You have two ways of authenticating against LDAP. I decided to use the method where a single account has access to the user credentials. (Advantage of this method: you can limit LDAP lookups, e.g. you do not have to do a 2nd one for the userdb.)
debug_level = 1
uris = ldaps://ldap.local:8443
dn = cn=aaaa,cn=bbbbb,ou=ccccc,dc=dddd,dc=eeee,dc=local
dnpass = xxxx
base = ou=asdfadsfa,ou=hhhh,ou=ggg,dc=fffff,dc=eeee,dc=local
scope = subtree
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password,host=host,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
However, I did not have any issues authenticating against LDAP with yours either. But using the %u
-----Original Message-----
From: Luke Schierer [mailto:luke-dovecot@schierer.org]
Sent: Monday 31 August 2020 21:32
To: dovecot@dovecot.org
Subject: using %d as a variable in the ldap search base
Hi,
I'm trying to configure dovecot to use LDAP authentication directly, and I'm having a bit of trouble. I have a somewhat unusual setup, in that I have an LDAP directory that has 3 OUs each of which have their own set of users, some of which overlap. As I was trying to figure things out, I was setting the search base in my /etc/dovecot/dovecot-ldap.conf.ext file which is referenced by /etc/dovecot/conf.d/auth-ldap.conf.ext file to
base = ou=%d,dc=thecrazyguys,dc=net
However, the resulting searches against the directory end up just dropping the %d, resulting in
ou=,dc=thecrazyguys,dc=net
which is invalid. On a whim, I tried a search base of
base = dc=%d,dc=thecrazyguys,dc=net
and found that it did correctly substitute in the variable, which would be correct, except that my ldap tree is set up with OUs and not an extra DC segment.
For whatever reason, it will do variable substitution for dc=%d, but not for ou=%d. This is certainly not documented, and seems like wrong behavior, since having an OU in a search base is valid.
I'm including configuration information below. Please let me know if I've missed including information that is required.
Thanks! Luke
luke@schierer@littera001:/etc/dovecot$ lsb_release -rd
Description:    Ubuntu 18.04.5 LTS
Release:        18.04
luke@schierer@littera001:/etc/dovecot$

luke@schierer@littera001:/etc/dovecot$ dpkg -l | grep -i dovecot
ii  dovecot-core   1:2.2.33.2-1ubuntu4.6  amd64
ii  dovecot-imapd  1:2.2.33.2-1ubuntu4.6  amd64
ii  dovecot-ldap   1:2.2.33.2-1ubuntu4.6  amd64
ii  dovecot-pop3d  1:2.2.33.2-1ubuntu4.6  amd64
luke@schierer@littera001:/etc/dovecot$

root@littera001:/etc/dovecot# dovecot -n
# 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.21 (92477967)
# OS: Linux 4.15.0-112-generic x86_64 Ubuntu 18.04.5 LTS
auth_verbose = yes
first_valid_uid = 1001
imap_hibernate_timeout = 100 secs
lock_method = dotlock
mail_cache_min_mail_count = 15
mail_fsync = always
mail_location = maildir:~/Maildir:LAYOUT=fs:INDEX=MEMORY
mail_nfs_index = yes
mail_nfs_storage = yes
mail_privileged_group = mail
mailbox_list_index = yes
maildir_broken_filename_sizes = yes
maildir_very_dirty_syncs = yes
mbox_min_index_size = 10 B
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = /
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = " imap pop3"
ssl_cert =
root@littera001:/etc/dovecot# cat /etc/dovecot/dovecot-ldap.conf.ext | grep -v ^# | uniq | more
hosts = censor001.plerumque.thecrazyguys.net
tls = yes
tls_require_cert = allow
debug_level = 4
auth_bind = yes
base = ou=%d,dc=thecrazyguys,dc=net
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%n))
blocking = no
root@littera001:/etc/dovecot#
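As an added illustration of what both configurations above rely on (the %u/%n filter in the reply and the ou=%d search base in the original post), here is a small Dovecot-style expansion of %u, %n and %d into a base DN and a user filter. It is my own example, not Dovecot's code and not from either poster: it applies RFC 4514 escaping to values placed in a DN and RFC 4515 escaping to values placed in a filter, and it flags the empty-RDN base (ou=,dc=...) that results whenever %d expands to nothing, which is what happens for a login that carries no @domain part.

```python
# Added example: Dovecot-style %u/%n/%d expansion with LDAP escaping.
# Not Dovecot's implementation; the variable semantics mirror Dovecot's
# (%u = full login, %n = part before '@', %d = part after '@').
import re

def split_user(login: str):
    """Return (user, name, domain) as %u, %n and %d would see them."""
    name, _, domain = login.partition("@")
    return login, name, domain

def escape_filter(value: str) -> str:
    """RFC 4515: escape characters that are special inside a search filter."""
    out = []
    for ch in value:
        out.append("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch)
    return "".join(out)

def escape_dn(value: str) -> str:
    """RFC 4514: escape characters that are special in a DN attribute value."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;\x00':
            out.append("\\%02x" % ord(ch))
        elif ch == "#" and i == 0:
            out.append("\\23")                      # leading '#' only
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\20")                      # leading/trailing space
        else:
            out.append(ch)
    return "".join(out)

VAR = re.compile(r"%[und]")

def expand(template: str, login: str, escape) -> str:
    """Substitute %u, %n, %d in template, escaping each value for its context."""
    user, name, domain = split_user(login)
    values = {"%u": user, "%n": name, "%d": domain}
    return VAR.sub(lambda m: escape(values[m.group(0)]), template)

def valid_base(dn: str) -> bool:
    """Reject a base containing an empty RDN value such as 'ou=,dc=example'."""
    rdns = re.split(r"(?<!\\),", dn)
    return all(re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*=.+", r) for r in rdns)

if __name__ == "__main__":
    for login in ("luke@mail", "luke"):             # constructed sample logins
        base = expand("ou=%d,dc=thecrazyguys,dc=net", login, escape_dn)
        print(login, "->", base, "valid" if valid_base(base) else "INVALID")
```

Run it to see the second login produce the same ou=,dc=thecrazyguys,dc=net base the original post reports.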