
[Samba] Samba4 AD delegation to read userPassword attribute


Christian Hailer

Jan 14, 2013, 5:29:49 PM
Hello Samba group,

I ran into a problem concerning Dovecot LDAP authentication to the Samba4 Active Directory.

Background: I want to install an Openchange+Samba4 environment using Sogo, Dovecot and Postfix. I didn't want to use openldap as described in the Openchange documentation; why should I use 2 LDAP databases?

Fedora 17, latest updates applied
Samba: Version 4.1.0pre1-GIT-813bd03
dovecot-2.1.10-4.fc17.i686

At first I tried to use the auth_bind method of Dovecot, but very soon I realized (via tcpdump) that you first have to authenticate to Samba4:

...
searchResDone
resultCode: operationsError (1)
matchedDN:
Operation unavailable without authentication
...

I defined the properties in dovecot-ldap.conf like this:

---------------------------------------------------
uris = ldaps://192.168.0.1:636
dn = cn=ldap,ou=USER,dc=example,dc=de
dnpass = somepassword

base = dc=example,dc=de
scope = subtree
deref = never

user_attrs = sAMAccountName=uid,primaryGroupID=gid
user_filter = (sAMAccountName=%u)

pass_attrs = mail=user,userPassword=password
pass_filter = (sAMAccountName=%u)
---------------------------------------------------

So trying to authenticate to Dovecot with a telnet connection

>telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
1 login someuser somepassword

results in the error message "result: mail=some...@example.de; userPassword missing"

A tcpdump shows the following searchRequest:

---------------------------------------------------
Lightweight Directory Access Protocol
LDAPMessage searchRequest(2) "dc=example,dc=de" wholeSubtree
...
Filter: (sAMAccountName=someuser)
filter: equalityMatch (3)
equalityMatch
attributeDesc: sAMAccountName
assertionValue: someuser
attributes: 2 items
AttributeDescription: mail
AttributeDescription: userPassword
---------------------------------------------------

As a result I get:

---------------------------------------------------
Lightweight Directory Access Protocol
LDAPMessage searchResEntry(2) "CN=someuser, OU=USER,DC=example,DC=de" [1 result]
...
searchResEntry
objectName: CN=someuser, OU=USER,DC=example,DC=de
attributes: 1 item
PartialAttributeList item mail
type: mail
vals: 1 item
AttributeValue: some...@exchange.de
---------------------------------------------------

So unfortunately the "userPassword" attribute is missing. Now, I remembered the "Control Delegation Wizard" from Microsoft AD where you have to delegate permission to read all user properties to a user account in order to be able to authenticate i.e. pam_ldap users on a linux server.

I delegated the appropriate permissions to the "ldap" user used in dovecot-ldap.conf above, but the behaviour did not change; the "userPassword" attribute won't be delivered to the "ldap" user.

Is anybody out there who ran into the same problem?

Best regards, Christian

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Achim Gottinger

Jan 15, 2013, 7:44:46 AM
Running the environment you described (beside openchange). I guess you need

acl:read=false

in your smb.conf.

achim~

Christian Hailer

Jan 15, 2013, 2:15:47 PM

-------- Original message --------
Subject: Re: [Samba] Samba4 AD delegation to read userPassword attribute
From: Christian Hailer <Chr...@amusing.de>
To: Achim Gottinger <ac...@ag-web.biz>
Cc:

Hi Achim,

thank you for this information! Unfortunately it doesn't work in my environment; the userPassword attribute still can't be read by the "ldap" user...
I tried to bind with the domain administrator account; it doesn't work there either.

Would it be possible for you to post your dovecot.conf, dovecot-ldap.conf and smb.conf files? Maybe I made a mistake somewhere...

Thanks in advance,
Christian

Achim Gottinger <ac...@ag-web.biz> wrote:

Achim Gottinger

Jan 15, 2013, 3:41:47 PM
On 15.01.2013 20:02, Christian Hailer wrote:
> Hi Achim,
>
> thank you for this information! Unfortunately it doesn't work in my environment, the userPassword attribute still can't be read by the "ldap" user...
> I tried to bind with the domain administrator account, there it doesn't work too.
>
> Would it be possible for you to post your dovecot.conf, dovecot-ldap.conf and smb.conf files? Maybe I made a mistake somewhere...
I use different configs for passdb and userdb for Dovecot. Dovecot
stores all mail as user vmail.vmail(999:999) in
/var/lib/vmail/[username]/mail here, so you might have to modify the
user_attrs mappings.
With these separate configs for userdb and passdb, auth_bind works for
passdb and pass_attrs are not necessary.

dovecot-ldap.conf
-----------------------------------
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
}

userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
}
-----------------------------------

dovecot-ldap-passdb.conf.ext
-----------------------------------
hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%u,cn=Users,dc=example,dc=de
ldap_version = 3
base = cn=Users,dc=example,dc=de
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
-----------------------------------

dovecot-ldap-userdb.conf.ext
-----------------------------------
hosts = localhost
dn = cn=ldap,cn=Users,dc=example,dc=de
dnpass = password
ldap_version = 3
base = cn=Users,dc=example,dc=de
user_attrs = =uid=999,=gid=999,=home=/var/lib/vmail/%u,=mail=/var/lib/vmail/%u/mail
user_filter = (&(objectClass=person)(cn=%u)(mail=*))

# Attributes and filter to get a list of all users
iterate_attrs = cn=user
iterate_filter = (objectClass=person)
-----------------------------------
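As an added example that is not from either poster, a small Python lint over the two passdb layouts in this thread: a constructed fragment mirroring the pass_attrs/userPassword approach that fails against Samba4 AD, beside one mirroring the auth_bind layout that works. The keys are real Dovecot LDAP settings; the `tls` check and the sample values are assumptions added here.

```python
# Constructed fragments, not the posters' files verbatim.
READ_PASSWORD_CONF = """
uris = ldaps://192.168.0.1:636
dn = cn=ldap,ou=USER,dc=example,dc=de
dnpass = somepassword
pass_attrs = mail=user,userPassword=password
pass_filter = (sAMAccountName=%u)
"""

AUTH_BIND_CONF = """
hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%u,cn=Users,dc=example,dc=de
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
"""


def parse_conf(text):
    """Parse Dovecot's 'key = value' lines; '#' comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def check_passdb(conf):
    """Return findings for a passdb-side dovecot-ldap config used against AD."""
    findings = []
    auth_bind = conf.get("auth_bind", "no").lower() == "yes"
    pass_attrs = conf.get("pass_attrs", "")
    # AD never returns userPassword on a search, whatever the bind account's ACLs.
    if not auth_bind and "userPassword=" in pass_attrs:
        findings.append("pass_attrs expects userPassword, which AD does not return; "
                        "use auth_bind = yes instead")
    # With auth_bind Dovecot must know which DN to bind as for the user.
    if auth_bind and "auth_bind_userdn" not in conf and "pass_filter" not in conf:
        findings.append("auth_bind = yes needs auth_bind_userdn or a pass_filter")
    # A simple bind carries the user's password; require ldaps:// or STARTTLS (assumed rule).
    encrypted = (conf.get("uris", "").startswith("ldaps://")
                 or conf.get("tls", "no").lower() == "yes")
    if auth_bind and not encrypted:
        findings.append("auth_bind over plain LDAP; set uris = ldaps://... or tls = yes")
    return findings


if __name__ == "__main__":
    for name, text in (("read-password", READ_PASSWORD_CONF), ("auth-bind", AUTH_BIND_CONF)):
        print(name, check_passdb(parse_conf(text)))
```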

Christian Hailer

Jan 15, 2013, 5:38:11 PM
PERFECT! It works!!! Thank you very much!!!

Best regards, Christian

-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On Behalf Of Achim Gottinger
Sent: Tuesday, 15 January 2013 21:42
To: sa...@lists.samba.org
Subject: Re: [Samba] Samba4 AD delegation to read userPassword attribute
