[Samba] Samba4 AD delegation to read userPassword attribute

Achim Gottinger achim at ag-web.biz
Tue Jan 15 13:41:47 MST 2013


On 15.01.2013 20:02, Christian Hailer wrote:
> Hi Achim,
>
> thank you for this information! Unfortunately it doesn't work in my environment, the userPassword attribute still can't be read by the "ldap" user...
> I tried to bind with the domain administrator account, there it doesn't work too.
>
> Would it be possible for you to post your dovecot.conf, dovecot-ldap.conf and smb.conf files? Maybe I made a mistake somewhere...
I use different configs for passdb and userdb for Dovecot. Dovecot
stores all mails as user vmail.vmail (999:999) in
/var/lib/vmail/[username]/mail here, so you might have to modify the
user_attrs mappings.
With these separate configs for userdb and passdb, auth_bind works for
passdb and pass_attrs are not necessary.

dovecot-ldap.conf

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
}

userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
}

dovecot-ldap-passdb.conf.ext
-----------------------------------
hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%u,cn=Users,dc=example,dc=de
ldap_version = 3
base = cn=Users,dc=example,dc=de
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
-----------------------------------

dovecot-ldap-userdb.conf.ext
-----------------------------------
hosts = localhost
dn = cn=ldap,cn=Users,dc=example,dc=de
dnpass = password
ldap_version = 3
base = cn=Users,dc=example,dc=de
user_attrs = =uid=999,=gid=999,=home=/var/lib/vmail/%u,=mail=/var/lib/vmail/%u/mail
user_filter = (&(objectClass=person)(cn=%u)(mail=*))

# Attributes and filter to get a list of all users
iterate_attrs = cn=user
iterate_filter = (objectClass=person)
-----------------------------------
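Added example, not part of the thread above and not Dovecot's own code: it shows the two strings an auth_bind passdb derives from the login name (%u) using the auth_bind_userdn and pass_filter templates from the mail. The escaping functions are a hypothetical stand-alone implementation of the RFC 4514 (DN) and RFC 4515 (filter) rules, so a login name containing filter or DN metacharacters cannot change which entry is bound or searched; because the login is a bind as the user's own DN, no account needs read access to userPassword.

```python
"""Derive the bind DN and search filter for a Dovecot-style auth_bind passdb.
Templates are the ones from the mail; escaping is this example's own."""
import re

BIND_DN_TMPL = "cn=%u,cn=Users,dc=example,dc=de"            # auth_bind_userdn
PASS_FILTER_TMPL = "(&(objectClass=person)(cn=%u)(mail=*))"  # pass_filter


def escape_dn_value(value: str) -> str:
    """RFC 4514: escape an attribute value placed inside a DN."""
    out = re.sub(r'([\\,+"<>;=])', r'\\\1', value)
    out = out.replace("\x00", r"\00")
    if out.startswith(("#", " ")):       # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):                # a trailing space must be escaped too
        out = out[:-1] + r"\ "
    return out


def escape_filter_value(value: str) -> str:
    """RFC 4515: escape an assertion value placed inside a search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(c, c) for c in value)


def expand(template: str, username: str, escaper) -> str:
    """Substitute the escaped login name for every %u in a template."""
    return template.replace("%u", escaper(username))


def auth_bind_plan(username: str) -> dict:
    """One login: bind as the user's own DN with the password supplied by the
    client (the server verifies it), then filter on the entry.  The service
    account (dn/dnpass) is only needed for userdb lookups, never for hashes."""
    return {
        "bind_dn": expand(BIND_DN_TMPL, username, escape_dn_value),
        "pass_filter": expand(PASS_FILTER_TMPL, username, escape_filter_value),
    }


if __name__ == "__main__":
    for name in ("achim", "x)(cn=*"):    # constructed sample login names
        print(name, "->", auth_bind_plan(name))
```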
