I have _almost_ got Dovecot working! One little snag...
My users log in using their email address as username. Each domain has its own LDAP subtree. Each user has an entry in the ou=users subtree of the domain subtree, and has a mail: field (inetOrgPerson) listing their email address/login name. I am trying to use auth_bind: when I log in with jackmc@lorentz.com, dovecot should search for mail=jackmc@lorentz.com in the onelevel below ou=users,dc=lorentz,dc=com and find me as "cn=Jack McKinney,ou=users,dc=lorentz,dc=com". I have created an entry in LDAP (varmail) that should be able to do this query. Indeed, from the command line, it works:
ldapsearch -h ldap.lrtz -b 'ou=users, dc=lorentz, dc=com' -D
'cn=varmail,ou=users,dc=lorentz,dc=com' -x -W -s onelevel
'(&(objectClass=inetOrgPerson)(mail=jackmc@lorentz.com))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base

# Jack McKinney, users, lorentz.com
dn: cn=Jack McKinney,ou=users,dc=lorentz,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Jack McKinney
givenName: Jack McKinney
sn: McKinney
mail: jackmc@lorentz.com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
However, it appears that dovecot performs the above query successfully, but then never uses the password and retrieved DN to attempt to bind and authenticate the user. Instead, it just times out.
My dovecot-ldap.conf is:
hosts = ldap.lrtz
dn = cn=varmail,ou=users,dc=lorentz,dc=com
dnpass = *********
ldap_version = 3
auth_bind = yes
pass_filter = (&(objectClass=inetOrgPerson)(mail=%Lu))
base = ou=users, dc=%Dd
scope = onelevel
The dovecot log shows:
Apr 3 08:13:21 fourier dovecot: auth(default): new auth connection: pid=15774
Apr 3 08:13:30 fourier dovecot: auth(default): client in: AUTH^I1^IPLAIN^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=y.y.y.y^Iresp=<hidden>
Apr 3 08:13:30 fourier dovecot: auth(default): ldap(jackmc@lorentz.com,y.y.y.y): bind search: base=ou=users, dc=lorentz,dc=com filter=(&(objectClass=inetOrgPerson)(mail=jackmc@lorentz.com))
Apr 3 08:16:30 fourier dovecot: imap-login: Disconnected: Inactivity: method=PLAIN, rip=y.y.y.y, lip=x.x.x.x, TLS
The OpenLDAP log shows that the query is received and that it returns a
match:
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH base="ou=users,dc=lorentz,dc=com" scope=1 deref=0 filter="(&(objectClass=inetOrgPerson)(mail=jackmc@lorentz.com))"
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH attr=uid
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
When I do the query from the command line, there is an additional pair
of lines:
Apr 3 08:18:10 fourier slapd[16106]: conn=22 op=2 UNBIND
Apr 3 08:18:10 fourier slapd[16106]: conn=22 fd=28 closed
I thus conclude that Dovecot is not closing the connection.
-- 
Jack McKinney
GPG 1024D/99C6A174
jackmc@lorentz.com
YM:lfaatsnat2006 AIM:jackmclorentz
"There is no parameter that makes it impossible for you to perform still more excellently."
-Mario Cuomo, on the lack of a clock in baseball
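The search-then-bind sequence that auth_bind is expected to run for the posted config, as an added simulation in Python that is not part of the original post or of Dovecot. The in-memory directory, passwords and helper names are constructed; %Lu is expanded as the lowercased login and %Dd per Dovecot's documented rule (each "." in the domain becomes ",dc="), which is why the posted log shows base=ou=users, dc=lorentz,dc=com.

```python
import re

# Constructed stand-in for the poster's directory (passwords invented for the simulation).
DIRECTORY = {
    "cn=varmail,ou=users,dc=lorentz,dc=com": {"userPassword": "varmail-secret"},
    "cn=Jack McKinney,ou=users,dc=lorentz,dc=com": {
        "objectClass": ["inetOrgPerson"], "mail": ["jackmc@lorentz.com"],
        "userPassword": "jack-secret"},
}

# Values from the posted dovecot-ldap.conf (dnpass replaced by the constructed secret).
CONFIG = {
    "dn": "cn=varmail,ou=users,dc=lorentz,dc=com", "dnpass": "varmail-secret",
    "pass_filter": "(&(objectClass=inetOrgPerson)(mail=%Lu))",
    "base": "ou=users, dc=%Dd",
}

def expand(template, login):
    """Expand the two Dovecot variables the config uses: %Lu = lowercased login,
    %Dd = domain with each '.' turned into ',dc=' (so 'dc=%Dd' -> dc=lorentz,dc=com)."""
    domain = login.partition("@")[2]
    return template.replace("%Lu", login.lower()).replace("%Dd", domain.replace(".", ",dc="))

def norm_dn(dn):
    # DNs compare case-insensitively, and the space after a comma is not significant.
    return dn.replace(", ", ",").lower()

def bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password

def search_onelevel(base, filt):
    """Mimic scope=onelevel with the posted filter: direct children of base
    that are inetOrgPerson entries whose mail attribute matches."""
    wanted = re.search(r"\(mail=([^)]+)\)", filt).group(1).lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        parent = dn.partition(",")[2]
        mails = [m.lower() for m in attrs.get("mail", [])]
        if (norm_dn(parent) == norm_dn(base) and wanted in mails
                and "inetOrgPerson" in attrs.get("objectClass", [])):
            hits.append(dn)
    return hits

def auth_bind(login, password, cfg=CONFIG):
    """Two-phase auth_bind: search as the service account, then bind as the found user DN."""
    if not bind(cfg["dn"], cfg["dnpass"]):
        return "service bind failed"
    hits = search_onelevel(expand(cfg["base"], login), expand(cfg["pass_filter"], login))
    if len(hits) != 1:
        return "unknown user"
    # Second phase: a BIND as the found DN with the user's own password.
    return "ok" if bind(hits[0], password) else "wrong password"
```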