Hi, I'm trying to set up a production mail server. I have installed Dovecot on Debian from the package. For authentication, I have another machine running OpenLDAP, also installed on Debian. I would like the end mail client to authenticate with Dovecot using the login and password set in LDAP.
In the LDAP-related configuration, I have:
auth_bind=yes
base = ou=Users,dc=example,dc=com
user_attrs =
mail=couriermaildir:~/Maildir,homeDirectory=/home/%d/%uid/,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password,
pass_filter = (&(objectClass=posixAccount)(uid=%u))
The LDAP user is entered as uid=user@example.com. With the default olcAccess permissions, it works and logs in correctly.
Here are my default olcAccess settings after installation: # {1}mdb, config dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=example,dc=com olcAccess: {0}to dn.children="ou=Idmaps,dc=example,dc=com" attrs=userPassword, shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous a uth by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=laktopol,dc=p l" write by * none olcAccess: {1}to dn.subtree="ou=Idmaps,dc=example,dc=com" by self write by dn= "cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write b y * read olcAccess: {2}to dn.children="ou=Hosts,dc=example,dc=com" attrs=userPassword,s hadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous au th by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com " write by * none olcAccess: {3}to dn.subtree="ou=Hosts,dc=example,dc=com" by self write by dn=" cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by olcAccess: {4}to dn.children="ou=Users,dc=example,dc=com"
- read
attrs=userPassword,s hadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous au th by dn="cn=samba,dc=example,dc=com" write by dn="cn=nsspam,dc=laktopol,dc=p l" write by dn="cn=admin,dc=example,dc=com" write by * none olcAccess: {5}to dn.children="ou=Users,dc=example,dc=com" by self write by dn= "cn=samba,dc=example,dc=com" write by dn="cn=nsspam,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read olcAccess: {6}to filter=(objectClass=sambaDomain) by dn="cn=samba,dc=laktopol, dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * read olcAccess: {7}to dn.base="dc=example,dc=com" attrs=children by dn="cn=samba,dc =laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * read olcAccess: {8}to attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPa ssword by self write by anonymous auth by dn="cn=nsspam,dc=example,dc=com" wr ite by dn="cn=admin,dc=example,dc=com" write by * none olcAccess: {9}to attrs=shadowLastChange by self write by * read olcAccess: {10} to * by * read
However, I am not satisfied with these settings because using the anonymous user, anyone can browse the entire LDAP tree. While passwords are not visible with anonymous login, user data in the LDAP domain is exposed.
If I change the last olcAccess entry from "olcAccess: {10} to * by * read" to "olcAccess: {10} to * by anonymous auth," the anonymous user cannot browse LDAP, but the mail client user also cannot log in.
What should be the correct configuration?
Andrzej