Bob Miller | 30 Mar 2012 01:10

smtpauth - qmail-ldap with samba4

greetings

I have been trying to get qmail-ldap to work with samba4's Active
Directory implementation.  It seems that all parts are working with the
exception of smtpauth.  

WHAT WORKS: When I send a mail to the system, it successfully verifies
if a user exists and denies if the user doesn't exist.  qmail-ldaplookup
-m/-u both run without error and report what I would expect to see.
When I set samba4 into a debug mode, I can see the ldb query coming
through in the logs.  In fairness, those logs do not report success or
failure of the lookup, or the values returned, but the fact that things
work indicates the LDAP communication to samba4 was a success.  I also
take these successes to mean my ~controls/ldap* files are set up
correctly.  I can also use ldbsearch to verify my user/pass info is
correct.

SMTPAUTH: I have compiled with TLS and enabled SMTPAUTH="TLSREQUIRED".  I
can verify the encryption is working because when I rename the cert, I
get an error in qmail's logs when it is not working (presumably thanks
to TLSDEBUG).  I gather from what I have read that that is all I need to
do.  There were mentions in Life with qmail-ldap that some extra
arguments are required in the run script, but I found a mailing list
post that says that is not required.

BROKEN: When I try to send an authenticated mail using Thunderbird, I see
the following in qmail logs:

auth login
authentication failed: authentication failure

Re: smtpauth - qmail-ldap with samba4

Hi, check that your /var/qmail/control/qmail-smtpd.rules has something like

:allow,SMTPAUTH=""

On Fri, Mar 30, 2012 at 12:10 AM, Bob Miller <bob <at> computerisms.ca> wrote:
> greetings
>
> I have been trying to get qmail-ldap to work with samba4's Active
> Directory implementation.  It seems that all parts are working with the
> exception of smtpauth.
>
> WHAT WORKS: When I send a mail to the system, it successfully verifies
> if a user exists and denies if the user doesn't exist.  qmail-ldaplookup
> -m/-u both run without error and report what I would expect to see.
> When I set samba4 into a debug mode, I can see the ldb query coming
> through in the logs.  In fairness, those logs do not report success or
> failure of the lookup, or the values returned, but the fact that things
> work indicates the LDAP communication to samba4 was a success.  I also
> take these successes to mean my ~controls/ldap* files are set up
> correctly.  I can also use ldbsearch to verify my user/pass info is
> correct.
>
> SMTPAUTH: I have compiled with TLS and enabled SMTPAUTH="TLSREQUIRED".  I
> can verify the encryption is working because when I rename the cert, I
> get an error in qmail's logs when it is not working (presumably thanks
> to TLSDEBUG).  I gather from what I have read that that is all I need to
> do.  There were mentions in Life with qmail-ldap that some extra
> arguments are required in the run script, but I found a mailing list
> post that says that is not required.
>

Bob Miller | 30 Mar 2012 02:47

Re: smtpauth - qmail-ldap with samba4

Hi Nicolas,

Thank you for your response.  

I have tried both SMTPAUTH="" and SMTPAUTH="TLSREQUIRED".  In both cases
the authentication failed, even though the correct search string appears
to have been passed to samba4's ldb.  It's as though qmail is able to do
a lookup, but isn't able to verify that the password is correct...

On Fri, 2012-03-30 at 01:12 +0100, Nicolas de Bari Embriz Garcia Rojas
wrote:
> Hi, check that your /var/qmail/control/qmail-smtpd.rules has something like
> 
> :allow,SMTPAUTH=""
> 
> 
> 
> On Fri, Mar 30, 2012 at 12:10 AM, Bob Miller <bob <at> computerisms.ca> wrote:
> > greetings
> >
> > I have been trying to get qmail-ldap to work with samba4's Active
> > Directory implementation.  It seems that all parts are working with the
> > exception of smtpauth.
> >
> > WHAT WORKS: When I send a mail to the system, it successfully verifies
> > if a user exists and denies if the user doesn't exist.  qmail-ldaplookup
> > -m/-u both run without error and report what I would expect to see.
> > When I set samba4 into a debug mode, I can see the ldb query coming
> > through in the logs.  In fairness, those logs do not report success or
> > failure of the lookup, or the values returned, but the fact that things


Re: smtpauth - qmail-ldap with samba4

Hello Bob,

What is the state of the ldaprebind file in qmail/control/?

Best wishes,
Gennady.

Bob Miller wrote on 30.03.2012 04:47:
> Hi Nicolas,
>
> Thank you for your response.
>
> I have tried both SMTPAUTH="" and SMTPAUTH="TLSREQUIRED".  In both 
> cases
> the authentication failed, even though the correct search string 
> appears
> to have been passed to samba4's ldb.  It's as though qmail is able to 
> do
> a lookup, but isn't able to verify that the password is correct...
>
>
> On Fri, 2012-03-30 at 01:12 +0100, Nicolas de Bari Embriz Garcia 
> Rojas
> wrote:
>> Hi, check that your /var/qmail/control/qmail-smtpd.rules has 
>> something like
>>
>> :allow,SMTPAUTH=""
>>
>>

Bob Miller | 30 Mar 2012 06:13

Re: smtpauth - qmail-ldap with samba4

Gennady,

Thank you so much, enabling ldaprebind solved the problem.

On Fri, 2012-03-30 at 07:54 +0400, Геннадий Марченко wrote:
> Hello Bob,
> 
> What is the state of the ldaprebind file in qmail/control/?
> 
> Best wishes,
> Gennady.
> 
> Bob Miller wrote on 30.03.2012 04:47:
> > Hi Nicolas,
> >
> > Thank you for your response.
> >
> > I have tried both SMTPAUTH="" and SMTPAUTH="TLSREQUIRED".  In both 
> > cases
> > the authentication failed, even though the correct search string 
> > appears
> > to have been passed to samba4's ldb.  It's as though qmail is able to 
> > do
> > a lookup, but isn't able to verify that the password is correct...
> >
> >
> > On Fri, 2012-03-30 at 01:12 +0100, Nicolas de Bari Embriz Garcia 
> > Rojas
> > wrote:
> >> Hi, check that your /var/qmail/control/qmail-smtpd.rules has 

Ismail YENIGUL | 30 Mar 2012 07:55

Re: smtpauth - qmail-ldap with samba4

Hi Bob,

By default qmail-ldap logs in to LDAP with the ldapuser/ldappassword defined 
in the control/ files, gets the userPassword entry, then compares passwords.
If you enable ldaprebind, qmail-ldap first gets the DN of the SMTP auth user 
from LDAP/AD with the ldapuser/ldappassword in the control/ files,
and makes another connection to AD/LDAP with the SMTP auth username's 
DN and password.

By the way, can you please tell us what you did to enable AD support in 
qmail-ldap?  I am trying to integrate all useful patches into qmail-ldap 
as a tarball.
I would like to enable AD support too.

Thanks

Ismail YENIGUL
Team Leader / Takim Lideri
SurGATE Labs
Phone :+90 216-4709423 | Mobile:+90 533 747 36 65
SurGATE: West Coast Labs Premium Anti-Spam Certificated
Twitter: http://www.twitter.com/surgate
Blog: http://www.surgate.com/blog

On 30.03.2012 07:13, Bob Miller wrote:
> Gennady,
>
> Thank you so much, enabling ldaprebind solved the problem.
>
>
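The search-then-bind flow Ismail describes above (service account looks up the DN, then a second connection binds as that DN with the client's password), as an added example that is not qmail-ldap's own code. It assumes the ldap3 Python library for the real directory calls; the server URI, base DN and service account are placeholders, and the in-memory directory at the bottom is constructed so the decision logic can be exercised offline. The empty-password refusal is the caveat a practitioner wants here: a simple bind with a DN and no password is an "unauthenticated" bind that many servers answer with success, so the check has to happen before the bind.

```python
"""Search-then-bind ("ldaprebind") authentication, added example.

Not qmail-ldap's code.  The ldap3 library, the server URI, base DN and
service account below are assumptions; CONSTRUCTED_DIRECTORY is made up
so the decision logic can be exercised without a directory server.
"""
from typing import Callable, Dict, Optional

LookupDN = Callable[[str], Optional[str]]   # search filter -> DN or None
BindAs = Callable[[str, str], bool]         # (DN, password) -> bind succeeded


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_filter(login: str, uid_attr: str = "sAMAccountName") -> str:
    """Filter on the attribute chosen as LDAP_UID (sAMAccountName here)."""
    return "(&(objectClass=user)(%s=%s))" % (uid_attr, escape_filter_value(login))


def rebind_auth(login: str, password: str, lookup_dn: LookupDN, bind_as: BindAs) -> bool:
    """Step 1: the service account searches for the user's DN.
    Step 2: a second connection binds as that DN with the password the
    SMTP client supplied.  Success of the bind is the password check, so
    no userPassword value has to be readable by the service account."""
    if not login or not password:
        # A simple bind with an empty password is an "unauthenticated" bind
        # (RFC 4513 s5.1.2) that many servers answer with success; refuse it
        # here rather than trusting the server to.
        return False
    dn = lookup_dn(build_user_filter(login))
    if dn is None:
        return False
    return bind_as(dn, password)


# --- real directory calls via ldap3 (assumed installed; imported lazily) ---

def ldap3_lookup(server_uri: str, service_dn: str, service_pw: str, base_dn: str) -> LookupDN:
    def lookup(search_filter: str) -> Optional[str]:
        from ldap3 import Connection, Server, SUBTREE
        conn = Connection(Server(server_uri, use_ssl=True), user=service_dn,
                          password=service_pw, auto_bind=True)
        try:
            conn.search(base_dn, search_filter, search_scope=SUBTREE,
                        attributes=["distinguishedName"])
            # exactly one match, otherwise refuse rather than guess
            return conn.entries[0].entry_dn if len(conn.entries) == 1 else None
        finally:
            conn.unbind()
    return lookup


def ldap3_bind(server_uri: str) -> BindAs:
    def bind(dn: str, password: str) -> bool:
        from ldap3 import Connection, Server
        conn = Connection(Server(server_uri, use_ssl=True), user=dn, password=password)
        try:
            return bool(conn.bind())
        finally:
            conn.unbind()
    return bind


# --- constructed in-memory directory so the flow runs offline ---

CONSTRUCTED_DIRECTORY: Dict[str, Dict[str, str]] = {
    "CN=Bob Miller,CN=Users,DC=example,DC=com": {
        "sAMAccountName": "bob", "password": "correct horse battery",
    },
}


def fake_lookup(search_filter: str) -> Optional[str]:
    for dn, attrs in CONSTRUCTED_DIRECTORY.items():
        if "(sAMAccountName=%s)" % attrs["sAMAccountName"] in search_filter:
            return dn
    return None


def fake_bind(dn: str, password: str) -> bool:
    entry = CONSTRUCTED_DIRECTORY.get(dn)
    return entry is not None and password == entry["password"]


if __name__ == "__main__":
    for login, pw in [("bob", "correct horse battery"), ("bob", "wrong"),
                      ("bob)(objectClass=*", "x"), ("bob", "")]:
        print(repr(login), "->", rebind_auth(login, pw, fake_lookup, fake_bind))
```

Against a real server, swap `fake_lookup`/`fake_bind` for `ldap3_lookup(...)`/`ldap3_bind(...)`; the decision logic in `rebind_auth` does not change.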

Bob Miller | 2 Apr 2012 21:18

Re: smtpauth - qmail-ldap with samba4

Hi Ismail,

> By the way, can you please tell us what you did to enable AD support in 
> qmail-ldap?  I am trying to integrate all useful patches into qmail-ldap 
> as a tarball.
> I would like to enable AD support too.

I got most of my info from the mailing list archives for qmail-ldap.

There are several posts with people who say it is possible to query AD
just by changing the ldap values in qmail-ldap.h.  I can confirm that,
because that is what I have working.  For example, set "#define
LDAP_UID" as sAMAccountName or userPrincipalName depending on how you
want your users to log in.  

There is a thread where I found a patch to deal with the
userAccountControl attribute of AD.  

http://marc.info/?l=qmail-ldap&m=117031804500233&w=2

I wasn't able to get these patches working off the bat, but now that I
have a working system, I may go back and take another crack at them.  In
the meantime, I have set LDAP_ISACTIVE to userAccountControl, and
ISACTIVE_ACTIVE to 66048 and ISACTIVE_BOUNCE to 66050 (the correct
values for a normal AD user account with password never expires), which
gives me the same results as these patches, except that I can't have
some users with passwords that never expire and some that do. 

I found another thread:

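Decoding the two userAccountControl values Bob uses (66048 and 66050), as an added example that is neither qmail-ldap's code nor the patch from the linked thread. The flag values are the documented AD bit definitions; the sample entries are constructed. It shows why a whole-value comparison against 66048/66050 cannot cover users whose password does expire (512/514), which is the limitation Bob mentions, and what a bit test on ACCOUNTDISABLE does instead.

```python
"""userAccountControl decoding, added example (not qmail-ldap's code).

Flag values are the documented AD bits; SAMPLE_ENTRIES are constructed.
"""
from typing import Dict, List

UAC_FLAGS: Dict[str, int] = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}

ISACTIVE_ACTIVE = 66048   # the thread's value: NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
ISACTIVE_BOUNCE = 66050   # the same plus ACCOUNTDISABLE


def decode_uac(value: int) -> List[str]:
    """Names of the flags set in a userAccountControl value, sorted."""
    return sorted(name for name, bit in UAC_FLAGS.items() if value & bit)


def exact_match_active(value: int) -> bool:
    """What ISACTIVE_ACTIVE/ISACTIVE_BOUNCE do: compare the whole value."""
    return value == ISACTIVE_ACTIVE


def bitwise_active(value: int) -> bool:
    """Active if it is a normal user account and the disable bit is clear.
    DONT_EXPIRE_PASSWORD is ignored, so accounts with and without it both
    pass.  Lockout and password expiry are not reliably kept in the stored
    attribute (AD exposes them in msDS-User-Account-Control-Computed), so
    they are deliberately not tested here."""
    return bool(value & UAC_FLAGS["NORMAL_ACCOUNT"]) and not value & UAC_FLAGS["ACCOUNTDISABLE"]


def active_from_entry(attrs: Dict[str, str]) -> bool:
    """LDAP returns the attribute as a decimal string; a missing or
    unparsable value is treated as inactive."""
    raw = attrs.get("userAccountControl")
    try:
        return bitwise_active(int(raw))
    except (TypeError, ValueError):
        return False


# constructed entries: the two values from the thread plus users whose password expires
SAMPLE_ENTRIES = {
    "never-expires":          {"userAccountControl": "66048"},
    "never-expires-disabled": {"userAccountControl": "66050"},
    "expires":                {"userAccountControl": "512"},
    "expires-disabled":       {"userAccountControl": "514"},
    "no-attribute":           {},
}

if __name__ == "__main__":
    for name, attrs in SAMPLE_ENTRIES.items():
        raw = attrs.get("userAccountControl")
        flags = decode_uac(int(raw)) if raw else []
        exact = exact_match_active(int(raw)) if raw else False
        print("%-24s %6s exact=%-5s bitwise=%-5s %s" % (
            name, raw or "-", exact, active_from_entry(attrs), ",".join(flags)))
```

The "expires" row is the case the thread's exact-value setting rejects even though the account is enabled; the bit test accepts it and still bounces both disabled variants.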

