Thanks, Kees. The doveadm command shows the same behavior as I see from Postfix, where the wrong search filter is used:
docker-openldap-1 | 6459e95f.1a1ad6c2 0x7fe379a98700 conn=1427 op=67 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=moritz@example.com))"
Why is dovecot still using the default filter setting even though my config now looks like this:
hosts = openldap:1389
base = ou=users,dc=example,dc=com
auth_bind = yes
auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com
pass_attrs =
  =user=%{ldap:mail},
  =password=%{ldap:userPassword}
user_attrs =
  =user=%{ldap:mail}
user_filter = (mail=%u)
iterate_attrs = mail=user
Anyway, I might have discovered the flaw in my assumptions. I thought I could use the "auth_bind_userdn" setting and then wouldn't need to specify "dn" and "dnpass" (or allow anonymous access), since there would be no need to search for matching DNs.
But I guess that is only true for the authentication use case, and not in the case where Postfix just needs to know whether a user exists or not (like the doveadm user command).
Is my (new) understanding correct that I always need a dovecot user (or anonymous read access) in the LDAP database?
Thanks, Moritz
On 08/05/2023 23:36 CEST Kees van Vloten <keesvanvloten@gmail.com> wrote:
On 08-05-2023 16:43, Moritz Pflanzer wrote:
Hi all,
So far I had a setup where Dovecot was using a passwd file as userdb and passdb. Postfix was then authenticating with Dovecot via SASL to validate user accounts.
Now I added an LDAP backend and would like to use that for Dovecot and Postfix. My first approach was to change the passdb to use the LDAP driver with the following settings:
hosts = openldap:1389
base = ou=users,dc=example,dc=com
auth_bind = yes
auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com
And I changed the userdb driver to static, since there is just the vmail system account for all virtual user mailboxes anyway.
This is working as expected for the IMAP connections. But Postfix authentication fails, as it is apparently using the wrong user_filter. This is what I see in the logs from OpenLDAP:
docker-openldap-1 | 645908ae.1d975b70 0x7fe379297700 conn=1347 fd=12 ACCEPT from IP=172.19.0.7:52144 (IP=0.0.0.0:1389)
docker-openldap-1 | 645908ae.1d98571f 0x7fe379a98700 conn=1347 op=0 BIND dn="" method=128
docker-openldap-1 | 645908ae.1d993bd7 0x7fe379a98700 conn=1347 op=0 RESULT tag=97 err=0 qtime=0.000009 etime=0.000072 text=
docker-postfix-1 | May 08 14:35:26 nest postfix/smtpd[12455]: 8A9FC1E03C5: client=mo4-p01-ob.smtp.rzone.de[85.215.255.51]
docker-postfix-1 | May 08 14:35:26 nest postfix/cleanup[12461]: 8A9FC1E03C5: message-id=<713569303.508224.1683556526256@webmail.strato.de>
docker-postfix-1 | May 08 14:35:26 nest postfix/qmgr[951]: 8A9FC1E03C5: from=<moritz@pflanzer.eu>, size=3340, nrcpt=1 (queue active)
docker-postfix-1 | May 08 14:35:26 nest postfix/smtpd[12455]: disconnect from mo4-p01-ob.smtp.rzone.de[85.215.255.51] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
docker-openldap-1 | 645908ae.2616b031 0x7fe379297700 conn=1347 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=moritz@example.com))"
docker-openldap-1 | 645908ae.26179272 0x7fe379297700 conn=1347 op=1 SRCH attr=uid
docker-openldap-1 | 645908ae.2619389b 0x7fe379297700 conn=1347 op=1 SEARCH RESULT tag=101 err=32 qtime=0.000017 etime=0.000221 nentries=0 text=
I tried setting the user_filter manually to "user_filter = (mail=%u)" but that doesn't have any effect.
Is this the expected behavior from Dovecot? I guess I can get it working by using the ldap driver for the userdb as well. But is that the best approach, since I technically don't need it for Dovecot itself? Or should I now change the Postfix config as well to authenticate directly against the LDAP server instead of using SASL with Dovecot?
Looking forward to recommendations, Moritz
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
First set up and test dovecot-ldap.conf.ext; only when your queries are correct does it make sense to continue with the rest of the configuration. Set up pass_filter, pass_attrs, user_filter, user_attrs, iterate_filter, iterate_attrs. That last one can be tested with doveadm user -u "*" and should list all users.
When these queries work it is easy to add passdb and userdb.
- Kees.
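Added example and note, not part of either poster's message. The filter in both OpenLDAP excerpts, (&(objectClass=posixAccount)(uid=...)), is Dovecot's default pass_filter (the default user_filter is the same text, but user_filter was overridden in the second config and the logged filter did not change), so the lookups that fail are passdb lookups, not userdb lookups. A bind-authenticated passdb only skips the search when it has a password to bind with; a lookup made without one (doveadm user, or a static userdb checking that a user exists, which by default asks the passdb) falls back to an LDAP search with pass_filter, and that search needs either anonymous read access or a dn/dnpass service account, which is what the BIND dn="" line shows. The fragment below is one way to write dovecot-ldap.conf.ext so that both paths work; the service DN and its password, the objectClass, and the use of the mail attribute as the login name are assumptions. pass_attrs is left unset because the bind itself is the credential check, and the iterate_* settings are included so that the listing check Kees describes can be run.

```conf
# Added example configuration (not the poster's file). Assumed directory
# layout: users under ou=users with objectClass=posixAccount, uid holding
# the local part and mail holding the full login name (user@domain).
hosts = openldap:1389
base = ou=users,dc=example,dc=com
ldap_version = 3
scope = subtree

# Read-only service account for every search-based lookup (userdb,
# iteration, and passdb lookups made without a password). Hypothetical
# DN and password; keep this file root-readable only.
dn = cn=dovecot,ou=services,dc=example,dc=com
dnpass = replace-with-a-strong-secret

# Password check: bind as the user. The DN is built from the local part
# (%n) of the login name, so no search is needed for the bind itself.
auth_bind = yes
auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com

# Users log in with their mail address (%u), so match on mail= rather
# than on the default uid= filter. pass_filter is what the passwordless
# existence lookup uses; user_filter is used by the ldap userdb.
pass_filter = (&(objectClass=posixAccount)(mail=%u))
user_filter = (&(objectClass=posixAccount)(mail=%u))
user_attrs = mail=user

# Listing all users (doveadm user '*') walks this filter.
iterate_filter = (objectClass=posixAccount)
iterate_attrs = mail=user
```

To verify each path separately: `doveadm auth test moritz@example.com` exercises the bind, `doveadm user moritz@example.com` exercises the search done with dn/dnpass, and `doveadm user '*'` exercises iteration. In the OpenLDAP log the BIND line should then show the service DN instead of dn="", and the SRCH filter should carry mail= instead of uid=.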