1 (edited by YetAnotherSined 2020-08-20 16:34:43)

Topic: Problems with Active Directory users login

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail 1.3.1 OpenLDAP (check /etc/iredmail-release):
- Deployed with downloadable installer.
- CentOS 7.8.2003:
- Store mail accounts in AD LDAP
- Web server Nginx:
- Manage mail accounts with iRedAdmin-Pro? No.
====
I made an Active Directory integration as described in this manual: https://docs.iredmail.org/active.directory.html, and I have a problem with the Dovecot integration. In that manual, the base of the LDAP query is cn=users,dc=example,dc=com, but we have some OUs with users in them. Like this:

dc=mydomain,dc=local
    |
    |__ou=department1
    |   |__cn=user1
    |   |__cn=user2
    |
    |__ou=department1
    |   |__cn=user1
    |   |__cn=user2
    |
    |__cn=users
         |__cn=testmail

I also created a test user with the "testmail" username in the default "Users" container. With this configuration (user "testmail" in the "users" container, LDAP query base = cn=users,dc=mydomain,dc=local) telnet login works fine:

telnet localhost 143
. login testmail@maildomain.com password
. OK Logged in

But when I change the base from cn=users,dc=mydomain,dc=local to base = dc=mydomain,dc=local, telnet login fails:

telnet localhost 143
. login testmail@maildomain.com password
. NO [UNAVAILABLE] Temporary authentication failure.

If I also move the testmail user into some department I get another message:

telnet localhost 143
. login testmail@maildomain.com password
. NO [AUTHENTICATIONFAILED] Authentication failed.

dovecot-ldap.conf

hosts           = mydomain.local:389
ldap_version    = 3
auth_bind       = yes
dn              = cn=vmail,dc=mydomain,dc=local
dnpass          = password
base            = dc=mydomain,dc=local
scope           = subtree
deref           = never

# Below two are required by command 'doveadm mailbox ...'
iterate_attrs   = userPrincipalName=user
iterate_filter  = (&(userPrincipalName=*)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

user_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs      = userPassword=password
default_pass_scheme = CRYPT
user_attrs      = =home=/var/vmail/vmail1/%Ld/%Ln/,=mail=maildir:~/Maildir/

P.S. Yes, we have different domain names for the mail and local domain, but that's another question, just ignore it.
P.P.S. Sorry for my bad English.
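Added example (not part of the forum post or of iRedMail/Dovecot): a small evaluator that applies the pass_filter from the dovecot-ldap.conf above to a constructed set of AD-style entries. It shows two things the post depends on: the search base plus scope=subtree decides whether a user under an OU is visible at all, and the userAccountControl:1.2.840.113556.1.4.803:=2 clause is a bitwise AND that keeps disabled accounts (ACCOUNTDISABLE bit) from logging in. The entries, userPrincipalName values and userAccountControl values are constructed; the deref/referral behaviour on the AD side is not modelled.

```python
# Constructed AD-like entries keyed by DN; attribute values are invented
# to mirror the tree in the post (Users container plus an OU).
ACCOUNTDISABLE = 0x2  # bit tested by the 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) clause

ENTRIES = {
    "cn=testmail,cn=users,dc=mydomain,dc=local": {
        "objectClass": ["person"], "userPrincipalName": ["testmail@maildomain.com"],
        "userAccountControl": [512]},                       # NORMAL_ACCOUNT
    "cn=user1,ou=department1,dc=mydomain,dc=local": {
        "objectClass": ["person"], "userPrincipalName": ["user1@maildomain.com"],
        "userAccountControl": [512]},
    "cn=user2,ou=department1,dc=mydomain,dc=local": {
        "objectClass": ["person"], "userPrincipalName": ["user2@maildomain.com"],
        "userAccountControl": [512 | ACCOUNTDISABLE]},      # 514: disabled in AD
}


def in_subtree(dn, base):
    """scope = subtree: the entry DN equals the base or ends with ',<base>'."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def pass_filter_matches(attrs, upn):
    """Evaluate the post's pass_filter for one entry:
    (&(userPrincipalName=%u)(objectClass=person)
      (!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    uac = attrs.get("userAccountControl", [0])[0]
    return (upn in attrs.get("userPrincipalName", [])
            and "person" in attrs.get("objectClass", [])
            and not (uac & ACCOUNTDISABLE))


def find_user(base, upn):
    """DNs Dovecot would get back for login name `upn` with search base `base`.
    An empty list means the auth bind never happens (user not found)."""
    return [dn for dn, attrs in ENTRIES.items()
            if in_subtree(dn, base) and pass_filter_matches(attrs, upn)]


if __name__ == "__main__":
    for base in ("cn=users,dc=mydomain,dc=local", "dc=mydomain,dc=local"):
        for upn in ("testmail@maildomain.com", "user1@maildomain.com",
                    "user2@maildomain.com"):
            print(f"base={base:<30} {upn:<26} -> {find_user(base, upn)}")
```

With base cn=users the OU users are never found, with base dc=mydomain the enabled OU user is found and the disabled one is still rejected by the filter.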

----


2

Re: Problems with Active Directory users login

The problem has been partially solved. If you set the deref parameter to any value other than never, users in OUs become available.