Hi,
I would like to ask about one more thing regarding LDAP server authentication.
Am I understanding correctly that the auth_bind option, regardless of whether it is set to yes or no, and even if anonymous access to the LDAP directory is blocked, must be used with dn=cn=manager,dc=example,dc=com and dnpass=password to enable authentication?
It seems to me that there are no other cases where Dovecot can query the LDAP server directly using the login and password provided by the client. To perform authentication, it must execute a BIND by an intermediate user, regardless of where the password check takes place - in LDAP or in Dovecot.
Are there any other ways for the client to log in directly with their credentials on the Dovecot server?
Hi,
I reviewed your guidelines and focused only on how olcAccess works to block anonymous users. I installed a blank native Debian and, interestingly, the default Debian rules also allow anonymous reading of the LDAP directory.
olcAccess by Debian:
olcAccess: {0} to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1} to attrs=shadowLastChange by self write by * read
olcAccess: {2} to * by * read
After analyzing everything and testing, I started with two rules that block anonymous users and at the same time grant access to logged-in users. I realize that this is probably not enough and I should include some permissions in this, but this is the initial setting on which I can continue to work.
olcAccess by me:
olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1} to * by self write by users read by anonymous auth by * none
Thank you for your help.
On Wed, May 17, 2023 at 7:57 AM Andrzej Milewski <andrzej.milewski@gmail.com> wrote:
Hi,
I'm trying to set up a production mail server. I have installed Dovecot on Debian from the package. For authentication, I have another machine running OpenLDAP, also installed on Debian. I would like the end mail client to authenticate with Dovecot using the login and password set in LDAP.
In the LDAP-related configuration, I have:
auth_bind=yes
base = ou=Users,dc=example,dc=com
user_attrs = mail=couriermaildir:~/Maildir,homeDirectory=/home/%d/%uid/,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password,\
pass_filter = (&(objectClass=posixAccount)(uid=%u))
The LDAP user is entered as uid=user@example.com. With the default olcAccess permissions, it works and logs in correctly.
Here are my default olcAccess settings after installation:
# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcAccess: {0}to dn.children="ou=Idmaps,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=laktopol,dc=pl" write by * none
olcAccess: {1}to dn.subtree="ou=Idmaps,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {2}to dn.children="ou=Hosts,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {3}to dn.subtree="ou=Hosts,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {4}to dn.children="ou=Users,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=nsspam,dc=laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {5}to dn.children="ou=Users,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=nsspam,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {6}to filter=(objectClass=sambaDomain) by dn="cn=samba,dc=laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {7}to dn.base="dc=example,dc=com" attrs=children by dn="cn=samba,dc=laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {8}to attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=nsspam,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {9}to attrs=shadowLastChange by self write by * read
olcAccess: {10} to * by * read

However, I am not satisfied with these settings because using the anonymous user, anyone can browse the entire LDAP tree. While passwords are not visible with anonymous login, user data in the LDAP domain is exposed.
If I change the last olcAccess entry from "olcAccess: {10} to * by * read" to "olcAccess: {10} to * by anonymous auth", the anonymous user cannot browse LDAP, but the mail client user also cannot log in.
What should be the correct configuration?
--
Andrzej
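As an added illustration (not code from the thread or from Dovecot/OpenLDAP), a small Python model of how slapd evaluates olcAccess (first matching "to" clause, then first matching "by" clause, otherwise no access), applied to the rule sets quoted above. It shows why "to * by anonymous auth" breaks the pass_filter search that auth_bind=yes performs before the client's own bind, and why that search then needs an authenticated dn=/dnpass= account, as the first message asks. The attribute names uid/userPassword and the helper functions are assumptions; dn.children/dn.subtree scoping from the full ACL is not modelled.

```python
import re

# slapd access levels, weakest to strongest; a grant of level X implies every lower one
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acl(text):
    """Parse a subset of olcAccess: '{n} to [*|attrs=a,b] by <who> <level> ...' (dn scoping ignored)."""
    rules = []
    for line in text.strip().splitlines():
        m = re.match(r"olcAccess:\s*\{\d+\}\s*to\s+(.*?)\s+by\s+(.*)$", line)
        am = re.search(r"attrs=(\S+)", m.group(1))
        attrs = set(am.group(1).split(",")) if am else set()       # empty set means "to *"
        clauses = [tuple(c.split()) for c in re.split(r"\s+by\s+", m.group(2))]  # (who, level)
        rules.append((attrs, clauses))
    return rules

def access(rules, who, attr, is_self=False):
    """First 'to' clause matching attr wins, then its first matching 'by'; who is 'anonymous' or a bound DN."""
    for attrs, clauses in rules:
        if attrs and attr not in attrs:
            continue
        for subj, level in clauses:
            if (subj == "*" or (subj == "anonymous" and who == "anonymous")
                    or (subj == "users" and who != "anonymous")
                    or (subj == "self" and is_self)
                    or (subj.startswith('dn="') and who == subj[4:-1])):
                return level
        return "none"   # a 'to' clause matched but no 'by' clause did: access denied
    return "none"

def can(rules, who, attr, need, is_self=False):
    return LEVELS.index(access(rules, who, attr, is_self)) >= LEVELS.index(need)

def can_find_user(rules, searcher):
    """auth_bind step 1: Dovecot searches pass_filter (uid=%u) as 'searcher' (anonymous unless dn=/dnpass= is set)."""
    return can(rules, searcher, "uid", "search")

def can_bind_as_user(rules):
    """auth_bind step 2: the client's bind is evaluated while still anonymous and needs 'auth' on userPassword."""
    return can(rules, "anonymous", "userPassword", "auth")

# Rule sets quoted in the thread, re-typed here as constructed input for the model
DEBIAN_DEFAULT = parse_acl("""
olcAccess: {0} to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1} to attrs=shadowLastChange by self write by * read
olcAccess: {2} to * by * read""")
LOCKED_DOWN = parse_acl("""
olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1} to * by self write by users read by anonymous auth by * none""")
```

With LOCKED_DOWN, can_find_user(..., "anonymous") is False while can_find_user(..., "cn=manager,dc=example,dc=com") is True, which is exactly the case where Dovecot needs dn=/dnpass= for the lookup even though the final password check is the client's own bind.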