[Samba] Samba4 AD delegation to read userPassword attribute

Achim Gottinger achim at ag-web.biz
Tue Jan 15 05:44:46 MST 2013


Running the environment you described (beside openchange). I guess you need

  acl:read=false

in your smb.conf.

achim~

On 14.01.2013 23:29, Christian Hailer wrote:
> Hello Samba group,
>
> I ran into a problem concerning Dovecot LDAP authentication to the Samba4 Active Directory.
>
> Background: I want to install an Openchange+Samba4 environment using Sogo, Dovecot and Postfix. I didn't want to use openldap as described in the Openchange documentation, why should I use 2 LDAP databases?
>
> Fedora 17, latest updates applied
> Samba: Version 4.1.0pre1-GIT-813bd03
> dovecot-2.1.10-4.fc17.i686
>
> At first I tried to use the auth_bind method of Dovecot, but very soon I realized (via tcpdump) that you first have to authenticate to Samba4:
>
> ...
> searchResDone
> resultCode: operationsError (1)
> matchedDN:
> Operation unavailable without authentication
> ...
>
> I defined the properties in dovecot-ldap.conf like this:
>
> ---------------------------------------------------
> uris = ldaps://192.168.0.1:636
> dn = cn=ldap,ou=USER,dc=example,dc=de
> dnpass = somepassword
>
> base = dc=example,dc=de
> scope = subtree
> deref = never
>
> user_attrs = sAMAccountName=uid,primaryGroupID=gid
> user_filter = (sAMAccountName=%u)
>
> pass_attrs = mail=user,userPassword=password
> pass_filter = (sAMAccountName=%u)
> ---------------------------------------------------
>
> So trying to authenticate to Dovecot with a telnet connection
>
>> telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
> 1 login someuser somepassword
>
> results in the error message "result: mail=someuser@example.de; userPassword missing"
>
> A tcpdump shows the following searchRequest:
>
> ---------------------------------------------------
> Lightweight Directory Access Protocol
>    LDAPMessage searchRequest(2) "dc=example,dc=de" wholeSubtree
>    ...
>    Filter: (sAMAccountName=someuser)
>      filter: equalityMatch (3)
>       equalityMatch
>         attributeDesc: sAMAccountName
>         assertionValue: someuser
>    attributes: 2 items
>      AttributeDescription: mail
>      AttributeDescription: userPassword
> ---------------------------------------------------
>
> As a result I get:
>
> ---------------------------------------------------
> Lightweight Directory Access Protocol
>    LDAPMessage searchResEntry(2) "CN=someuser, OU=USER,DC=example,DC=de" [1 result]
>    ...
>    searchResEntry
>      objectName: CN=someuser, OU=USER,DC=example,DC=de
>      attributes: 1 item
>        PartialAttributeList item mail
>          type: mail
>          vals: 1 item
>            AttributeValue: someuser@exchange.de
> ---------------------------------------------------
>
> So unfortunately the "userPassword" attribute is missing. Now, I remembered the "Control Delegation Wizard" from Microsoft AD where you have to delegate permission to read all user properties to a user account in order to be able to authenticate i.e. pam_ldap users on a linux server.
>
> I delegated the appropriate permissions to the "ldap" user used in dovecot-ldap.conf above, but the behaviour did not change; the "userPassword" attribute won't be delivered to the "ldap" user.
>
> Is anybody out there who ran into the same problem?
>
> Best regards, Christian
>

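An added check for the two settings this thread turns on (example code, not from either poster, from Dovecot or from Samba): the Dovecot config asks the directory to hand back userPassword, and the suggested smb.conf fix, acl:read = false, switches off Samba's read-ACL enforcement for the whole directory rather than granting one account a right. The script parses constructed copies of both files, flags those two settings, and rewrites the Dovecot side to auth_bind = yes, where Dovecot finds the user's DN with the search account and then binds as that user so the directory verifies the password and no hash has to be readable. The sample configs and the parse_kv/audit/hardened_dovecot_conf names are this example's own.

```python
"""Audit a Dovecot LDAP passdb and an smb.conf for the userPassword pattern."""

# Constructed sample configs for the example; they mirror the thread's settings.
DOVECOT_LDAP_CONF = """\
uris = ldaps://192.168.0.1:636
dn = cn=ldap,ou=USER,dc=example,dc=de
dnpass = somepassword
base = dc=example,dc=de
scope = subtree
user_attrs = sAMAccountName=uid,primaryGroupID=gid
user_filter = (sAMAccountName=%u)
pass_attrs = mail=user,userPassword=password
pass_filter = (sAMAccountName=%u)
"""

SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.DE
    server role = active directory domain controller
    acl:read = false
"""


def parse_kv(text):
    """Parse 'key = value' lines; both files use that shape. Comments and
    section headers are skipped, keys are lower-cased, only the first '='
    splits so values such as 'mail=user,userPassword=password' stay whole."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(('#', ';', '[')) or '=' not in line:
            continue
        key, _, value = line.partition('=')
        settings[key.strip().lower()] = value.strip()
    return settings


def _requests_userpassword(pass_attrs):
    """True if any 'ldapAttr=dovecotField' pair fetches userPassword."""
    return any(item.split('=', 1)[0].strip().lower() == 'userpassword'
               for item in pass_attrs.split(',') if item.strip())


def audit(dovecot_conf, smb_conf):
    """Return (severity, finding) pairs for the two risky settings."""
    findings = []
    dovecot = parse_kv(dovecot_conf)
    smb = parse_kv(smb_conf)

    auth_bind = dovecot.get('auth_bind', 'no').lower() == 'yes'
    if _requests_userpassword(dovecot.get('pass_attrs', '')) and not auth_bind:
        findings.append(('high',
                         'pass_attrs fetches userPassword with auth_bind off: an AD DC '
                         'does not serve password hashes over LDAP, so logins fail, and '
                         'a readable hash would be copied to the mail server; use '
                         'auth_bind = yes so the directory checks the password'))
    if smb.get('acl:read', 'true').lower() in ('false', 'no', '0'):
        findings.append(('high',
                         'smb.conf sets acl:read = false, disabling read-ACL '
                         'enforcement for every bound client instead of delegating '
                         'a right to one account'))
    return findings


def hardened_dovecot_conf(dovecot_conf):
    """Drop userPassword from pass_attrs and turn on auth_bind; dn/dnpass stay
    so Dovecot can still search for the user's DN before binding as it."""
    lines, seen_auth_bind = [], False
    for line in dovecot_conf.splitlines():
        key = line.split('=', 1)[0].strip().lower() if '=' in line else ''
        if key == 'pass_attrs':
            kept = [item.strip() for item in line.split('=', 1)[1].split(',')
                    if item.split('=', 1)[0].strip().lower() != 'userpassword']
            lines.append('pass_attrs = ' + ','.join(kept))
        elif key == 'auth_bind':
            lines.append('auth_bind = yes')
            seen_auth_bind = True
        else:
            lines.append(line)
    if not seen_auth_bind:
        lines.append('auth_bind = yes')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    for severity, finding in audit(DOVECOT_LDAP_CONF, SMB_CONF):
        print(f'[{severity}] {finding}')
    print(hardened_dovecot_conf(DOVECOT_LDAP_CONF))
```

The hardened output keeps pass_attrs = mail=user, since attributes other than the password can still be taken from the search result when auth_bind is on and auth_bind_userdn is unset.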