[Dovecot] Please help: LDAP configuration _almost_ works.
jackmc at lorentz.com
Fri Apr 11 18:43:12 EEST 2008
Hmmm... Perhaps my understanding is wrong. Below is the thought
process that brought me here...
userPassword: this is not included _because_ I am using auth_bind.
dovecot is not going to check the userPassword field itself; instead, it
is going to try and use the password supplied by the user to
authenticate to the LDAP server, using:
dn: dovecot needs a dn with which to search the database to find the
user's DN based on their email.
An illustration. As an end user, suppose the information that I am to
use to connect is:
Username: jackmc at lorentz.com
The sequence that I am trying to make occur is this:
1. User sends "jackmc at lorentz.com", "test123" to dovecot
2. Dovecot searches ldap for a user with this email address.
Specifically, the user needs to be in "ou=users, dc=lorentz,
dc=com" (and not any subtree; only in the top level). This base DN is
based on the username supplied: lorentz.com is converted to LDAP format.
In order to search for this, Dovecot needs access to the LDAP
database. To this end, I have created a DN "cn=varmail, ou=users,
dc=lorentz, dc=com" which can search all domains for the "mail" field.
Thus, dovecot will bind using the varmail DN and then search onelevel
of "ou=users, dc=lorentz, dc=com" for an inetOrgPerson entry whose mail
field is jackmc at lorentz.com. As demonstrated by the ldapsearch in my
earlier email, this will return the entry for "cn=Jack McKinney,
ou=users, dc=lorentz, dc=com".
Now that dovecot knows what the user's DN is, it will make a new
connection to the LDAP server (this is my understanding of "auth_bind =
yes") using "cn=Jack McKinney, ou=users, dc=lorentz, dc=com" and the
password "test123". If this LDAP connection authenticates, then the
user is granted access to email (the email location is specified in a
static userdb in my dovecot.conf).
Thus, dovecot never needs to see the userPassword field. Indeed, by
design, varmail does not have access to this field. Dovecot is supposed
to determine the DN for the user based on the supplied username (which
in this case is an email address) and then use that DN and the password
supplied by the user to try and authenticate to LDAP. If it succeeds,
then the user can access their email.
On Fri, 2008-04-11 at 09:20 +0200, Steffen Kaiser wrote:
> On Tue, 8 Apr 2008, Jack McKinney wrote:
> > hosts = ldap.lrtz
> > dn = cn=varmail,ou=users,dc=lorentz,dc=com
> > dnpass = *********
> > ldap_version = 3
> > auth_bind = yes
> > pass_filter = (&(objectClass=inetOrgPerson)(mail=%Lu))
> > base = ou=users, dc=%Dd
> > scope = onelevel
> Your configuration looks bad:
> You use auth_bind, but the displayed LDAP item does not contain a
> "userPassword" attribute and you've specified "dn", not necessary for
> auth_bind's. And you have no pass_attrs config.
> I guess the first step is to set auth_bind = no
> and add the password attribute to the user.
> Or keep the auth_bind = yes and add a userPassword attribute to the user,
> so each user can bind itself to his/her LDAP item.
> Wiki: http://wiki.dovecot.org/AuthDatabase/LDAP
> > The OpenLDAP log shows that the query is received and that it
> > returns a match:
> > Apr 3 08:13:30 fourier slapd: conn=7 op=3 SRCH
> > base="ou=users,dc=lorentz,dc=com" scope=1 deref=0
> > filter="(&(objectClass=inetOrgPerson)(mail=jackmc at lorentz.com))"
> > Apr 3 08:13:30 fourier slapd: conn=7 op=3 SRCH attr=uid
> > Apr 3 08:13:30 fourier slapd: conn=7 op=3 SEARCH RESULT tag=101
> > err=0 nentries=1 text=
> Well, does nentries=1 really indicate one _match_ or just one returned
> item/packet? If I use ldapsearch -x uid=nonexisting, I get: "#
> numResponses: 1" in the last line, but no hit.
> You also see that the search is attr=uid, why?
> I do _not_ know why Dovecot just hangs, this is probably a bug due to the
> configuration glitches.
> - --
> Steffen Kaiser
jackmc at lorentz.com YM:lfaatsnat2006 AIM:jackmclorentz
Beware geeks bearing diffs
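The three-step auth_bind flow described in this message (bind as varmail, onelevel search using the expanded base and pass_filter, then a second bind as the DN that was found) as an added Python simulation against a constructed in-memory directory; this is not Dovecot's code. The directory entries, the varmail password and the RFC 4515 filter escaping applied to the username are assumptions of the example.

```python
import re
# Constructed stand-in for the OpenLDAP server in the thread; passwords are sample values.
DIRECTORY = {
    "cn=varmail,ou=users,dc=lorentz,dc=com": {"userPassword": "svc-secret"},
    "cn=Jack McKinney,ou=users,dc=lorentz,dc=com": {
        "objectClass": "inetOrgPerson", "mail": "jackmc@lorentz.com", "userPassword": "test123"},
    # Same mail value one level deeper: scope=onelevel must not return it.
    "cn=Jack McKinney,ou=archive,ou=users,dc=lorentz,dc=com": {
        "objectClass": "inetOrgPerson", "mail": "jackmc@lorentz.com", "userPassword": "stale"},
}
CONF = {  # settings from the thread; dnpass is a constructed value
    "dn": "cn=varmail,ou=users,dc=lorentz,dc=com", "dnpass": "svc-secret",
    "pass_filter": "(&(objectClass=inetOrgPerson)(mail=%Lu))",
    "base": "ou=users, dc=%Dd", "scope": "onelevel",
}

def norm_dn(dn):
    return re.sub(r",\s*", ",", dn.strip())
def filter_escape(value):  # RFC 4515 escaping for values substituted into a filter
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)
def expand(template, username):
    """Expand the Dovecot variables the thread uses: %Lu (lowercased user) and %Dd."""
    domain = username.partition("@")[2]
    if not re.fullmatch(r"[A-Za-z0-9.-]+", domain):  # keep the base DN well-formed
        raise ValueError("unexpected domain in username")
    dcs = domain.replace(".", ",dc=")  # %D: 'lorentz.com' -> 'lorentz,dc=com', hence 'dc=%Dd'
    return template.replace("%Lu", filter_escape(username.lower())).replace("%Dd", dcs)
def bind(dn, password):
    """The server-side check; Dovecot itself never reads userPassword."""
    entry = DIRECTORY.get(norm_dn(dn))
    return entry is not None and entry["userPassword"] == password
def search(base, scope, ldap_filter):
    """Evaluate an AND of equality terms, e.g. the thread's pass_filter."""
    base, terms = norm_dn(base), re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)
    unesc = lambda v: re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m[1], 16)), v)
    hits = []
    for dn, attrs in DIRECTORY.items():
        parent = dn.split(",", 1)[1]  # assumes no escaped commas in RDNs
        in_scope = parent == base if scope == "onelevel" else dn.endswith(base)
        if in_scope and all(attrs.get(a) == unesc(v) for a, v in terms):
            hits.append(dn)
    return hits
def auth_bind_login(username, password):
    """Return the authenticated user's DN or None, following the three steps above."""
    if not bind(CONF["dn"], CONF["dnpass"]):  # 1. bind as varmail
        return None
    hits = search(expand(CONF["base"], username), CONF["scope"], expand(CONF["pass_filter"], username))
    if len(hits) != 1:  # 2. exactly one entry must match
        return None
    return hits[0] if bind(hits[0], password) else None  # 3. re-bind as the user's own DN
```

Calling search with scope "sub" instead of "onelevel" returns both Jack McKinney entries, which is why the thread restricts the search to one level.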