Hi there,
I'm working on a setup with postfix (2.5.5) + dovecot (1.2.11) using an Active Directory user backend. At first, I used the instructions found here[1] to do the base configuration. As I understand, I need to use dovecot as an LDA to be able to use the quota plugin and have a per-user quota configuration, and this led me to two distinct (and opposed) configuration options. It seems that the usual dovecot + AD configuration uses the "auth_bind = yes" option, where dovecot tries to bind to AD using the user's credentials. *But* to be able to use the LDA, dovecot can't rely on user credentials, as there are none when a mail arrives, so one needs to use "auth_bind = no" and choose a "user" to bind to AD, using the dn and dnpass options. Am I right so far?
I could just use auth_bind=no *IF* the "dn" user has the necessary privileges to read other AD users' passwords (like an administrator user). Is this correct? Well, anticipating that the AD sysadmin guy will not be happy with this, I thought that maybe I could "mix" the two configurations, since I don't need the user's password to find the user's mailbox (while delivering), but I do while doing his authentication. I may use one configuration for userdb, and another for passdb. BUT (again!) there's another problem, since delivering needs the "email" (user@domain) and authentication needs the "user" value (and it's perfectly valid that one should use "John Doe" as user, and foo@bar as email!). So, I messed a little with the user filters and got this configuration:
dovecot.conf:
mail_uid = 1001
mail_gid = 1001
passdb ldap { args = /etc/dovecot/dovecot-ldap-pass.conf }
userdb ldap { args = /etc/dovecot/dovecot-ldap.conf }
dovecot-ldap-pass.conf:
hosts = 10.x.x.x
base = dc=mydomain,dc=com,dc=br
ldap_version = 3
auth_bind = yes
auth_bind_userdn = mydomain\%u
dovecot-ldap-pass.conf:
hosts = 10.x.x.x
auth_bind = no
dn = cn=Unprivleged User,cn=Users,dc=mydomain,dc=com,dc=br
dnpass = 123456
ldap_version = 3
base = dc=mydomain,dc=com,dc=br
deref = never
scope = subtree
user_attrs = sAMAccountName=mail=maildir:/var/vmail/%$/Maildir
user_filter = (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)))
pass_attrs = sAMAccountName=user,userPassword=password
pass_filter = (&(objectClass=person)(sAMAccountName=%u))
The "pass_attrs" and "pass_filter" in dovecot-ldap-pass.conf are not used. The clever part, or the incredibly stupid one, is the filter (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u))), which means "find some person with email=something OR some person with username=user". I'm not sure of the full implications this could have... Anyway, it's working, as the system accepts emails and the user can retrieve them using pop3.
Is there a better way to do all this? Is it safe to bind dovecot to AD with the necessary privileges to read user passwords? I'm no AD expert, but can this special user be "read-only"?
Thanks in advance
[1] http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/
-- Christian Lyra
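An added example, not part of the original post: it simulates the userdb side of this setup over a small constructed sample of AD entries, so one can check without a directory server that the (mail OR sAMAccountName) filter can match two different people, and that the maildir is always derived from sAMAccountName whichever attribute matched. It assumes AD's case-insensitive matching on these two attributes; every name and address in it is made up.

```python
import re

# Constructed sample of the attributes the poster's filter touches; not real directory data.
SAMPLE_AD = [
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "jdoe",
     "mail": "john.doe@mydomain.com.br"},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "asmith",
     "mail": "alice@mydomain.com.br"},
    # A person whose login name equals another person's mail address:
    # the OR filter returns both entries for the login "alice@mydomain.com.br".
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "alice@mydomain.com.br",
     "mail": "a.smith@mydomain.com.br"},
    # Same sAMAccountName as the first user, but not a person: objectClass=person excludes it.
    {"objectClass": ["top", "group"], "sAMAccountName": "jdoe", "mail": "jdoe-list@mydomain.com.br"},
]

USER_FILTER = "(&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)))"
USER_ATTRS = "sAMAccountName=mail=maildir:/var/vmail/%$/Maildir"


def ldap_escape(value):
    """RFC 4515 escaping of an assertion value placed inside a search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def build_filter(login):
    """The filter string the server receives once %u has been substituted and escaped."""
    return USER_FILTER.replace("%u", ldap_escape(login))


def lookup_user(login, directory=SAMPLE_AD):
    """Return (filter, matching entries), evaluating the filter the way AD would."""
    key = login.lower()  # sAMAccountName and mail are matched case-insensitively in AD
    matches = [e for e in directory
               if "person" in e["objectClass"]
               and (e.get("mail", "").lower() == key or e.get("sAMAccountName", "").lower() == key)]
    return build_filter(login), matches


def userdb_result(login, directory=SAMPLE_AD):
    """Apply user_attrs to a single match; refuse an empty or ambiguous lookup."""
    _, matches = lookup_user(login, directory)
    if len(matches) != 1:
        raise LookupError("%d entries matched %r" % (len(matches), login))
    ldap_attr, field, template = USER_ATTRS.split("=", 2)
    return {field: template.replace("%$", matches[0][ldap_attr])}
```

Because the maildir path is taken from sAMAccountName, a delivery addressed to john.doe@mydomain.com.br and a POP3 login as jdoe end up in the same Maildir; the ambiguous case is the one to watch for when a login name can legitimately look like an address.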