[Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)

Jack McKinney jackmc at lorentz.com
Wed Apr 16 16:42:01 EEST 2008


	It seems that Rob and I are doing almost exactly the same thing except:

- He uses AD, I use OpenLDAP
- His works, mine doesn't.

	I have:
- Red Hat Linux release 7.2 (Enigma)
- OpenLDAP 2.3.38
- Dovecot 1.0.12, 1.0.13, and 1.1.rc4 (they all fail the same way).

	Sigh... Rob, it sounds like you are trying to do EXACTLY what I am
trying to do:

1. My users login with their email address.

2a. My users are all over the tree in the sense that you cannot
determine the DN from the email alone.  E.g., I am jackmc at lorentz.com,
but my DN is "cn=Jack McKinney, ou=users, dc=lorentz, dc=com".  Thus, I
need to do a lookup to get the DN to use for auth_bind. However,

2b. My users have contact databases under their DNs.  For example, all
of my contacts are in ou=AddressBook,cn=Jack McKinney, ou=users,
dc=lorentz, dc=com. If I did a subtree search, then
mail=jackmc at lorentz.com would pick up my DN, plus the DN of any entry in
anyone's addressbook for me.  I.e., if foo at example.com had an account on
my system, and they had an entry in their addressbook, then the subtree
query for mail=jackmc at lorentz.com would turn up two entries:

dn: cn=Jack McKinney, ou=users, dc=lorentz, dc=com
dn: cn=Jack McKinney, ou=AddressBook, cn=Foo Bar, ou=users, dc=example,
 dc=com

	Thus, I do a query with base "ou=users, dc=%Dd" and scope = onelevel,
so that only the real users are matched.
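As an added illustration of points 2a and 2b (this is not code from the thread): a small Python model of LDAP search scopes over a constructed directory, showing that a subtree search from ou=users matches both the real account and the addressbook copy of the same mail address, while onelevel matches only the account. The `lookup_user_dn` helper, the `%Dd` expansion and the directory contents are assumptions made for the demo (Foo Bar's account is placed under dc=lorentz,dc=com so the addressbook entry falls inside the search base).

```python
# Added example, not from the thread: a small model of LDAP search scopes
# showing why the lookup under "ou=users,dc=%Dd" must use scope=onelevel.
from typing import Dict, List
Entry = Dict[str, List[str]]

def parse_dn(dn: str) -> List[str]:
    """RDNs leaf-first, ignoring spacing/case ('ou=users, dc=x' == 'ou=users,dc=x')."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(entry_dn: str, base: str, scope: str) -> bool:
    """Mirror the LDAP 'base', 'onelevel' and 'subtree' search scopes."""
    e, b = parse_dn(entry_dn), parse_dn(base)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False                    # not under the base at all
    depth = len(e) - len(b)             # 0 = the base, 1 = direct child, ...
    return {"base": depth == 0, "onelevel": depth == 1, "subtree": True}[scope]

def ldap_search(directory: Dict[str, Entry], base: str, scope: str,
                attr: str, value: str) -> List[str]:
    """DNs in scope whose `attr` equals `value`: the '(mail=%u)' filter."""
    return [dn for dn, attrs in directory.items()
            if in_scope(dn, base, scope) and value in attrs.get(attr, [])]

def domain_to_dn(domain: str) -> str:
    """Dovecot's %Dd expansion: 'lorentz.com' -> 'dc=lorentz,dc=com'."""
    return ",".join(f"dc={label}" for label in domain.split("."))

def lookup_user_dn(directory: Dict[str, Entry], mail: str) -> str:
    """The pre-auth_bind lookup: onelevel under ou=users of the mail domain.
    Insist on exactly one hit so an ambiguous match is never bound as."""
    base = "ou=users," + domain_to_dn(mail.split("@", 1)[1])
    hits = ldap_search(directory, base, "onelevel", "mail", mail)
    if len(hits) != 1:
        raise LookupError(f"{mail}: expected exactly 1 entry, got {len(hits)}")
    return hits[0]

# Constructed directory: two real accounts plus an addressbook entry for Jack
# stored under Foo Bar's account (placed in dc=lorentz,dc=com for the demo).
DIRECTORY: Dict[str, Entry] = {
    "cn=Jack McKinney,ou=users,dc=lorentz,dc=com": {"mail": ["jackmc@lorentz.com"]},
    "cn=Foo Bar,ou=users,dc=lorentz,dc=com": {"mail": ["foo@example.com"]},
    "cn=Jack McKinney,ou=AddressBook,cn=Foo Bar,ou=users,dc=lorentz,dc=com":
        {"mail": ["jackmc@lorentz.com"]},
}

if __name__ == "__main__":
    base = "ou=users, dc=lorentz, dc=com"          # as written in the thread
    for scope in ("subtree", "onelevel"):
        print(scope, ldap_search(DIRECTORY, base, scope, "mail", "jackmc@lorentz.com"))
    print("bind as", lookup_user_dn(DIRECTORY, "jackmc@lorentz.com"))
```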

3. My users do not have any logins on the system.  Just like a web
server is just a web server and not a login system, the same with my
email: all mail lives under the same username and group
(varmail/varmail), and everyone's maildir
is /var/mail/domain/user/Maildir/

	My config is almost exactly the same as yours, except that I use static
userdb and I do not have (nor do I understand the need for; see my
previous post) pass_attrs.  I tried putting them in matching yours, but
it still fails the same way: OpenLDAP receives the query and (according
to its logs) responds with nentries=1 (i.e., exactly one match, as
expected). However, dovecot never sees the response from OpenLDAP.

On Wed, 2008-04-16 at 11:17 +0000, Rob Coward wrote:
> On Wed, 2008-04-16 at 10:39 +0100, Wojtek Bogusz wrote:
> > Dear Rob, thank you for your support!
> > There are small differences between my config and yours, like:
> > 
> > - you do not have auth_bind_userdn defined. If I comment mine out I cannot
> > authenticate at all - log file:
> > auth(default): ldap(wojtek,192.168.0.200): unknown user
> > dovecot: auth(default): client out: FAIL^I1^Iuser=wojtek
> 
> Our initial connection is made using the "dn" and "dnpass" settings.
> This looks up the user's dn based on the "(&(objectClass=user)(mail=%
> u))" search criteria.
> 
> My understanding of the auth_bind_userdn setting is that it is only
> useful if all your users are in a specific tree in the ldap, so that you
> can specify (from
> http://wiki.dovecot.org/HowTo/DovecotOpenLdap?highlight=%
> 28auth_bind_userdn%29 ) auth_bind_userdn = uid=%
> u,ou=People,dc=_WIZZY_HOSTNAME_,ou=wizzy
> 
> This I believe saves the first lookup to find the dn of the user trying
> to login. Our users are spread throughout our tree, hence using the
> initial lookup as the 'dn'/'dnpass' user to find our user's dn.
> 
> If you remove auth_bind_userdn, do you have 'dn' & 'dnpass' setup with a
> suitable unprivileged user to allow the initial lookup of the logging-in
> user's dn ?
> 
> > 
> > - you have user_attrs = mail=user, me: user_attrs =
> > homeDirectory=home,uidNumber=uid. But I do not think it makes any difference.
> > 
> 
> Our users login with their email address as the userid - hence
> "mail=user" telling dovecot that the userid is stored in the 'mail'
> attribute in the ldap results. We don't bother with 'home' or 'uid' as
> they are all virtual users, using a fixed uid set by "user_global_uid =
> dovecot" and "mail_location: maildir:/data/shared/mailstore/%d/%n"
> 
> > - I did not have deref = never. Do you know what it does? I do not
> > understand the man ldapsearch explanation :(
> 
> Something to do with following links to other ldap servers I think. Don't
> think it's strictly necessary in a single-server setup.
> 
> > 
> > Rob, could you send me your ldap config (/etc/ldap/slapd.conf) please?
> > Maybe I am making some simple mistake with my ldap config...
> 
> As I said, we use Active Directory (running on Win2k3 servers I
> believe), not slapd.
> 
> Regards,
> Rob
> 
> 
> > Rob Coward wrote:
> > > I can't help you with what is going wrong for you, but we use dovecot
> > > very successfully with ldap lookups against Active Directory, using
> > > auth_bind=yes, and it does not require anonymous connections. The
> > > initial connection is by an un-privileged user that searches for the
> > > user, then a 2nd connection is used, authenticating against AD as the
> > > looked up user using the password supplied to dovecot.
> > > 
> > > Our setup looks like this:
> > > 
> > > # rpm -q dovecot
> > > dovecot-1.0-1.2.0.el5
> > > 
> > > # dovecot -n
> > > # /etc/dovecot.conf
> > > protocols: imap pop3
> > > login_dir: /var/run/dovecot/login
> > > login_executable(default): /usr/libexec/dovecot/imap-login
> > > login_executable(imap): /usr/libexec/dovecot/imap-login
> > > login_executable(pop3): /usr/libexec/dovecot/pop3-login
> > > login_user: dovecotlogin
> > > login_process_size: 64
> > > login_processes_count: 10
> > > login_max_processes_count: 64
> > > first_valid_uid: 97
> > > default_mail_env: maildir:/data/shared/mailstore/%d/%n
> > > mail_location: maildir:/data/shared/mailstore/%d/%n
> > > mail_executable(default): /usr/libexec/dovecot/imap
> > > mail_executable(imap): /usr/libexec/dovecot/imap
> > > mail_executable(pop3): /usr/libexec/dovecot/pop3
> > > mail_plugin_dir(default): /usr/lib64/dovecot/imap
> > > mail_plugin_dir(imap): /usr/lib64/dovecot/imap
> > > mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
> > > auth default:
> > >   passdb:
> > >     driver: ldap
> > >     args: /etc/dovecot-ldap.conf
> > >   passdb:
> > >     driver: ldap
> > >     args: /etc/dovecot-ldap-fr.conf
> > >   passdb:
> > >     driver: ldap
> > >     args: /etc/dovecot-ldap-se.conf
> > >   userdb:
> > >     driver: ldap
> > >     args: /etc/dovecot-ldap.conf
> > >   userdb:
> > >     driver: ldap
> > >     args: /etc/dovecot-ldap-fr.conf
> > >   userdb:
> > >     driver: ldap
> > >     args: /etc/dovecot-ldap-se.conf
> > > 
> > > # cat /etc/dovecot-ldap.conf
> > > hosts = ad.our.net
> > > dn=CN=Lookup,CN=Users,DC=our,DC=net
> > > dnpass=XXXXXXXX
> > > auth_bind = yes
> > > ldap_version = 3
> > > base = OU=Stores,OU=UK,DC=our,DC=net
> > > deref = never
> > > scope = subtree
> > > user_attrs = mail=user
> > > user_filter = (&(objectClass=user)(mail=%u))
> > > pass_attrs = mail=user,userPassword=password,mail=userdb_user
> > > pass_filter = (&(objectClass=user)(mail=%u))
> > > user_global_uid = dovecot
> > > user_global_gid = dovecot
> > > 
> > > We use multiple userdb / passdb definitions and ldap configs in order to
> > > limit the searches of our AD schema to specific sub-trees, both for
> > > performance and as there are other users elsewhere in our schema that we
> > > don't want dovecot to allow to connect.
> > > 
> > > Hope this helps you.
> > > Rob
> > > 
> > > On Wed, 2008-04-16 at 00:19 +0100, Wojtek Bogusz wrote:
> > >>>> /etc/ldap/sldap.conf:
> > >>>> access to attr=uid,homeDirectory,uidNumber
> > >>>>         by anonymous read
> > >>> 	I do not have this in my configuration, and dovecot does indeed use the
> > >>> credential I provide to successfully query LDAP for the user based on
> > >>> the (mail=%u) criteria.  However, it does not see the reply.
> > >>> 	The fact that it does perform the query successfully implies to me that
> > >>> it does not use an anonymous connection.  Very puzzling.
> > >>
> > >> I have no idea what dovecot is doing :-) From the log file it looks like
> > >> there are 2 queries to ldap: 1. to check the provided password for the provided
> > >> user name, 2. to find the user-related information (and from what Steffen
> > >> wrote this one is done with an anonymous user - correct?).
> > >>
> > >> [On the margin: why isn't it done in one query: get me the user-related
> > >> information, I am binding with the provided user and the provided password.
> > >> This way it would be one query for two things.]
> > >>
> > >> In my case, I cannot list user-related information from ldap in an
> > >> anonymous connection even from the command line, using: ldapsearch -x -b
> > >> 'ou=Users,dc=frontline' '(&(objectClass=posixAccount)(uid=wojtek))'
> > >> homeDirectory
> > >>
> > >> So I guess that I have to work out ldap settings for anonymous queries. My
> > >> /etc/ldap/slapd.conf related to access permissions is:
> > >>
> > >> access to dn.children="ou=Users,dc=frontline" 
> > >> attrs=uid,homeDirectory,uidNumber
> > >>         by anonymous read
> > >> access to attrs=userPassword,sambaNTPassword,sambaLMPassword
> > >>          by dn="cn=admin,dc=frontline" write
> > >>          by anonymous auth
> > >>          by self write
> > >>          by * none
> > >> access to dn.children="ou=Users,dc=frontline"
> > >>          by dn="cn=root,ou=Users,dc=frontline" read
> > >>          by anonymous auth
> > >>          by self write
> > >> access to dn.base="" by * read
> > >> access to *
> > >>          by dn="cn=admin,dc=frontline" write
> > >>          by * read
> > >>
> > >> Maybe the problem is here... any hints please?
> > >>
> > >> Regards, Wojtek
> > > 
> 
> 
-- 
Jack McKinney
GPG 1024D/99C6A174
jackmc at lorentz.com YM:lfaatsnat2006 AIM:jackmclorentz
Beware geeks bearing diffs