1 (edited by hata_ph 2014-06-19 10:25:12)

Topic: dovecot authenticate with AD on win2k8r2 [SOLVED]

==== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: CentOS 6.5
- Related log if you're reporting an issue:
====

I am testing iRedMail authenticating with AD on win2k8r2 and have failed to authenticate against AD with dovecot.
I am using http://www.iredmail.org/wiki/index.php? … y.iRedMail as a guide.
When I test dovecot via telnet, it just says "BYE Disconnected for inactivity during authentication".
The firewall on both AD and CentOS is off.
Does anyone have any idea?

Jun 18 14:23:54 auth: Debug: Loading modules from directory: /usr/lib/dovecot/auth
Jun 18 14:23:54 auth: Debug: Module loaded: /usr/lib/dovecot/auth/libdriver_mysql.so
Jun 18 14:23:54 auth: Debug: Module loaded: /usr/lib/dovecot/auth/libdriver_pgsql.so
Jun 18 14:23:54 auth: Debug: Module loaded: /usr/lib/dovecot/auth/libdriver_sqlite.so
Jun 18 14:23:54 auth: Debug: Loading modules from directory: /usr/lib/dovecot/auth
Jun 18 14:23:54 auth: Debug: Module loaded: /usr/lib/dovecot/auth/libauthdb_ldap.so
Jun 18 14:23:54 auth: Debug: passwd-file /etc/dovecot/dovecot-master-users-password: Read 0 users in 0 secs
Jun 18 14:23:54 auth: Debug: auth client connected (pid=3865)
Jun 18 14:24:04 auth: Debug: client in: AUTH    1    PLAIN    service=imap    session=ZF2NThb83gAKCgEB    lip=10.10.1.50    rip=10.10.1.1    lport=143    rport=49374    resp=AHRlc3QxQGZhdGltYWgubGFuAEZhdGltYWgxMjM=
Jun 18 14:24:04 auth: Debug: ldap(test1@example.lan,10.10.1.1,<ZF2NThb83gAKCgEB>): bind search: base=dc=example,dc=lan filter=(&(mail=test1@example.lan)(objectClass=person))
Jun 18 14:24:04 auth: Debug: ldap(test1@example.lan,10.10.1.1,<ZF2NThb83gAKCgEB>): result: objectClass=top,top,top,top cn=test1 givenName=test1 distinguishedName=CN=test1,CN=Users,DC=example,DC=lan instanceType=4 whenCreated=20140617024241.0Z whenChanged=20140617031203.0Z displayName=test1 uSNCreated=24629 memberOf=CN=testgroups1,CN=Users,DC=fatimah,DC=lan uSNChanged=24644 name=test1 objectGUID=DŒ®<Õ?D’súG_Ri userAccountControl=66048 badPwdCount=0 codePage=0 countryCode=0 badPasswordTime=0 lastLogoff=0 lastLogon=0 pwdLastSet=130474465616476520 primaryGroupID=513 objectSid=<no values> accountExpires=9223372036854775807 logonCount=0 sAMAccountName=test1 sAMAccountType=805306368 objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=example,DC=lan dSCorePropagationData=20140617061111.0Z,20140617061111.0Z,20140617061111.0Z lastLogonTimestamp=130474467710343708 mail=test1@example.lan; objectGUID,uSNCreated,objectCategory,objectClass,primaryGroupID,cn,givenName,objectSid,sAMAccountType,dSCorePropagationData,userAccountControl,name,mail,codePage,lastLogon,logonCount,countryCode,lastLogoff,uSNChanged,pwdLastSet,distinguishedName,sAMAccountName,memberOf,whenChanged,instanceType,badPwdCount,accountExpires,whenCreated,displayName,badPasswordTime,lastLogonTimestamp unused
Jun 18 14:26:34 auth: Error: PLAIN(test1@example.lan,10.10.1.1,<ZF2NThb83gAKCgEB>): Request 3865.1 timed out after 150 secs, state=1
Jun 18 14:26:54 imap-login: Info: Disconnected: Inactivity during authentication (disconnected while authenticating, waited 170 secs): user=<>, method=PLAIN, rip=10.10.1.1, lip=10.10.1.50, session=<ZF2NThb83gAKCgEB>
Jun 18 14:26:54 auth: Debug: client in: CANCEL    1

dovecot-ldap.conf

hosts           = adsvr.example.lan:389
ldap_version    = 3
auth_bind       = yes
dn              = cn=administrator,cn=users,dc=example,dc=lan
dnpass          = xxxxx
base            = dc=example,dc=lan
scope           = subtree
deref           = never

# Below two are required by command 'doveadm mailbox ...'
#iterate_attrs   = mail=user
#iterate_filter  = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail))

#user_filter     = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls%Lc)(|(mail=%u)(&(enabledService=shadowaddress)(shadowAddress=%u))))
#user_attrs      = mail=user,homeDirectory=home,=mail=maildir:~/Maildir/,mailQuota=quota_rule=*:bytes=%$
#pass_filter     = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls%Lc)(|(mail=%u)(&(enabledService=shadowaddress)(shadowAddress=%u))))
#pass_attrs      = mail=user,userPassword=password
user_filter     = (&(mail=%u)(objectClass=person))
pass_filter     = (&(mail=%u)(objectClass=person))
pass_attrs     = userPassword=password
default_pass_scheme = CRYPT
user_attrs     = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/
#user_attrs     = homeDirectory=home,uidNumber=uid,gidNumber=gid
#auth_bind_userdn = example.lan\%u

dovecot.conf

# Listen addresses.
#   - '*' means all available IPv4 addresses.
#   - '[::]' means all available IPv6 addresses.
# Listen on all available addresses by default
listen = *

#base_dir = /var/run/dovecot
mail_plugins = quota

# Enabled mail protocols.
protocols = pop3 imap sieve lmtp

# User/group who owns the message files:
mail_uid = 2000
mail_gid = 2000

# Assign uid to virtual users.
first_valid_uid = 2000
last_valid_uid = 2000

# Logging. Reference: http://wiki2.dovecot.org/Logging
log_path = /var/log/dovecot.log
mail_debug = yes
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
# Possible values: no, plain, sha1.
auth_verbose_passwords = no

# SSL: Global settings.
# Refer to wiki site for per protocol, ip, server name SSL settings:
# http://wiki2.dovecot.org/SSL/DovecotConfiguration
ssl = yes
verbose_ssl = no
#ssl_ca =</path/to/ca
ssl_cert = </etc/pki/tls/certs/iRedMail_CA.pem
ssl_key = </etc/pki/tls/private/iRedMail.key

# With disable_plaintext_auth=yes AND ssl=required, STARTTLS is mandatory.
# Set disable_plaintext_auth=no AND ssl=yes to allow plain password transmitted
# insecurely.
disable_plaintext_auth = no
# Allow plain text password per IP address/net
#remote 192.168.0.0/24 {
#   disable_plaintext_auth = no
#}

# Mail location and mailbox format.
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/

# Authentication related settings.
# Append this domain name if client gives empty realm.
auth_default_realm = 

# Authentication mechanisms.
auth_mechanisms = PLAIN LOGIN

# Limits the number of users that can be logging in at the same time.
# Default is 100.
# Note: this value can be overridden by "process_limit =" in service
#       protocol. e.g.
#       protocol imap-login {
#           process_limit = 500
#       }
#default_process_limit = 100

service auth {
    unix_listener /var/spool/postfix/private/dovecot-auth {
        user = postfix
        group = postfix
        mode = 0666
    }
    unix_listener auth-master {
        user = vmail
        group = vmail
        mode = 0666
    }
    unix_listener auth-userdb {
        user = vmail
        group = vmail
        mode = 0660
    }
}

# LMTP server (Local Mail Transfer Protocol).
# Reference: http://wiki2.dovecot.org/LMTP
service lmtp {
    user = vmail

    # For higher volume sites, it may be desirable to increase the number of
    # active listener processes. A range of 5 to 20 is probably good for most
    # sites.
    process_min_avail = 5

    # Logging.
    # Require 'info_log_path =' in 'protocol lmtp {}' block.
    executable = lmtp -L

    # Listening on socket file and TCP
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
        user = postfix
        group = postfix
        mode = 0600
    }

    inet_listener lmtp {
        #address = 192.168.0.24 127.0.0.1 ::1
        port = 24
    }
}

# Virtual mail accounts.
userdb {
    args = /etc/dovecot/dovecot-ldap.conf
    driver = ldap
}
passdb {
    args = /etc/dovecot/dovecot-ldap.conf
    driver = ldap
}

# Master user.
# Master users are able to log in as other users. It's also possible to
# directly log in as any user using a master password, although this isn't
# recommended.
# Reference: http://wiki2.dovecot.org/Authentication/MasterUsers
auth_master_user_separator = *
passdb {
    driver = passwd-file
    args = /etc/dovecot/dovecot-master-users-password
    master = yes
}

plugin {
    auth_socket_path = /var/run/dovecot/auth-master

    quota = dict:user::proxy::quotadict
    quota_rule = *:storage=1G
    #quota_rule2 = *:messages=0
    #quota_rule3 = Trash:storage=1G
    #quota_rule4 = Junk:ignore

    # Quota warning.
    # If user suddenly receives a huge mail and the quota jumps from
    # 85% to 95%, only the 95% script is executed.
    quota_warning = storage=85%% quota-warning 85 %u
    quota_warning2 = storage=90%% quota-warning 90 %u
    quota_warning3 = storage=95%% quota-warning 95 %u

    # Plugin: expire.
    #expire = Trash 7 Trash/* 7 Junk 30
    #expire_dict = proxy::expire

    # ACL and share folder
    acl = vfile
    acl_shared_dict = proxy::acl

    # By default Dovecot doesn't allow using the IMAP "anyone" or
    # "authenticated" identifier, because it would be an easy way to spam
    # other users in the system. If you wish to allow it,
    #acl_anyone = allow

    # Pigeonhole managesieve service.
    # Reference: http://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
    # Per-user sieve settings.
    sieve_dir = /%Lh/sieve
    sieve = /%Lh/sieve/dovecot.sieve

    # Global sieve settings.
    sieve_global_dir = /var/vmail/sieve
    sieve_default = /var/vmail/sieve/dovecot.sieve
    #sieve_before =
    #sieve_after =
}

service quota-warning {
    executable = script /usr/local/bin/dovecot-quota-warning.sh
    unix_listener quota-warning {
        user = vmail
        group = vmail
        mode = 0660
    }
}

service dict {
    unix_listener dict {
        mode = 0660
        user = vmail
        group = vmail
    }
}

dict {
    #expire = db:/var/lib/dovecot/expire/expire.db
    quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
    acl = mysql:/etc/dovecot/dovecot-share-folder.conf
}

protocol lda {
    # Reference: http://wiki2.dovecot.org/LDA
    mail_plugins = $mail_plugins sieve
    auth_socket_path = /var/run/dovecot/auth-master
    log_path = /var/log/dovecot-sieve.log
    lda_mailbox_autocreate = yes
    postmaster_address = root
}

protocol lmtp {
    # Log file
    info_log_path = /var/log/dovecot-lmtp.log

    # Plugins
    mail_plugins = quota sieve
    postmaster_address = postmaster

    lmtp_save_to_detail_mailbox = yes
    recipient_delimiter = +
}

protocol imap {
    mail_plugins = $mail_plugins imap_quota
    imap_client_workarounds = tb-extra-mailbox-sep

    # Maximum number of IMAP connections allowed for a user from each IP address.
    # NOTE: The username is compared case-sensitively.
    # Default is 10.
    # Increase it to avoid issue like below:
    # "Maximum number of concurrent IMAP connections exceeded"
    #mail_max_userip_connections = 20
}
protocol pop3 {
    mail_plugins = $mail_plugins
    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
    pop3_uidl_format = %08Xu%08Xv

    # Maximum number of IMAP connections allowed for a user from each IP address.
    # NOTE: The username is compared case-sensitively.
    # Default is 10.
    #mail_max_userip_connections = 20
}

# Login processes. Refer to Dovecot wiki for more details:
# http://wiki2.dovecot.org/LoginProcess
service imap-login {
    service_count = 1

    # To avoid startup latency for new client connections, set process_min_avail
    # to higher than zero. That many idling processes are always kept around
    # waiting for new connections.
    #process_min_avail = 0

    # number of simultaneous IMAP connections
    #process_limit = $default_process_limit
    process_limit = 500

    # vsz_limit should be fine at its default 64MB value
    #vsz_limit = 64M
}
service pop3-login {
    service_count = 1

    # number of simultaneous POP3 connections
    #process_limit = 500
}

namespace {
    type = private
    separator = /
    prefix =
    #location defaults to mail_location.
    inbox = yes

    mailbox Sent {
        auto = subscribe
        special_use = \Sent
    }
    # This is an alias mailbox for "Sent".
    # Reference: http://wiki2.dovecot.org/MailboxSettings
    mailbox "Sent Messages" {
        auto = no
        special_use = \Sent
    }

    mailbox Drafts {
        auto = subscribe
        special_use = \Drafts
    }
    mailbox Trash {
        auto = subscribe
        special_use = \Trash
    }

    mailbox Junk {
        auto = subscribe
        special_use = \Junk
    }
    # Alias mailbox for "Junk".
    mailbox Spam {
        auto = no
        special_use = \Junk
    }
}

namespace {
    type = shared
    separator = /
    prefix = Shared/%%u/
    location = maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u
    # this namespace should handle its own subscriptions or not.
    subscriptions = yes
    list = children
}

# Public mailboxes.
# Refer to Dovecot wiki page for more details:
# http://wiki2.dovecot.org/SharedMailboxes/Public
#namespace {
#    type = public
#    separator = /
#    prefix = Public/
#
#    # CONTROL=: Mark this public folder as read-only mailbox
#    # INDEX=: Per-user \Seen flag
#    location = maildir:/var/vmail/public/:CONTROL=~/Maildir/public:INDEX=~/Maildir/public
#
#    # Allow users to subscribe to the public folders.
#    subscriptions = yes
#}
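
The timeout in the log above comes after the search already returned the entry, so it is the bind step (auth_bind = yes) that hangs, not the lookup. The same AUTH line shows why auth_debug_passwords = yes must be switched off before a log is pasted anywhere: the resp= value is the base64 SASL PLAIN exchange, which holds the login name and the password, not a hash. The Python script below is an added example, not the poster's or iRedMail's code. It decodes and redacts resp= in Dovecot auth debug lines and ties each AUTH request to its bind search base and any timeout by session id. The sample log lines, session ids and credentials are constructed for the example.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Dovecot auth-debug line shapes used below (the session id ties the lines together).
PLAIN_RE = re.compile(r"client in: AUTH\s+\d+\s+PLAIN\s+.*?session=(\S+).*?resp=(\S+)")
SEARCH_RE = re.compile(r"ldap\(([^,]+),[^,]+,<([^>]+)>\): bind search: base=(\S+)")
TIMEOUT_RE = re.compile(r"\(([^,]+),[^,]+,<([^>]+)>\): Request \S+ timed out after (\d+) secs")


@dataclass
class AuthAttempt:
    session: str
    user: str = ""
    base: str = ""            # search base the ldap passdb used
    timed_out_after: int = 0  # seconds; 0 when the request completed


def decode_plain(resp_b64):
    """Split a SASL PLAIN initial response (RFC 4616: authzid NUL authcid NUL passwd)."""
    parts = base64.b64decode(resp_b64).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN response")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password


def redact_line(line):
    """Replace the base64 credential blob with a marker that keeps only the login name."""
    def _sub(m):
        try:
            _, authcid, _ = decode_plain(m.group(1))
        except (ValueError, UnicodeDecodeError, binascii.Error):
            authcid = "?"
        return "resp=<redacted authcid=%s>" % authcid
    return re.sub(r"resp=(\S+)", _sub, line)


def analyze(log_text):
    """Correlate each AUTH request with its bind search and any timeout, keyed by session id."""
    attempts = {}
    for line in log_text.splitlines():
        m = PLAIN_RE.search(line)
        if m:
            session, resp = m.groups()
            _, authcid, _ = decode_plain(resp)
            attempts[session] = AuthAttempt(session=session, user=authcid)
            continue
        m = SEARCH_RE.search(line)
        if m:
            user, session, base = m.groups()
            attempts.setdefault(session, AuthAttempt(session, user)).base = base
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            user, session, secs = m.groups()
            attempts.setdefault(session, AuthAttempt(session, user)).timed_out_after = int(secs)
    return attempts


def hung_sessions(log_text):
    """Sessions where the search returned an entry but the auth_bind step never answered."""
    return sorted(a.session for a in analyze(log_text).values() if a.base and a.timed_out_after)


def _plain(authcid, password):
    """Build a SASL PLAIN response the way an IMAP client does (used only to construct samples)."""
    return base64.b64encode(b"\0" + authcid.encode() + b"\0" + password.encode()).decode()


# Constructed sample (not the thread's log): one attempt against the domain root that hangs,
# one against the users container that completes.
SAMPLE_LOG = "\n".join([
    "Jun 18 14:24:04 auth: Debug: client in: AUTH\t1\tPLAIN\tservice=imap\tsession=SESSIONAAAA"
    "\tlip=10.10.1.50\trip=10.10.1.1\tlport=143\trport=49374\tresp=" + _plain("user@example.lan", "hunter2"),
    "Jun 18 14:24:04 auth: Debug: ldap(user@example.lan,10.10.1.1,<SESSIONAAAA>): bind search: "
    "base=dc=example,dc=lan filter=(&(mail=user@example.lan)(objectClass=person))",
    "Jun 18 14:26:34 auth: Error: PLAIN(user@example.lan,10.10.1.1,<SESSIONAAAA>): "
    "Request 3865.1 timed out after 150 secs, state=1",
    "Jun 18 14:30:00 auth: Debug: client in: AUTH\t2\tPLAIN\tservice=imap\tsession=SESSIONBBBB"
    "\tlip=10.10.1.50\trip=10.10.1.2\tlport=143\trport=49375\tresp=" + _plain("user2@example.lan", "s3cret"),
    "Jun 18 14:30:00 auth: Debug: ldap(user2@example.lan,10.10.1.2,<SESSIONBBBB>): bind search: "
    "base=cn=users,dc=example,dc=lan filter=(&(mail=user2@example.lan)(objectClass=person))",
])

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
    print("hung sessions:", hung_sessions(SAMPLE_LOG))
```

Run it over /var/log/dovecot.log (the log_path in the posted dovecot.conf) to get a version safe to paste; the hung-session list shows which search base was in use when the bind stalled.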

2

Re: dovecot authenticate with AD on win2k8r2 [SOLVED]

hata_ph wrote:

Jun 18 14:24:04 auth: Debug: ldap(test1@example.lan,10.10.1.1,<ZF2NThb83gAKCgEB>): result: objectClass=top,top,top,top cn=test1 givenName=test1 distinguishedName=CN=test1,CN=Users,DC=example,DC=lan instanceType=4 whenCreated=20140617024241.0Z whenChanged=20140617031203.0Z displayName=test1 uSNCreated=24629 memberOf=CN=testgroups1,CN=Users,DC=fatimah,DC=lan uSNChanged=24644 name=test1 objectGUID=DŒ®<Õ?D’súG_Ri userAccountControl=66048 badPwdCount=0 codePage=0 countryCode=0 badPasswordTime=0 lastLogoff=0 lastLogon=0 pwdLastSet=130474465616476520 primaryGroupID=513 objectSid=<no values> accountExpires=9223372036854775807 logonCount=0 sAMAccountName=test1 sAMAccountType=805306368 objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=example,DC=lan dSCorePropagationData=20140617061111.0Z,20140617061111.0Z,20140617061111.0Z lastLogonTimestamp=130474467710343708 mail=test1@example.lan; objectGUID,uSNCreated,objectCategory,objectClass,primaryGroupID,cn,givenName,objectSid,sAMAccountType,dSCorePropagationData,userAccountControl,name,mail,codePage,lastLogon,logonCount,countryCode,lastLogoff,uSNChanged,pwdLastSet,distinguishedName,sAMAccountName,memberOf,whenChanged,instanceType,badPwdCount,accountExpires,whenCreated,displayName,badPasswordTime,lastLogonTimestamp unused
Jun 18 14:26:34 auth: Error: PLAIN(test1@example.lan,10.10.1.1,<ZF2NThb83gAKCgEB>): Request 3865.1 timed out after 150 secs, state=1

Looks like it returns one ldap object, is it the right account you expect?

I have no idea why it occurs, but why does it say "timed out after 150 secs"?

3 (edited by hata_ph 2014-06-18 16:36:17)

Re: dovecot authenticate with AD on win2k8r2 [SOLVED]

Yes, the username is correct and I have no idea about the timeout error...
I have already turned off the firewall on both win2k8r2 and CentOS... sad
Hoping all the gurus can help me out...

4

Re: dovecot authenticate with AD on win2k8r2 [SOLVED]

I have no idea at all. All I can suggest is trying to narrow down the LDAP base DN in the LDAP query. For example, in dovecot-ldap.conf:

hata_ph wrote:

base            = dc=example,dc=lan

If all your users are stored under cn=users,dc=example,dc=lan, it's better to use this one instead of the root dn 'dc=example,dc=lan'.

5

Re: dovecot authenticate with AD on win2k8r2 [SOLVED]

WOW... cn=users,dc=example,dc=lan works.
Thanks for the advice smile
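
Why narrowing the base helps: a subtree search rooted at the domain partition (dc=example,dc=lan) makes AD return referrals to its other partitions alongside the results, and the LDAP client library may try to chase them; a base that names the container holding the accounts avoids that. The Python linter below is an added example, not part of the thread or of iRedMail; it parses a dovecot-ldap.conf and flags the root base together with the other points a reviewer would raise on the posted file: with auth_bind = yes the userPassword mapping and default_pass_scheme do nothing, and a plain :389 connection without tls = yes sends dnpass and every user's password to the DC unencrypted. The two config fragments are constructed (the "after" one assumes a hypothetical low-privilege lookup account, cn=dovecot-lookup, in place of the domain administrator).

```python
import re


def parse_dovecot_conf(text):
    """Parse Dovecot's 'key = value' format; '#' comments and blank lines are skipped.
    Values may themselves contain '=', so split on the first one only."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def is_domain_root(dn):
    """True when every RDN is a dc= component, i.e. the DN names the AD domain partition itself."""
    rdns = [r.strip() for r in dn.split(",") if r.strip()]
    return bool(rdns) and all(r.lower().startswith("dc=") for r in rdns)


def lint(conf):
    """Return (code, message) findings for an AD-backed dovecot-ldap.conf."""
    findings = []
    base = conf.get("base", "")
    if is_domain_root(base) and conf.get("scope", "subtree") == "subtree":
        findings.append(("ROOT_BASE",
            "base=%s is the domain partition root; a subtree search there also returns "
            "referrals to AD's other partitions. Use the container, e.g. cn=users,%s" % (base, base)))
    auth_bind = conf.get("auth_bind", "no") == "yes"
    if auth_bind and re.search(r"(?i)(^|,)\s*(userPassword|unicodePwd)=", conf.get("pass_attrs", "")):
        findings.append(("DEAD_PASS_ATTR",
            "auth_bind=yes verifies the password by binding as the user; AD does not return a "
            "readable password attribute, so the pass_attrs password mapping does nothing"))
    if auth_bind and conf.get("default_pass_scheme"):
        findings.append(("UNUSED_SCHEME",
            "default_pass_scheme only applies to passwords read from LDAP; ignored with auth_bind=yes"))
    uris = conf.get("uris", "")
    secured = conf.get("tls", "no") == "yes" or uris.lower().startswith("ldaps://")
    if (conf.get("hosts") or uris) and not secured:
        findings.append(("CLEARTEXT_BIND",
            "no tls = yes and no ldaps:// URI: dnpass and, with auth_bind, every user's password "
            "cross the network to the DC unencrypted"))
    return findings


def finding_codes(text):
    """Convenience wrapper: lint a config text and return only the finding codes, in order."""
    return [code for code, _ in lint(parse_dovecot_conf(text))]


# Constructed fragments (not the thread's file): the shape of the posted config, then a fixed one.
BEFORE = """\
hosts           = adsvr.example.lan:389
ldap_version    = 3
auth_bind       = yes
dn              = cn=administrator,cn=users,dc=example,dc=lan
dnpass          = xxxxx
base            = dc=example,dc=lan
scope           = subtree
user_filter     = (&(mail=%u)(objectClass=person))
pass_filter     = (&(mail=%u)(objectClass=person))
pass_attrs      = userPassword=password
default_pass_scheme = CRYPT
user_attrs      = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/
"""

AFTER = """\
uris            = ldaps://adsvr.example.lan
ldap_version    = 3
auth_bind       = yes
dn              = cn=dovecot-lookup,cn=users,dc=example,dc=lan
dnpass          = xxxxx
base            = cn=users,dc=example,dc=lan
scope           = subtree
user_filter     = (&(mail=%u)(objectClass=person))
pass_filter     = (&(mail=%u)(objectClass=person))
user_attrs      = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name)
        for code, msg in lint(parse_dovecot_conf(text)):
            print("  %-15s %s" % (code, msg))
```

When switching to ldaps:// (or tls = yes for StartTLS), also point tls_ca_cert_file at the CA that issued the DC's certificate so the bind is not sent to an unverified server.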

6 (edited by hata_ph 2014-06-19 16:51:37)

Re: dovecot authenticate with AD on win2k8r2 [SOLVED]

I also notice that if you authenticate postfix/dovecot against AD, you can disable openldap entirely too... smile
btw, do iredadmin and iredapd still work after authenticating with AD?

7

Re: dovecot authenticate with AD on win2k8r2 [SOLVED]

hata_ph wrote:

btw, do iredadmin and iredapd still work after authenticating with AD?

Neither one works with AD.

Both iRedAdmin and iRedAPD require some attributes provided by iRedMail LDAP schema, but obviously it's not available in AD.
What features in iRedAPD do you need? It should be easy to modify iRedAPD to work with AD (less work than iRedAdmin), but I haven't tried it before.

8 (edited by hata_ph 2014-06-20 09:42:00)

Re: dovecot authenticate with AD on win2k8r2 [SOLVED]

Nothing in particular about iredapd; I was just wondering what is needed and not needed when switching over to AD. I want to disable some unwanted services/processes...

Btw, I figured out how to configure a per-user quota limit via AD. Add/modify the user_attrs line below, with maxStorage, in your dovecot-ldap.conf:

user_attrs      = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/,maxStorage=quota_rule=*:bytes=%$

Make sure your AD users have the maxStorage attribute. You can use adsiedit.msc to manually key in the maxStorage value in bytes. Restart dovecot and double check the disk usage limit in roundcubemail...
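
How that user_attrs line is interpreted: each comma-separated item is ldapAttr=dovecotField=template, an empty ldapAttr makes a static field, and %$ in the template is replaced by the attribute's value; an entry that has no maxStorage yields no quota_rule field at all, so the plugin { quota_rule = *:storage=1G } default from dovecot.conf applies to that user. The Python below is an added example, not the poster's or Dovecot's code; it reproduces that expansion for the posted line over two constructed AD entries (one with maxStorage, one without) and checks that the value is a plain byte count, since "*:bytes=1G" is not what the template produces. The variable handling is a simplification of Dovecot's own (only %u, %n, %d with the L modifier and %$; templates containing commas are not supported).

```python
import re

VAR_RE = re.compile(r"%(L?)([und$])")


def parse_user_attrs(spec):
    """Split 'ldapAttr=field=template,...' into (ldap_attr, field, template) triples.
    Forms handled: 'attr=field' (value copied as-is), 'attr=field=template' (%$ is the
    attribute value) and '=field=template' (static field, no LDAP attribute)."""
    triples = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split("=", 2)
        if len(parts) == 2:
            parts.append("%$")
        triples.append(tuple(parts))
    return triples


def expand(template, user, attr_value=""):
    """Expand %u/%n/%d (with the L lowercase modifier) and %$ as the thread's templates use them."""
    local, _, domain = user.partition("@")
    values = {"u": user, "n": local, "d": domain, "$": attr_value}

    def _sub(m):
        v = values[m.group(2)]
        return v.lower() if m.group(1) else v
    return VAR_RE.sub(_sub, template)


def userdb_fields(spec, user, entry):
    """Fields the ldap userdb would return for one entry; attribute names compare case-insensitively.
    A field whose LDAP attribute is absent from the entry is not set at all."""
    lookup = {k.lower(): v for k, v in entry.items()}
    fields = {}
    for ldap_attr, field, template in parse_user_attrs(spec):
        if ldap_attr == "":
            fields[field] = expand(template, user)
        elif ldap_attr.lower() in lookup:
            fields[field] = expand(template, user, str(lookup[ldap_attr.lower()]))
    return fields


def quota_bytes(fields):
    """Byte limit from a '*:bytes=N' quota_rule, or None when no per-user rule was set
    (Dovecot then falls back to the plugin { quota_rule } default). Raises on a non-numeric value."""
    rule = fields.get("quota_rule")
    if rule is None:
        return None
    m = re.fullmatch(r"\*:bytes=(\d+)", rule)
    if not m:
        raise ValueError("maxStorage must be a plain byte count, got %r" % rule)
    return int(m.group(1))


# The user_attrs line from the thread, and two constructed AD entries (not real directory data).
USER_ATTRS = ("=home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,"
              "=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/,"
              "maxStorage=quota_rule=*:bytes=%$")
WITH_QUOTA = {"sAMAccountName": "test1", "mail": "test1@example.lan", "maxStorage": "1073741824"}
WITHOUT_QUOTA = {"sAMAccountName": "test2", "mail": "test2@example.lan"}

if __name__ == "__main__":
    for entry in (WITH_QUOTA, WITHOUT_QUOTA):
        f = userdb_fields(USER_ATTRS, entry["mail"], entry)
        print(entry["mail"], f, "limit:", quota_bytes(f))
```

The same logic can be checked live with doveadm user test1@example.lan once the attribute is populated; a user whose output lacks quota_rule has no maxStorage value in AD.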

9

Re: dovecot authenticate with AD on win2k8r2 [SOLVED]

Thanks for sharing. smile