Hi,
Let me ask a more specific question.
What I would like to configure, is:
- for our internal users to use their regular AD usernam/passwords, just as everybody can currently do.
but, new: password. (or username and password, fine as well)
- for external users, to ONLY be allowed to use an application specific
Step one: making ldap password authentication valid only from our internal network. I though: using allow_nets=192.168.1.0/24 for that passdb
But I can't get that to work. :-( Unsure where exactly to define the allow_nets, tried many variations on the theme already.
Perhaps someone can help with the step one, and also tell me if the approach outlined above is smart, valid and do-able in dovecot.
Here are our sanitised configs:
root@mails:/etc/dovecot# doveconf -n # 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.16 (fed8554) # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.7 xfs auth_debug = yes auth_failure_delay = 2 secs auth_master_user_separator = * auth_mechanisms = plain login auth_username_format = %Ln auth_verbose = yes auth_verbose_passwords = plain debug_log_path = /var/log/dovecot/dovecot.debug deliver_log_format = %f | %s | msgid=%m: %$ disable_plaintext_auth = no info_log_path = /var/log/dovecot/dovecot.info lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes log_path = /var/log/dovecot/dovecot.err login_greeting = Dovecot ready. mail_gid = vmail mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir mail_plugins = acl lazy_expunge zlib quota mail_log notify mail_uid = vmail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace { list = children location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u prefix = shared/%%n/ separator = / subscriptions = no type = shared } namespace inbox { inbox = yes location = mailbox "Deleted items" { special_use = \Trash } mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent items" { special_use = \Sent } mailbox Trash { special_use = \Trash } mailbox inbox { auto = subscribe } prefix = separator = / type = private } passdb { args = /etc/dovecot/master-users driver = passwd-file master = yes } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap skip = authenticated } plugin { acl = vfile acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename append mail_log_fields = uid box msgid from subject quota = maildir quota_rule = ?:storage=5G quota_rule2 = Trash:storage=+100M quota_warning = storage=97%% quota-warning 97 %u quota_warning2 = storage=95%% quota-warning 95 %u quota_warning3 = storage=90%% quota-warning 90 %u quota_warning4 = storage=85%% quota-warning 85 %u quota_warning5 = storage=80%% quota-warning 80 %u quota_warning6 = -storage=100%% quota-warning below %u sieve = ~/.dovecot.sieve sieve_default = /var/lib/dovecot/default.sieve sieve_dir = ~/sieve } protocols = imap lmtp sieve service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 } unix_listener auth-userdb { group = vmail mode = 0666 user = vmail } } service imap-login { process_limit = 500 process_min_avail = 2 } service quota-warning { executable = script /usr/local/bin/quota-warning.sh unix_listener quota-warning { user = vmail } user = dovecot } ssl_ca =
and our dovecot-ldap.conf.ext:
hosts = ldap1 ldap2 ldap3 dn = cn=search,cn=.... dnpass = secretashell tls = no debug_level = 0 auth_bind = yes base = CN=Users, DC=..... scope = subtree user_attrs = =home=/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,=mail=maildir:/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,allow_nets=192.168.1.0/24 user_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514))) pass_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514))) iterate_attrs = sAMAccountName=user iterate_filter = (objectClass=person)
MJ