On 09-05-2023 08:58, Moritz Pflanzer wrote:
Thanks Kees. The doveadm command is showing the same behavior as I can see from postfix where the wrong search filter is used:

docker-openldap-1  | 6459e95f.1a1ad6c2 0x7fe379a98700 conn=1427 op=67 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=moritz@example.com))"

Why is dovecot still using the default filter setting even though my config now looks like this:

hosts = openldap:1389
base = ou=users,dc=example,dc=com
auth_bind = yes
auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com

pass_attrs = \
=user=%{ldap:mail}, \
=password=%{ldap:userPassword}

user_attrs = \
=user=%{ldap:mail}

user_filter = (mail=%u)
iterate_attrs = mail=user
%u refers to the current user; for iterate you iterate over all users that have dovecot access, probably something like this:

iterate_filter = (objectClass=user)

iterate_attrs = \
   =user=%{ldap:mail}

- Kees.



Anyway, I might have discovered the flaw in my assumptions. I thought I could use the "auth_bind_userdn" setting and then wouldn't need to specify "dn" and "dnpass" (or allow anonymous access) since there would be no need to search for matching DNs.

But I guess that is only true for the authentication use case and not in the case where postfix just needs to know if a user exists or not (like the doveadm user command).

Is my (new) understanding correct that I always need a dovecot user (or anonymous read access) in the LDAP database?

Thanks,
Moritz

On 08/05/2023 23:36 CEST Kees van Vloten <keesvanvloten@gmail.com> wrote:

On 08-05-2023 16:43, Moritz Pflanzer wrote:
Hi all,

so far I had a setup where Dovecot was using a passwd file as userdb and passdb. Postfix was then authenticating with Dovecot via SASL to validate user accounts.

Now I added an LDAP backend and would like to use that for Dovecot and Postfix. My first approach was to change the passdb to use the LDAP driver with the following settings:

hosts = openldap:1389
base = ou=users,dc=example,dc=com
auth_bind = yes
auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com

And I changed the userdb driver to static since there is just the vmail system account for all virtual user mailboxes anyway.

This is working as expected for the IMAP connections. But postfix authentication fails as it is apparently using a wrong user_filter. This is what I see in the logs from OpenLDAP:

docker-openldap-1  | 645908ae.1d975b70 0x7fe379297700 conn=1347 fd=12 ACCEPT from IP=172.19.0.7:52144 (IP=0.0.0.0:1389)
docker-openldap-1  | 645908ae.1d98571f 0x7fe379a98700 conn=1347 op=0 BIND dn="" method=128
docker-openldap-1  | 645908ae.1d993bd7 0x7fe379a98700 conn=1347 op=0 RESULT tag=97 err=0 qtime=0.000009 etime=0.000072 text=
docker-postfix-1   | May 08 14:35:26 nest postfix/smtpd[12455]: 8A9FC1E03C5: client=mo4-p01-ob.smtp.rzone.de[85.215.255.51]
docker-postfix-1   | May 08 14:35:26 nest postfix/cleanup[12461]: 8A9FC1E03C5: message-id=<713569303.508224.1683556526256@webmail.strato.de>
docker-postfix-1   | May 08 14:35:26 nest postfix/qmgr[951]: 8A9FC1E03C5: from=<moritz@pflanzer.eu>, size=3340, nrcpt=1 (queue active)
docker-postfix-1   | May 08 14:35:26 nest postfix/smtpd[12455]: disconnect from mo4-p01-ob.smtp.rzone.de[85.215.255.51] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
docker-openldap-1  | 645908ae.2616b031 0x7fe379297700 conn=1347 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=moritz@example.com))"
docker-openldap-1  | 645908ae.26179272 0x7fe379297700 conn=1347 op=1 SRCH attr=uid
docker-openldap-1  | 645908ae.2619389b 0x7fe379297700 conn=1347 op=1 SEARCH RESULT tag=101 err=32 qtime=0.000017 etime=0.000221 nentries=0 text=

I tried setting the user_filter manually to "user_filter = (mail=%u)" but that doesn't have any effect.

Is this the expected behavior from Dovecot? I guess I can get it working by using the ldap driver for the userdb as well. But is that the best approach, since I technically don't need it for dovecot itself? Or should I now change the postfix config as well to directly authenticate against the LDAP server instead of using SASL with Dovecot?

Looking forward to recommendations,
Moritz
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-leave@dovecot.org
First set up and test dovecot-ldap.conf.ext; only when your queries are
correct does it make sense to continue with the rest of the configuration.
Set up pass_filter, pass_attrs, user_filter, user_attrs, iterate_filter,
iterate_attrs.
That last one can be tested with: doveadm user -u "*" and should list
all users.

When these queries work it is easy to add passdb and userdb.

- Kees.


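The filter-template expansion discussed in the thread, as an added example that is not part of the mailing-list posts or of Dovecot's own code: a small Python model of which LDAP operation each Dovecot lookup type (passdb bind, userdb search, iterate) issues for a given login. It uses the default filters from the sample dovecot-ldap.conf.ext, which match the filter seen in the slapd log above, and applies RFC 4515 escaping to the substituted %u/%n/%d variables so a crafted login name cannot change the filter's structure. The passdb settings are the ones quoted in the thread; the userdb settings, the service bind DN "cn=dovecot,ou=services,dc=example,dc=com" and the password placeholder are assumptions chosen for illustration. The sample dovecot-ldap.conf.ext notes that pass_attrs cannot be used together with auth_bind_userdn, which is why the model issues no passdb search in that case.

```python
"""Model of Dovecot LDAP passdb/userdb/iterate lookups for a given login.

Added illustration, not Dovecot source. It shows which bind DN or search
filter each lookup type would send, using the defaults documented in the
sample dovecot-ldap.conf.ext and RFC 4515 escaping of substituted values.
"""
import re

# Defaults from the sample dovecot-ldap.conf.ext (the filter in the slapd log).
DEFAULT_PASS_FILTER = "(&(objectClass=posixAccount)(uid=%u))"
DEFAULT_USER_FILTER = "(&(objectClass=posixAccount)(uid=%u))"
DEFAULT_ITERATE_FILTER = "(objectClass=posixAccount)"

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# Simplified RFC 4514 set for an attribute value inside a DN.
_DN_SPECIAL = set(',+"\\<>;=')


def filter_escape(value: str) -> str:
    """Escape a value substituted into a search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def dn_escape(value: str) -> str:
    """Escape a value substituted into a bind DN (simplified RFC 4514)."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def expand(template: str, user: str, escape) -> str:
    """Substitute %u (full login), %n (local part) and %d (domain) into a template."""
    local, _, domain = user.partition("@")
    subst = {"u": escape(user), "n": escape(local), "d": escape(domain)}
    # A callable replacement is inserted literally, so escaped backslashes survive.
    return re.sub(r"%([und])", lambda m: subst[m.group(1)], template)


def lookups(settings: dict, user: str) -> dict:
    """Return the LDAP operation each lookup type would issue for `user`.

    passdb:  with auth_bind=yes and auth_bind_userdn set, bind as the templated
             DN and do no search; otherwise search pass_filter first.
    userdb:  always a search with user_filter, bound as `dn` or anonymously
             (the BIND dn="" seen in the slapd log) when no dn is configured.
    iterate: a search with iterate_filter over the whole base.
    """
    auth_bind = settings.get("auth_bind", "no") == "yes"
    userdn = settings.get("auth_bind_userdn")
    if auth_bind and userdn:
        passdb = {"op": "BIND", "dn": expand(userdn, user, dn_escape)}
    else:
        passdb = {"op": "SRCH", "bind_as": settings.get("dn", ""),
                  "filter": expand(settings.get("pass_filter", DEFAULT_PASS_FILTER), user, filter_escape)}
    userdb = {"op": "SRCH", "bind_as": settings.get("dn", ""),
              "filter": expand(settings.get("user_filter", DEFAULT_USER_FILTER), user, filter_escape)}
    iterate = {"op": "SRCH", "bind_as": settings.get("dn", ""),
               "filter": expand(settings.get("iterate_filter", DEFAULT_ITERATE_FILTER), user, filter_escape)}
    return {"passdb": passdb, "userdb": userdb, "iterate": iterate}


# The passdb-only configuration quoted in the thread (constructed from the mail).
THREAD_PASSDB = {
    "hosts": "openldap:1389",
    "base": "ou=users,dc=example,dc=com",
    "auth_bind": "yes",
    "auth_bind_userdn": "uid=%n,ou=users,dc=example,dc=com",
}

# Assumed userdb configuration: search by mail address with a dedicated
# read-only service identity (dn/dnpass are hypothetical placeholders).
ASSUMED_USERDB = {
    "hosts": "openldap:1389",
    "base": "ou=users,dc=example,dc=com",
    "dn": "cn=dovecot,ou=services,dc=example,dc=com",
    "dnpass": "<secret>",
    "user_filter": "(mail=%u)",
    "user_attrs": "=user=%{ldap:mail}",
    "iterate_filter": "(objectClass=posixAccount)",
    "iterate_attrs": "=user=%{ldap:mail}",
}

if __name__ == "__main__":
    for name, cfg in (("thread passdb", THREAD_PASSDB), ("assumed userdb", ASSUMED_USERDB)):
        for kind, op in lookups(cfg, "moritz@example.com").items():
            print(f"{name:14} {kind:8} {op}")
    # A login containing filter metacharacters is escaped, not interpreted.
    print(lookups(ASSUMED_USERDB, "*)(mail=*")["userdb"]["filter"])
```

Running the block shows that with only the thread's passdb settings, a userdb lookup such as `doveadm user` falls back to the default `(&(objectClass=posixAccount)(uid=...))` filter with an anonymous bind, which is exactly the `BIND dn=""` and `SRCH ... filter=` pair in the slapd log; with a user_filter and a service dn configured, the search becomes `(mail=...)` bound as that identity. The last line demonstrates that `*`, `(` and `)` in a login name are hex-escaped, so a user cannot widen the search to other entries.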