[Dovecot] LDAP auth with AD

Chris Visser chris.visser at rtt.co.za
Tue Aug 7 10:03:53 EEST 2012


Hi,

I'm struggling to set up LDAP authentication with dovecot against an AD server.  When I attempt to bind using the same DN I use to do address lookups in exim and to do searches using ldapsearch on the command line I get the following in my logs:

Aug  7 08:55:58 mail-dev dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Aug  7 08:55:58 mail-dev dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Aug  7 08:55:58 mail-dev dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Aug  7 08:55:58 mail-dev dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Aug  7 08:55:58 mail-dev dovecot: auth: Debug: auth client connected (pid=1523)
Aug  7 08:55:58 mail-dev dovecot: auth: Error: LDAP: binding failed (dn CN=Linux Sync,CN=Users,DC=RTT,DC=co,DC=za): Invalid credentials, 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 

I'm running CentOS 6 and connect to a Windows 2008 R2 domain.
The output from dovecot -n:
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.2.1.el6.x86_64 x86_64 CentOS release 6.3 (Final) 
auth_debug = yes
auth_verbose = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mbox_write_locks = fcntl
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
userdb {
  args = uid=exim gid=exim home=/var/spool/mail/%Ld/%Ln
  driver = static
}

And my /etc/dovecot/dovecot-ldap.conf.ext:
hosts = dc01.mydomain.com 
base = dc=mydomain,dc=com
dn = CN=Linux Sync,CN=Users,DC=mydomain,DC=com
dnpass = mypass
deref = never
scope = subtree 
ldap_version = 3
auth_bind = no
pass_filter = (&(objectClass=person)(mail=%u))


Chris Visser
Linux/Network Infrastructure  
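The bind error quoted in the post carries more than "Invalid credentials": the `data 52e` field is Active Directory's own sub-code, and it is the part that tells a defender whether the bind DN was wrong, the password was wrong, or the account is locked or disabled. As an added example (not from the post or the Dovecot project), here is a small parser that pulls the DN and that sub-code out of Dovecot auth log lines and tallies failures per bind DN, which is also the signal you would alert on when a service account starts failing repeatedly. The first log line is the one from the post; the others, the `svc-example` DN and the misspelled DN, are constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Well-known Active Directory bind sub-codes, as printed after "data" in the
# "AcceptSecurityContext error" diagnostic string (lowercase hex as AD emits them).
AD_BIND_SUBCODES = {
    "525": "user not found (the bind DN does not resolve to an account)",
    "52e": "invalid credentials (account exists, password rejected)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Dovecot auth-process LDAP bind failure as it appears in syslog, with AD's
# extended diagnostic appended after the LDAP result text.
LDAP_BIND_RE = re.compile(
    r"dovecot: auth: Error: LDAP: binding failed \(dn (?P<dn>[^)]+)\): "
    r"(?P<ldap_msg>[^,]+), (?P<win_err>[0-9A-Fa-f]+): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<subcode>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)

# Constructed sample log: line [1] is the failure quoted in the post; the
# remaining failure lines are invented (hypothetical DNs and sub-codes).
SAMPLE_LOG = [
    "Aug  7 08:55:58 mail-dev dovecot: auth: Debug: auth client connected (pid=1523)",
    "Aug  7 08:55:58 mail-dev dovecot: auth: Error: LDAP: binding failed "
    "(dn CN=Linux Sync,CN=Users,DC=RTT,DC=co,DC=za): Invalid credentials, 80090308: "
    "LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
    # constructed: the same DN failing again a few seconds later
    "Aug  7 08:56:10 mail-dev dovecot: auth: Error: LDAP: binding failed "
    "(dn CN=Linux Sync,CN=Users,DC=RTT,DC=co,DC=za): Invalid credentials, 80090308: "
    "LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
    # constructed: a hypothetical service account that has been locked out
    "Aug  7 08:57:02 mail-dev dovecot: auth: Error: LDAP: binding failed "
    "(dn CN=svc-example,CN=Users,DC=example,DC=test): Invalid credentials, 80090308: "
    "LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1",
    # constructed: a misspelled bind DN, which AD reports as "user not found"
    "Aug  7 08:58:30 mail-dev dovecot: auth: Error: LDAP: binding failed "
    "(dn CN=Linux Snyc,CN=Users,DC=RTT,DC=co,DC=za): Invalid credentials, 80090308: "
    "LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 525, v1db1",
]


def explain_subcode(subcode: str) -> str:
    """Map an AD 'data' sub-code to a human-readable cause."""
    return AD_BIND_SUBCODES.get(subcode.lower(), f"unknown AD sub-code {subcode}")


def parse_ldap_bind_failure(line: str) -> Optional[Dict[str, str]]:
    """Return the bind DN, LDAP result text, AD sub-code and its meaning for a
    Dovecot LDAP bind failure line, or None for any other log line."""
    m = LDAP_BIND_RE.search(line)
    if m is None:
        return None
    subcode = m.group("subcode").lower()
    return {
        "dn": m.group("dn"),
        "ldap_msg": m.group("ldap_msg"),
        "subcode": subcode,
        "meaning": explain_subcode(subcode),
    }


def summarize_bind_failures(lines: List[str]) -> Counter:
    """Count bind failures per (DN, sub-code) pair; a rising count for one
    service-account DN is the thing worth alerting on."""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_ldap_bind_failure(line)
        if parsed is not None:
            counts[(parsed["dn"], parsed["subcode"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        parsed = parse_ldap_bind_failure(line)
        if parsed is not None:
            print(f'{parsed["dn"]}: data {parsed["subcode"]} -> {parsed["meaning"]}')
    for (dn, code), n in summarize_bind_failures(SAMPLE_LOG).most_common():
        print(f"{n:3d} x {code}  {dn}")
```

Read against the post's own line, `data 52e` means the directory found the `CN=Linux Sync` account and rejected the password; a DN that does not exist would come back as `data 525` instead, so the two cases should be investigated differently. The counter is deliberately keyed on the bind DN rather than on the mail user, because with `auth_bind = no` it is the service account's credentials, not the end user's, that are being presented here.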




