On Tue, 25 Oct 2016, Günther J. Niederwimmer wrote:
I set up LDAP (FreeIPA) to have a user for dovecot that can (read, search, compare) all attributes that I need for dovecot.
I must also have mailAlternateAddress.
When I do an ldapsearch with this user, I find all I need to configure dovecot.
doveadm auth test office and doveadm auth test office@examle.com
authenticate successfully,
but when I do a doveadm auth test info@example.co (mailAlternateAddress)
I guess the missing 'm' in .co is a typo?
Do you find

doveadm user -u office
doveadm user -u office@examle.com
doveadm user -u info@example.co
I have a broken authentication.
Can anyone give me a hint what is wrong, or is this not possible?
Show us your LDAP record of this user.
# Distinguished Name - the username used to login to the LDAP server.
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com

# Password for LDAP server, if dn is specified.
dnpass = 'XXXXXXXXXXXXXX'

# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
# and auth_bind=yes don't work together.
sasl_bind = yes
# SASL mechanism name to use.
sasl_mech = gssapi
# SASL realm to use.
sasl_realm = EXAMPLE.COM
# SASL authorization ID, ie. the dnpass is for this "master user", but the
# dn is still the logged in user. Normally you want to keep this empty.
sasl_authz_id = imap/mx01.example.com@EXAMPLE.COM
Dunno with SASL and Co.
# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes

# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
#
# If you use this setting, it's a good idea to use a different
# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
# the filename is different in userdb's args). That way one connection is used
# only for LDAP binds and another connection is used for user lookups.
# Otherwise the binding is changed to the default DN before each user lookup.
#
# For example:
# auth_bind_userdn = cn=%u,ou=people,o=org
# auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com
That one looks strange; you really have an account (uid=office@examle.com)?
# Search scope: base, onelevel, subtree
scope = subtree
#scope = onelevel

# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
# uid - System UID
# gid - System GID
# home - Home directory
# mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_attrs = uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000

# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if user there's no domain
user_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))
If doveadm user -u info@example.co returns your entry, this filter is OK.
# Password checking attributes:
# user: Virtual user name (user@domain), if you wish to change the
# user-given username to something else
# password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
pass_attrs = uid=user,userPassword=password,mailAlternateAddress=user
You cannot return two values for user; I guess you'd like to have "uid", so
pass_attrs = uid=user,userPassword=password
# Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
pass_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))
Looks good, if doveadm user -u info@example.co returns something sensible, because the user filter is the same.
# Attributes and filter to get a list of all users
iterate_attrs = uid=user, mailAlternateAddress=user
Same as pass_attrs.
iterate_filter = (objectClass=posixAccount)
Looks strange, should be
iterate_filter = (objectClass=mailrecipient)
# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
#default_pass_scheme = CRYPT
Steffen Kaiser
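As an added illustration (not code from the thread, from Dovecot, or from FreeIPA): a small Python check that expands the %-variables of the posted user_filter the way the config comments describe, and flags attribute lists that map two LDAP attributes onto the same dovecot field, which is the pass_attrs problem Steffen points out. The expansion covers only %u, %n and %d with the L modifier, and the RFC 4515 filter escaping is my assumption of what a safe substitution does, not a statement about Dovecot internals.

```python
import re

# Constructed sample values, copied from the dovecot-ldap.conf.ext fragments quoted in the thread.
USER_FILTER = "(&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))"
PASS_ATTRS_POSTED = "uid=user,userPassword=password,mailAlternateAddress=user"
PASS_ATTRS_FIXED = "uid=user,userPassword=password"
USER_ATTRS_POSTED = "uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000"


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter (assumed here,
    not a statement about Dovecot internals): metacharacters become \\XX hex escapes."""
    return "".join(
        "\\%02x" % ord(ch) if ch in ("*", "(", ")", "\\", "\x00") else ch for ch in value
    )


def expand_filter(template: str, username: str) -> str:
    """Expand %u / %n / %d (optionally with the L lowercase modifier) as the
    user_filter/pass_filter comments describe, escaping each substituted value."""
    local, _, domain = username.partition("@")
    values = {"u": username, "n": local, "d": domain}

    def substitute(match: re.Match) -> str:
        modifiers, var = match.group(1), match.group(2)
        if var not in values:
            raise ValueError(f"unsupported variable %{var}")
        value = values[var].lower() if "L" in modifiers else values[var]
        return ldap_escape(value)

    return re.sub(r"%([A-Z]*)([a-z])", substitute, template)


def parse_attrs(spec: str) -> list:
    """Split a pass_attrs/user_attrs/iterate_attrs list into
    (ldap_attribute, dovecot_field, template) triples; template is None when absent."""
    triples = []
    for item in filter(None, (part.strip() for part in spec.split(","))):
        ldap_attr, _, rest = item.partition("=")
        field, has_template, template = rest.partition("=")
        triples.append((ldap_attr, field, template if has_template else None))
    return triples


def duplicate_fields(spec: str) -> dict:
    """Return {dovecot_field: [ldap attributes]} for every field assigned more than once,
    which is the 'two values for user' problem in the posted pass_attrs."""
    assigned = {}
    for ldap_attr, field, _ in parse_attrs(spec):
        assigned.setdefault(field, []).append(ldap_attr)
    return {field: attrs for field, attrs in assigned.items() if len(attrs) > 1}
```

Running duplicate_fields over the posted pass_attrs and iterate_attrs reports the doubled `user` field, while the corrected pass_attrs and the posted user_attrs come back clean.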