[Samba] Samba4 AD delegation to read userPassword attribute

Hector Suarez Planas hector.suarez at codesa.co.cu
Sat Nov 29 14:04:53 MST 2014


Greetings.

This thread is old, I know, but I have a question.

> PERFECT! It works!!! Thank you very much!!!

> Best regards, Christian

> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Achim
> Gottinger
> Sent: Tuesday, 15 January 2013 21:42
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba4 AD delegation to read userPassword attribute

> On 15.01.2013 20:02, Christian Hailer wrote:
>> Hi Achim,
>>
>> thank you for this information! Unfortunately it doesn't work in my environment, the userPassword attribute
>> still can't be read by the "ldap" user...
>> I tried to bind with the domain administrator account; it doesn't work there either.
>>
>> Would it be possible for you to post your dovecot.conf, dovecot-ldap.conf and smb.conf files? Maybe I made
>> a mistake somewhere...
>> I use different configs for passdb and userdb for Dovecot. Dovecot stores all mails as user vmail.vmail
>> (999:999) in /var/lib/vmail/[username]/mail here, so you might have to modify the user_attrs mappings.
>> With these separate configs for userdb and passdb, auth_bind works for passdb and pass_attrs are not
>> necessary.

>> dovecot-ldap.conf
>> -----------------------------------
>> passdb {
>>    driver = ldap
>>    args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
>> }
>>
>> userdb {
>>    driver = ldap
>>    args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
>> }
>> -----------------------------------
>>
>> dovecot-ldap-passdb.conf.ext
>> -----------------------------------
>> hosts = localhost
>> auth_bind = yes
>> auth_bind_userdn = cn=%u,cn=Users,dc=example,dc=de
>> ldap_version = 3
>> base = cn=Users,dc=example,dc=de
>> pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
>> -----------------------------------
>>
>> dovecot-ldap-userdb.conf.ext
>> -----------------------------------
>> hosts = localhost
>> dn = cn=ldap,cn=Users,dc=example,dc=de
>> dnpass = password
>> ldap_version = 3
>> base = cn=Users,dc=example,dc=de
>> user_attrs = =uid=999,=gid=999,=home=/var/lib/vmail/%u,=mail=/var/lib/vmail/%u/mail
>> user_filter = (&(objectClass=person)(cn=%u)(mail=*))
>> # Attributes and filter to get a list of all users
>> iterate_attrs = cn=user
>> iterate_filter = (objectClass=person)
>> -----------------------------------

Does this configuration work well with the CRAM-MD5 auth mechanism?

I'm configuring Dovecot + Samba 4 AD and I got an error with the passwords. I'm using Thunderbird (IMAPS [SSL/TLS] and encrypted passwords). Plain authentication works fine, STARTTLS works fine, but SSL/TLS fails.

:|
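Editor's note with an added example (not code from the thread or from Dovecot/Samba): the passdb quoted above relies on `auth_bind = yes`, so Dovecot proves a password by binding to Samba AD as the user and never needs read access to a password attribute. That only works when the client hands over the plaintext password (PLAIN or LOGIN, which is what Thunderbird's "normal password" over SSL/TLS or STARTTLS sends). CRAM-MD5 (RFC 2195) instead has the client send an HMAC-MD5 of a server challenge keyed with the password, and the server must recompute it from a stored plaintext (or CRAM-MD5 scheme) secret, which a bind-only passdb never obtains. The simulation below shows both verifier shapes side by side; the directory, user, password and the second challenge are constructed for the demo, and the first challenge/response pair is the published RFC 2195 example.

```python
"""Added example: why a Dovecot passdb with auth_bind=yes serves
PLAIN/LOGIN but cannot serve CRAM-MD5. Everything here runs in-process;
no real LDAP or IMAP traffic is involved."""
import hashlib
import hmac

# Constructed stand-in for Samba AD. It holds the plaintext only so that a
# simulated simple bind can answer yes/no; callers never read this table.
DIRECTORY = {"alice": "s3cret-pass"}

BIND_DN_TEMPLATE = "cn=%u,cn=Users,dc=example,dc=de"  # auth_bind_userdn from the thread


def ldap_simple_bind(dn: str, password: str) -> bool:
    """Simulated LDAP simple bind: the directory checks the secret and the
    caller learns only whether the (dn, password) pair is valid."""
    if not dn.startswith("cn=") or ",cn=Users,dc=example,dc=de" not in dn:
        return False
    username = dn[len("cn="):dn.index(",")]
    return DIRECTORY.get(username) == password


def auth_bind_verify(username: str, password: str) -> bool:
    """What Dovecot does for PLAIN/LOGIN with auth_bind=yes: substitute %u
    into auth_bind_userdn and bind as that DN with the client's password."""
    return ldap_simple_bind(BIND_DN_TEMPLATE.replace("%u", username), password)


def auth_bind_password_lookup(username: str):
    """The password lookup an auth_bind-only passdb can offer: none.
    A bind proves a pair; it never returns the stored secret."""
    return None


def cram_md5_client(username: str, password: str, challenge: bytes) -> str:
    """Client half of RFC 2195: 'user hex(HMAC-MD5(key=password, challenge))'.
    On the wire both challenge and response are base64; shown decoded here."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_server_verify(response: str, challenge: bytes, lookup) -> bool:
    """Server half of RFC 2195. lookup(username) must return the plaintext
    password (or None); without it the digest cannot be recomputed."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    password = lookup(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # RFC 2195 example: user "tim", password "tanstaaftanstaaf".
    rfc_challenge = b"<1896.697170952@postoffice.reston.mci.net>"
    print(cram_md5_client("tim", "tanstaaftanstaaf", rfc_challenge))
    # -> tim b913a602c7eda7a495b4e6e7334d3890

    challenge = b"<4242.1417286693@imap.example.de>"  # constructed
    resp = cram_md5_client("alice", "s3cret-pass", challenge)
    print("PLAIN via auth_bind:", auth_bind_verify("alice", "s3cret-pass"))
    print("CRAM-MD5 with a plaintext lookup:",
          cram_md5_server_verify(resp, challenge, DIRECTORY.get))
    print("CRAM-MD5 with auth_bind only:",
          cram_md5_server_verify(resp, challenge, auth_bind_password_lookup))
```

The practical consequence for a Thunderbird client: with this passdb, select "Normal password" and let TLS protect it, rather than "Encrypted password" (CRAM-MD5), which Dovecot can only serve if it can fetch the plaintext from the directory, the very delegation this thread set out to avoid.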
