[Samba] ldapsearch with ldaps

Stefan Kania stefan at kania-online.de
Mon Aug 29 18:46:49 UTC 2022


Thank you for the info, we will try it. Dovecot is not my major topic
and the documentation is terrible :-)


On 29.08.22 at 20:23, Kees van Vloten via samba wrote:
> This is how I got it done:
> 
> dovecot.conf
> 
> auth_realms = SAMDOM.COM
> auth_default_realm = SAMDOM.COM
> auth_gssapi_hostname = mailserver.samdom.com
> auth_krb5_keytab = /etc/keytab/dovecot.keytab
> auth_mechanisms = gssapi gss-spnego plain
> 
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   #args = /etc/dovecot/ldap_user_to_principal.conf.ext
>   driver = ldap
>   pass = yes
> }
> passdb {
>   driver = pam
> }
> 
> userdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> 
> For users without a Krb5 ticket:
> 
> /etc/pam.d/dovecot
> 
> #%PAM-1.0
> 
> auth sufficient pam_krb5.so alt_auth_map=%s@SAMDOM.COM keytab=/etc/keytab/dovecot.keytab
> auth required pam_deny.so
> 
> account sufficient pam_krb5.so alt_auth_map=%s@SAMDOM.COM keytab=/etc/keytab/dovecot.keytab
> account required pam_deny.so
> 
> /etc/dovecot/dovecot-ldap.conf.ext
> 
> # This file is commonly accessed via passdb {} or userdb {} section in dovecot.conf
> uris = ldap://sambadc1.samdom.com/ ldap://sambadc2.samdom.com/
> tls = yes
> auth_bind = no
> ldap_version = 3
> base = OU=Groupware,DC=samdom,DC=com
> scope = subtree
> 
> # User account must be enabled and nested member of the group 'mail_user-<mail-domain>'
> pass_filter = (&(objectClass=user)(sAMAccountName=%n)(memberOf:1.2.840.113556.1.4.1941:=CN=mail_user-%d,OU=Mail Domains,OU=Groups,DC=samdom,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> 
> pass_attrs = \
>     =user=%{ldap:mail}, \
>     =nopassword=Y, \
>     =k5principals=%{ldap:userPrincipalName}
> 
> # User account details:
> # This is: user or group (functional mailbox) with the %u as mail-address in 'mail'
> #   No check on locked account here, otherwise mail will not be delivered when account is locked
> # Test userdb lookup: doveadm user -u "<user>@<samdom>"
> user_filter = (|(&(objectClass=user)(mail=%u))(&(objectClass=group)(mail=%u)))
> user_attrs = \
>     =user=%{ldap:mail}, \
>     =uid=vmail, \
>     =gid=vmail, \
>     =home=/srv/mail/vmail
> 
> # Attributes and filter to get a list of all users
> # This is: all user objects under basedn and all function mailboxes (groups with name: 'mail_box_<mail-address>')
> # Test iterator: doveadm user -u "*"
> iterate_filter = (|(objectClass=user)(&(objectClass=group)(sAMAccountName=mail_box-*)))
> iterate_attrs = \
>     =user=%{ldap:mail}
> 
> The config is inspired by:
> https://wiki.dovecot.org/Authentication/Kerberos#:~:text=Dovecot%20supports%20Kerberos%205%20using%20GSSAPI.%20The%20Kerberos,Microsoft%20Active%20Directory%2C%20LDAP%20is%20pretty%20good%20choice
> 
> 
> This is the same link Rowland also posted earlier in this thread.
> 
> 
> - Kees
> 
> 
> On 29-08-2022 16:42, Sami Hulkko via samba wrote:
>> Hi,
>>
>> One can also use pam auth on Dovecot if the dovecot server has samba users
>> via libpam-winbind.
>>
>> SH
>>
>> On 29/08/2022 12:35, Rowland Penny via samba wrote:
>>> On Mon, 2022-08-29 at 11:26 +0200, Stefan Kania via samba wrote:
>>>> Am 29.08.22 um 11:19 schrieb Rowland Penny via samba:
>>>>> Then consider using kerberos instead, it is much more 'the word we
>>>>> will not use' :-)
>>>> We would like to, but dovecot can't use Kerberos to query the LDAP
>>>> from AD :-(
>>> I know it has been sometime since I set up a mailserver, but dovecot
>>> could use kerberos the last time I did. A quick internet search turned
>>> this up:
>>>
>>> https://wiki.dovecot.org/Authentication/Kerberos#:~:text=Dovecot%20supports%20Kerberos%205%20using%20GSSAPI.%20The%20Kerberos,Microsoft%20Active%20Directory%2C%20LDAP%20is%20pretty%20good%20choice.
>>>
>>>
>>> This was top of the list, there were others, 3,980,000 to be precise.
>>>
>>> Rowland
>>>
>>>
>>>
>>>
> 

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam and protects your privacy. You can
obtain a free certificate at https://www.dgn.de/dgncert/index.html
Download of the root certificates: https://www.dgn.de/dgncert/downloads.html
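The pass_filter Kees posted leans on two Active Directory extensible-match rules: 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN, which makes memberOf follow nested group membership) and 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND, used here to reject accounts whose userAccountControl has the ACCOUNTDISABLE bit 0x2 set). The following is an added example, not code from this thread, from Dovecot or from Samba: it models how a DC evaluates those two clauses against a small constructed directory (the users alice, bob and carol and the group mail_staff are invented; the hostnames and DNs are the thread's own), escapes the login-derived %n/%d values per RFC 4515 before substituting them by hand, and assembles the ldapsearch command line (standard OpenLDAP options, Kerberos bind via -Y GSSAPI, STARTTLS enforced with -ZZ) you would use to try the filter against sambadc1 after a kinit. DN comparison is simplified to exact string matching; a real DC matches DNs case-insensitively.

```python
"""Local model of the AD-specific LDAP filter from the posted dovecot-ldap.conf.ext.

Added example, not code from this thread, from Dovecot or from Samba. It shows
what the two matching-rule OIDs in pass_filter do, why a disabled account still
fails even as a direct group member, and how to escape the login-derived values
before testing the filter by hand with a Kerberos-authenticated ldapsearch.
Every entry in DIRECTORY is constructed; the hostnames and DNs are the thread's own.
"""
from __future__ import annotations

# AD extensible-match rules used in the posted pass_filter.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # transitive memberOf
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"    # bitwise AND on an integer
UF_ACCOUNTDISABLE = 0x2                                   # userAccountControl bit 2

BASE_DN = "OU=Groupware,DC=samdom,DC=com"
MAIL_GROUP_DN = "CN=mail_user-{domain},OU=Mail Domains,OU=Groups,DC=samdom,DC=com"


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def pass_filter(login_user: str, login_domain: str) -> str:
    """The posted pass_filter with %n (user part) and %d (domain part) substituted."""
    group = MAIL_GROUP_DN.format(domain=ldap_escape(login_domain))
    return (
        "(&(objectClass=user)"
        f"(sAMAccountName={ldap_escape(login_user)})"
        f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={group})"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})))"
    )


def ldapsearch_argv(host: str, filt: str) -> list[str]:
    """Command line to try the filter against a DC with the caller's Kerberos ticket.

    -Y GSSAPI binds with the ticket obtained by kinit; -ZZ refuses to continue
    without STARTTLS (the ldap:// plus tls=yes combination the posted config uses).
    """
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-ZZ", "-H", f"ldap://{host}/",
            "-b", BASE_DN, filt, "sAMAccountName", "mail", "userPrincipalName"]


# Constructed directory (DN -> attributes). DN matching is simplified to exact,
# case-sensitive string comparison; a real DC matches DNs case-insensitively.
MAIL_GROUP = MAIL_GROUP_DN.format(domain="samdom.com")
STAFF_GROUP = "CN=mail_staff,OU=Groups,DC=samdom,DC=com"
DIRECTORY = {
    MAIL_GROUP: {"objectClass": ["group"], "memberOf": []},
    STAFF_GROUP: {"objectClass": ["group"], "memberOf": [MAIL_GROUP]},  # nested group
    "CN=alice,OU=Groupware,DC=samdom,DC=com": {      # enabled, member only via mail_staff
        "objectClass": ["user"], "sAMAccountName": ["alice"],
        "userAccountControl": [512], "memberOf": [STAFF_GROUP]},
    "CN=bob,OU=Groupware,DC=samdom,DC=com": {        # enabled, not in any mail group
        "objectClass": ["user"], "sAMAccountName": ["bob"],
        "userAccountControl": [512], "memberOf": []},
    "CN=carol,OU=Groupware,DC=samdom,DC=com": {      # direct member, but disabled (512|2)
        "objectClass": ["user"], "sAMAccountName": ["carol"],
        "userAccountControl": [514], "memberOf": [MAIL_GROUP]},
}


def transitive_member_of(dn: str) -> set[str]:
    """What memberOf:1.2.840.113556.1.4.1941:= evaluates: every group reachable
    by following memberOf links from the entry, however deeply nested."""
    seen: set[str] = set()
    todo = list(DIRECTORY[dn].get("memberOf", []))
    while todo:
        group = todo.pop()
        if group in seen:
            continue
        seen.add(group)
        todo.extend(DIRECTORY.get(group, {}).get("memberOf", []))
    return seen


def matches_pass_filter(dn: str, login_user: str, login_domain: str) -> bool:
    """Evaluate the four clauses of the posted pass_filter against one entry."""
    entry = DIRECTORY[dn]
    uac = entry.get("userAccountControl", [0])[0]
    return (
        "user" in entry["objectClass"]
        and login_user in entry.get("sAMAccountName", [])
        and MAIL_GROUP_DN.format(domain=login_domain) in transitive_member_of(dn)
        and not (uac & UF_ACCOUNTDISABLE)   # the :803: clause, negated by (!...)
    )


def matching_users(login_user: str, login_domain: str) -> list[str]:
    """DNs the DC would return for pass_filter(login_user, login_domain)."""
    return sorted(dn for dn in DIRECTORY
                  if matches_pass_filter(dn, login_user, login_domain))


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, matching_users(name, "samdom.com"))
    print(" ".join(ldapsearch_argv("sambadc1.samdom.com", pass_filter("alice", "samdom.com"))))
```

Running it shows alice matching through the nested mail_staff group, bob rejected for not being in the mail group, and carol rejected by the userAccountControl clause despite direct membership, which is exactly the split the posted config relies on between pass_filter (login must be enabled) and user_filter (delivery must still work for a locked mailbox). The printed ldapsearch line needs a valid ticket for the principal running it (kinit first); the same filter with %n/%d replaced by hand is what Dovecot sends after GSSAPI has already verified the user.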



