9 messages in net.sourceforge.lists.courier-users: Re: [courier-users] Courier + AD

From                  Sent On
Renato Otranto Jr.    Aug 16, 2006 1:34 pm
Sam Varshavchik       Aug 16, 2006 3:27 pm
Renato Otranto Jr.    Aug 17, 2006 5:43 am
Jay Lee               Aug 17, 2006 5:50 am
Renato Otranto Jr.    Aug 17, 2006 5:58 am
David Gomillion       Aug 17, 2006 8:53 am
Renato Otranto Jr.    Aug 17, 2006 11:43 am
Sam Varshavchik       Aug 17, 2006 3:44 pm
Renato Otranto Jr.    Aug 18, 2006 1:58 pm
Subject: Re: [courier-users] Courier + AD
From: Renato Otranto Jr. (rena@rac.com.br)
Date: Aug 17, 2006 11:43:15 am
List: net.sourceforge.lists.courier-users

David Gomillion wrote:

I'm top-posting because you did. But in the future, if you put your comments in-line, it will be easier to follow the thread. I'm just too lazy to fix it all...

Ok. Sorry

We're authenticating against AD in a Win2K server environment just fine. Here's part of my authldaprc

    LDAP_URI ldap://dc1.eyecarenow.domain, ldap://dc2.eyecarenow.domain
    LDAP_PROTOCOL_VERSION 3
    LDAP_BASEDN DC=eyecarenow,DC=domain
    LDAP_BINDDN ****user account******@eyecarenow.domain
    LDAP_BINDPW *****valid password*******
    LDAP_TIMEOUT 5
    LDAP_AUTHBIND 1
    LDAP_MAIL mail
    LDAP_MAILROOT /var/quica/domains/eyecarenow.com
    LDAP_HOMEDIR sAMAccountName
    LDAP_GLOB_UID mailuser
    LDAP_GLOB_GID mailuser
    LDAP_FULLNAME name
    LDAP_TLS 0

My config file differs from yours in the following directives:

    LDAP_BINDDN cn=binduser,cn=Users,dc=domain,dc=com,dc=br
    LDAP_BINDPW binduserpass

Some points that may help:

1. I did NOT use SSL. We had a problem getting it to work with the kerberos libraries, or at least that's what I was told was the problem. We created a VLAN that only has a NIC in the DCs and the mail server to increase security as best as we could.

I already have a Courier authenticating against an Active Directory, and that solution does not use SSL either. So I am using that authldaprc as a model to write this one, but both files have exactly the same parameters.

2. This places all mail in /var/quica/domains/eyecarenow.com/**username**/Maildir If you don't use quica to manage separate MySQL logins, you'll probably want to change this to something else.

No, I don't use it.

3. We had to specify binddn, bindpw, AND authbind.

Ok. All these are ok.

4. In AD, make sure you set the email address for every user. There are other ways to set this up, but this is the way we chose, so we can host multiple domains (most in MySQL, only one in AD).

5. As you can see, our domain is 'eyecarenow.domain', so you'll need to change this to whatever your configuration is.

Ok. As I already said before, I have a Qmail with Courier authenticating against an AD. This solution is in my production environment.

Is there any other component that I need to attach? I installed the GDBM libs and OpenLDAP packages (both with the development packages).

My logs are not clear. From them, I can't tell whether the search in AD is OK and the problem is in the result, or whether the authdaemon can't talk to the Microsoft solution at all.

Hope this helps, David

Renato Otranto Jr. wrote:

Ok Jay, thanks for your help...

But my DEBUG_LOGIN already is 2.

Thanks for the hint about SSL/TLS, but if I use the ldapsearch command, I get the complete result of my search correctly. So, is it necessary to use SSL/TLS with authdaemonrc?

Jay Lee wrote:

Renato Otranto Jr. wrote:

I removed the Courier installation from the Debian packages and I am now building just courier-authlib from the sources. I have already compiled and installed it. I need to authenticate users against an Active Directory on MS Windows 2000 Server.

Good, get authtest working before even trying to use IMAP or POP3, if authtest doesn't work then nothing else will...

When I use the authtest command to test the authentication, I get the message "Authentication FAILED: Input/output error"

The logs are as follows:

    Aug 17 09:37:54 racmail02 authdaemond: modules="authldap", daemons=5
    Aug 17 09:37:54 racmail02 authdaemond: Installing libauthldap
    Aug 17 09:37:54 racmail02 authdaemond: Installation complete: authldap
    Aug 17 09:38:15 racmail02 authdaemond: received userid lookup request: teste
    Aug 17 09:38:15 racmail02 authdaemond: authldap: trying this module
    Aug 17 09:38:15 racmail02 authdaemond: selected ldap protocol version 3
    Aug 17 09:38:15 racmail02 authdaemond: binding to LDAP server as DN 'cn=binduser, cn=Users, dc=example, dc=com, dc=br', password 'binduserpass'
    Aug 17 09:38:15 racmail02 authdaemond: using search filter: (userPrincipalName=tes@example.com.br)
    Aug 17 09:38:30 racmail02 authdaemond: ldap_search_st() failed
    Aug 17 09:38:30 racmail02 authdaemond: authldap: TEMPFAIL - no more modules will be tried

Set DEBUG_LOGIN=2 in authdaemonrc, restart authlib and repost this information (might want to blank out your passwords though).

I am not sure whether the authdaemon cannot search in the base, or whether it searches there but the results are null. It is possible that some extra component should be installed.

Right off the bat, I recall hearing that MS Active Directories' LDAP requires SSL/TLS in order to connect and do anything useful. You may need to configure that.

Jay
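As an added illustration (not code from the thread or from courier-authlib), a small Python helper for the two practical points raised above: it checks an authldaprc for the directives David says had to be set (binddn, bindpw and authbind, plus the basics), blanks the bind password that DEBUG_LOGIN=2 writes to syslog before an excerpt is posted, and measures the gap between "using search filter" and "ldap_search_st() failed" in the quoted log. The required-directive list and the sample log lines are this example's own constructions.

```python
import re
from datetime import datetime
# Directives David says had to be set for AD (binddn, bindpw, authbind) plus
# the ones any authldaprc search needs; the list itself is this example's own.
REQUIRED = ("LDAP_URI", "LDAP_BASEDN", "LDAP_BINDDN", "LDAP_BINDPW",
            "LDAP_AUTHBIND", "LDAP_MAIL")
# DEBUG_LOGIN=2 logs the bind password in clear (see the excerpt above).
PW_RE = re.compile(r"password '[^']*'")
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ authdaemond: (.*)$")

def parse_authldaprc(text):
    """Return {directive: value} from authldaprc text, ignoring # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def missing_directives(conf):
    """Required directives that are absent or empty, in REQUIRED order."""
    return [d for d in REQUIRED if not conf.get(d)]

def redact(line):
    """Blank the bind password before a log excerpt is posted anywhere."""
    return PW_RE.sub("password '****'", line)

def search_latency(lines):
    """Seconds from 'using search filter' to 'ldap_search_st() failed', or None."""
    started = failed = None
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        if m.group(2).startswith("using search filter"):
            started = ts
        elif m.group(2).startswith("ldap_search_st() failed"):
            failed = ts
    return None if started is None or failed is None else (failed - started).total_seconds()

# Constructed sample, reduced from the log excerpt quoted in the thread.
SAMPLE_LOG = [
    "Aug 17 09:38:15 racmail02 authdaemond: binding to LDAP server as DN "
    "'cn=binduser, cn=Users, dc=example, dc=com, dc=br', password 'binduserpass'",
    "Aug 17 09:38:15 racmail02 authdaemond: using search filter: "
    "(userPrincipalName=tes@example.com.br)",
    "Aug 17 09:38:30 racmail02 authdaemond: ldap_search_st() failed",
]
```

A 15-second gap between the filter being issued and the search failing points at the search not getting an answer in time rather than at an immediate rejection by the directory, which is the distinction Renato says his logs do not make clear.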


_______________________________________________
courier-users mailing list
cour@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

