On 31/10/2013 10:42, Achim Gottinger wrote:
On 30.10.2013 21:17, me@electronico.nc wrote:
Hello and thanks for your answer.
On 30/10/2013 19:32, Steffen Kaiser wrote:
On Wed, 30 Oct 2013, me@electronico.nc wrote:
passdb {
  args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
  driver = ldap
}
/etc/dovecot/dovecot-ldap-passdb.conf.ext:
hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan
You define your bind DN as cn=%u,OU=users,dc=domain,dc=lan
ldap_version = 3
base = ou=users,dc=domain,dc=lan
scope = subtree
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
You should use
/etc/dovecot/dovecot-ldap-passdb.conf.ext
hosts = localhost
dn = cn=ldap,cn=Users,DC=domain,DC=lan
dnpass = My_secret_pass
auth_bind = yes
ldap_version = 3
base = OU=users,DC=domain,DC=lan
scope = subtree
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))

That way pass_filter should match cn=%u,OU=administrative,OU=Users,DC=domain,DC=lan as well. Take a look at http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds DN lookup vs. DN template.
On 31.10.2013 01:11, me@electronico.nc wrote:
Hello Achim,
Thanks for your answer :-)
Sure it works OK, as soon as I specify dn & dnpass (that I omitted in passdb... :-[ )
Many thanks again!
Nicolas

The problem was auth_bind_userdn, which only matched users in OU=users. If you use that type of password check, pass_filter is not used. Now dovecot binds as user dn first, does a lookup of the user's dn via pass_filter and uses the result as the dn for the password verification via a second bind to ldap.

If you use the LDAP server from an Active Directory, I'd recommend you use
pass_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*)).
Because if you use Windows Remote Admin Tools to create users, the user's dn is usually something like dn=cn=[Full Name],ou=Users,dc=domain,dc=lan and cn=[Full Name]. sAMAccountName, however, holds the user's login name.
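
The difference between the DN template and the DN lookup discussed in this thread, as an added example that is not part of the original messages and is not Dovecot code. It models both strategies against a constructed in-memory directory; the entries, passwords and the function names (bind, auth_template, auth_lookup) are assumptions made for illustration.

```python
BASE = "ou=users,dc=domain,dc=lan"

# Constructed sample entries (DN, attributes); not taken from a real directory.
ENTRIES = [
    ("cn=alice,ou=users,dc=domain,dc=lan",
     {"objectClass": "person", "cn": "alice", "sAMAccountName": "alice",
      "mail": "alice@domain.lan", "password": "pw-alice"}),
    ("cn=bob,ou=administrative,ou=users,dc=domain,dc=lan",
     {"objectClass": "person", "cn": "bob", "sAMAccountName": "bob",
      "mail": "bob@domain.lan", "password": "pw-bob"}),
    ("cn=Carol Smith,ou=users,dc=domain,dc=lan",
     {"objectClass": "person", "cn": "Carol Smith", "sAMAccountName": "csmith",
      "mail": "carol@domain.lan", "password": "pw-carol"}),
]


def bind(dn, password):
    """Simple bind: the exact DN must exist and the password must match."""
    if not password:
        # An empty password would be an unauthenticated bind; never accept it.
        return False
    for entry_dn, attrs in ENTRIES:
        if entry_dn.lower() == dn.lower():
            return attrs["password"] == password
    return False


def auth_template(user, password):
    """auth_bind_userdn style: DN built from a fixed template, no search."""
    return bind(f"cn={user},{BASE}", password)


def auth_lookup(user, password, login_attr="cn"):
    """dn/dnpass + pass_filter style: subtree search, then bind as the DN found."""
    suffix = "," + BASE.lower()
    matches = [dn for dn, a in ENTRIES
               if dn.lower().endswith(suffix)           # scope = subtree
               and a["objectClass"] == "person"
               and a[login_attr].lower() == user.lower()
               and a.get("mail")]                       # (mail=*)
    if len(matches) != 1:  # no entry, or an ambiguous match: refuse
        return False
    return bind(matches[0], password)


if __name__ == "__main__":
    print("template, bob in sub-OU:", auth_template("bob", "pw-bob"))
    print("lookup,   bob in sub-OU:", auth_lookup("bob", "pw-bob"))
    print("lookup by cn, csmith:   ", auth_lookup("csmith", "pw-carol"))
    print("lookup by sAMAccountName:",
          auth_lookup("csmith", "pw-carol", "sAMAccountName"))
```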