I am not experienced in this, so there might be some points that I am missing. Initially I tried to setup Cyrus Mail w/ SASL for AD authentication. After several tries, it failed to work.
I switched to Dovecot and authentication failed in Dovecot, too. So, I started troubleshooting:
- I created a user in AD and called it "vmail".
- ran `ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'dc=example,dc=com' "(userPrincipalName=testuser@example.com)"` and entered the password. The results were successful (returned the LDAP user attributes).
Then I ran
`ldapwhoami -x -W -D cn=vmail,dc=example,dc=com -h ad.example.com`
and entered the password. However, this command fails with `ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1`
Dovecot and Postfix both fail on parameters similar to this. In Dovecot and Postfix I set up the password attribute as `userPassword=password`. AD authentication works (e.g. I can log in to my Windows machine that is joined to the domain, using testuser@example.com).
The "vmail" user is a domain administrator and administrator (I wanted to be sure that being administrator has nothing to do with binding). I really started to think that the problem is in Windows Server not allowing authentication with Linux machines (is that a possibility?), because everything in Linux is correct (at least it looks like it is).
I am using CentOS 7.1.1503 (Core) if it matters.
EDIT: After more troubleshooting I have found that if I don't specify the domain components, ldapwhoami succeeds and returns the user:
`ldapwhoami -x -W -D vmail -h ad.example.com`
However, Dovecot still doesn't work. I set `base =` (empty) to check it out and it still failed to authenticate.
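The `ldap_bind` failure above carries an AD-specific sub-code after `data` (here `52e`) that says more than the generic LDAP result 49 does. The following is an added helper, not part of this question or of the OpenLDAP/Dovecot tools, that extracts the result code, DSID and `data` sub-code from such a diagnostic line and maps the sub-code to its documented AcceptSecurityContext meaning; the table of sub-codes is the well-known set published for AD, and the sample input is the error string quoted above.

```python
import re

# Well-known AD AcceptSecurityContext sub-codes (the value after "data" in the
# bind diagnostic). They are returned for simple binds against a domain controller.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the bind identity could not be resolved)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Generic part: "ldap_bind: Invalid credentials (49)"
_RESULT_RE = re.compile(r"ldap_bind:\s*(?P<text>[^(]+?)\s*\((?P<code>\d+)\)")
# AD part: "... LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"
_AD_RE = re.compile(
    r"LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+).*?data\s+(?P<data>[0-9a-fA-F]+)",
    re.DOTALL,
)


def parse_ad_bind_error(line):
    """Parse an ldap_bind diagnostic line.

    Returns None if the line is not an ldap_bind error. Otherwise returns a dict
    with the LDAP result code, its text, and (when present) the AD DSID, the
    'data' sub-code and its meaning. The AD fields are None for a plain
    non-AD server message that has no 'additional info' part.
    """
    m = _RESULT_RE.search(line)
    if not m:
        return None
    info = {
        "result_code": int(m.group("code")),
        "result_text": m.group("text"),
        "dsid": None,
        "data": None,
        "meaning": None,
    }
    ad = _AD_RE.search(line)
    if ad:
        data = ad.group("data").lower()
        info["dsid"] = ad.group("dsid")
        info["data"] = data
        info["meaning"] = AD_BIND_DATA_CODES.get(data, "unknown sub-code")
    return info


def summarize(line):
    """One-line human summary, e.g. for a troubleshooting log."""
    info = parse_ad_bind_error(line)
    if info is None:
        return "not an ldap_bind error"
    if info["data"] is None:
        return "LDAP result %d (%s), no AD sub-code" % (info["result_code"], info["result_text"])
    return "LDAP result %d (%s), AD data %s: %s" % (
        info["result_code"], info["result_text"], info["data"], info["meaning"])


if __name__ == "__main__":
    # Constructed sample: the diagnostic quoted in the question above.
    sample = ("ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: "
              "DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1")
    print(summarize(sample))
```

Run it with the error text pasted in as `sample`; `52e` in particular is reported for both a wrong password and a bind DN that the domain controller cannot map to an account, which is why the `data` value is worth checking against the bind identity form before anything else.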