On Wed, 2008-04-16 at 08:16 +0000, Rob Coward wrote:
I can't help you with what is going wrong for you, but we use dovecot very successfully with ldap lookups against Active Directory, using auth_bind=yes, and it does not require anonymous connections. The initial connection is by an un-privileged user that searches for the user, then a 2nd connection is used, authenticating against AD as the looked up user using the password supplied to dovecot.
This is exactly what I am trying to achieve, though I am using OpenLDAP.
Our setup looks like this:
user_attrs = mail=user
user_filter = (&(objectClass=user)(mail=%u))
pass_attrs = mail=user,userPassword=password,mail=userdb_user
pass_filter = (&(objectClass=user)(mail=%u))
user_global_uid = dovecot
user_global_gid = dovecot
Hmmm. I am not using LDAP for userdb. The only userdb information that is needed is the homedir for the mail (and the uid/gid, but these are always "varmail"). In my case, this is always determined by the email address:
jackmc@lorentz.com -> /var/mail/lorentz.com/jackmc
Thus, I have this in my config:
userdb:
  driver: static
  args: uid=varmail gid=varmail home=/var/mail/%Ld/%Ln
Looking at your config, it seems that your passdb for LDAP depends on your userdb, as you have mail= twice in your pass_attrs, once for userdb_user. For that matter, why do you have userPassword=password? dovecot should never need to see the contents of this field. Indeed, this is the whole point of using auth_bind: instead of dovecot retrieving the password from LDAP and checking it against the user-supplied one, dovecot should _send_ the password to LDAP in the form of a bind and have LDAP accept or reject it.
-- Jack McKinney GPG 1024D/99C6A174 jackmc@lorentz.com YM:lfaatsnat2006 AIM:jackmclorentz Beware geeks bearing diffs
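The auth_bind layout the two messages describe (an unprivileged search bind to find the user's DN, then a second bind as that DN with the client's password, with userdb kept static) written out as a constructed Dovecot 1.x configuration; this is an added example, not a config posted in the thread, and the hostname, base DN, service account name and objectClass are placeholders.

```ini
# --- dovecot-ldap.conf (Dovecot 1.x syntax); placeholders throughout ---
hosts = ldap.example.com
ldap_version = 3
base = ou=people,dc=example,dc=com
scope = subtree

# Step 1: an unprivileged account that only locates the user's entry.
# It needs read access to the 'mail' attribute, not to userPassword.
dn = cn=dovecot-search,ou=services,dc=example,dc=com
dnpass = CHANGEME

# Step 2: Dovecot re-binds as the DN matched by pass_filter, using the
# password the client supplied. The directory accepts or rejects the
# bind, so no userPassword=password entry belongs in pass_attrs, and
# no userdb_user is needed because userdb is served by the static driver.
auth_bind = yes
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
pass_attrs = mail=user

# --- dovecot.conf: passdb via LDAP, userdb derived from the address ---
# passdb ldap {
#   args = /etc/dovecot/dovecot-ldap.conf
# }
# userdb static {
#   args = uid=varmail gid=varmail home=/var/mail/%Ld/%Ln
# }
```

The search account's ACL on the directory is the check to make: it should be able to read mail and the DN, and nothing more.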