On Tue, 25 Oct 2016, Günther J. Niederwimmer wrote:
Thanks for the answer and help,
I mean, I found the biggest problem: it is "auth_bind_userdn = "
On Tuesday, 25 October 2016, 12:19:08, Steffen Kaiser wrote:
On Tue, 25 Oct 2016, Günther J. Niederwimmer wrote:
I set up LDAP (FreeIPA) to have a user for Dovecot that can (read, search, compare) all attributes that I need for Dovecot.
I must also have mailAlternateAddress
When I make a ldapsearch with this user, I found all I need to configure dovecot.
doveadm auth test office and doveadm auth test office@examle.com
with successful authentication,
but when I make a doveadm auth test info@example.co (mailAlternateAddress)
I guess the missing 'm' in .co is a typo?
;-) Yes
Do you find
doveadm user -u office
doveadm user -u office@examle.com
doveadm user -u info@example.com
Yes, this is working with all users?
doveadm user -u office
userdb: office
  user      : office
  home      : /srv/vmail/office
  uid       : 10000
  gid       : 10000
doveadm user -u info@example.com
userdb: info@example.com
  user      : office
  home      : /srv/vmail/office
  uid       : 10000
  gid       : 10000
I have a broken authentication
Can anyone give me a hint what is wrong, or is this not possible?
Show us your LDAP record of this user.
This is the result from ldapsearch with Dovecot's special user, from the Dovecot system!
ldapsearch -w 'XXXXXXXXXXX' -h ipa.example.com -D 'uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com' -s sub -b 'dc=example,dc=com' 'mail=office@example.com'
I can also search for 'mailAlternateAddress=info@example.com' with the same result.
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: mail=office@example.com
# requesting: ALL
#

# office, users, accounts, example.com
dn: uid=office,cn=users,cn=accounts,dc=example,dc=com
st: AUSTRIA
l: Salzburg
postalCode: 5020
krbPasswordExpiration: 20380101000000Z
krbLastPwdChange: 20160929133721Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com
mailAlternateAddress: info@example.com
displayName:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
uid: office
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: mailrecipient
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/bash
initials: GN
gecos:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
sn: Niederwimmer
homeDirectory: /home/office
mail: office@example.com
krbPrincipalName: office@example.COM
givenName:: R8O8bnRoZXIgSi4=
cn:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
ipaUniqueID: 3a6e2256-8648-11e6-b45d-5254002cd3fc
uidNumber: 1507800005
gidNumber: 1507800005

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

# For example:
#   auth_bind_userdn = cn=%u,ou=people,o=org
# auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com
That one looks strange; you really have an account (uid=office@examle.com)?
I mean I don't understand this at the moment (?), but I can comment this out?
Well, you must comment this setting, because:
http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds?highlight=%28auth_bind_...
"If you're using DN template, pass_attrs and pass_filter settings are completely ignored."
That is: only if *all* your users log in using their "uid" attribute and are located at a single predictable hierarchy level can you use this, in order to avoid the LDAP query with passdb_filter to locate the user's DN.
I am now also making tests with "#auth_bind_userdn = uid=%n...." commented out,
and now the tests are WORKING!!!
Now I have to find out the correct syntax for auth_bind_userdn!!! If it is possible?
Steffen Kaiser
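A config sketch of the two setups Steffen contrasts, added here as an illustration (not from the thread or the Dovecot project): it assumes a dovecot-ldap.conf.ext built on the service account and base from the ldapsearch command above, and the pass_filter/pass_attrs values are assumed, since the poster's file is not shown.

```conf
# dovecot-ldap.conf.ext (illustrative; service account and base taken from the
# ldapsearch command in the thread, everything else is assumed)

hosts = ipa.example.com
ldap_version = 3
dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
dnpass = XXXXXXXXXXX
base = dc=example,dc=com

# Verify the password by binding to LDAP as the user (no password hashes leave
# the directory, FreeIPA policy still applies).
auth_bind = yes

# BROKEN for alias logins: a DN template makes Dovecot skip the search and bind
# directly as this DN. Logging in as info@example.com gives %n = "info", no
# entry with uid=info exists, so the bind fails and the login is rejected even
# though mailAlternateAddress=info@example.com is on the "office" entry.
#auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com

# WORKING: leave auth_bind_userdn unset. Dovecot first binds as "dn" above,
# runs pass_filter to locate the entry, then binds as that entry's DN with the
# password the client supplied. %u is the full login name, %n the local part.
pass_filter = (&(objectClass=mailrecipient)(|(uid=%n)(mail=%u)(mailAlternateAddress=%u)))

# Hand the canonical account name back so the userdb lookup and the mailbox
# path resolve to "office" whichever alias was used to log in.
pass_attrs = uid=user

# userdb settings are left out: the doveadm user output in the thread shows the
# user_filter/user_attrs already map info@example.com to the office account.
```

A quick regression check for both paths is the one already used in the thread: doveadm auth test office@example.com and doveadm auth test info@example.com should both succeed, and doveadm user -u info@example.com should keep reporting user: office.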