[Samba] ldapsearch with ldaps

Kees van Vloten keesvanvloten at gmail.com
Mon Aug 29 19:24:21 UTC 2022


It took me a really long time to get a working solution for Dovecot +
Postfix (+ Sogo), where everything is single sign-on with Krb5 (authn) +
LDAP (authz).

So if I can save you time and frustration by posting my configs, I am 
happy to help :-)

There is another thing that you may find helpful: I have put interactive
users and groups under "OU=Groupware,DC=samdom,DC=com", so that there is
a single basedn that is the start point for interactive-user and group
searches. At this basedn all Windows-AD stuff is invisible and also Sogo
(+TB-Lightning) is limited to a single search-root.

- Kees


On 29-08-2022 20:46, Stefan Kania via samba wrote:
> Thank you for the info, we will try it. Dovecot is not my major topic
> and the documentation is terrible :-)
>
>
> Am 29.08.22 um 20:23 schrieb Kees van Vloten via samba:
>> This is how I got it done:
>>
>> dovecot.conf
>>
>> auth_realms = SAMDOM.COM
>> auth_default_realm = SAMDOM.COM
>> auth_gssapi_hostname = mailserver.samdom.com
>> auth_krb5_keytab = /etc/keytab/dovecot.keytab
>> auth_mechanisms = gssapi gss-spnego plain
>>
>> passdb {
>>    args = /etc/dovecot/dovecot-ldap.conf.ext
>>    #args = /etc/dovecot/ldap_user_to_principal.conf.ext
>>    driver = ldap
>>    pass = yes
>> }
>> passdb {
>>    driver = pam
>> }
>>
>> userdb {
>>    args = /etc/dovecot/dovecot-ldap.conf.ext
>>    driver = ldap
>> }
>>
>> For users without a Krb5 ticket:
>>
>> /etc/pam.d/dovecot
>>
>> #%PAM-1.0
>>
>> auth sufficient pam_krb5.so alt_auth_map=%s@SAMDOM.COM keytab=/etc/keytab/dovecot.keytab
>> auth required pam_deny.so
>>
>> account sufficient pam_krb5.so alt_auth_map=%s@SAMDOM.COM keytab=/etc/keytab/dovecot.keytab
>> account required pam_deny.so
>>
>> /etc/dovecot/dovecot-ldap.conf.ext
>>
>> # This file is commonly accessed via passdb {} or userdb {} section in dovecot.conf
>> uris = ldap://sambadc1.samdom.com/ ldap://sambadc2.samdom.com/
>> tls = yes
>> auth_bind = no
>> ldap_version = 3
>> base = OU=Groupware,DC=samdom,DC=com
>> scope = subtree
>>
>> # User account must be enabled and nested member of the group 'mail_user-<mail-domain>'
>> pass_filter = (&(objectClass=user)(sAMAccountName=%n)(memberOf:1.2.840.113556.1.4.1941:=CN=mail_user-%d,OU=Mail Domains,OU=Groups,DC=samdom,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
>>
>> pass_attrs = \
>>      =user=%{ldap:mail}, \
>>      =nopassword=Y, \
>>      =k5principals=%{ldap:userPrincipalName}
>>
>> # User account details:
>> # This is: user or group (functional mailbox) with the %u as mail-address in 'mail'
>> #   No check on locked account here, otherwise mail will not be delivered when account is locked
>> # Test userdb lookup: doveadm user -u "<user>@<samdom>"
>> user_filter = (|(&(objectClass=user)(mail=%u))(&(objectClass=group)(mail=%u)))
>> user_attrs = \
>>      =user=%{ldap:mail}, \
>>      =uid=vmail, \
>>      =gid=vmail, \
>>      =home=/srv/mail/vmail
>>
>> # Attributes and filter to get a list of all users
>> # This is: all user objects under basedn and all functional mailboxes (groups with name: 'mail_box-<mail-address>')
>> # Test iterator: doveadm user -u "*"
>> iterate_filter = (|(objectClass=user)(&(objectClass=group)(sAMAccountName=mail_box-*)))
>> iterate_attrs = \
>>      =user=%{ldap:mail}
>>
>> The config is inspired by:
>> https://wiki.dovecot.org/Authentication/Kerberos#:~:text=Dovecot%20supports%20Kerberos%205%20using%20GSSAPI.%20The%20Kerberos,Microsoft%20Active%20Directory%2C%20LDAP%20is%20pretty%20good%20choice
>>
>>
>> This is the same link Rowland also posted earlier in this thread.
>>
>>
>> - Kees
>>
>>
>> On 29-08-2022 16:42, Sami Hulkko via samba wrote:
>>> Hi,
>>>
>>> One can also use pam auth on Dovecot if dovecot server has samba users
>>> via libpam-winbind.
>>>
>>> SH
>>>
>>> On 29/08/2022 12:35, Rowland Penny via samba wrote:
>>>> On Mon, 2022-08-29 at 11:26 +0200, Stefan Kania via samba wrote:
>>>>> Am 29.08.22 um 11:19 schrieb Rowland Penny via samba:
>>>>>> Then consider using kerberos instead, it is much more 'the word we
>>>>>> will not use' :-)
>>>>> We would like to, but dovecot can't use Kerberos to query the LDAP
>>>>> from AD :-(
>>>> I know it has been sometime since I set up a mailserver, but dovecot
>>>> could use kerberos the last time I did. A quick internet search turned
>>>> this up:
>>>>
>>>> https://wiki.dovecot.org/Authentication/Kerberos#:~:text=Dovecot%20supports%20Kerberos%205%20using%20GSSAPI.%20The%20Kerberos,Microsoft%20Active%20Directory%2C%20LDAP%20is%20pretty%20good%20choice.
>>>>
>>>>
>>>> This was top of the list, there were others, 3,980,000 to be precise.
>>>>
>>>> Rowland
>
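
The three filters in the quoted dovecot-ldap.conf.ext encode two deliberate decisions: passdb only accepts an enabled account that is a (possibly nested) member of the per-domain mail_user group, while userdb skips the disabled check so that mail for a locked account is still delivered. The Python below is an added example, not code from this thread or from the Dovecot project: it evaluates those filters over a small constructed directory (every DN, account name and address is made up) to show what each one matches and why the 1.2.840.113556.1.4.1941 chain rule matters.

```python
# Constructed mini-directory (sample data, not a real AD) with the objects the
# filters above reference; groups carry 'member' as AD does.
ACCOUNTDISABLE = 0x2  # userAccountControl bit that the ...4.803 bitwise-AND rule tests
BASE = "DC=samdom,DC=com"
GW = f"OU=Groupware,{BASE}"
DIRECTORY = {
    f"CN=alice,{GW}": {"objectClass": "user", "sAMAccountName": "alice",
                       "mail": "alice@samdom.com", "userAccountControl": 512},
    f"CN=bob,{GW}": {"objectClass": "user", "sAMAccountName": "bob",
                     "mail": "bob@samdom.com", "userAccountControl": 514},  # disabled
    f"CN=staff,{GW}": {"objectClass": "group", "sAMAccountName": "staff",
                       "member": [f"CN=alice,{GW}", f"CN=bob,{GW}"]},
    # the mail_user group only nests 'staff': it has no direct user members at all
    f"CN=mail_user-samdom.com,OU=Mail Domains,OU=Groups,{BASE}": {
        "objectClass": "group", "sAMAccountName": "mail_user-samdom.com",
        "member": [f"CN=staff,{GW}"]},
    f"CN=mail_box-info,{GW}": {"objectClass": "group", "sAMAccountName": "mail_box-info",
                              "mail": "info@samdom.com"},  # functional mailbox
}

def member_of_chain(dn, group_dn, seen=None):
    """Transitive membership, i.e. what memberOf:1.2.840.113556.1.4.1941:= evaluates;
    a plain memberOf=... clause would only see direct members."""
    seen = set() if seen is None else seen
    if group_dn in seen or group_dn not in DIRECTORY:
        return False
    seen.add(group_dn)
    members = DIRECTORY[group_dn].get("member", [])
    return dn in members or any(member_of_chain(dn, m, seen) for m in members)

def pass_filter(login, domain):
    """pass_filter with %n=login and %d=domain: returns the matching DN or None."""
    group_dn = f"CN=mail_user-{domain},OU=Mail Domains,OU=Groups,{BASE}"
    for dn, e in DIRECTORY.items():
        if (e["objectClass"] == "user" and e.get("sAMAccountName") == login
                and member_of_chain(dn, group_dn)
                and not e.get("userAccountControl", 0) & ACCOUNTDISABLE):
            return dn
    return None

def user_filter(mail):
    """user_filter with %u=mail: user or group owning the address. No disabled
    check here, on purpose, so mail for a locked account is still delivered."""
    return next((dn for dn, e in DIRECTORY.items() if e.get("mail") == mail), None)

def iterate_filter():
    """iterate_filter: every user plus every 'mail_box-*' functional mailbox group."""
    return sorted(e["mail"] for e in DIRECTORY.values() if "mail" in e and (
        e["objectClass"] == "user" or e["sAMAccountName"].startswith("mail_box-")))
```

Running pass_filter for "bob" shows the locked account being refused at login while user_filter still resolves bob@samdom.com for delivery; the same data with a plain memberOf clause instead of the chain rule would reject "alice" too, because she is only a member through the nested 'staff' group.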
