-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On Tue, 25 Oct 2016, Günther J. Niederwimmer wrote:

I setup ldap (FreeIPA) to have a user for dovecot that can (read search compare) all attributes that I need for dovecot.

I must also have mailAlternateAddress

When I make a ldapsearch with this user, I found all I need to configure dovecot.

doveadm auth test office and doveadm auth test office@examle.com

with success authentication

but when I make a doveadm auth test info@example.co (mailAlternateAddress)

I guess the missing 'm' in .co is a typo?

Do you find doveadm user -u office doveadm user -u office@examle.com doveadm user -u info@example.co

I have a broken authentication

Can any give me a hint what is wrong, or is this not possible ?

Show us your LDAP record of this user.

Distinguished Name - the username used to login to the LDAP server.

Leave it commented out to bind anonymously (useful with auth_bind=yes).

dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com

Password for LDAP server, if dn is specified.

dnpass = 'XXXXXXXXXXXXXX'

Use SASL binding instead of the simple binding. Note that this changes

ldap_version automatically to be 3 if it's lower. Also note that SASL binds

and auth_bind=yes don't work together.

sasl_bind = yes

SASL mechanism name to use.

sasl_mech = gssapi

SASL realm to use.

sasl_realm = EXAMPLE.COM

SASL authorization ID, ie. the dnpass is for this "master user", but the

dn is still the logged in user. Normally you want to keep this empty.

sasl_authz_id = imap/mx01.example.com@EXAMPLE.COM

Dunno with SASL and Co.

Use authentication binding for verifying password's validity. This works by

logging into LDAP server using the username and password given by client.

The pass_filter is used to find the DN for the user. Note that the pass_attrs

is still used, only the password field is ignored in it. Before doing any

search, the binding is switched back to the default DN.

auth_bind = yes

If authentication binding is used, you can save one LDAP request per login

if users' DN can be specified with a common template. The template can use

the standard %variables (see user_filter). Note that you can't

use any pass_attrs if you use this setting.

If you use this setting, it's a good idea to use a different

dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as

the filename is different in userdb's args). That way one connection is used

only for LDAP binds and another connection is used for user lookups.

Otherwise the binding is changed to the default DN before each user lookup.

For example:

auth_bind_userdn = cn=%u,ou=people,o=org

auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com

That one looks strange, you really have an account (uid=office@examle.com) ?

Search scope: base, onelevel, subtree

scope = subtree #scope = onelevel

User attributes are given in LDAP-name=dovecot-internal-name list. The

internal names are:

uid - System UID

gid - System GID

home - Home directory

mail - Mail location

There are also other special fields which can be returned, see

http://wiki2.dovecot.org/UserDatabase/ExtraFields

#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid user_attrs = uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000

Filter for user lookup. Some variables can be used (see

http://wiki2.dovecot.org/Variables for full list):

%u - username

%n - user part in user@domain, same as %u if there's no domain

%d - domain part in user@domain, empty if user there's no domain

user_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu) (mailAlternateAddress=%Lu)))

If doveadm user -u info@example.co returns your entry, this filter is OK.

Password checking attributes:

user: Virtual user name (user@domain), if you wish to change the

user-given username to something else

password: Password, may optionally start with {type}, eg. {crypt}

There are also other special fields which can be returned, see

http://wiki2.dovecot.org/PasswordDatabase/ExtraFields

pass_attrs = uid=user,userPassword=password,mailAlternateAddress=user

you cannot return two values for user, I guess you like to have "uid", so

pass_attrs = uid=user,userPassword=password

Filter for password lookups

#pass_filter = (&(objectClass=posixAccount)(uid=%u)) pass_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu) (mailAlternateAddress=%Lu)))

Looks good, if doveadm user -u info@example.co returns something sensible, beause the user filter is the same.

Attributes and filter to get a list of all users

iterate_attrs = uid=user, mailAlternateAddress=user

same as pass_attr.

iterate_filter = (objectClass=posixAccount)

Looks strange, should be

iterate_filter = (objectClass=mailrecipient)

Default password scheme. "{scheme}" before password overrides this.

List of supported schemes is in: http://wiki2.dovecot.org/Authentication

#default_pass_scheme = CRYPT

Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQEVAwUBWA8xnHz1H7kL/d9rAQKjlQf/VyK1ipVnt3B+NGwWlIc29MERp7Zy1DFI 8x7GKRFSwJ9pKRalreVL/D+3hI/mKzoqQOiaWG6QSNlX+zj1uu6FkpsiJrAmuJP2 uOObVjyS9DSw8zmU9wNJmqxUvWNTb857udnwAazsMbKge+ApKa4w8GmLUIyZXBZt oBziQZjbASlReaIGv8q+R8z5B0wUx9FRfqFuEY4N2mSudZMdf6kBsUXnFPTxWlEY kpIFpOFhfCi0dFRYduVQXhP9qR8BMOBwjm1NizZGTFgGSHgY2sgr4ouOKtoXHePh 28EvYzRY/FHvSKGDv3R8KVqnf6BJ03SkJ5+L0Smbr9XUg+1UuaQqkg== =0e2c -----END PGP SIGNATURE-----