Problem to configure dovecot-ldap.conf.ext
Hello,
Dovecot 2.2.25, CentOS 7
I set up LDAP (FreeIPA) to have a user for dovecot that can (read, search, compare) all attributes that I need for dovecot.
I must also have mailAlternateAddress.
When I do an ldapsearch with this user, I find all I need to configure dovecot.
But for me it is not possible to configure this correctly?
I can run for the user
doveadm auth test office and doveadm auth test office@example.com
with successful authentication,
but when I run doveadm auth test info@example.co (mailAlternateAddress)
I get a broken authentication.
Can anyone give me a hint what is wrong, or is this not possible?
# Space separated list of LDAP hosts to use. host:port is allowed too.
#hosts = 192.168.100.204 192.168.100.214
#hosts = 192.168.100.204
hosts = ipa.example.com

# LDAP URIs to use. You can use this instead of hosts list. Note that this
# setting isn't supported by all LDAP libraries.
#uris = ldap://ipa.example.com ldap://ipa1.example.com

# Distinguished Name - the username used to login to the LDAP server.
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com

# Password for LDAP server, if dn is specified.
dnpass = 'XXXXXXXXXXXXXX'

# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
# and auth_bind=yes don't work together.
sasl_bind = yes
# SASL mechanism name to use.
sasl_mech = gssapi
# SASL realm to use.
sasl_realm = EXAMPLE.COM
# SASL authorization ID, ie. the dnpass is for this "master user", but the
# dn is still the logged in user. Normally you want to keep this empty.
sasl_authz_id = imap/mx01.example.com@EXAMPLE.COM

# Use TLS to connect to the LDAP server.
#tls = yes
# TLS options, currently supported only with OpenLDAP:
tls_ca_cert_file = /etc/ipa/ca.crt
#tls_ca_cert_dir =
#tls_cipher_suite =
# TLS cert/key is used only if LDAP server requires a client certificate.
#tls_cert_file =
#tls_key_file =
# Valid values: never, hard, demand, allow, try
tls_require_cert = demand

# Use the given ldaprc path.
#ldaprc_path =

# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
# to get enough output.
#debug_level = 0

# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes

# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
#
# If you use this setting, it's a good idea to use a different
# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
# the filename is different in userdb's args). That way one connection is used
# only for LDAP binds and another connection is used for user lookups.
# Otherwise the binding is changed to the default DN before each user lookup.
#
# For example:
#auth_bind_userdn = cn=%u,ou=people,o=org
auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com

# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3

# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
base = cn=users,cn=accounts,dc=example,dc=com

# Dereference: never, searching, finding, always
#deref = never

# Search scope: base, onelevel, subtree
scope = subtree
#scope = onelevel

# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
#   uid - System UID
#   gid - System GID
#   home - Home directory
#   mail - Mail location
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_attrs = uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000

# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if user there's no domain
user_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))

# Password checking attributes:
#   user: Virtual user name (user@domain), if you wish to change the
#         user-given username to something else
#   password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
pass_attrs = uid=user,userPassword=password,mailAlternateAddress=user

# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
# string. For example:
#pass_attrs = uid=user,userPassword=password,\
#  homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

# Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
pass_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))

# Attributes and filter to get a list of all users
iterate_attrs = uid=user, mailAlternateAddress=user
iterate_filter = (objectClass=posixAccount)

# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
#default_pass_scheme = CRYPT
-- with kind regards / best regards,
Günther J. Niederwimmer
On Tue, 25 Oct 2016, Günther J. Niederwimmer wrote:

> I set up LDAP (FreeIPA) to have a user for dovecot that can (read, search, compare) all attributes that I need for dovecot.
> I must also have mailAlternateAddress.
> When I do an ldapsearch with this user, I find all I need to configure dovecot.
>
> doveadm auth test office and doveadm auth test office@example.com
> with successful authentication,
> but when I run doveadm auth test info@example.co (mailAlternateAddress)

I guess the missing 'm' in .co is a typo?

Do you find

doveadm user -u office
doveadm user -u office@example.com
doveadm user -u info@example.co

> I get a broken authentication.
> Can anyone give me a hint what is wrong, or is this not possible?

Show us your LDAP record of this user.

> # Distinguished Name - the username used to login to the LDAP server.
> # Leave it commented out to bind anonymously (useful with auth_bind=yes).
> dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
>
> # Password for LDAP server, if dn is specified.
> dnpass = 'XXXXXXXXXXXXXX'
>
> # Use SASL binding instead of the simple binding. Note that this changes
> # ldap_version automatically to be 3 if it's lower. Also note that SASL binds
> # and auth_bind=yes don't work together.
> sasl_bind = yes
> # SASL mechanism name to use.
> sasl_mech = gssapi
> # SASL realm to use.
> sasl_realm = EXAMPLE.COM
> # SASL authorization ID, ie. the dnpass is for this "master user", but the
> # dn is still the logged in user. Normally you want to keep this empty.
> sasl_authz_id = imap/mx01.example.com@EXAMPLE.COM

Dunno with SASL and Co.

> # Use authentication binding for verifying password's validity. This works by
> # logging into LDAP server using the username and password given by client.
> # The pass_filter is used to find the DN for the user. Note that the pass_attrs
> # is still used, only the password field is ignored in it. Before doing any
> # search, the binding is switched back to the default DN.
> auth_bind = yes
>
> # If authentication binding is used, you can save one LDAP request per login
> # if users' DN can be specified with a common template. The template can use
> # the standard %variables (see user_filter). Note that you can't
> # use any pass_attrs if you use this setting.
> #
> # If you use this setting, it's a good idea to use a different
> # dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
> # the filename is different in userdb's args). That way one connection is used
> # only for LDAP binds and another connection is used for user lookups.
> # Otherwise the binding is changed to the default DN before each user lookup.
> #
> # For example:
> #auth_bind_userdn = cn=%u,ou=people,o=org
> auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com

That one looks strange, you really have an account (uid=office@example.com)?

> # Search scope: base, onelevel, subtree
> scope = subtree
> #scope = onelevel
>
> # User attributes are given in LDAP-name=dovecot-internal-name list. The
> # internal names are:
> #   uid - System UID
> #   gid - System GID
> #   home - Home directory
> #   mail - Mail location
> # There are also other special fields which can be returned, see
> # http://wiki2.dovecot.org/UserDatabase/ExtraFields
> #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
> user_attrs = uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000
>
> # Filter for user lookup. Some variables can be used (see
> # http://wiki2.dovecot.org/Variables for full list):
> #   %u - username
> #   %n - user part in user@domain, same as %u if there's no domain
> #   %d - domain part in user@domain, empty if user there's no domain
> user_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))

If doveadm user -u info@example.co returns your entry, this filter is OK.

> # Password checking attributes:
> #   user: Virtual user name (user@domain), if you wish to change the
> #         user-given username to something else
> #   password: Password, may optionally start with {type}, eg. {crypt}
> # There are also other special fields which can be returned, see
> # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
> pass_attrs = uid=user,userPassword=password,mailAlternateAddress=user

You cannot return two values for user; I guess you want to have "uid", so

pass_attrs = uid=user,userPassword=password

> # Filter for password lookups
> #pass_filter = (&(objectClass=posixAccount)(uid=%u))
> pass_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))

Looks good, if doveadm user -u info@example.co returns something sensible, because the user filter is the same.

> # Attributes and filter to get a list of all users
> iterate_attrs = uid=user, mailAlternateAddress=user

same as pass_attr.

> iterate_filter = (objectClass=posixAccount)

Looks strange, should be

iterate_filter = (objectClass=mailrecipient)

> # Default password scheme. "{scheme}" before password overrides this.
> # List of supported schemes is in: http://wiki2.dovecot.org/Authentication
> #default_pass_scheme = CRYPT

Steffen Kaiser
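Steffen's point about pass_attrs, as an added Python example (not code from the thread, and not Dovecot's own parser): it reads the ldapAttr=field, ldapAttr=field=template and =field=value mapping forms that the posted user_attrs and pass_attrs use, applies them to a constructed entry modelled on the ldapsearch output posted in this thread (the userPassword value is made up), and reports which Dovecot fields more than one mapping tries to set. How Dovecot itself resolves such a collision is not modelled; here the last mapping wins so that the collision is visible.

```python
"""Model of Dovecot's user_attrs / pass_attrs mapping syntax.
Added example for this thread; not Dovecot code. Mapping forms handled:
    ldapAttr=field            copy the attribute value into field
    ldapAttr=field=template   set field to template, %$ = attribute value
    =field=value              static value, no LDAP attribute involved
Letting the last mapping win on a collision is an assumption of this model."""

# Constructed sample entry, reduced to the attributes the mappings use.
# Values follow the posted ldapsearch output except the made-up userPassword.
ENTRY = {
    "uid": ["office"],
    "mail": ["office@example.com"],
    "mailAlternateAddress": ["info@example.com"],
    "userPassword": ["{PLAIN}constructed-sample-password"],
    "homeDirectory": ["/home/office"],
    "uidNumber": ["1507800005"],
    "gidNumber": ["1507800005"],
}

USER_ATTRS = "uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000"
PASS_ATTRS_POSTED = "uid=user,userPassword=password,mailAlternateAddress=user"
PASS_ATTRS_FIXED = "uid=user,userPassword=password"


def parse_attr_map(spec):
    """Split 'a=b,c=d=tmpl,=e=static' into (ldap_attr, field, template) triples.
    An empty ldap_attr means the field takes the template as a static value."""
    triples = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split("=", 2)
        if len(parts) < 2:
            raise ValueError("mapping needs at least ldapAttr=field: %r" % item)
        ldap_attr, field = parts[0], parts[1]
        template = parts[2] if len(parts) == 3 else None
        triples.append((ldap_attr, field, template))
    return triples


def apply_attr_map(spec, entry):
    """Return (fields, collisions): the resulting Dovecot fields and the names
    of fields that more than one mapping tried to set."""
    # LDAP attribute names are case-insensitive; normalise the entry once.
    entry_ci = {name.lower(): values for name, values in entry.items()}
    fields, collisions = {}, []
    for ldap_attr, field, template in parse_attr_map(spec):
        if ldap_attr == "":
            value = template                       # static value
        else:
            values = entry_ci.get(ldap_attr.lower())
            if not values:
                continue                           # attribute absent: field unset
            value = values[0] if template is None else template.replace("%$", values[0])
        if field in fields:
            collisions.append(field)
        fields[field] = value
    return fields, collisions


if __name__ == "__main__":
    for label, spec in (("user_attrs", USER_ATTRS),
                        ("pass_attrs (posted)", PASS_ATTRS_POSTED),
                        ("pass_attrs (fixed)", PASS_ATTRS_FIXED)):
        fields, collisions = apply_attr_map(spec, ENTRY)
        print("%-20s %s  collisions: %s" % (label, fields, collisions))
```

Running it shows user_attrs yielding exactly the fields `doveadm user` reports (user, home, uid, gid), the posted pass_attrs assigning `user` twice (which value ends up in the field depends on mapping order, which is why the line is ambiguous), and the corrected pass_attrs giving a single `user`.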
Hello Steffen and List,
Thanks for the answer and help.
I think I found the biggest problem, it is "auth_bind_userdn = ".
Please read the rest ;-)

On Tuesday, 25 October 2016, 12:19:08, Steffen Kaiser wrote:
> On Tue, 25 Oct 2016, Günther J. Niederwimmer wrote:
> > I set up LDAP (FreeIPA) to have a user for dovecot that can (read, search, compare) all attributes that I need for dovecot.
> > I must also have mailAlternateAddress.
> > When I do an ldapsearch with this user, I find all I need to configure dovecot.
> > doveadm auth test office and doveadm auth test office@example.com
> > with successful authentication,
> > but when I run doveadm auth test info@example.co (mailAlternateAddress)
>
> I guess the missing 'm' in .co is a typo?

;-) Yes

> Do you find
>
> doveadm user -u office
> doveadm user -u office@example.com
> doveadm user -u info@example.com

Yes, this is working for all users:

doveadm user -u office
userdb: office
  user : office
  home : /srv/vmail/office
  uid  : 10000
  gid  : 10000

doveadm user -u info@example.com
userdb: info@example.com
  user : office
  home : /srv/vmail/office
  uid  : 10000
  gid  : 10000

> > I get a broken authentication.
> > Can anyone give me a hint what is wrong, or is this not possible?
>
> Show us your LDAP record of this user.

This is the result of ldapsearch with dovecot's special user, from the dovecot system!

ldapsearch -w 'XXXXXXXXXXX' -h ipa.example.com -D 'uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com' -s sub -b 'dc=example,dc=com' 'mail=office@example.com'

I can also search for 'mailAlternateAddress=info@example.com' with the same result.

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: mail=office@example.com
# requesting: ALL
#

# office, users, accounts, example.com
dn: uid=office,cn=users,cn=accounts,dc=example,dc=com
st: AUSTRIA
l: Salzburg
postalCode: 5020
krbPasswordExpiration: 20380101000000Z
krbLastPwdChange: 20160929133721Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com
mailAlternateAddress: info@example.com
displayName:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
uid: office
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: mailrecipient
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/bash
initials: GN
gecos:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
sn: Niederwimmer
homeDirectory: /home/office
mail: office@example.com
krbPrincipalName: office@example.COM
givenName:: R8O8bnRoZXIgSi4=
cn:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
ipaUniqueID: 3a6e2256-8648-11e6-b45d-5254002cd3fc
uidNumber: 1507800005
gidNumber: 1507800005

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

> > # Distinguished Name - the username used to login to the LDAP server.
> > # Leave it commented out to bind anonymously (useful with auth_bind=yes).
> > dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> >
> > # Password for LDAP server, if dn is specified.
> > dnpass = 'XXXXXXXXXXXXXX'
> >
> > # Use SASL binding instead of the simple binding. Note that this changes
> > # ldap_version automatically to be 3 if it's lower. Also note that SASL
> > # binds and auth_bind=yes don't work together.
> > sasl_bind = yes
> > # SASL mechanism name to use.
> > sasl_mech = gssapi
> > # SASL realm to use.
> > sasl_realm = EXAMPLE.COM
> > # SASL authorization ID, ie. the dnpass is for this "master user", but the
> > # dn is still the logged in user. Normally you want to keep this empty.
> > sasl_authz_id = imap/mx01.example.com@EXAMPLE.COM
>
> Dunno with SASL and Co.

OK, OK, this was a test and I am reverting it ;-). Now I have #sasl_bind = yes
This is my next problem, to find out whether this is working correctly on my system ;-).

> > # Use authentication binding for verifying password's validity. This works
> > # by logging into LDAP server using the username and password given by client.
> > # The pass_filter is used to find the DN for the user. Note that the pass_attrs
> > # is still used, only the password field is ignored in it. Before doing any
> > # search, the binding is switched back to the default DN.
> > auth_bind = yes
> >
> > # If authentication binding is used, you can save one LDAP request per
> > # login if users' DN can be specified with a common template. The template can use
> > # the standard %variables (see user_filter). Note that you can't
> > # use any pass_attrs if you use this setting.
> > #
> > # If you use this setting, it's a good idea to use a different
> > # dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long
> > # as the filename is different in userdb's args). That way one connection is used
> > # only for LDAP binds and another connection is used for user lookups.
> > # Otherwise the binding is changed to the default DN before each user lookup.
> > #
> > # For example:
> > #auth_bind_userdn = cn=%u,ou=people,o=org
> > auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com
>
> That one looks strange, you really have an account (uid=office@example.com)?

I mean I don't understand this at the moment (?), but I can comment this out?
I am now also running tests with "#auth_bind_userdn = uid=%n...." commented out.
Now the tests are WORKING!!!
Now I have to find out the correct syntax for auth_bind_userdn!!! If it is possible?

> > # Search scope: base, onelevel, subtree
> > scope = subtree
> > #scope = onelevel
> >
> > # User attributes are given in LDAP-name=dovecot-internal-name list. The
> > # internal names are:
> > #   uid - System UID
> > #   gid - System GID
> > #   home - Home directory
> > #   mail - Mail location
> > # There are also other special fields which can be returned, see
> > # http://wiki2.dovecot.org/UserDatabase/ExtraFields
> > #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
> > user_attrs = uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000
> >
> > # Filter for user lookup. Some variables can be used (see
> > # http://wiki2.dovecot.org/Variables for full list):
> > #   %u - username
> > #   %n - user part in user@domain, same as %u if there's no domain
> > #   %d - domain part in user@domain, empty if user there's no domain
> > user_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))
>
> If doveadm user -u info@example.co returns your entry, this filter is OK.

Yes, this filter is OK ;-)

> > # Password checking attributes:
> > #   user: Virtual user name (user@domain), if you wish to change the
> > #         user-given username to something else
> > #   password: Password, may optionally start with {type}, eg. {crypt}
> > # There are also other special fields which can be returned, see
> > # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
> > pass_attrs = uid=user,userPassword=password,mailAlternateAddress=user
>
> You cannot return two values for user; I guess you want to have "uid", so
>
> pass_attrs = uid=user,userPassword=password

OK, I changed it back; these were only tests to find the correct setup for dovecot.

> > # Filter for password lookups
> > #pass_filter = (&(objectClass=posixAccount)(uid=%u))
> > pass_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))
>
> Looks good, if doveadm user -u info@example.co returns something sensible, because the user filter is the same.

:-)

> > # Attributes and filter to get a list of all users
> > iterate_attrs = uid=user, mailAlternateAddress=user
>
> same as pass_attr.
>
> > iterate_filter = (objectClass=posixAccount)
>
> Looks strange, should be
>
> iterate_filter = (objectClass=mailrecipient)

Changed to your parameters.

> > # Default password scheme. "{scheme}" before password overrides this.
> > # List of supported schemes is in: http://wiki2.dovecot.org/Authentication
> > #default_pass_scheme = CRYPT

As I said before, with "auth_bind_userdn" commented out the authentication is now also working with "mailAlternateAddress= xxxxxxxxx".
Many thanks for the hint ;-)
-- with kind regards / best regards,
Günther J. Niederwimmer
On Tue, 25 Oct 2016, Günther J. Niederwimmer wrote:

> Thanks for the answer and help.
> I think I found the biggest problem, it is "auth_bind_userdn = ".
>
> On Tuesday, 25 October 2016, 12:19:08, Steffen Kaiser wrote:
> > On Tue, 25 Oct 2016, Günther J. Niederwimmer wrote:
> > > I set up LDAP (FreeIPA) to have a user for dovecot that can (read, search, compare) all attributes that I need for dovecot.
> > > I must also have mailAlternateAddress.
> > > When I do an ldapsearch with this user, I find all I need to configure dovecot.
> > > doveadm auth test office and doveadm auth test office@example.com
> > > with successful authentication,
> > > but when I run doveadm auth test info@example.co (mailAlternateAddress)
> >
> > I guess the missing 'm' in .co is a typo?
>
> ;-) Yes
>
> > Do you find
> >
> > doveadm user -u office
> > doveadm user -u office@example.com
> > doveadm user -u info@example.com
>
> Yes, this is working for all users:
>
> doveadm user -u office
> userdb: office
>   user : office
>   home : /srv/vmail/office
>   uid  : 10000
>   gid  : 10000
>
> doveadm user -u info@example.com
> userdb: info@example.com
>   user : office
>   home : /srv/vmail/office
>   uid  : 10000
>   gid  : 10000
>
> > > I get a broken authentication.
> > > Can anyone give me a hint what is wrong, or is this not possible?
> >
> > Show us your LDAP record of this user.
>
> This is the result of ldapsearch with dovecot's special user, from the dovecot system!
>
> ldapsearch -w 'XXXXXXXXXXX' -h ipa.example.com -D 'uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com' -s sub -b 'dc=example,dc=com' 'mail=office@example.com'
>
> I can also search for 'mailAlternateAddress=info@example.com' with the same result.
>
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> with scope subtree
> # filter: mail=office@example.com
> # requesting: ALL
> #
>
> # office, users, accounts, example.com
> dn: uid=office,cn=users,cn=accounts,dc=example,dc=com
> st: AUSTRIA
> l: Salzburg
> postalCode: 5020
> krbPasswordExpiration: 20380101000000Z
> krbLastPwdChange: 20160929133721Z
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
> memberOf: cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com
> mailAlternateAddress: info@example.com
> displayName:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
> uid: office
> objectClass: ipaobject
> objectClass: person
> objectClass: top
> objectClass: ipasshuser
> objectClass: inetorgperson
> objectClass: mailrecipient
> objectClass: organizationalperson
> objectClass: krbticketpolicyaux
> objectClass: krbprincipalaux
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> loginShell: /bin/bash
> initials: GN
> gecos:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
> sn: Niederwimmer
> homeDirectory: /home/office
> mail: office@example.com
> krbPrincipalName: office@example.COM
> givenName:: R8O8bnRoZXIgSi4=
> cn:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
> ipaUniqueID: 3a6e2256-8648-11e6-b45d-5254002cd3fc
> uidNumber: 1507800005
> gidNumber: 1507800005
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1

> > > # For example:
> > > #auth_bind_userdn = cn=%u,ou=people,o=org
> > > auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com
> >
> > That one looks strange, you really have an account (uid=office@example.com)?
>
> I mean I don't understand this at the moment (?), but I can comment this out?

Well, you must comment out this setting, because:

http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds?highlight=%28auth_bind_...

"If you're using DN template, pass_attrs and pass_filter settings are completely ignored."

That is: Only if *all* your users log in using their "uid" attribute and are located at a single predictable hierarchy level, you can use this in order to avoid the LDAP query with passdb_filter to locate the user's DN.

> I am now also running tests with "#auth_bind_userdn = uid=%n...." commented out.
> Now the tests are WORKING!!!
> Now I have to find out the correct syntax for auth_bind_userdn!!! If it is possible?

Steffen Kaiser
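Steffen's explanation of the DN template, as an added Python example (not code from the thread or from Dovecot): an in-memory directory holding the one entry posted above, a minimal evaluator for the filter syntax used in the posted pass_filter, and a model of Dovecot's %variable expansion (%u, %n, %d with the L modifier). bind_dn_for() returns the DN the passdb would bind as: with auth_bind_userdn set, pass_filter is never consulted and the login name is pasted straight into the DN, so info@example.com becomes the non-existent uid=info,...; without the template the filter locates uid=office,... through mailAlternateAddress. The escaping helpers are simplified RFC 4514/4515 escaping written for this example, not Dovecot's own var_expand code, and the evaluator knows only &, | and attr=value (no wildcards).

```python
"""Model of how the Dovecot LDAP passdb with auth_bind=yes picks the bind DN.
Added example for this thread; not Dovecot code. The directory, filter
evaluator and escaping are simplified stand-ins written here."""
import re

# Constructed in-memory directory: the single entry from the posted ldapsearch.
DIRECTORY = {
    "uid=office,cn=users,cn=accounts,dc=example,dc=com": {
        "objectclass": ["mailrecipient", "posixaccount", "inetorgperson"],
        "uid": ["office"],
        "mail": ["office@example.com"],
        "mailalternateaddress": ["info@example.com"],
    },
}
AUTH_BIND_USERDN = "uid=%n,cn=users,cn=accounts,dc=example,dc=com"
PASS_FILTER = ("(&(objectClass=mailrecipient)"
               "(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))")


def filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def dn_escape(value):
    """RFC 4514 escaping for an attribute value inside a DN (simplified)."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    return "\\" + out if out[:1] in ("#", " ") else out


def expand(template, login, escape):
    """Expand %u (full login), %n (local part) and %d (domain); the L modifier
    lowercases. Every substituted value passes through the given escaper."""
    local, _, domain = login.partition("@")
    values = {"u": login, "n": local, "d": domain}

    def sub(m):
        value = values[m.group(2)]
        return escape(value.lower() if "L" in m.group(1) else value)
    return re.sub(r"%([A-Z]*)([und])", sub, template)


def parse_filter(text):
    """Tiny RFC 4515 parser: (&...), (|...) and (attr=value), no wildcards."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op, pos = text[pos], pos + 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        # undo RFC 4515 escaping so "\2a" compares as a literal "*"
        value = re.sub(r"\\([0-9a-fA-F]{2})",
                       lambda m: chr(int(m.group(1), 16)), value)
        return ("=", attr.lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    if tree[0] == "=":  # attribute values compared case-insensitively
        return any(v.lower() == tree[2].lower() for v in entry.get(tree[1], []))
    combine = all if tree[0] == "&" else any
    return combine(matches(kid, entry) for kid in tree[1])


def search(filter_text, directory=DIRECTORY):
    tree = parse_filter(filter_text)
    return [dn for dn, entry in directory.items() if matches(tree, entry)]


def bind_dn_for(login, userdn_template=None):
    """DN the passdb would bind as. With a template, pass_filter is ignored and
    the login name is pasted into the DN; otherwise pass_filter must yield
    exactly one entry, else None."""
    if userdn_template:
        return expand(userdn_template, login, dn_escape)
    found = search(expand(PASS_FILTER, login, filter_escape))
    return found[0] if len(found) == 1 else None


def bind_would_succeed(login, userdn_template=None, directory=DIRECTORY):
    """True if the chosen DN exists; password checking is out of scope here."""
    return bind_dn_for(login, userdn_template) in directory


if __name__ == "__main__":
    for login in ("office", "office@example.com", "info@example.com"):
        print("%-20s template: %-5s  pass_filter: %s" % (
            login, bind_would_succeed(login, AUTH_BIND_USERDN),
            bind_would_succeed(login)))
```

The three logins reproduce the thread: office and office@example.com bind either way, info@example.com only through pass_filter. The two escapers are the practitioner's caveat: with the template, whatever the client sends becomes part of a DN, and without filter escaping a login such as `*)(uid=*` would rewrite the search filter; the real check on a live system is the same `doveadm auth test` the thread used, with and without auth_bind_userdn.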
participants (2):
- Günther J. Niederwimmer
- Steffen Kaiser