[Dovecot] Dovecot deliver with AD LDAP userdb

Mark Schaub mark.schaub at sau24.org
Wed Oct 14 23:00:54 EEST 2009


Good Afternoon,

I have my virtual users stored in an Active Directory database. As far
as mail info goes the 2 important fields are: mail (their primary
email address) and otherMailbox (a multivalue attribute containing
their mail aliases). Right now all email addresses belong in the same
domain and there are no immediate plans to change this.

If I use Postfix to do the lookups and delivery, using Dovecot only for
a PAM passdb and a static userdb, then everything delivers fine to
mail and otherMailbox addresses. I have been working on switching over
to Dovecot's deliver process in order to integrate Sieve capability. I
have configured userdb ldap and passdb ldap in Dovecot and have set up
master and client sockets. Before I describe my problem let me show
you my configuration (as I think the dovecot-ldap.conf in particular
needs to be explained). Here are the important parts of dovecot.conf:

auth default {
  socket listen {
    master {
      path = /usr/var/run/dovecot/auth-master
      mode = 0666
      user = vmail
      group = vmail
    }

    client {
      path = /var/spool/postfix/private/auth
      mode = 0666
      user = postfix
      group = postfix
    }
  }

  passdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  userdb ldap {
    # Path for LDAP configuration file, see doc/dovecot-ldap-example.conf
    args = /etc/dovecot-ldap.conf
  }

and my dovecot -n:

lda:
  postmaster_address: postmaster@sau24.org
  mail_plugins: sieve
auth default:
  mechanisms: plain login
  debug: yes
  passdb:
    driver: ldap
    args: /etc/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot-ldap.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 438
      user: postfix
      group: postfix
    master:
      path: /usr/var/run/dovecot/auth-master
      mode: 438
      user: vmail
      group: vmail
plugin:
  sieve: ~/.dovecot.sieve
  sieve_dir: ~/sieve
  sieve_storage: ~/sieve

Further, here is my dovecot-ldap.conf:

hosts = delldb.sau24.org:3268
base = dc=sau24, dc=org
ldap_version = 3
dn = cn=Mail User,cn=Users,dc=sau24,dc=org
dnpass = secret
auth_bind = yes
scope = subtree
user_attrs = sAMAccountName=home=/home/vmail/%$,=uid=501,=gid=501
pass_attrs = sAMAccountName=user
user_filter = (&(objectclass=person)(|(sAMAccountName=%n)(mail=%n@sau24.org)(otherMailbox=%n@sau24.org)))
pass_filter = (&(objectclass=person)(|(sAMAccountName=%n)(mail=%n@sau24.org)(othermailbox=%n@sau24.org)))

Now, you'll notice that the user_filter and pass_filter have the
domain statically placed after the mail and otherMailbox attributes.
The reason for this is that this LDAP configuration is used for both
authentication purposes and local delivery, so it's not always being
passed the domain info (for authentication it gets the user's IP
address). Since all my users are on the same domain I can statically
set this here. This setup authenticates users to IMAP and POP (users
use their sAMAccountName as their username when they log in), and
pulls their correct home directory. Checking mail is not a problem at
all.

Further, this setup delivers correctly when mail is addressed to the
value in the "mail" attribute. The problem seems to be in the
otherMailbox attribute: it cannot look up the user's sAMAccountName
based on the otherMailbox field. Here is what it looks like in the
logs for mail sent to my "mail" attribute (mark.schaub@sau24.org):

Oct 14 12:36:19 auth(default): Info: master in: USER    1    mark.schaub@sau24.org    service=deliver
Oct 14 12:36:19 auth(default): Info: ldap(mark.schaub@sau24.org): user search: base=dc=sau24, dc=org scope=subtree filter=(&(objectclass=user)(|(sAMAccountName=mark.schaub)(mail=mark.schaub@sau24.org)(otherMailbox=mark.schaub@sau24.org))) fields=sAMAccountName
Oct 14 12:36:19 auth(default): Info: ldap(mark.schaub@sau24.org): result: sAMAccountName(home=/home/vmail/%$)=/home/vmail/mschaub
Oct 14 12:36:19 auth(default): Info: master out: USER    1    mark.schaub@sau24.org    home=/home/vmail/mschaub    uid=501    gid=501
Oct 14 12:36:19 deliver(mark.schaub@sau24.org): Info: sieve: msgid=<6b71e3a70910140936v4e8cd6fdwd847a1721a9d9786@mail.gmail.com>: stored mail into mailbox 'INBOX'

But this is what I get when I try to send to an address listed in my
otherMailbox field (tech@sau24.org):

Oct 14 12:30:58 auth(default): Info: master in: USER    1    tech@sau24.org    service=deliver
Oct 14 12:30:58 auth(default): Info: ldap(tech@sau24.org): user search: base=dc=sau24, dc=org scope=subtree filter=(&(objectclass=user)(|(sAMAccountName=tech)(mail=tech@sau24.org)(otherMailbox=tech@sau24.org))) fields=sAMAccountName
Oct 14 12:30:58 auth(default): Info: ldap(tech@sau24.org): Unknown user
Oct 14 12:30:58 auth(default): Info: master out: NOTFOUND    1

As a test I tried modifying my dovecot-ldap.conf to use different
fields instead of otherMailbox. Sending to some of those attributes
worked, others didn't. I could use the "sn" and "givenName" attributes,
but "postalCode" and "title" would give the same error as
otherMailbox.

My question is this: is there something wrong with my configuration or
can Dovecot only query certain fields in the user_attr string?

Thanks,
~ Mark
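Editor's note with a worked example. The lookup described in the post, modelled offline: this is an added example and not code from the post or from Dovecot itself. It reproduces how Dovecot 1.x expands the %-variables in user_filter and user_attrs (the two templates are copied from the dovecot-ldap.conf above, and the expanded filter is the one the log lines show) and how an LDAP server evaluates that filter against an entry. The directory entry and the GC_PARTIAL_ATTRIBUTE_SET are constructed for the illustration. The one fact the model relies on is that port 3268 is Active Directory's global catalog port, and a global catalog answers searches only from the partial attribute set it replicates; whether otherMailbox, postalCode or title are in that set for this forest is something to verify on the server, not something this example asserts.

```python
"""Offline model of the userdb lookup in the post (added example, not code from
the post or from Dovecot).  Filter and user_attrs templates are the post's own;
the directory entry and the global-catalog attribute set are constructed."""
import re

# Templates copied from the dovecot-ldap.conf in the post.
USER_FILTER = ("(&(objectclass=person)(|(sAMAccountName=%n)"
               "(mail=%n@sau24.org)(otherMailbox=%n@sau24.org)))")
USER_ATTRS = "sAMAccountName=home=/home/vmail/%$,=uid=501,=gid=501"

# Constructed directory: one AD user with two aliases in otherMailbox.  Attribute
# names are lower-cased because LDAP attribute types are case-insensitive.
DIRECTORY = [{
    "objectclass": ["top", "person", "organizationalPerson", "user"],
    "samaccountname": ["mschaub"], "mail": ["mark.schaub@sau24.org"],
    "othermailbox": ["tech@sau24.org", "helpdesk@sau24.org"],
    "givenname": ["Mark"], "sn": ["Schaub"],
}]

# ASSUMPTION for the illustration only: which of those attributes a global
# catalog (port 3268) replicates.  The real partial attribute set depends on the
# forest schema; verify it with ldapsearch instead of trusting this list.
GC_PARTIAL_ATTRIBUTE_SET = {"objectclass", "samaccountname", "mail", "givenname", "sn"}

def expand(template, user):
    """Expand the Dovecot variables the post's config uses:
    %u = full user, %n = local part (before '@'), %d = domain part."""
    local, _, domain = user.partition("@")
    subs = {"%u": user, "%n": local, "%d": domain}
    return re.sub(r"%[und]", lambda m: subs[m.group(0)], template)

def parse_filter(text):
    """Parse a minimal RFC 4515 filter: (&..), (|..), (!..), (attr=value).
    Values containing ')' or backslash escapes are not handled."""
    def node(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] in "&|!":
            op, items, i = text[i], [], i + 1
            while text[i] != ")":
                child, i = node(i)
                items.append(child)
            return (op, items), i + 1
        j = text.index(")", i)
        attr, _, value = text[i:j].partition("=")
        return ("=", attr.lower(), value), j + 1
    tree, end = node(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (dict attr -> list of values)."""
    op = tree[0]
    if op == "&":
        return all(matches(t, entry) for t in tree[1])
    if op == "|":
        return any(matches(t, entry) for t in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    # An equality assertion on an attribute the entry does not carry is
    # Undefined in LDAP and never matches, so that OR branch silently drops out.
    # AD compares these string attributes case-insensitively; so do we.
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def global_catalog_view(entries):
    """The same entries as read through port 3268 (partial attribute set only)."""
    return [{a: v for a, v in e.items() if a in GC_PARTIAL_ATTRIBUTE_SET}
            for e in entries]

def user_attrs(entry):
    """Apply user_attrs: ldapAttr=field=template, with %$ replaced by the
    attribute value; an empty ldapAttr means a static field value."""
    fields = {}
    for item in USER_ATTRS.split(","):
        ldap_attr, _, rest = item.partition("=")
        field, _, template = rest.partition("=")
        value = entry[ldap_attr.lower()][0] if ldap_attr else ""
        fields[field] = template.replace("%$", value)
    return fields

def userdb_lookup(entries, user):
    """What the auth-master socket answers to 'USER <id> <user> service=deliver':
    the userdb fields of the first matching entry, or None for NOTFOUND."""
    tree = parse_filter(expand(USER_FILTER, user))
    for entry in entries:
        if matches(tree, entry):
            return user_attrs(entry)
    return None

if __name__ == "__main__":
    for user in ("mark.schaub@sau24.org", "tech@sau24.org"):
        print(user, "-> DC:", userdb_lookup(DIRECTORY, user),
              "| GC:", userdb_lookup(global_catalog_view(DIRECTORY), user))
```

Run against the constructed entry, mark.schaub@sau24.org resolves through the (mail=...) branch in both views and comes back as home=/home/vmail/mschaub uid=501 gid=501, while tech@sau24.org only resolves in the view that still carries otherMailbox; in the other it is NOTFOUND, which is the shape of the log lines above. The check to run on the real directory is the same search with the same bind DN against both ports, e.g. `ldapsearch -x -H ldap://delldb.sau24.org:389 -D 'cn=Mail User,cn=Users,dc=sau24,dc=org' -W -b 'dc=sau24,dc=org' '(otherMailbox=tech@sau24.org)' sAMAccountName` and again with `:3268` (`-W` prompts for dnpass instead of putting it on the command line). If only the port 389 search returns the entry, the attribute is not in the global catalog and the userdb lookup has to go to a domain controller on 389 (or 636 with TLS) rather than to the GC. Two smaller points from the posted configuration: the (sAMAccountName=%n) branch of user_filter means mail addressed to any account name at sau24.org is delivered to that account whether or not it carries that address, which is worth a second look if the same file keeps serving both login and delivery; and both auth sockets are created with mode 0666, whereas the Dovecot LDA documentation for this version creates the auth-master socket with mode 0600 owned by the user deliver runs as, since any local account that can open it can look up any user's home, uid and gid.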

