7 19:02:06  dovecot: auth: Error:
ldap(,,): LDAP search returned
multiple entries
(...)

Is there a technical reason for this problem? Is there any workaround?

Using the Global Catalog (port 3268) is not a solution for me, since it
lacks many attributes (e.g. I use the "initials" field to set the quota,
and this field is not available through port 3268).

I also noticed that it now uses any DC available in the domain; it
doesn't care what I configured in the "hosts =" parameter.

This is using "hosts = dc03.domain:389":
---

[root@ ~]# netstat -anp | grep dovecot | grep auth
tcp   22  0 :55217 
:389  ESTABLISHED 4872/dovecot/auth
tcp   22  0 :57645 
:389ESTABLISHED 4872/dovecot/auth
tcp0  0 :55216 
:389  ESTABLISHED 4872/dovecot/auth

It looks like it does a lookup for other domain controllers (I don't
know how or why) and connects randomly to any DC in my domain (in
this case dc06.domain, but it changes every time), in addition to the
configured one (dc03.domain).

This is using "hosts = dc03.domain:3268":

[root@ ~]# netstat -anp | grep dovecot | grep auth
tcp0  0 :58485 
:3268 ESTABLISHED 4982/dovecot/auth

In this case, only the server configured in the hosts parameter is used (I
think this is the right behaviour).


Additional info:
---
CentOS Linux release 7.0.1406 (Core)

dovecot 2.2.10

Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL driver plugins: mysql postgresql sqlite
Passdb: checkpassword ldap pam passwd passwd-file shadow sql
Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql


My /etc/dovecot/dovecot-ldap.conf.ext
--
#hosts = dc03.domain:3268
hosts = dc03.domain:389
#uris = ldap://dc03.domain
base = DC=domain
#tls = yes
tls = no
ldap_version = 3
auth_bind = yes
auth_bind_userdn = %u@domain
#auth_bind_userdn = DOMAIN\%u
dn = cn=,cn=Users,dc=domain
dnpass = 

#scope   = subtree
#deref   = never

user_filter =
(&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
pass_filter =
(&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
pass_attrs  = userPassword=password
user_attrs  = Initials=quota_rule=*:storage=%$MB
---


--
Log trace using PORT 389:
--
Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
where=0x10, ret=1: before/accept initialization []
Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: before/accept initialization []
Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 read client hello A []
Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 write server hello A []
Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 write certificate A []
Sep  7 19:00:35  dovecot: auth: Debug: Loading modules
from directory: /usr/lib64/dovecot/auth
Sep  7 19:00:35  dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Sep  7 19:00:35  dovecot: auth: Debug: Loading modules
from directory: /usr/lib64/dovecot/auth
Sep  7 19:00:35  dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libauthdb_ldap.so
Sep  7 19:00:35  dovecot: auth: Debug: Read auth token
secret from /var/run/dovecot/auth-token-secret.dat
Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 write key exchange A []
Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 write server done A []
Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 flush data []
Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: SSLv3 read client certificate A []
Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: SSLv3 read client 
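The netstat output above shows the auth process holding LDAP sessions to a DC that the "hosts" setting never named, while the attached config has tls = no and auth_bind = yes, so user passwords and the dnpass bind go in cleartext to whichever DC the connection lands on. The following added example (not from this thread or the Dovecot project) audits exactly that: it parses the active settings of dovecot-ldap.conf.ext and the established dovecot/auth connections from netstat, and reports peers outside "hosts" plus whether TLS is off. The config, netstat lines, IP addresses and the RESOLVE hostname map are constructed placeholders standing in for the real file, real output and DNS.

```python
"""Added example, not from the thread: check whether dovecot's auth process
talks to LDAP servers not named in `hosts`, and whether binds are cleartext."""
import re

# Constructed sample of /etc/dovecot/dovecot-ldap.conf.ext (mirrors the thread).
LDAP_CONF = """\
#hosts = dc03.domain:3268
hosts = dc03.domain:389
tls = no
auth_bind = yes
"""
# Constructed `netstat -anp | grep dovecot | grep auth` output; IPs are placeholders.
NETSTAT = """\
tcp   22  0 192.0.2.10:55217 192.0.2.103:389  ESTABLISHED 4872/dovecot/auth
tcp   22  0 192.0.2.10:57645 192.0.2.106:389  ESTABLISHED 4872/dovecot/auth
tcp    0  0 192.0.2.10:55216 192.0.2.103:389  ESTABLISHED 4872/dovecot/auth
"""
# Constructed hostname -> IP map standing in for DNS resolution.
RESOLVE = {"dc03.domain": "192.0.2.103", "dc06.domain": "192.0.2.106"}

def parse_conf(text):
    """Return {key: value} for active (non-comment) `key = value` lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def allowed_peers(conf, resolve):
    """(ip, port) pairs permitted by `hosts`; dovecot defaults the port to 389."""
    peers = set()
    for entry in conf.get("hosts", "").split():
        host, _, port = entry.partition(":")
        peers.add((resolve.get(host, host), int(port or 389)))
    return peers

def audit(conf_text, netstat_text, resolve):
    """Return (unexpected, cleartext): established auth-process connections whose
    peer is not in `hosts`, and whether `tls` is off (dovecot's default)."""
    conf = parse_conf(conf_text)
    allowed = allowed_peers(conf, resolve)
    unexpected = []
    for line in netstat_text.splitlines():
        m = re.search(r"\s(\S+):(\d+)\s+ESTABLISHED\s+\d+/dovecot/auth", line)
        if m and (m.group(1), int(m.group(2))) not in allowed:
            unexpected.append((m.group(1), int(m.group(2))))
    return unexpected, conf.get("tls", "no") == "no"
```

On the constructed input, audit() reports the dc06 peer as unexpected and TLS as off, which is the condition the thread describes.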

Re: My dovecot works fine against Active Directory 2003, but not against AD2008

2015-09-08 Thread Fran
I've logged a session using the option debug_level = -1.

The log is attached.

I still don't understand what is happening and why all my domain
controllers are being used even when I only use one of them in the "hosts"
parameter in my /etc/dovecot/dovecot-ldap.conf.ext.

Thanks in advance,
Regards



El 08/09/2015 a las 11:00, Fran escribió:
> Hello,
>
> my dovecot installation had been working fine against AD until we upgraded
> from AD 2003 to AD 2008. As http://wiki2.dovecot.org/AuthDatabase/LDAP
> says, now I'm not able to connect to AD through port 389. Port 3268
> works fine though.
>
> (...)
> Sep  7 19:02:05  dovecot: imap-login: Error:
> master(imap): Auth request timed out (received 0/12 bytes)
> Sep  7 19:02:05  dovecot: imap-login: Internal login
> failure (pid=4846 id=1) (internal failure, 1 successful auths):
> user=<>, method=PLAIN, rip=,
> lip=, TLS, session=
> (...)
> Sep  7 19:02:06  dovecot: auth: Error:
> ldap(,,): Connection appears
> to be hanging, reconnecting
> Sep  7 19:02:06  dovecot: auth: Error:
> ldap(,,): LDAP search returned
> multiple entries
> (...)
>
> Is there a technical reason for this problem? Is there any workaround?
>
> Using the Global Catalog (port 3268) is not a solution for me, since it
> lacks many attributes (e.g. I use the "initials" field to set the quota,
> and this field is not available through port 3268).
>
> I also noticed that it now uses any DC available in the domain; it
> doesn't care what I configured in the "hosts =" parameter.
>
> This is using "hosts = dc03.domain:389":
> ---
>
> [root@ ~]# netstat -anp | grep dovecot | grep auth
> tcp   22  0 :55217 
> :389  ESTABLISHED 4872/dovecot/auth
> tcp   22  0 :57645 
> :389ESTABLISHED 4872/dovecot/auth
> tcp0  0 :55216 
> :389  ESTABLISHED 4872/dovecot/auth
>
> It looks like it does a lookup for other domain controllers (I don't
> know how or why) and connects randomly to any DC in my domain (in
> this case dc06.domain, but it changes every time), in addition to the
> configured one (dc03.domain).
>
> This is using "hosts = dc03.domain:3268":
> 
> [root@ ~]# netstat -anp | grep dovecot | grep auth
> tcp0  0 :58485 
> :3268 ESTABLISHED 4982/dovecot/auth
>
> In this case, only the server configured in the hosts parameter is used (I
> think this is the right behaviour).
>
>
> Additional info:
> ---
> CentOS Linux release 7.0.1406 (Core)
>
> dovecot 2.2.10
>
> Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
> Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
> SQL driver plugins: mysql postgresql sqlite
> Passdb: checkpassword ldap pam passwd passwd-file shadow sql
> Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql
>
>
> My /etc/dovecot/dovecot-ldap.conf.ext
> --
> #hosts = dc03.domain:3268
> hosts = dc03.domain:389
> #uris = ldap://dc03.domain
> base = DC=domain
> #tls = yes
> tls = no
> ldap_version = 3
> auth_bind = yes
> auth_bind_userdn = %u@domain
> #auth_bind_userdn = DOMAIN\%u
> dn = cn=,cn=Users,dc=domain
> dnpass = 
>
> #scope   = subtree
> #deref   = never
>
> user_filter =
> (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> pass_filter =
> (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> pass_attrs  = userPassword=password
> user_attrs  = Initials=quota_rule=*:storage=%$MB
> ---
>
>
> --
> Log trace using PORT 389:
> --
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> where=0x10, ret=1: before/accept initialization []
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: before/accept initialization []
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: SSLv3 read client hello A []
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: SSLv3 write server hello A []
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: SSLv3 write certificate A []
> Sep  7 19:00:35  dovecot: auth: Debug: Loading modules
> from directory: /usr/lib64/dovecot/auth
> Sep  7 19:00:35  dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Sep  7 19:00:35  dovecot: auth: Debug: Loading modules
> from directory: /usr/lib64/dovecot/auth
> Sep  7 19:00:35  dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libauthdb_ldap.so
> Sep  7 19:00:35  dovecot: auth: