I'm currently trying to set up a tvial/docker-mailserver image with an Active Directory.
My infrastructure consists of a Windows Server 2016 (IP: 10.100.100.1) and an Ubuntu server v18.04 (IP: 10.100.100.3).
Docker is located on the Ubuntu server and the AD is located on the Windows server (logical =) ).
My docker-compose configuration for this container looks like this:
mailserver:
    image: tvial/docker-mailserver
    container_name: mailserver
    domainname: ad.lan
    restart: always
    # volumes:
    #   - ./mail/maildata:/var/mail
    #   - ./mail/mailstate:/var/mail-state
    #   - ./mail/maillogs:/var/log/mail
    #   - ./mail/config/:/tmp/docker-mailserver/
    ports:
      # quoted so YAML does not parse "25:25" as a base-60 number
      - "25:25"
      - "143:143"
      - "587:587"
      - "993:993"
    environment:
      - ENABLE_SPAMASSASSIN=0
      - ENABLE_CLAMAV=0
      - ENABLE_FAIL2BAN=0
      - ENABLE_POSTGREY=0
      - ONE_DIR=1
      - DMS_DEBUG=1
      - PERMIT_DOCKER=host
      - POSTMASTER_ADDRESS=Administrateur@ad.lan
      - POSTFIX_MESSAGE_SIZE_LIMIT=100000000
      - ENABLE_LDAP=1
      - LDAP_SERVER_HOST=10.100.100.1
      - LDAP_BIND_DN=CN=Administrateur,CN=Users,DC=ad,DC=lan
      - LDAP_BIND_PW=*****
      - LDAP_SEARCH_BASE=dc=ad,dc=lan
      # - LDAP_QUERY_FILTER_USER=(&(objectClass=user)(mail=%s))
      # - LDAP_QUERY_FILTER_GROUP=(&(objectclass=group)(mail=%s))
      # - LDAP_QUERY_FILTER_ALIAS=(&(objectClass=user)(otherMailbox=%s))
      # - LDAP_QUERY_FILTER_DOMAIN=(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))
      - ENABLE_SASLAUTHD=1
      - SASLAUTHD_MECHANISMS=ldap
      - SASLAUTHD_LDAP_PROTO=
      - SASLAUTHD_LDAP_SERVER=10.100.100.1
      - SASLAUTHD_LDAP_BIND_DN=CN=Administrateur,CN=Users,DC=ad,DC=lan
      - SASLAUTHD_LDAP_PASSWORD=*****
      - SASLAUTHD_LDAP_SEARCH_BASE=dc=ad,dc=lan
      - SASLAUTHD_LDAP_FILTER=(&(sAMAccountName=%U)(objectClass=person))
      - DOVECOT_PASS_ATTRS=uid=user,userPassword=password
      - DOVECOT_USER_ATTRS=homeDirectory=home,qmailUID=uid,qmailGID=gid,mailMessageStore=mail
      - DOVECOT_PASS_FILTER=(&(objectClass=user)(mail=%n))
      - DOVECOT_USER_FILTER=(&(objectClass=user)(mail=%n))
    cap_add:
      - NET_ADMIN
For debugging I have disabled the mounting of volumes so that the container is completely stateless from one restart to the next.
My Ubuntu server manages to contact the AD with the command:
ldapsearch -H ldap://10.100.100.1 -x -W -D "Administrateur@ad.lan" -b "dc=ad,dc=lan" "(sAMAccountName=Administrateur)"
# extended LDIF
#
# LDAPv3
# base <dc=ad,dc=lan> with scope subtree
# filter: (sAMAccountName=Administrateur)
# requesting: ALL
#
# Administrateur, Users, ad.lan
dn: CN=Administrateur,CN=Users,DC=ad,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrateur
description:: Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24=
distinguishedName: CN=Administrateur,CN=Users,DC=ad,DC=lan
instanceType: 4
whenCreated: 20191012140514.0Z
whenChanged: 20191116095120.0Z
uSNCreated: 8196
memberOf:: Q049UHJvcHJpw6l0YWlyZXMgY3LDqWF0ZXVycyBkZSBsYSBzdHJhdMOpZ2llIGRlIGd
 yb3VwZSxDTj1Vc2VycyxEQz1hZCxEQz1sYW4=
memberOf: CN=Admins du domaine,CN=Users,DC=ad,DC=lan
memberOf:: Q049QWRtaW5pc3RyYXRldXJzIGRlIGzigJllbnRyZXByaXNlLENOPVVzZXJzLERDPWF
 kLERDPWxhbg==
memberOf:: Q049QWRtaW5pc3RyYXRldXJzIGR1IHNjaMOpbWEsQ049VXNlcnMsREM9YWQsREM9bGF
 u
memberOf: CN=Administrateurs,CN=Builtin,DC=ad,DC=lan
uSNChanged: 221259
name: Administrateur
objectGUID:: Wi34ux+F1kKwSOrt7+Ip/A==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132180338869706594
lastLogoff: 0
lastLogon: 132184557184373662
pwdLastSet: 132153036785420852
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA3tGWHhIC6goYjgyq9AEAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 227
sAMAccountName: Administrateur
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=lan
isCriticalSystemObject: TRUE
dSCorePropagationData: 20191013141413.0Z
dSCorePropagationData: 20191013141413.0Z
dSCorePropagationData: 20191012140800.0Z
dSCorePropagationData: 16010101181216.0Z
lastLogonTimestamp: 132183714800509241
# search reference
ref: ldap://ForestDnsZones.ad.lan/DC=ForestDnsZones,DC=ad,DC=lan
# search reference
ref: ldap://DomainDnsZones.ad.lan/DC=DomainDnsZones,DC=ad,DC=lan
# search reference
ref: ldap://ad.lan/CN=Configuration,DC=ad,DC=lan
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
The user I use for connection tests has the following profile:
# extended LDIF
#
# LDAPv3
# base <dc=ad,dc=lan> with scope subtree
# filter: (sAMAccountName=flavien)
# requesting: ALL
#
# Flavien PERIER, Utilisateurs, ad.lan
dn: CN=Flavien PERIER,OU=Utilisateurs,DC=ad,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Flavien PERIER
sn: PERIER
givenName: Flavien
initials: FP
distinguishedName: CN=Flavien PERIER,OU=Utilisateurs,DC=ad,DC=lan
instanceType: 4
whenCreated: 20191013140726.0Z
whenChanged: 20191117093634.0Z
displayName: Flavien PERIER
uSNCreated: 20511
memberOf: CN=Dossier de partage,OU=Utilisateurs,DC=ad,DC=lan
uSNChanged: 249944
name: Flavien PERIER
objectGUID:: oQdAXod2WEK60hd8pA5H5A==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: \\10.100.100.1\PartageSMB\flavien
homeDrive: Z:
badPasswordTime: 132163352342778737
lastLogoff: 0
lastLogon: 132180202493587284
pwdLastSet: 132154492469652506
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA3tGWHhIC6goYjgyqTwQAAA==
accountExpires: 9223372036854775807
logonCount: 39
sAMAccountName: flavien
sAMAccountType: 805306368
userPrincipalName: flavien@ad.lan
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=lan
dSCorePropagationData: 20191016125749.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132175020376094249
mail: flavien@ad.lan
# search reference
ref: ldap://ForestDnsZones.ad.lan/DC=ForestDnsZones,DC=ad,DC=lan
# search reference
ref: ldap://DomainDnsZones.ad.lan/DC=DomainDnsZones,DC=ad,DC=lan
# search reference
ref: ldap://ad.lan/CN=Configuration,DC=ad,DC=lan
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
And what the Docker log returns when trying to connect with the flavien or flavien@ad.lan account is:
Nov 17 11:12:09 1f8e63c913db dovecot: auth: ldap(flavien@ad.lan,172.18.0.1,<AVTq5oiX1ICsEgAB>): unknown user (SHA1 of given password: *****)
Nov 17 11:12:11 1f8e63c913db dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<flavien@ad.lan>, method=PLAIN, rip=172.18.0.1, lip=172.18.0.6, session=<AVTq5oiX1ICsEgAB>
Nov 17 11:12:41 1f8e63c913db dovecot: auth: ldap(flavien,172.18.0.1,<tsze6IiX4oCsEgAB>): unknown user (SHA1 of given password: *****)
Nov 17 11:12:43 1f8e63c913db dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<flavien>, method=PLAIN, rip=172.18.0.1, lip=172.18.0.6, session=<tsze6IiX4oCsEgAB>
Does anyone have any idea what to change in the configuration?
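As an added example that is not part of the original post: a small Python check that expands Dovecot's %u / %n / %d login variables the way Dovecot does and evaluates the resulting LDAP filter against the attributes shown in the LDIF above (re-typed into the script as constructed sample entries). The filter evaluator is a minimal RFC 4515 subset (equality, &, |, !) written only for this example; it lets you see offline which DOVECOT_USER_FILTER actually finds the account before restarting the container.

```python
"""Evaluate Dovecot-style LDAP filters against sample AD entries (added example)."""

# Constructed from the LDIF in the post: only the attributes the filters touch.
ENTRIES = [
    {"objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": ["flavien"], "mail": ["flavien@ad.lan"],
     "userPrincipalName": ["flavien@ad.lan"]},
    {"objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": ["Administrateur"]},   # this entry has no mail attribute
]

def expand(template, login):
    """Dovecot variables: %u = full login, %n = part before '@', %d = domain part."""
    name, _, domain = login.partition("@")
    return template.replace("%u", login).replace("%n", name).replace("%d", domain)

def parse(f, i=0):
    """Recursive-descent parser for the filter subset used here: (attr=value), &, |, !."""
    assert f[i] == "(", "filter must start with '('"
    if f[i + 1] in "&|!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        assert f[i] == ")", "unbalanced filter"
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, val = f[i + 1:end].split("=", 1)
    return ("=", attr, val), end + 1

def matches(node, entry):
    """Evaluate a parsed filter node; attribute names and values compare case-insensitively, as in AD."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == val.lower() for v in values)

def lookup(filter_template, login):
    """Return the sAMAccountName of every entry the expanded filter matches for this login."""
    tree, _ = parse(expand(filter_template, login))
    return [e["sAMAccountName"][0] for e in ENTRIES if matches(tree, e)]

if __name__ == "__main__":
    for login in ("flavien", "flavien@ad.lan"):
        for tmpl in ("(&(objectClass=user)(mail=%n))", "(&(objectClass=user)(mail=%u))"):
            print(f"{login:16} {tmpl:32} -> {lookup(tmpl, login)}")
```

With the filter from the post, `(mail=%n)` expands to `(mail=flavien)` for both login forms, which matches no entry; `(mail=%u)` matches only when the full address is used as the login.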