1

Topic: LDAP/AD - iRedMail (Dovecot2) authentication using LDAP bind?

==== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP (AD)
- Linux/BSD distribution name and version: FreeBSD 10
- Related log if you're reporting an issue:
====

The iRedMail stock AD integration uses

pass_attrs      = userPassword=password
default_pass_scheme = CRYPT

However, while I can query the AD LDAP tree, the userPassword attribute is not available.

Is it possible to authenticate by binding to the AD server, using the client-supplied credentials (if necessary, looking up the proper DN)?

2

Re: LDAP/AD - iRedMail (Dovecot2) authentication using LDAP bind?

js wrote:

pass_attrs      = userPassword=password
However, while I can query the AD LDAP tree, the userPassword attribute is not available.

It works with AD with the settings.

js wrote:

Is it possible to authenticate by binding to the AD server, using the client-supplied credentials (if necessary, looking up the proper DN)?

This is what the two parameters below are for:

dn              = vmail
dnpass          = passwd_of_vmail

3

Re: LDAP/AD - iRedMail (Dovecot2) authentication using LDAP bind?

That's not what I mean.

I can't get the userPassword back. Yes, I can look up the user DN using an authenticated bind, and yes, if the AD server would supply the CRYPTed password dovecot could crypt the user-supplied passphrase and check that it's right.

So what I'm looking for is:

- The AD server to perform an authenticated bind (with a "vmail" DN and passphrase stored in the config)
- To lookup the DN for the user with the sAMAccountName supplied in the user IMAP login
- To bind to AD using that DN, with the passphrase supplied in the user IMAP login

The Dovecot wiki suggests this is possible, but I don't have it working. Yet.  Can it be done?  How?

4

Re: LDAP/AD - iRedMail (Dovecot2) authentication using LDAP bind?

I'm afraid that I don't understand what you want.

P.S. As far as I know, AD doesn't store the user password in LDAP, so you won't find an LDAP attribute which stores the user password.

5

Re: LDAP/AD - iRedMail (Dovecot2) authentication using LDAP bind?

My purpose for iRedMail is to enable internal email only to users for our CRM. I have an Exchange 2007 server on the AD domain for Executive users. I have successfully gotten iRedMail to authenticate with my AD domain, but I cannot get email to deliver to local mailboxes; I'm thinking I have some domain names confused in my configuration. Here is my setup:

iRedMail Server: crmmail.mydomain.com (Used this domain just in case I want to give external email later)
AD Domain: domain.local
iRedMail Email domain: crmmail.com

I can successfully log in to webmail with a user: jdoe@domain.local. I believe email is being sent to sdoe@mydomain.com instead of sdoe@crmmail.com by default.

Please help with trying to troubleshoot this issue. I can post any configs or logs needed. Thanks!

6

Re: LDAP/AD - iRedMail (Dovecot2) authentication using LDAP bind?

ZhangHuangbin wrote:

I'm afraid that I don't understand what you want.

P.S. As far as I know, AD doesn't store the user password in LDAP, so you won't find an LDAP attribute which stores the user password.

We're misunderstanding something both, probably.

The AD integration on your site uses the following dovecot config:

  auth_bind = yes
  dn = vmail
  dnpass = vmailspassphrase

This makes dovecot perform an authenticated bind to lookup the user DN.  But you also have:

  pass_attrs      = userPassword=password
  default_pass_scheme = CRYPT

This makes dovecot fetch the "userPassword" LDAP attribute, and interpret it as a crypted password.
Dovecot will then check the crypted user-supplied password against the crypt stored in AD.

I'm not even sure AD does store the (crypted) password, but even if it does its schema doesn't expose it. It might, to privileged accounts; but this is the approach from the iRedMail AD integration instructions.

You're right, AD doesn't offer the userPassword (or it shouldn't, and if it did we shouldn't use it this way) -- but that's how it's done, according to the instructions I find.  And I'd like another way; I want dovecot to authenticate, using the user-supplied passphrase, to the DN obtained from AD by searching for it in the context of an authenticated bind (with preconfigured bind account).

How?
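A Dovecot LDAP configuration for the two-step flow asked for in posts 3 and 6 (search for the user's DN with a preconfigured service account, then bind to AD as that DN with the password the user typed at IMAP login). This is an added example; it is not iRedMail's stock AD configuration and was not posted by anyone in this thread. The host name, base DN, service-account DN and password, mail path and the uid/gid mapping are assumptions for a domain called domain.local; adjust them to your forest.

```conf
# dovecot-ldap.conf.ext (added example; all names below are placeholders)

# Talk to a domain controller over STARTTLS so the user's clear-text
# password from the bind is never sent unencrypted to AD.
hosts            = dc01.domain.local:389
tls              = yes
tls_require_cert = demand
ldap_version     = 3

# Step 1: service account used only to search for the user's DN.
# It needs read access to the user objects, nothing more.
dn               = CN=vmail,OU=Service Accounts,DC=domain,DC=local
dnpass           = passwd_of_vmail

# Step 2: after the search, bind to AD as the DN that was found, using the
# password supplied at IMAP/POP3 login. AD verifies it; Dovecot never needs
# a password hash, so no userPassword attribute and no default_pass_scheme.
auth_bind        = yes

base             = DC=domain,DC=local
scope            = subtree

# %n is the local part of the login (jdoe for jdoe@domain.local).
# The userAccountControl clause is the AD bitwise-AND matching rule that
# excludes disabled accounts, so a disabled user cannot log in even though
# AD would still accept the bind for it.
pass_filter      = (&(objectClass=user)(sAMAccountName=%n)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
# Only the user name is returned; the bind result is the password check.
pass_attrs       = sAMAccountName=user

# userdb lookup (mailbox location); the service account is used here too.
user_filter      = (&(objectClass=user)(sAMAccountName=%n))
user_attrs       = =home=/var/vmail/%d/%n,=uid=vmail,=gid=vmail
```

With `auth_bind = yes` Dovecot first searches with `dn`/`dnpass`, takes the DN of the entry matched by `pass_filter`, and then binds as that DN with the client-supplied password; the search step is what lets a user log in with a bare sAMAccountName. If every login can be mapped to a DN or UPN without a search, `auth_bind_userdn = %n@domain.local` skips the lookup and the service account is then only needed for the userdb query.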

7

Re: LDAP/AD - iRedMail (Dovecot2) authentication using LDAP bind?

It does work with the settings mentioned in the wiki tutorial: "pass_attrs      = userPassword=password". I cannot explain why it works; I think it's better to ask on the Dovecot mailing list.