Feature #1747

Mail-server: IMAP access for AD users

Added by Davide Principi over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Start date: 03/25/2013
Priority: Normal
Due date: 03/27/2013
Assignee: -
% Done: 100%
Category: nethserver-mail-server
Target version: v6.4-beta2
Resolution:
NEEDINFO: No

Related issues

Related to NethServer 6 - Feature #1746: Samba: joining Active Directory domain CLOSED 03/29/2013 04/03/2013
Related to NethServer 6 - Feature #2000: SOGo: Active Directory integration CLOSED 06/10/2013 06/11/2013
Related to NethServer 6 - Task #2658: Test postfix-2.10.3-1 from EPEL CLOSED

Associated revisions

Revision 8b507540
Added by Davide Principi over 6 years ago

/etc/dovecot/dovecot.conf (30ads fragment): enable active directory configuration if smb/ServerRole prop is ADS. Refs #1747

Revision 69e90d76
Added by Davide Principi over 6 years ago

/etc/dovecot/active-directory.conf template: fixed "user" and "iterate" queries. Refs #1747

Revision 1a128fc5
Added by Davide Principi over 6 years ago

/etc/dovecot/dovecot.conf template (30ads): disabled smb/ServerRole = ADS configuration. Refs #1747

Revision 73382a1a
Added by Davide Principi over 6 years ago

/etc/dovecot/dovecot.conf template (70smtpauth): disable GSSAPI authentication method if samba role is not ADS. Refs #1747

Revision ccf84050
Added by Davide Principi over 6 years ago

dovecot.conf template: fixed auth service clients limit. Refs #1747

Fixes f597bb74509, rolls back dovecot 2.1.1 dependency

Revision 3e0439e1
Added by Davide Principi over 6 years ago

/etc/sysconfig/dovecot template: Obtain Kerberos TGT on dovecot startup. Fixed file descriptor limit. Refs #1747

Revision 8f50e034
Added by Davide Principi over 6 years ago

/etc/dovecot/active-directory.conf template: read LDAP setup from `net ads` output. Refs #1747

Revision 947827f5
Added by Davide Principi over 6 years ago

/etc/dovecot/dovecot.conf template (30ads): add auth_gssapi_hostname, auth_krb5_keytab parameters. Refs #1747

Revision 8cef038d
Added by Davide Principi over 6 years ago

nethserver-samba-{save,update,adsjoin} events: add Active Directory LDAP as DB backend for dovecot users and postfix aliases when smb ServerRole is ADS. Refs #1747

Revision 0871386b
Added by Davide Principi over 6 years ago

Initial import of postfix-2.8.12-1.fc16.src.rpm contents from Fedora. Refs #1747

Revision d0f40084
Added by Davide Principi over 6 years ago

*.spec: Compile with USE_LDAP_SASL if both "ldap" and "sasl" options are enabled. Refs #1747

Revision c2b70133
Added by Davide Principi over 6 years ago

Source tarballs binary hashes. Refs #1747

Revision 2eff2ce0
Added by Davide Principi over 6 years ago

/etc/postfix/active-directory.cf template: LDAP table configuration for postfix >= 2.8. Refs #1747

Revision 35d6f346
Added by Davide Principi over 6 years ago

/etc/postfix/chroot-update template: perform kerberos initialization at postfix daemon startup. Refs #1747

Revision 65923cca
Added by Davide Principi over 6 years ago

*.spec.in: increased dovecot and postfix version requirements. Refs #1747

Revision ad427175
Added by Davide Principi over 6 years ago

nethserver-mail-server-conf action: restart slapd cleanly. Refs #1747 #1722

Revision 59fee173
Added by Davide Principi over 6 years ago

smb.conf template: use Workgroup parameter prop for ADS and PDC roles only. Refs #1747

Revision a9debbb5
Added by Davide Principi over 6 years ago

/etc/dovecot/active-directory.conf template: added missing 'Bind Path' parameter to LDAP search base. Refs #1747

Revision d08031b4
Added by Davide Principi over 6 years ago

nethserver-mail-spam-expunge daily cronjob: import kerberos environment variables for dovecot if samba role is ADS. Refs #1747

History

#1 Updated by Davide Principi over 6 years ago

  • Due date set to 03/27/2013
  • Status changed from NEW to ON_DEV
  • Assignee set to Davide Principi
  • Start date set to 03/25/2013
  • % Done changed from 0 to 20

#3 Updated by Davide Principi over 6 years ago

Current dovecot version dovecot-2.0.9-5.el6.x86_64 is missing an important patch to make the LDAP client work with GSSAPI authentication.

http://www.dovecot.org/list/dovecot/2011-February/057122.html

To get the user list, the LDAP client executes queries specified into /etc/dovecot/active-directory.conf template.
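The comment above refers to the "user" and "iterate" LDAP queries in the /etc/dovecot/active-directory.conf template. The fragment below is an added illustration of what a Dovecot 2.x LDAP userdb bound to Active Directory over SASL GSSAPI looks like; it is not NethServer's template, and the host names, realm, base DN, keytab path and mailbox root are placeholders. The userAccountControl bitwise filter excludes disabled accounts so that a lockout in AD also denies mailbox access.

```conf
# Added illustrative example, not the NethServer template.
# --- dovecot.conf fragment ---
auth_mechanisms = plain login gssapi
# auth_gssapi_hostname must match the host in the service principal;
# the keytab should be readable by the dovecot user only (mode 0600).
auth_gssapi_hostname = mail.example.tld           # placeholder host
auth_krb5_keytab = /etc/dovecot/dovecot.keytab    # placeholder path

userdb {
  driver = ldap
  args = /etc/dovecot/active-directory.conf
}

# --- /etc/dovecot/active-directory.conf (Dovecot LDAP settings) ---
hosts = dc1.example.tld           # placeholder domain controller
ldap_version = 3
# Bind with the service's Kerberos credential instead of a stored password.
sasl_bind = yes
sasl_mech = GSSAPI
sasl_realm = EXAMPLE.TLD          # placeholder realm
base = dc=example,dc=tld          # placeholder search base
scope = subtree

# "user" query: map the login name (%n, without domain) to one AD account.
# Static fields (=home, =uid, =gid) put every mailbox under one vmail owner.
user_attrs = =home=/var/lib/nethserver/vmail/%n,=uid=vmail,=gid=vmail
user_filter = (&(objectClass=user)(sAMAccountName=%n)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# "iterate" query: enumerate accounts for doveadm and mailbox maintenance jobs.
iterate_attrs = sAMAccountName=user
iterate_filter = (&(objectClass=user)(sAMAccountName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
```

With GSSAPI the client's password is never seen by Dovecot, so the userdb lookup is what ties a Kerberos principal to a mailbox; a filter that is too broad (for example matching computer accounts) would create mailboxes for principals that should never log in.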

#4 Updated by Davide Principi over 6 years ago

  • Assignee deleted (Davide Principi)
  • Target version changed from v6.4-beta1 to ~FUTURE
  • % Done changed from 20 to 30

Postponed...

#5 Updated by Giacomo Sanchietti over 6 years ago

  • Target version changed from ~FUTURE to v6.4-beta2

#6 Updated by Davide Principi over 6 years ago

  • Assignee set to Davide Principi
  • Estimated time changed from 24.00 to 32.00

Tested with dovecot-2.1.1-2_132.el6.x86_64.rpm: it works!

Now we need a cronjob to renew kerberos tickets and manage keytab permissions. Other services (httpd-auth, for instance) may use it, too.
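The comment above asks for a cron job that renews Kerberos tickets and keeps keytab permissions in order, and the revisions listed for this issue obtain a TGT at dovecot and postfix startup. The script below is an added example of that pattern, not NethServer's own cron job or template: it refuses to use a keytab readable by group or others, then renews the TGT with kinit from the keytab and confirms the cache holds a valid ticket. The keytab path, principal and credential cache are constructed placeholders.

```shell
#!/bin/sh
# Added illustrative example (not NethServer's cron job or template).
# Renews a service's Kerberos TGT from its keytab, failing closed when the
# keytab is exposed to group/others. Paths and principal are placeholders.

KEYTAB="${KEYTAB:-/etc/dovecot/dovecot.keytab}"              # assumed path
PRINCIPAL="${PRINCIPAL:-imap/mail.example.tld@EXAMPLE.TLD}"  # assumed SPN
KRB5CCNAME="${KRB5CCNAME:-FILE:/var/run/dovecot/krb5cc}"     # assumed cache
export KRB5CCNAME

# keytab_mode_ok FILE: returns 0 when FILE exists and has no group/other
# permission bits set (e.g. 0600 or 0400), 1 otherwise.
keytab_mode_ok() {
    _perm=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    # A leading 0 makes the shell parse the digits as octal; mask group/other.
    [ $(( 0$_perm & 077 )) -eq 0 ]
}

# renew_tgt: obtain a fresh TGT for PRINCIPAL using the keytab, then verify
# that the credential cache now contains a valid, unexpired ticket.
renew_tgt() {
    if ! keytab_mode_ok "$KEYTAB"; then
        echo "refusing to use $KEYTAB: missing or readable by group/others" >&2
        return 1
    fi
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    klist -s   # exits 0 only if the cache holds a valid TGT
}

# Perform the renewal only when invoked as: sh renew-tgt.sh renew
case "${1:-}" in
    renew) renew_tgt ;;
esac
```

Run it from cron as the service user with `renew` as the argument; daemons that should share the ticket need the same KRB5CCNAME in their environment, which is what the cronjob revision listed above does for dovecot.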

#7 Updated by Davide Principi over 6 years ago

  • Status changed from ON_DEV to ON_QA
  • % Done changed from 30 to 80

In testing repo: nethserver-mail-server-1.4.0-1.ns6.noarch.rpm

#8 Updated by Davide Principi over 6 years ago

  • Assignee deleted (Davide Principi)

Test case

  • Prerequisite NethServer 6.4 beta1
  • Upgrade nethserver-mail-server, postfix, dovecot from nethserver-testing repo
  • Join an AD domain (see nethserver-samba and #1746)
  • Test GSSAPI authentication for dovecot and postfix, by installing the Mutt e-mail client or Thunderbird:
       # id aduser
    <should report aduser infos. aduser must be an Active Directory account>
       # echo helloworld | mail -s testad aduser
       # find /var/lib/nethserver/vmail/aduser
    <list aduser mailbox contents: helloworld message must be there>
       # yum install mutt
       # vi ~/.muttrc
    set spoolfile="imap://aduser@yourmailserver/INBOX"
    set imap_authenticators="gssapi"
       # kinit aduser@YOURREALM.TLD
       # mutt
    <aduser inbox must contain a message with subject "testad">

#9 Updated by Giacomo Sanchietti over 6 years ago

  • Assignee set to Giacomo Sanchietti

#10 Updated by Giacomo Sanchietti over 6 years ago

Test environment:

  • AD server: Windows 2008 r2 standard, IP 192.168.1.114, hostname w2k8.ads1.tld, realm ads1.tld, domain nsrv1
  • NethServer: IP 192.168.1.110, hostname test.ads1.tld
  • Client: Windows XP SP2 Pro, IP with dhcp

After AD join, tested Dovecot access with mutt from NethServer.

Mutt configuration:

set spoolfile="imap://mario.rossi@test.ads1.tld/INBOX"
set imap_authenticators="gssapi"

Where mario.rossi is a user on AD server.

Thunderbird on WinXP configuration:
  • Mail address:
  • IMAP server: test.ads1.tld, port 143 with STARTTLS
  • Authentication method: Kerberos /GSSAPI
Also tested Postfix access, within mutt (no configuration required) and Thunderbird:
  • SMTP server: test.ads1.tld, port 587 with STARTTLS
  • Username: mario.rossi
  • Authentication method: Kerberos /GSSAPI

Note: Make sure NethServer is configured with the same network domain as the AD server

Marking as VERIFIED.

#11 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 80 to 100

#12 Updated by Davide Principi over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 90 to 100

Moved to nethserver-updates repository
