Postfix/Dovecot multiple authentication against Active Directory
Solution was pretty simple... Just as @sam_pan_mariusz suggested, instead of an IP address I've put a DNS name. Ran some testing and everything works as it should.
Martynas Smilgevičius
Updated on September 18, 2022
Comments
-
Martynas Smilgevičius almost 2 years
So I have a working mail server which authenticates against Active Directory. Everything works fine until I try to add a secondary authentication backend...
Server info:
Server OS: CentOS 7.1.1503
Postfix version: 2.10.1
Dovecot version: 2.2.10
At the moment my configuration looks like this:
Postfix Configuration files:
/etc/postfix/main.cf
virtual_mailbox_base = /homes/vmail/homes
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users-primary.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-groups-primary.cf
virtual_uid_maps = static:989
virtual_gid_maps = static:987
ldap-users-primary.cf
server_host = 192.168.250.200
search_base = cn=Users, dc=domain, dc=local
version = 3
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = samaccountname
result_format = %s/
bind = yes
bind_dn = [email protected]
bind_pw = password
ldap-groups-primary.cf
server_host = 192.168.250.200
search_base = ou=Email_Groups, dc=domain,dc=local
version = 3
query_filter = (&(objectclass=group)(mail=%s))
leaf_result_attribute = mail
special_result_attribute = member
bind = yes
bind_dn = [email protected]
bind_pw = password
start_tls = no
Dovecot configuration files:
/etc/dovecot/conf.d/10-auth.conf
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-primary.conf
}
userdb {
  driver = static
  args = uid=989 gid=987 home=/homes/vmail/homes/%u
}
dovecot-ldap-primary.conf
hosts = 192.168.250.200
base = cn=Users, dc=domain, dc=local
ldap_version = 3
auth_bind = yes
auth_bind_userdn = domain\%u
All of the above setup is working fine and doesn't cause any problems. Until I try to add a secondary domain controller...
To do that I have created new configuration files: ldap-users-secondary.cf, ldap-groups-secondary.cf, dovecot-ldap-secondary.conf.
The only thing that is different in those files is the IP address of the server (it just points to the secondary domain controller). If I use those files alone, everything works just fine. But if I modify /etc/postfix/main.cf like this:
virtual_mailbox_base = /homes/vmail/homes
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users-primary.cf, ldap:/etc/postfix/ldap-users-secondary.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-groups-primary.cf, ldap:/etc/postfix/ldap-groups-secondary.cf
virtual_uid_maps = static:989
virtual_gid_maps = static:987
And /etc/dovecot/conf.d/10-auth.conf like this:
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-primary.conf
}
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-secondary.conf
}
userdb {
  driver = static
  args = uid=989 gid=987 home=/homes/vmail/homes/%u
}
it just stops working and starts giving out these errors:
NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 451 4.3.0 <[email protected]>: Temporary lookup failure;
Can anyone help me with this?
-
sam_pan_mariusz over 8 years: So this is a secondary controller of the same domain, am I right? So why don't you just put a DNS name instead of an IP address? This way you're gonna provide redundancy without introducing another config file.
-
Martynas Smilgevičius over 8 years: Yes, you're right... And probably this is going to fix this issue, since in this case DNS will take care of which server is getting requests... Feeling a bit stupid though that I didn't come up with such a simple solution. Going to test it later to see if it works as it should.
-
user145837 about 7 years: I'm sorry, but there are arguments against just using DNS as a crutch here. The original question is much more interesting: why does Postfix not allow multiple LDAP sources? At least Dovecot allows multiple LDAP hosts in a config file. DNS round-robining actually will just hand out the IP of the dead LDAP server 1/number-of-servers of the time.
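Added example, not code from the thread or from Postfix/Dovecot: a small Python model of the two failover behaviours argued about in the comment above, plus a plain TCP reachability check you can run against your own domain controllers before relying on either approach. The second address (192.168.250.201), the host name dc1.domain.local and the up/down states are constructed sample data; only 192.168.250.200 comes from the question. The "single-attempt" client stands for a resolver that takes whichever A record DNS hands it and does not retry on the other records, which is the assumption behind the 1/N claim.

```python
# Added example (not from the thread): models DNS round-robin versus an
# explicit host list, and probes LDAP endpoints over TCP.
import socket
from typing import Callable, Dict, Sequence

# Constructed A records for a DNS name such as dc.domain.local.
DC_RECORDS = ["192.168.250.200", "192.168.250.201"]
# Constructed health state: the first controller is down, the second is up.
ALIVE = {"192.168.250.200": False, "192.168.250.201": True}


def resolve_round_robin(records: Sequence[str], query_index: int) -> str:
    """DNS round-robin as a resolver sees it: consecutive queries cycle
    through the A records; DNS itself knows nothing about which host is up."""
    return records[query_index % len(records)]


def lookup_via_dns(records: Sequence[str], alive: Dict[str, bool],
                   query_index: int) -> bool:
    """A client that resolves the name once and connects once, with no
    retry against the remaining records (the case user145837 objects to)."""
    return alive[resolve_round_robin(records, query_index)]


def lookup_via_host_list(hosts: Sequence[str], alive: Dict[str, bool]) -> bool:
    """A client configured with an explicit list of hosts that tries each
    one in turn and succeeds as soon as any of them answers."""
    return any(alive[host] for host in hosts)


def failure_fraction(records: Sequence[str], alive: Dict[str, bool],
                     queries: int = 1000) -> float:
    """Fraction of single-attempt lookups that land on a dead record.
    With one dead server out of N this converges on 1/N."""
    failures = sum(not lookup_via_dns(records, alive, i) for i in range(queries))
    return failures / queries


def probe(host: str, port: int = 389, timeout: float = 2.0,
          connector: Callable = socket.create_connection) -> bool:
    """Reachability check for one LDAP endpoint: a TCP connect with a
    timeout. `connector` is injectable so the logic can be exercised
    without a network; by default it is socket.create_connection."""
    try:
        with connector((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_hosts(hosts: Sequence[str], **kwargs) -> Dict[str, bool]:
    """Probe every configured host and report which ones answer."""
    return {host: probe(host, **kwargs) for host in hosts}


if __name__ == "__main__":
    print(f"single-attempt DNS lookups failing: "
          f"{failure_fraction(DC_RECORDS, ALIVE):.0%}")
    print(f"host-list lookup succeeds: {lookup_via_host_list(DC_RECORDS, ALIVE)}")
    # Real probes against the addresses in DC_RECORDS (needs network access).
    print(check_hosts(DC_RECORDS))
```

With two records and one dead server the modelled single-attempt client fails half the time, exactly the 1/N the comment describes, while the host-list client keeps working as long as one controller answers. Running `check_hosts` from the mail server itself, against every controller the mail server is configured to use, tells you whether a "Temporary lookup failure" is a reachability problem on one backend rather than a configuration problem.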
-
user145837 about 7 years: This is more of a bad work-around than a solution.