LDAP authentication is available in Dovecot starting with version 1.0. Since Active Directory is an implementation of LDAP directory services, we can use LDAP authentication to authenticate Dovecot against an Active Directory server. But for users of Dovecot prior to 1.0, or those having problems with LDAP authentication, we can instead use the Kerberos authentication mechanism in Windows via Linux PAM.

Setup and Configure Kerberos

The steps below describe how to configure Kerberos using the GUI tool. You can apply the same changes manually by editing the file /etc/krb5.conf.

Important: The Kerberos network authentication protocol requires the clocks of the involved machines to be synchronized, or at least to differ by less than 5 minutes.

1. Click System, select Administration and click Authentication. This launches the Authentication Configuration window.
2. Click the Authentication tab and check Enable Kerberos Support. Next, click the Configure Kerberos button.
3. In the Kerberos Settings window, fill in the Realm, clear out KDC and Admin Servers and check Use DNS to locate KDCs for realms. The Realm is usually your domain name in capitals; capitalization is important. The KDC is your Active Directory server. Click Ok when you’re done.

Note: To make sure that your KDC can be located automatically, type the command host -t any _kerberos._tcp.acme.local in a terminal window, replacing acme.local with your own realm. If it replies “_kerberos._tcp.acme.local has SRV record …” then it works. This is how a Windows workstation finds the domain controller during domain logon. If it does not work, something is wrong with your DNS settings. You can either fix your DNS settings or manually fill in the KDC field above. You can specify more than one KDC by separating the servers with a comma or a space.

4. Uncheck Enable Kerberos Support and click Ok. We don’t actually want to use Kerberos for Linux logins; we just want the tool to set up Kerberos for us.
5. Test Kerberos by typing kinit username in a terminal window. If you need help making sense of the kinit error messages, see Test the Kerberos Authentication.

Configuring Dovecot PAM

1. Edit the file /etc/pam.d/dovecot and replace its content with the two lines below.
auth        sufficient   pam_krb5.so no_user_check validate
account     sufficient   pam_permit.so
2. Edit the file /etc/dovecot.conf and change the values of the following keys:
passdb pam {
}

userdb static {
  args = uid=501 gid=501 home=/home/vmail/%Lu
}

uid, gid and home should hold the user id, group id and home directory, respectively, of the vmail user account.

3. Restart the dovecot service. Learn how to start and stop services here.
4. You should now be able to log in using the user names found in your Active Directory server. See Test Dovecot using Telnet and try Active Directory user names instead of the system user names.
Note: If you encounter any problems, check the log file at /var/log/maillog.

***
Posted on 4/12/2008 and last updated on 11/7/2009
Filed under Active Directory , CentOS 5 , Dovecot , Kerberos , Red Hat Enterprise Linux 5