[Dovecot] LDAP authentication via PAM

9 Apr 2006


      I've configured dovecot to authenticate against a Fedora Directory
Server. The mail server on which dovecot is installed has the
nss_ldap and pam_ldap packages installed, and /etc/dovecot.conf has the
following two lines:
auth_userdb = ldap /etc/dovecot-ldap.conf
auth_passdb = pam
In other words, I want dovecot to use LDAP to access the user database,
but PAM for authentication. This part is working, since users
authenticate and get their mails correctly through dovecot.
/etc/dovecot-ldap.conf contains the following:
hosts = 192.168.0.2
ldap_version = 3
base = ou=People, dc=duraflex, dc=com, dc=sv
deref = never
scope = subtree
user_attrs = uid,homeDirectory,,,uidNumber,gidNumber
user_filter = (&(objectClass=posixAccount)(uid=%u))
I haven't specified a dn or dnpass, since all I need is that dovecot
perform an anonymous query for the uid, homeDirectory, uidNumber and
gidNumber fields of its users, which are publically viewable. However,
my FDS server's access log has entries like these:
conn=3266227 fd=138 slot=138 connection from 192.168.0.100 to
192.168.0.2
conn=3266227 op=0 BIND dn="" method=128 version=3
conn=3266227 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
conn=3266227 op=1 SRCH base="ou=People,dc=duraflex,dc=com,dc=sv" scope=1
filter="(&(objectClass=posixAccount)(uid=dovecot))" attrs=ALL
conn=3266227 op=1 RESULT err=0 tag=101 nentries=0 etime=0
conn=3266227 op=2 SRCH base="ou=Groups,dc=duraflex,dc=com,dc=sv" scope=1
filter="(&(objectClass=posixGroup)(memberUid=dovecot))"
attrs="gidNumber"
conn=3266227 op=2 RESULT err=0 tag=101 nentries=0 etime=0
conn=3266227 op=-1 fd=138 closed - B1
Dovecot binds anonimously with an empty dn, then queries FDS for a
user and a group called dovecot (which don't exist on the DS), and finds
0 entries.
Is it possible to access the user database through PAM (auth_userdb =
pam)? Since I'm running the nss_ldap and pam_ldap modules, it'd really
be an LDAP query for users, and a query in /etc/passwd and /etc/group
for dovecot (since it's a local user and group on the mail server).
Oscar A. Valdez

[Dovecot] LDAP authentication via PAM

Oscar A. Valdez

Is it possible to access the user database through PAM (auth_userdb = pam)? Since I'm running the nss_ldap and pam_ldap modules, it'd really be an LDAP query for users, and a query in /etc/passwd and /etc/group for dovecot (since it's a local user and group on the mail server).