Problem to configure dovecot-ldap.conf.ext
Günther J. Niederwimmer
gjn@gjn.priv.at
Tue Oct 25 13:25:36 UTC 2016
Hello Steffen and List,
Thanks for the answer and help,
I mean I found the biggest problem: it is "auth_bind_userdn = ".
Please read the rest ;-)
On Tuesday, 25 October 2016, 12:19:08, Steffen Kaiser wrote:
> On Tue, 25 Oct 2016, Günther J. Niederwimmer wrote:
> > I setup ldap (FreeIPA) to have a user for dovecot that can (read search
> > compare) all attributes that I need for dovecot.
> >
> > I must also have mailAlternateAddress
> >
> > When I make a ldapsearch with this user, I found all I need to configure
> > dovecot.
> >
> > doveadm auth test office
> > and
> > doveadm auth test office@examle.com
> >
> > with success authentication
> >
> > but when I make a
> > doveadm auth test info@example.co (mailAlternateAddress)
>
> I guess the missing 'm' in .co is a typo?
;-) Yes
> Do you find
> doveadm user -u office
> doveadm user -u office@examle.com
> doveadm user -u info@example.com
Yes, this is working with all users?
doveadm user -u office
userdb: office
user : office
home : /srv/vmail/office
uid : 10000
gid : 10000
doveadm user -u info@example.com
userdb: info@example.com
user : office
home : /srv/vmail/office
uid : 10000
gid : 10000
> > I have a broken authentication
> >
> > Can any give me a hint what is wrong, or is this not possible ?
>
> Show us your LDAP record of this user.
This is the result of an ldapsearch with dovecot's special user, from the dovecot system!
ldapsearch -w 'XXXXXXXXXXX' -h ipa.example.com -D 'uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com' -s sub -b 'dc=example,dc=com' 'mail=office@example.com'
I can also search for 'mailAlternateAddress=info@example.com' with the same
result.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: mail=office@example.com
# requesting: ALL
#
# office, users, accounts, example.com
dn: uid=office,cn=users,cn=accounts,dc=example,dc=com
st: AUSTRIA
l: Salzburg
postalCode: 5020
krbPasswordExpiration: 20380101000000Z
krbLastPwdChange: 20160929133721Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com
mailAlternateAddress: info@example.com
displayName:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
uid: office
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: mailrecipient
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/bash
initials: GN
gecos:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
sn: Niederwimmer
homeDirectory: /home/office
mail: office@example.com
krbPrincipalName: office@example.COM
givenName:: R8O8bnRoZXIgSi4=
cn:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
ipaUniqueID: 3a6e2256-8648-11e6-b45d-5254002cd3fc
uidNumber: 1507800005
gidNumber: 1507800005
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
> > # Distinguished Name - the username used to login to the LDAP server.
> > # Leave it commented out to bind anonymously (useful with auth_bind=yes).
> > dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> >
> > # Password for LDAP server, if dn is specified.
> > dnpass = 'XXXXXXXXXXXXXX'
> >
> > # Use SASL binding instead of the simple binding. Note that this changes
> > # ldap_version automatically to be 3 if it's lower. Also note that SASL
> > # binds and auth_bind=yes don't work together.
> > sasl_bind = yes
> > # SASL mechanism name to use.
> > sasl_mech = gssapi
> > # SASL realm to use.
> > sasl_realm = EXAMPLE.COM
> > # SASL authorization ID, ie. the dnpass is for this "master user", but the
> > # dn is still the logged in user. Normally you want to keep this empty.
> > sasl_authz_id = imap/mx01.example.com@EXAMPLE.COM
>
> Dunno with SASL and Co.
OK, OK, this was a test and I am reverting this ;-).
Now I have
#sasl_bind = yes
This is my next problem, to find out whether this is working correctly on my system ;-).
> > # Use authentication binding for verifying password's validity. This works
> > # by logging into LDAP server using the username and password given by
> > # client. The pass_filter is used to find the DN for the user. Note that
> > # the pass_attrs is still used, only the password field is ignored in it.
> > # Before doing any search, the binding is switched back to the default DN.
> > auth_bind = yes
> >
> > # If authentication binding is used, you can save one LDAP request per
> > # login if users' DN can be specified with a common template. The
> > # template can use the standard %variables (see user_filter). Note that
> > # you can't use any pass_attrs if you use this setting.
> > #
> > # If you use this setting, it's a good idea to use a different
> > # dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long
> > # as the filename is different in userdb's args). That way one connection
> > # is used only for LDAP binds and another connection is used for user
> > # lookups. Otherwise the binding is changed to the default DN before each
> > # user lookup.
> > #
> > # For example:
> > #   auth_bind_userdn = cn=%u,ou=people,o=org
> > #
> > auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com
>
> That one looks strange, you really have an account (uid=office@examle.com)?
I mean I don't understand this at the moment (?), but I can comment this out?
I am now also making tests with "#auth_bind_userdn = uid=%n...." commented out,
and now the tests are WORKING!!!
Now I have to find out the correct syntax for auth_bind_userdn!!! If it is
possible?
> > # Search scope: base, onelevel, subtree
> > scope = subtree
> > #scope = onelevel
> >
> > # User attributes are given in LDAP-name=dovecot-internal-name list. The
> > # internal names are:
> > # uid - System UID
> > # gid - System GID
> > # home - Home directory
> > # mail - Mail location
> > #
> > # There are also other special fields which can be returned, see
> > # http://wiki2.dovecot.org/UserDatabase/ExtraFields
> > #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
> > user_attrs = uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000
> >
> > # Filter for user lookup. Some variables can be used (see
> > # http://wiki2.dovecot.org/Variables for full list):
> > # %u - username
> > # %n - user part in user@domain, same as %u if there's no domain
> > # %d - domain part in user@domain, empty if there's no domain
> > user_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))
>
> If doveadm user -u info@example.co
> returns your entry, this filter is OK.
Yes, this filter is OK ;-)
> > # Password checking attributes:
> > # user: Virtual user name (user@domain), if you wish to change the
> > # user-given username to something else
> > # password: Password, may optionally start with {type}, eg. {crypt}
> > # There are also other special fields which can be returned, see
> > # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
> > pass_attrs = uid=user,userPassword=password,mailAlternateAddress=user
>
> you cannot return two values for user, I guess you like to have "uid", so
>
> pass_attrs = uid=user,userPassword=password
OK, I changed it back; these are only tests to find the correct setup for
dovecot.
> > # Filter for password lookups
> > #pass_filter = (&(objectClass=posixAccount)(uid=%u))
> > pass_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))
>
> Looks good, if doveadm user -u info@example.co returns something sensible,
> because the user filter is the same.
:-)
> > # Attributes and filter to get a list of all users
> > iterate_attrs = uid=user, mailAlternateAddress=user
>
> same as pass_attr.
>
> > iterate_filter = (objectClass=posixAccount)
>
> Looks strange, should be
>
> iterate_filter = (objectClass=mailrecipient)
Changed to your parameters.
> > # Default password scheme. "{scheme}" before password overrides this.
> > # List of supported schemes is in: http://wiki2.dovecot.org/Authentication
> > #default_pass_scheme = CRYPT
As I said before, with "auth_bind_userdn" commented out the authentication is
also working now with "mailAlternateAddress= xxxxxxxxx".
Many thanks for the hint ;-)
--
kind regards / best regards,
Günther J. Niederwimmer
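Added example, not part of the thread: a small Python model of why the alias login failed with auth_bind_userdn set and succeeded once it was commented out. With the template, Dovecot builds the bind DN from the login name alone (uid=%n) and never searches, so an alias such as info@example.com expands to a uid that does not exist; without it, pass_filter is searched and the matching entry's DN is used. The directory entry is constructed to mirror the LDIF above, and matches_filter is a hand-coded equivalent of the thread's filter rather than a general LDAP filter parser.

```python
# Template and filter taken from the thread; directory entry constructed to mirror its LDIF.
TEMPLATE = "uid=%n,cn=users,cn=accounts,dc=example,dc=com"
DIRECTORY = {
    "uid=office,cn=users,cn=accounts,dc=example,dc=com": {
        "objectClass": {"mailrecipient", "posixaccount", "inetorgperson"},
        "uid": "office",
        "mail": "office@example.com",
        "mailAlternateAddress": "info@example.com",
    },
}

def expand(template, login):
    """Expand %u, %n, %d and the %L (lowercase) modifier, e.g. %Ln, %Lu."""
    user, _, domain = login.partition("@")
    values = {"u": login, "n": user, "d": domain}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%":
            lower = template[i + 1] == "L"
            key = template[i + 2] if lower else template[i + 1]
            val = values.get(key, "")
            out.append(val.lower() if lower else val)
            i += 3 if lower else 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

def matches_filter(attrs, login):
    """Hand-coded equivalent of the thread's pass_filter / user_filter:
    (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))"""
    if "mailrecipient" not in attrs["objectClass"]:
        return False
    ln, lu = expand("%Ln", login), expand("%Lu", login)
    return attrs["uid"] == ln or lu in (attrs["mail"], attrs.get("mailAlternateAddress"))

def bind_dn(login, auth_bind_userdn=None):
    """DN Dovecot would bind with for this login, or None when auth fails.
    With auth_bind_userdn the DN comes from the template alone (no search);
    without it pass_filter is searched and the matching entry's DN is used."""
    if auth_bind_userdn:
        dn = expand(auth_bind_userdn, login)
        return dn if dn in DIRECTORY else None
    for dn, attrs in DIRECTORY.items():
        if matches_filter(attrs, login):
            return dn
    return None
```

Calling bind_dn("info@example.com", TEMPLATE) returns None, while bind_dn("info@example.com") resolves to the office entry's DN, matching the behaviour seen in the thread.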