Feature #1747
Mail-server: IMAP access for AD users
| Status: | CLOSED | Start date: | 03/25/2013 |
|---|---|---|---|
| Priority: | Normal | Due date: | 03/27/2013 |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-mail-server | | |
| Target version: | v6.4-beta2 | | |
| Resolution: | | NEEDINFO: | No |
Related issues
Associated revisions
/etc/dovecot/dovecot.conf (30ads fragment): enable active directory configuration if smb/ServerRole prop is ADS. Refs #1747
/etc/dovecot/active-directory.conf template: fixed "user" and "iterate" queries. Refs #1747
/etc/dovecot/dovecot.conf template (30ads): disabled smb/ServerRole = ADS configuration. Refs #1747
/etc/dovecot/dovecot.conf template (70smtpauth): disable GSSAPI authentication method if samba role is not ADS. Refs #1747
dovecot.conf template: fixed auth service clients limit. Refs #1747
Fixes f597bb74509, rolls back dovecot 2.1.1 dependency
/etc/sysconfig/dovecot template: Obtain Kerberos TGT on dovecot startup. Fixed file descriptor limit. Refs #1747
/etc/dovecot/active-directory.conf template: read LDAP setup from `net ads` output. Refs #1747
/etc/dovecot/dovecot.conf template (30ads): add auth_gssapi_hostname, auth_krb5_keytab parameters. Refs #1747
nethserver-samba-{save,update,adsjoin} events: add Active Directory LDAP as DB backend for dovecot users and postfix aliases when smb ServerRole is ADS. Refs #1747
Initial import of postfix-2.8.12-1.fc16.src.rpm contents from Fedora. Refs #1747
Merged sources from http://repos.fedorapeople.org/. Refs #1747
*.spec: Compile with USE_LDAP_SASL if both "ldap" and "sasl" options are enabled. Refs #1747
Source tarballs binary hashes. Refs #1747
/etc/postfix/active-directory.cf template: LDAP table configuration for postfix >= 2.8. Refs #1747
/etc/postfix/chroot-update template: perform kerberos initialization at postfix daemon startup. Refs #1747
*.spec.in: increased dovecot and postfix version requirements. Refs #1747
smb.conf template: use Workgroup parameter prop for ADS and PDC roles only. Refs #1747
/etc/dovecot/active-directory.conf template: added missing 'Bind Path' parameter to LDAP search base. Refs #1747
nethserver-mail-spam-expunge daily cronjob: import kerberos environment variables for dovecot if samba role is ADS. Refs #1747
History
#1 Updated by Davide Principi over 8 years ago
- Due date set to 03/27/2013
- Status changed from NEW to ON_DEV
- Assignee set to Davide Principi
- Start date set to 03/25/2013
- % Done changed from 0 to 20
#3 Updated by Davide Principi over 8 years ago
Current dovecot version dovecot-2.0.9-5.el6.x86_64 is missing an important patch to make the LDAP client work with GSSAPI authentication.
http://www.dovecot.org/list/dovecot/2011-February/057122.html
To get the user list, the LDAP client executes queries specified in the /etc/dovecot/active-directory.conf template.
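As an added illustration of the mechanism the commits above describe (the LDAP setup for the Dovecot backend is read from `net ads` output, including the 'Bind Path', and the bind uses GSSAPI), here is example code that is not the nethserver-mail-server template or Samba's own code. The `net ads info` sample is constructed (host and realm names from the test environment below, the Bind Path value assumed); the rendered keys are standard dovecot-ldap.conf settings, but the exact filters the real template uses are an assumption.

```python
# Constructed sample of `net ads info` output: field names follow Samba's
# format, host/realm values come from this issue's test environment,
# the Bind Path value is assumed.
NET_ADS_INFO = """\
LDAP server: 192.168.1.114
LDAP server name: w2k8.ads1.tld
Realm: ADS1.TLD
Bind Path: dc=ADS1,dc=TLD
LDAP port: 389
Server time: Mon, 25 Mar 2013 10:00:00 CET
KDC server: 192.168.1.114
Server time offset: 0
"""

# Fields without which no usable backend config can be rendered.
REQUIRED = ("LDAP server name", "Realm", "Bind Path", "LDAP port")

def parse_net_ads_info(text):
    """Turn 'Key: value' lines into a dict, splitting on the first colon
    only so values such as timestamps survive intact."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            info[key.strip()] = value.strip()
    return info

def dovecot_ldap_fragment(info):
    """Render a dovecot-ldap.conf style fragment that binds with GSSAPI.
    Refuses to render when a required field is absent, so a host whose
    domain join did not complete never gets a half-configured backend."""
    missing = [k for k in REQUIRED if k not in info]
    if missing:
        raise KeyError("net ads info lacks: " + ", ".join(missing))
    host = info["LDAP server name"]
    # GSSAPI needs the ldap/<fqdn>@REALM service principal, so a bare IP
    # address (as in the 'LDAP server' line) would break the SASL bind.
    if host.replace(".", "").isdigit():
        raise ValueError("LDAP server name must be a hostname, got " + host)
    return "\n".join([
        f"hosts = {host}:{info['LDAP port']}",
        f"base = {info['Bind Path']}",
        "sasl_bind = yes",
        "sasl_mech = GSSAPI",
        f"sasl_realm = {info['Realm']}",
        "user_filter = (&(objectClass=user)(sAMAccountName=%n))",
        "iterate_attrs = sAMAccountName=user",
        "iterate_filter = (&(objectClass=user)(sAMAccountName=*))",
    ])
```

The SASL bind only succeeds if the dovecot process already holds a Kerberos TGT, which is why the later commits obtain one at service startup.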
#4 Updated by Davide Principi over 8 years ago
- Assignee deleted (Davide Principi)
- Target version changed from v6.4-beta1 to ~FUTURE
- % Done changed from 20 to 30
Postponed...
#5 Updated by Giacomo Sanchietti over 8 years ago
- Target version changed from ~FUTURE to v6.4-beta2
#6 Updated by Davide Principi about 8 years ago
- Assignee set to Davide Principi
- Estimated time changed from 24.00 to 32.00
Tested with dovecot-2.1.1-2_132.el6.x86_64.rpm: it works!
Now we need a cronjob to renew kerberos tickets and manage keytab permissions. Other services (httpd-auth, for instance) may use it, too.
#7 Updated by Davide Principi about 8 years ago
- Status changed from ON_DEV to ON_QA
- % Done changed from 30 to 80
In testing
repo: nethserver-mail-server-1.4.0-1.ns6.noarch.rpm
#8 Updated by Davide Principi about 8 years ago
- Assignee deleted (Davide Principi)
Test case
- Prerequisite NethServer 6.4 beta1
- Upgrade nethserver-mail-server, postfix, dovecot from nethserver-testing repo
- Join an AD domain (see nethserver-samba and #1746)
- Test GSSAPI authentication for dovecot and postfix, by installing the Mutt e-mail client or Thunderbird:
# id aduser
<should report aduser info. aduser must be an Active Directory account>
# echo helloworld | mail -s testad aduser
# find /var/lib/nethserver/vmail/aduser
<list aduser mailbox contents: helloworld message must be there>
# yum install mutt
# vi ~/.muttrc
set spoolfile="imap://aduser@yourmailserver/INBOX"
set imap_authenticators="gssapi"
# kinit aduser@YOURREALM.TLD
# mutt
<aduser inbox must contain a message with subject "testad">
#9 Updated by Giacomo Sanchietti about 8 years ago
- Assignee set to Giacomo Sanchietti
#10 Updated by Giacomo Sanchietti about 8 years ago
Test environment:
- AD server: Windows 2008 R2 Standard, IP 192.168.1.114, hostname w2k8.ads1.tld, realm ads1.tld, domain nsrv1
- NethServer: IP 192.168.1.110, hostname test.ads1.tld
- Client: Windows XP SP2 Pro, IP with dhcp
After AD join, tested Dovecot access with mutt from NethServer.
Mutt configuration:
set spoolfile="imap://mario.rossi@test.ads1.tld/INBOX"
set imap_authenticators="gssapi"
Where mario.rossi is a user on AD server.
Thunderbird on WinXP configuration:
- Mail address: mario.rossi@ads1.tld
- IMAP server: test.ads1.tld, port 143 with STARTTLS
- Authentication method: Kerberos /GSSAPI
- SMTP server: test.ads1.tld, port 587 with STARTTLS
- Username: mario.rossi
- Authentication method: Kerberos /GSSAPI
Note: Make sure NethServer is configured with the same network domain as the AD server
Marking as VERIFIED.
#11 Updated by Giacomo Sanchietti about 8 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 80 to 100
#12 Updated by Davide Principi about 8 years ago
- Status changed from VERIFIED to CLOSED
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 90 to 100
Moved to nethserver-updates repository