Hello Steffen and List,
Thanks for the answer and help,
I mean I found the biggest problem: it is "auth_bind_userdn = "
please read the rest ;-)
On Tuesday, 25 October 2016, 12:19:08, Steffen Kaiser wrote:
On Tue, 25 Oct 2016, Günther J. Niederwimmer wrote:
I set up LDAP (FreeIPA) to have a user for Dovecot that can (read, search, compare) all attributes that I need for Dovecot.
I must also have mailAlternateAddress
When I make a ldapsearch with this user, I found all I need to configure dovecot.
doveadm auth test office and doveadm auth test office@examle.com
with success authentication
but when I make a doveadm auth test info@example.co (mailAlternateAddress)
I guess the missing 'm' in .co is a typo?
;-) Yes
Do you find

doveadm user -u office
doveadm user -u office@examle.com
doveadm user -u info@example.com

Yes, this is working with all users ?

doveadm user -u office
userdb: office
  user  : office
  home  : /srv/vmail/office
  uid   : 10000
  gid   : 10000

doveadm user -u info@example.com
userdb: info@example.com
  user  : office
  home  : /srv/vmail/office
  uid   : 10000
  gid   : 10000
I have a broken authentication
Can any give me a hint what is wrong, or is this not possible ?
Show us your LDAP record of this user.

This is a result from ldapsearch with Dovecot's special user, from the Dovecot system!
ldapsearch -w 'XXXXXXXXXXX' -h ipa.example.com -D 'uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com' -s sub -b 'dc=example,dc=com' 'mail=office@example.com'
I can also search for 'mailAlternateAddress=info@example.com' with the same result.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: mail=office@example.com
# requesting: ALL
#

# office, users, accounts, example.com
dn: uid=office,cn=users,cn=accounts,dc=example,dc=com
st: AUSTRIA
l: Salzburg
postalCode: 5020
krbPasswordExpiration: 20380101000000Z
krbLastPwdChange: 20160929133721Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com
mailAlternateAddress: info@example.com
displayName:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
uid: office
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: mailrecipient
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/bash
initials: GN
gecos:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
sn: Niederwimmer
homeDirectory: /home/office
mail: office@example.com
krbPrincipalName: office@example.COM
givenName:: R8O8bnRoZXIgSi4=
cn:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
ipaUniqueID: 3a6e2256-8648-11e6-b45d-5254002cd3fc
uidNumber: 1507800005
gidNumber: 1507800005

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
# Distinguished Name - the username used to login to the LDAP server.
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com

# Password for LDAP server, if dn is specified.
dnpass = 'XXXXXXXXXXXXXX'

# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower. Also note that SASL
# binds and auth_bind=yes don't work together.
sasl_bind = yes
# SASL mechanism name to use.
sasl_mech = gssapi
# SASL realm to use.
sasl_realm = EXAMPLE.COM
# SASL authorization ID, ie. the dnpass is for this "master user", but the
# dn is still the logged in user. Normally you want to keep this empty.
sasl_authz_id = imap/mx01.example.com@EXAMPLE.COM
Dunno with SASL and Co.
OK, OK, this was a test and I am reverting this ;-). Now I have #sasl_bind = yes
This is my next Problem, to find out is this correct working on my system ;-).
# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes

# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
#
# If you use this setting, it's a good idea to use a different
# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
# the filename is different in userdb's args). That way one connection is used
# only for LDAP binds and another connection is used for user lookups.
# Otherwise the binding is changed to the default DN before each user lookup.
#
# For example:
#   auth_bind_userdn = cn=%u,ou=people,o=org
auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com
That one looks strange, you really have an account (uid=office@examle.com) ?
I mean I don't understand this in the Moment (?), but I can comment out this ?
I make now also Tests with commented out "#auth_bind_userdn = uid=%n...."
now the tests are WORKING !!!
now I have to find out the correct syntax for auth_bind_userdn !!! when it is possible ?
# Search scope: base, onelevel, subtree
scope = subtree
#scope = onelevel

# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
#   uid - System UID
#   gid - System GID
#   home - Home directory
#   mail - Mail location
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_attrs = uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000

# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if user there's no domain
user_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))
If doveadm user -u info@example.co returns your entry, this filter is OK.
Yes, this filter is OK ;-)
# Password checking attributes:
#   user: Virtual user name (user@domain), if you wish to change the
#         user-given username to something else
#   password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
pass_attrs = uid=user,userPassword=password,mailAlternateAddress=user
you cannot return two values for user, I guess you like to have "uid", so
pass_attrs = uid=user,userPassword=password
OK, I change it back; these are only tests to find the correct setup for Dovecot.
# Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
pass_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))
Looks good, if doveadm user -u info@example.co returns something sensible, because the user filter is the same.
:-)
# Attributes and filter to get a list of all users
iterate_attrs = uid=user, mailAlternateAddress=user
same as pass_attr.
iterate_filter = (objectClass=posixAccount)
Looks strange, should be
iterate_filter = (objectClass=mailrecipient)
Is changed to your Parameters
# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
#default_pass_scheme = CRYPT
I said it before: with "auth_bind_userdn" commented out, the authentication is also working now with "mailAlternateAddress=xxxxxxxxx".
Many thanks for the hint ;-)
-- with kind regards / best regards,
Günther J. Niederwimmer
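Added example (not from this thread and not Dovecot's code): a small Python model of the two ways Dovecot can find the DN for an auth bind, run over a constructed in-memory copy of the FreeIPA entry above. It assumes the auth_bind_userdn template and the pass_filter quoted in the thread; the variable expansion and filter evaluator are hand-written simplifications that cover only the variables and filter operators the thread uses.

```python
import re

# Constructed directory: a stripped-down copy of the ldapsearch entry above.
DIRECTORY = {
    "uid=office,cn=users,cn=accounts,dc=example,dc=com": {
        "objectClass": ["mailrecipient", "posixaccount", "inetorgperson"],
        "uid": ["office"],
        "mail": ["office@example.com"],
        "mailAlternateAddress": ["info@example.com"],
    },
}

PASS_FILTER = "(&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))"
USERDN_TEMPLATE = "uid=%n,cn=users,cn=accounts,dc=example,dc=com"

def expand(template, login):
    """Expand the Dovecot variables used in the thread: %u, %n, %d, plus the %L (lowercase) modifier."""
    user, _, domain = login.partition("@")
    values = {"u": login, "n": user, "d": domain}
    def sub(m):
        value = values[m.group(2)]
        return value.lower() if m.group(1) else value
    return re.sub(r"%(L?)([und])", sub, template)

def matches(entry, flt):
    """Evaluate the LDAP filter subset the thread uses: (&...), (|...) and (attr=value)."""
    flt = flt.strip()
    if flt[1] in "&|":
        parts = re.findall(r"\((?:[^()]|\([^()]*\))*\)", flt[2:-1])
        results = [matches(entry, p) for p in parts]
        return all(results) if flt[1] == "&" else any(results)
    attr, _, value = flt[1:-1].partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def dn_via_template(login):
    """auth_bind_userdn path: no search at all, Dovecot fills the template and binds as that DN."""
    dn = expand(USERDN_TEMPLATE, login)
    return dn if dn in DIRECTORY else None  # None: the bind would fail, no such entry

def dn_via_filter(login):
    """pass_filter path: search with the filter, then bind as the single DN it returned."""
    flt = expand(PASS_FILTER, login)
    hits = [dn for dn, entry in DIRECTORY.items() if matches(entry, flt)]
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    # An alias login only resolves through the filter; the template turns it into uid=info.
    for login in ("office", "office@example.com", "info@example.com"):
        print(f"{login:20} template: {dn_via_template(login)}  filter: {dn_via_filter(login)}")
```

This is why commenting out auth_bind_userdn made the mailAlternateAddress login work: the template never consults the directory, so an alias whose local part is not the uid can only be resolved by the pass_filter search.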