[Dovecot] dovecot with ldap and allow_nets
Marc Cuypers
m.cuypers at mgvd.be
Tue Nov 27 10:20:11 EET 2007
Timo Sirainen wrote:
> On Fri, 2007-11-23 at 16:12 +0100, Marc Cuypers wrote:
>> Some of the mail users may only login from the LAN, while others can
>> login from the LAN and the internet.
>>
>> I've read about allow_nets but i can't find very much info when dovecot
>> is used with ldap. Can someone give me a direction (url, configuration
>> file, ...).
>
> You'll have to store the allow_nets field to LDAP using some name and
> tell Dovecot to use it in pass_attrs. On LDAP side you probably need
> some special schema (don't ask me about that) or you need to use some
> other existing field for that purpose.
>
> pass_attrs anyway goes something like:
>
> pass_attrs = uid=user,userPassword=password,someField=allow_nets
>
I already added the field allownets to the LDAP database.
Then I compiled dovecot 1.0.7 on a test machine and set dovecot up to
use LDAP.
# dovecot --version
1.0.7
The LAN is using the addresses in the range 10.0.0.0/24. The test
machine (server) is 10.0.0.224 and the client is 10.0.0.110.
Even when allow_nets contains 127.0.0.1/8, 192.168.1.0/24, I get access.
With this setting I thought I could only log in from 127.0.0.1 and from
the network 192.168.1.0/24.
Below are the logs and the configuration files.
<dovecot.log>
dovecot: 2007-11-27 09:04:14 Info: auth(default): client in: AUTH
1 PLAIN service=IMAP secured lip=10.0.0.224 rip=10.0.0.110
dovecot: 2007-11-27 09:04:14 Info: auth(default): client out: CONT 1
dovecot: 2007-11-27 09:04:14 Info: auth(default): client in: CONT<hidden>
dovecot: 2007-11-27 09:04:14 Info: auth(default): ldap(marc,10.0.0.110):
bind: dn=uid=marc,ou=accounts,ou=people,dc=mgvd,dc=be
dovecot: 2007-11-27 09:04:14 Info: auth(default): client out: OK
1 user=marc
dovecot: 2007-11-27 09:04:14 Info: auth(default): master in: REQUEST
3 14412 1
dovecot: 2007-11-27 09:04:14 Info: auth(default): ldap(marc,10.0.0.110):
user search: base=ou=accounts,ou=people,dc=mgvd,dc=be scope=subtree
filter=(&(objectClass=postfixmail)(uid=marc)) fields=allownets
dovecot: 2007-11-27 09:04:15 Info: auth(default): master out: USER
3 marc allow_nets=127.0.0.1/8, 192.168.1.1 uid=5001
gid=5002
dovecot: 2007-11-27 09:04:15 Info: imap-login: Login: user=<marc>,
method=PLAIN, rip=10.0.0.110, lip=10.0.0.224, TLS
dovecot: 2007-11-27 09:04:15 Info: auth(default): new auth connection:
pid=14463
</dovecot.log>
Configuration files used
<dovecot.conf>
protocols = imaps
log_path = /var/log/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:/home/mail/%u/Maildir
mail_extra_groups = mail
protocol imap {
}
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
}
auth_debug = yes
auth default {
mechanisms = plain login
passdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}
userdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}
user = root
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}
dict {
}
plugin {
}
</dovecot.conf>
<dovecot-ldap.conf>
hosts = 127.0.0.1
dn=cn=manager,dc=mgvd,dc=be
dnpass = <password>
auth_bind = no
auth_bind_userdn = uid=%u,ou=accounts,ou=people,dc=mgvd,dc=be
base = ou=accounts,ou=people,dc=mgvd,dc=be
scope = subtree
user_attrs = allownets=allow_nets
user_filter = (&(objectClass=postfixmail)(uid=%u))
pass_attrs = uid=user,userPassword=password,allownets=allow_nets
pass_filter = (&(objectClass=postfixmail)(uid=%u))
user_global_uid = 5001
user_global_gid = 5002
</dovecot-ldap.conf>
--
Marc
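Editor's note with an added example (not from the original post and not Dovecot's own code). In Dovecot, allow_nets is a passdb extra field: it is checked when the passdb answers the authentication request. In the log above, the passdb reply is "client out: OK 1 user=marc" with no allow_nets at all; the field only shows up on the userdb reply ("master out: USER 3 marc allow_nets=127.0.0.1/8, 192.168.1.1 ..."), where it describes the mailbox and gates nothing, which is consistent with the login from 10.0.0.110 being accepted. The Python below models that distinction with replies constructed from the logged values; the parsing of "127.0.0.1/8" as a /8 network and the login_decision helper are the example's own, not Dovecot internals.

```python
"""Model of how an allow_nets value gates a login, and of why a value that
only arrives via the userdb reply is never enforced.  Added example; the
reply dictionaries below are constructed from the log lines in the post."""
import ipaddress


def parse_allow_nets(value):
    """Split a comma and/or space separated allow_nets value into networks.

    '127.0.0.1/8' is a host address carrying a prefix length, so
    strict=False is required to read it as 127.0.0.0/8; a bare address such
    as '192.168.1.1' becomes the single-host network 192.168.1.1/32.
    """
    return [ipaddress.ip_network(item, strict=False)
            for item in value.replace(",", " ").split()]


def ip_allowed(rip, allow_nets_value):
    """True if the remote IP falls inside any listed network."""
    ip = ipaddress.ip_address(rip)
    return any(ip in net for net in parse_allow_nets(allow_nets_value))


def login_decision(rip, passdb_fields, userdb_fields):
    """Return (allowed, reason) for a client at rip.

    Only fields returned by the passdb take part in the decision; userdb
    fields (uid, gid, home, ...) are looked up afterwards for the mail
    process and are ignored here even if one of them is called allow_nets.
    """
    nets = passdb_fields.get("allow_nets")
    if nets is None:
        if "allow_nets" in userdb_fields:
            return True, "allow_nets present only in userdb reply: not enforced"
        return True, "no allow_nets restriction"
    if ip_allowed(rip, nets):
        return True, "rip inside allow_nets"
    return False, "rip outside allow_nets"


# Constructed from the posted log: the passdb reply carried only the user
# name, the userdb reply carried allow_nets, uid and gid.
PASSDB_REPLY_AS_LOGGED = {"user": "marc"}
USERDB_REPLY_AS_LOGGED = {"allow_nets": "127.0.0.1/8, 192.168.1.1",
                          "uid": "5001", "gid": "5002"}
# Hypothetical passdb reply in which the attribute did come back via pass_attrs.
PASSDB_REPLY_WITH_NETS = {"user": "marc",
                          "allow_nets": "127.0.0.1/8, 192.168.1.1"}
CLIENT_IP = "10.0.0.110"


if __name__ == "__main__":
    print(login_decision(CLIENT_IP, PASSDB_REPLY_AS_LOGGED, USERDB_REPLY_AS_LOGGED))
    print(login_decision(CLIENT_IP, PASSDB_REPLY_WITH_NETS, USERDB_REPLY_AS_LOGGED))
    for probe in ("127.0.0.5", "192.168.1.1", "192.168.1.2"):
        print(probe, login_decision(probe, PASSDB_REPLY_WITH_NETS, {}))
```

Running it reproduces the behaviour seen in the post: with allow_nets only in the userdb reply the client at 10.0.0.110 is admitted, whereas the same value on the passdb reply rejects it and admits only loopback addresses and the single host 192.168.1.1.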