[Dovecot] Multiple LDAP authentication servers
Hello,
We are performing a Domain migration and I was wondering if there was any way to get Dovecot to authenticate to more than 1 LDAP server? Currently dovecot is configured to query the "mail" attribute from Active Directory and when found it binds with the credentials the user provided.
This works fine, but when migrating user accounts, they get disabled in the source domain so that the user can no longer log on to it. But disabling the account in the source domain causes the user to be unable to use his email account.
Is there any way to get dovecot to try a second LDAP server if the first one fails to authenticate?
~# dovecot -n
# 1.2.11: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.29-xs5.5.0.15 i686 Debian 5.0.4 ext3
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imaps imap
ssl_cert_file: /etc/ssl/certs/smtpd.crt
ssl_key_file: /etc/ssl/private/smtpd.key
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
login_user: postfix
mail_privileged_group: mail
mail_uid: vmail
mail_gid: vmail
mail_location: maildir:/srv/mail/vmail/%Ud/%Ln/Maildir
mbox_write_locks: fcntl dotlock
imap_client_workarounds: delay-newmail outlook-idle netscape-eoh
lda:
  postmaster_address: postmaster@h-st.com
  auth_socket_path: /var/run/dovecot/auth-master
  log_path: /var/log/dovecot-deliver.log
  info_log_path: /var/log/dovecot-deliver-info.log
auth default:
  mechanisms: plain login
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth-client
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail
Thanks
Romer Ventura
On Monday 03 October 2011 16:29:39 Romer Ventura wrote:
Is there any way to get dovecot to try a second LDAP server if the first one fails to authenticate?
Sure; just add a second passdb (maybe you also need a second userdb) pointing to the other server. Something like
passdb ldap {
  args = /usr/local/etc/AD.conf
}
passdb ldap {
  args = /usr/local/etc/second.conf
}
HTH
Joseba Torre. Vicegerencia de TICs, área de Explotación
So you are saying I can define multiple passdb and userdb, each pointing to a different ldap config file?
Thanks
Romer Ventura
-----Original Message-----
From: dovecot-bounces@dovecot.org [mailto:dovecot-bounces@dovecot.org] On Behalf Of Joseba Torre
Sent: Monday, October 03, 2011 10:22 AM
To: dovecot@dovecot.org
Subject: Re: [Dovecot] Multiple LDAP authentication servers
On Monday 03 October 2011 17:34:47 Romer Ventura wrote:
So you are saying I can define multiple passdb and userdb, each pointing to a different ldap config file?
That's it. You may define as many as you need, and each one is independent. If the 1st one fails dovecot will try the 2nd one, then the 3rd one and so on.
Joseba Torre. Vicegerencia de TICs, área de Explotación
-----Original Message-----
From: dovecot-bounces@dovecot.org [mailto:dovecot-bounces@dovecot.org] On Behalf Of Romer Ventura
Sent: Monday, October 03, 2011 9:30 AM
To: dovecot@dovecot.org
Subject: [Dovecot] Multiple LDAP authentication servers
Also I forgot to mention that these are different domains: we are now authenticating to DOMAIN-AAA.COM and we would like to authenticate to DOMAIN-BBB.LAN while still allowing authentication to DOMAIN-AAA.COM. The Base DNs and domains are different.
Possible?
Thanks
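As an added example (not configuration from this thread or from the Dovecot project) of the layout Joseba describes, in Dovecot 1.2 syntax: two passdb/userdb pairs tried in order, each pointing at its own LDAP file with its own hosts and base DN, so the two domains with different Base DNs each get their own lookup. Hostnames, file names, DNs and the bind password are placeholders.

```conf
# /etc/dovecot/dovecot.conf (Dovecot 1.2 syntax, auth section only)
# Hostnames, file names and DNs are placeholders, not values from the thread.
auth default {
  mechanisms = plain login

  # passdbs are tried in order: a failed bind against DOMAIN-AAA.COM
  # (e.g. the account was disabled for the migration) falls through
  # to DOMAIN-BBB.LAN. Each file carries its own hosts and base DN.
  passdb ldap {
    args = /etc/dovecot/ldap-domain-aaa.conf
  }
  passdb ldap {
    args = /etc/dovecot/ldap-domain-bbb.conf
  }
  userdb ldap {
    args = /etc/dovecot/ldap-domain-aaa.conf
  }
  userdb ldap {
    args = /etc/dovecot/ldap-domain-bbb.conf
  }
}

# /etc/dovecot/ldap-domain-aaa.conf (source domain)
hosts = dc1.domain-aaa.example
tls = yes                     # STARTTLS so the bind password is not sent in clear
ldap_version = 3
base = dc=domain-aaa,dc=example
scope = subtree
# Look the user up by the "mail" attribute, then bind as the DN found
# with the password the client supplied; no password hashes are read.
auth_bind = yes
dn = cn=dovecot-lookup,ou=service,dc=domain-aaa,dc=example
dnpass = PLACEHOLDER_SECRET   # secret: keep this file readable by the auth process only
pass_filter = (&(objectClass=user)(mail=%u))
user_filter = (&(objectClass=user)(mail=%u))
# uid, gid and mail_location stay global, as in the dovecot -n output above,
# so the userdb lookup only confirms the account exists in this domain.

# /etc/dovecot/ldap-domain-bbb.conf (target domain): same shape, different tree
hosts = dc1.domain-bbb.lan
tls = yes
ldap_version = 3
base = dc=domain-bbb,dc=lan
scope = subtree
auth_bind = yes
dn = cn=dovecot-lookup,ou=service,dc=domain-bbb,dc=lan
dnpass = PLACEHOLDER_SECRET
pass_filter = (&(objectClass=user)(mail=%u))
user_filter = (&(objectClass=user)(mail=%u))
```

Because every login that fails on the first server is retried on the second, expect two bind failures per bad password in the logs of both domain controllers during the migration.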