[Dovecot] dovecot + Active Directory + LDA

Christian Lyra lyra at pop-pr.rnp.br
Sun Apr 4 23:50:02 EEST 2010


Hi there,

I'm working on a setup with postfix (2.5.5) + dovecot (1.2.11) using an
Active Directory user backend. At first, I used the instructions found
here[1] to do the base configuration. As I understand, I need to use
dovecot as an LDA to be able to use the quota plugin and have a
per-user quota configuration, and this led me to two distinct (and
opposed) configuration options. It seems that the usual dovecot + AD
configuration uses the "auth_bind = yes" option, where dovecot
tries to bind to AD using user credentials. *But* to be able to use
LDA, dovecot can't rely on user credentials, as there's none when a
mail arrives, so one needs to use "auth_bind = no" and choose a "user"
to bind to AD, using the dn and dnpass options. Am I right until here?

I could just use auth_bind=no *IF* the "dn" user has the necessary
privileges to read other AD users' passwords (like an administrator
user). Is this correct? Well, anticipating that the AD sysadmin guy
will not be happy with this, I thought that maybe I could "mix" the
two configurations, since I don't need the user password to find the user's
mailbox (while delivering), but I do while doing his authentication. I
may use one configuration for userdb, and another for passdb. BUT
(again!) there's another problem, since delivering needs "email"
(user at domain) and authentication needs "user" values (and it's
perfectly valid that one should use "John Doe" as user, and foo at bar as
email!). So, I messed a little with user filters and got this
configuration:

dovecot.conf:

mail_uid = 1001
mail_gid = 1001

passdb ldap {
  args = /etc/dovecot/dovecot-ldap-pass.conf
}

userdb ldap {
  args = /etc/dovecot/dovecot-ldap.conf
}

dovecot-ldap-pass.conf:
hosts = 10.x.x.x
base = dc=mydomain,dc=com,dc=br
ldap_version = 3
auth_bind = yes
auth_bind_userdn = mydomain\%u

dovecot-ldap.conf:
hosts = 10.x.x.x
auth_bind = no
dn = cn=Unprivileged User,cn=Users,dc=mydomain,dc=com,dc=br
dnpass = 123456
ldap_version = 3
base = dc=mydomain,dc=com,dc=br
deref = never
scope = subtree
user_attrs = sAMAccountName=mail=maildir:/var/vmail/%$/Maildir
user_filter = (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)))
pass_attrs = sAMAccountName=user,userPassword=password
pass_filter = (&(objectClass=person)(sAMAccountName=%u))


The "pass_attrs" and "pass_filter" in dovecot-ldap.conf are not
used. The clever part, or the incredibly stupid one, is the filter
 (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u))) which means
"find some person with email=something OR some person with
username=user". I'm not sure of the full implications this could
have... Anyway, it's working, as the system accepts emails and the
user can retrieve it using pop3.

Is there a better way of doing all this? Is it safe to bind dovecot to
AD with the necessary privileges to read user passwords? I'm no AD
expert, but can this special user be "read-only"?

thanks in advance

[1] http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/

-- 
Christian Lyra
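As an added illustration (not part of the original post, and not Dovecot's own code): a small Python model of the two lookups the posted configuration performs. It evaluates the user_filter and pass_filter templates against a constructed in-memory directory, expands %u with RFC 4515 escaping (as Dovecot does for %-variables in LDAP filters), and builds the maildir path from the user_attrs template. The directory entries, the sample mail domain and the `escape=False` switch are assumptions for the demonstration only; the switch exists to show one of the "implications" the post wonders about: with a naive substitution, a login name of "*" would match every person and make the userdb lookup ambiguous, and the model refuses to pick a mailbox when more than one entry matches.

```python
import re

# Constructed sample directory (assumption for this example, not real AD data).
# Attribute values are lists to mirror LDAP multi-valued attributes.
DIRECTORY = [
    {"objectClass": ["person"], "sAMAccountName": ["jdoe"],
     "mail": ["john.doe@mydomain.com.br"]},
    {"objectClass": ["person"], "sAMAccountName": ["asmith"],
     "mail": ["alice@mydomain.com.br"]},
    # A mail-enabled group: it has a mail attribute but is not a person.
    {"objectClass": ["group"], "sAMAccountName": ["staff"],
     "mail": ["staff@mydomain.com.br"]},
]

# Templates copied from the posted configuration.
USER_FILTER = "(&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)))"
PASS_FILTER = "(&(objectClass=person)(sAMAccountName=%u))"
MAILDIR_TEMPLATE = "maildir:/var/vmail/%$/Maildir"   # %$ = the sAMAccountName value


def ldap_escape(value):
    """Escape a value for use inside a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def expand(template, user, escape=True):
    """Dovecot-style %u expansion; escape=False models a naive substitution."""
    return template.replace("%u", ldap_escape(user) if escape else user)


def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse(s, i=0):
    """Recursive-descent parser for the filter subset used here: & | ! and attr=value."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, subs), i + 1
    j = s.index(")", i)                  # escaped parens appear as \28 / \29, never raw
    attr, _, pattern = s[i:j].partition("=")
    return ("=", attr, pattern), j + 1


def attr_values(entry, attr):
    """Attribute names are case-insensitive in LDAP."""
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return v
    return []


def value_matches(pattern, value):
    # An unescaped '*' is a wildcard; everything else is literal after unescaping.
    regex = ".*".join(re.escape(unescape(p)) for p in pattern.split("*"))
    # AD string attributes such as mail and sAMAccountName match case-insensitively.
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(node, entry):
    if node[0] == "=":
        _, attr, pattern = node
        return any(value_matches(pattern, v) for v in attr_values(entry, attr))
    op, subs = node
    if op == "&":
        return all(matches(n, entry) for n in subs)
    if op == "|":
        return any(matches(n, entry) for n in subs)
    return not matches(subs[0], entry)


def search(filter_str, directory=DIRECTORY):
    node, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e for e in directory if matches(node, e)]


def account_names(entries):
    return [e["sAMAccountName"][0] for e in entries]


def resolve_mailbox(user, escape=True):
    """userdb lookup as both the LDA and the POP3 login perform it: %u may be a
    mail address or an account name; the mailbox is always keyed by sAMAccountName."""
    hits = search(expand(USER_FILTER, user, escape))
    if len(hits) != 1:
        return None           # nothing found, or ambiguous: refuse rather than guess
    return MAILDIR_TEMPLATE.replace("%$", hits[0]["sAMAccountName"][0])


def login_lookup(user):
    """pass_filter lookup: only the account name is accepted, not the mail address."""
    return account_names(search(expand(PASS_FILTER, user)))


if __name__ == "__main__":
    print(resolve_mailbox("john.doe@mydomain.com.br"))   # delivery, keyed by mail
    print(resolve_mailbox("jdoe"))                        # POP3 login, keyed by account
    print(login_lookup("john.doe@mydomain.com.br"))       # []: login needs the account name
    print(account_names(search(expand(USER_FILTER, "*", escape=False))))  # every person
    print(resolve_mailbox("*"))                           # None: escaped, matches nobody
```

Two practical caveats that go with the posted files: dnpass is a cleartext credential, so the file holding it needs restrictive permissions, and Active Directory does not return password hashes over LDAP to any reader, however privileged, which is why auth_bind = yes remains the usual passdb choice against AD.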

