Hmmm... Perhaps my understanding is wrong. Below is the thought process that brought me here...
userPassword: this is not included _because_ I am using auth_bind. dovecot is not going to check the userPassword field itself; instead, it is going to try and use the password supplied by the user to authenticate to the LDAP server, using:
dn: dovecot needs a dn with which to search the database to find the user's DN based on their email.
An illustration. As an end user, suppose the information that I am to use to connect is:
Username: jackmc@lorentz.com Password: test123
The sequence that I am trying to make occur is this:
User sends "jackmc@lorentz.com", "test123" to dovecot
Dovecot searches ldap for a user with this email address. Specifically, the user needs to be in "ou=users, dc=lorentz, dc=com" (and not any subtree; only in the top level). This base DN is based on the username supplied: lorentz.com is converted to LDAP format. In order to search for this, Dovecot needs access to the LDAP database. To this end, I have created a DN "cn=varmail, ou=users, dc=lorentz, dc=com" which can search all domains for the "mail" field. Thus, dovecot will bind using the varmail DN and then search onelevel of "ou=users, dc=lorentz, dc=com" for an inetOrgPerson entry whose mail field is jackmc@lorentz.com. As demonstrated by the ldapsearch in my earlier email, this will return the entry for "cn=Jack McKinney, ou=users, dc=lorentz, dc=com". Now that dovecot knows what the user's DN is, it will make a new connection to the LDAP server (this is my understanding of "auth_bind = yes") using "cn=Jack McKinney, ou=users, dc=lorentz, dc=com" and the password "test123". If this LDAP connection authenticates, then the user is granted access to email (the email location is specified in a static userdb in my dovecot.conf).
Thus, dovecot never needs to see the userPassword field. Indeed, by design, varmail does not have access to this field. Dovecot is supposed to determine the DN for the user based on the supplied username (which in this case is an email address) and then use that DN and the password supplied by the user to try and authenticate to LDAP. If it succeeds, then the user can access their email.
On Fri, 2008-04-11 at 09:20 +0200, Steffen Kaiser wrote:
On Tue, 8 Apr 2008, Jack McKinney wrote:
hosts = ldap.lrtz
dn = cn=varmail,ou=users,dc=lorentz,dc=com
dnpass = *********
ldap_version = 3
auth_bind = yes
pass_filter = (&(objectClass=inetOrgPerson)(mail=%Lu))
base = ou=users, dc=%Dd
scope = onelevel
Your configuration looks bad:
You use auth_bind, but the displayed LDAP item does not contain a "userPassword" attribute, and you've specified "dn", which is not necessary for auth_bind. And you have no pass_attrs config.
I guess the first step is to set auth_bind = no and add the password attribute to the user.
Or keep the auth_bind = yes and add a userPassword attribute to the user, so each user can bind itself to his/her LDAP item.
Wiki: http://wiki.dovecot.org/AuthDatabase/LDAP
The OpenLDAP log shows that the query is received and that it returns a match:
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH base="ou=users,dc=lorentz,dc=com" scope=1 deref=0 filter="(&(objectClass=inetOrgPerson)(mail=jackmc@lorentz.com))"
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH attr=uid
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Well, does nentries=1 really indicate one _match_ or just one returned item/packet? If I use ldapsearch -x uid=nonexisting, I get "# numResponses: 1" in the last line, but no hit. You also see that the search is attr=uid, why?
I do _not_ know why Dovecot just hangs, this is probably a bug due to the configuration glitches.
Bye,
Steffen Kaiser
Jack McKinney
GPG 1024D/99C6A174
jackmc@lorentz.com
YM:lfaatsnat2006 AIM:jackmclorentz
Beware geeks bearing diffs
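To reproduce the two steps described in the message above outside Dovecot, here is an added example (not from the thread): a shell script that performs the same service bind, one-level search and user bind with the OpenLDAP client tools. It assumes the host, bind DN, base and filter quoted from the configuration in the thread, and uses a placeholder for the service password.

```shell
#!/usr/bin/env bash
# Replays Dovecot's auth_bind flow with the OpenLDAP client tools.
# Assumed from the thread: host ldap.lrtz, bind DN cn=varmail,...,
# base "ou=users, dc=%Dd" with scope onelevel and
# pass_filter (&(objectClass=inetOrgPerson)(mail=%Lu)).
set -eu

LDAP_URI="${LDAP_URI:-ldap://ldap.lrtz}"
SERVICE_DN="cn=varmail,ou=users,dc=lorentz,dc=com"
SERVICE_PW="${SERVICE_PW:-PLACEHOLDER}"   # the thread only shows dnpass = *********

# %Dd: the domain part of the login name as dc= components
# (lorentz.com -> dc=lorentz,dc=com).
domain_to_dc() {
    printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# %Lu: the whole login name, lowercased by the L modifier.
lower_user() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# Expansion of base = ou=users, dc=%Dd (spaces after commas are insignificant in a DN).
base_for() {
    printf 'ou=users,%s' "$(domain_to_dc "${1#*@}")"
}

# Expansion of the pass_filter for a login name.
filter_for() {
    printf '(&(objectClass=inetOrgPerson)(mail=%s))' "$(lower_user "$1")"
}

# Step 1: bind as the service DN and search one level below the base.
# Asking only for "dn" with -LLL prints a dn: line exactly when an entry matched,
# which answers the nentries=1 question more directly than the slapd log does.
lookup_dn() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$SERVICE_DN" -w "$SERVICE_PW" \
        -b "$(base_for "$1")" -s one "$(filter_for "$1")" dn \
        | sed -n 's/^dn: //p'
}

# Step 2: bind as the user's own DN with the password the user typed.
# This second bind is the whole authentication; userPassword is never read.
auth_bind() {
    user_dn=$(lookup_dn "$1")
    [ -n "$user_dn" ] || { echo "no entry for $1 under $(base_for "$1")" >&2; return 1; }
    ldapwhoami -x -H "$LDAP_URI" -D "$user_dn" -w "$2" >/dev/null && echo "bind OK as $user_dn"
}
# Example: auth_bind jackmc@lorentz.com test123
```

If step 1 prints no dn: line, the problem is the search (base, scope or ACL on the mail attribute); if it does but step 2 fails, the problem is the user's own bind.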