[Samba] Samba4 AD delegation to read userPassword attribute
Christian Hailer
Chrissi at amusing.de
Tue Jan 15 12:15:47 MST 2013
-------- Original message --------
Subject: Re: [Samba] Samba4 AD delegation to read userPassword attribute
From: Christian Hailer <Chrissi at amusing.de>
To: Achim Gottinger <achim at ag-web.biz>
Cc:
Hi Achim,
thank you for this information! Unfortunately it doesn't work in my environment; the userPassword attribute still can't be read by the "ldap" user...
I also tried binding with the domain administrator account; it doesn't work there either.
Would it be possible for you to post your dovecot.conf, dovecot-ldap.conf and smb.conf files? Maybe I made a mistake somewhere...
Thanks in advance,
Christian
Achim Gottinger <achim at ag-web.biz> wrote:
Running the environment you described (apart from openchange). I guess you need
acl:read=false
in your smb.conf.
achim~
On 14.01.2013 23:29, Christian Hailer wrote:
> Hello Samba group,
>
> I ran into a problem concerning Dovecot LDAP authentication to the Samba4 Active Directory.
>
> Background: I want to install an Openchange+Samba4 environment using Sogo, Dovecot and Postfix. I didn't want to use openldap as described in the Openchange documentation; why should I use 2 LDAP databases?
>
> Fedora 17, latest updates applied
> Samba: Version 4.1.0pre1-GIT-813bd03
> dovecot-2.1.10-4.fc17.i686
>
> At first I tried to use the auth_bind method of Dovecot, but very soon I realized (via tcpdump) that you first have to authenticate to Samba4:
>
> ...
> searchResDone
> resultCode: operationsError (1)
> matchedDN:
> Operation unavailable without authentication
> ...
>
> I defined the properties in dovecot-ldap.conf like this:
>
> ---------------------------------------------------
> uris = ldaps://192.168.0.1:636
> dn = cn=ldap,ou=USER,dc=example,dc=de
> dnpass = somepassword
>
> base = dc=example,dc=de
> scope = subtree
> deref = never
>
> user_attrs = sAMAccountName=uid,primaryGroupID=gid
> user_filter = (sAMAccountName=%u)
>
> pass_attrs = mail=user,userPassword=password
> pass_filter = (sAMAccountName=%u)
> ---------------------------------------------------
>
> So trying to authenticate to Dovecot with a telnet connection
>
>> telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
> 1 login someuser somepassword
>
> results in the error message "result: mail=someuser at example.de; userPassword missing"
>
> A tcpdump shows the following searchRequest:
>
> ---------------------------------------------------
> Lightweight Directory Access Protocol
> LDAPMessage searchRequest(2) "dc=example,dc=de" wholeSubtree
> ...
> Filter: (sAMAccountName=someuser)
> filter: equalityMatch (3)
> equalityMatch
> attributeDesc: sAMAccountName
> assertionValue: someuser
> attributes: 2 items
> AttributeDescription: mail
> AttributeDescription: userPassword
> ---------------------------------------------------
>
> As a result I get:
>
> ---------------------------------------------------
> Lightweight Directory Access Protocol
> LDAPMessage searchResEntry(2) "CN=someuser, OU=USER,DC=example,DC=de" [1 result]
> ...
> searchResEntry
> objectName: CN=someuser, OU=USER,DC=example,DC=de
> attributes: 1 item
> PartialAttributeList item mail
> type: mail
> vals: 1 item
> AttributeValue: someuser at exchange.de
> ---------------------------------------------------
>
> So unfortunately the "userPassword" attribute is missing. Now, I remembered the "Control Delegation Wizard" from Microsoft AD where you have to delegate permission to read all user properties to a user account in order to be able to authenticate i.e. pam_ldap users on a Linux server.
>
> I delegated the appropriate permissions to the "ldap" user used in dovecot-ldap.conf above, but the behaviour did not change, the "userPassword" attribute won't be delivered to the "ldap" user.
>
> Is anybody out there who ran into the same problem?
>
> Best regards, Christian
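The configuration quoted in the thread has Dovecot's service account search the directory and read the user's userPassword hash, and the captured searchResEntry shows Samba returning only mail even after delegation. An added example follows; it is not from this thread, from Dovecot or from Samba, and it uses the alternative Dovecot already ships for exactly this case: password checking by binding to the directory as the user (auth_bind) rather than by reading the hash. Assumptions not in the original post: the realm is example.de, Samba accepts simple binds in user@realm form, the DC certificate is signed by a CA whose file is given below, and users log in with their bare sAMAccountName.

```conf
# dovecot-ldap.conf -- added example, not the configuration from the thread.
# Assumed: realm example.de, DC at 192.168.0.1:636, CA file path below,
# Samba accepts simple binds as user@realm, logins use the bare account name.

uris = ldaps://192.168.0.1:636
# Verify the DC certificate; without this the user's password is sent to
# whatever answers on that address.
tls_require_cert = hard
tls_ca_cert_file = /etc/pki/tls/certs/samba-ca.pem   # assumed path

# Service account, used only for the userdb lookup (uid/gid). It needs read
# access to sAMAccountName and primaryGroupID and nothing else; it never
# has to see password attributes.
dn = cn=ldap,ou=USER,dc=example,dc=de
dnpass = somepassword

base = dc=example,dc=de
scope = subtree
deref = never

# Password check: bind to Samba AS the user with the password the client
# supplied. With auth_bind_userdn set, Dovecot builds the bind identity from
# the template and performs no search before the bind, so the anonymous
# search that failed with "Operation unavailable without authentication"
# in the thread is never attempted. %n is the login name without a domain
# part (the thread's config used %u; both are the same for a bare login).
auth_bind = yes
auth_bind_userdn = %n@example.de

# The thread's pass_attrs line (mail=user,userPassword=password) is
# deliberately absent: no identity reads the hash, so there is nothing to
# delegate and no reason to relax directory ACLs.

# userdb lookup, done with the service account after a successful bind.
user_attrs = sAMAccountName=uid,primaryGroupID=gid
user_filter = (sAMAccountName=%n)
```

The trade-off is the one the thread is circling: reading userPassword requires handing a long-lived service account read access to every user's password hash, which is what the delegation wizard and suggestions to loosen Samba's ACL settings amount to. Binding as the user keeps the hash inside the directory and limits the service account to the two attributes the userdb actually needs, and if a user is disabled or locked in AD the bind fails without any extra logic in Dovecot.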
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba mailing list