[Dovecot] user_global_uid - tricky to set
Hola!
Dovecot should serve virtual mail users. So I've set user_global_uid and user_global_gid in dovecot_ldap.conf to vmail/vmail. Also I've commented out the user_attrs field. Still Dovecot tries to switch to the uid that is defined in the LDAP entry.
It took me some time to figure out that the only way to prevent this is to set user_attrs = foo=uid,bar=gid or something like this, so Dovecot doesn't have a chance to find the uid/gid. Still it will perform some LDAP lookups.
In my opinion, Dovecot shouldn't try to get the uid/gid from LDAP if the user_attrs field is undefined.
I'm using Dovecot 1.0rc24 on Debian sid.
Regards, A.
On Thu, 2007-03-01 at 22:02 +0100, Alexej Davidov wrote:
Hola!
Dovecot should serve virtual mail users. So I've set user_global_uid and user_global_gid in dovecot_ldap.conf to vmail/vmail. Also I've commented out the user_attrs field. Still Dovecot tries to switch to the uid that is defined in the LDAP entry.
It took me some time to figure out that the only way to prevent this is to set user_attrs = foo=uid,bar=gid or something like this, so Dovecot doesn't have a chance to find the uid/gid. Still it will perform some LDAP lookups.
In my opinion, Dovecot shouldn't try to get the uid/gid from LDAP if the user_attrs field is undefined.
Commenting out user_attrs is the same as setting it to the default value. Setting "user_attrs =" should have worked. However if you don't want userdb LDAP lookup at all, use userdb static instead.
On Tue, 06 Mar 2007 16:55:25 +0200 Timo Sirainen <tss@iki.fi> wrote:
On Thu, 2007-03-01 at 22:02 +0100, Alexej Davidov wrote:
Hola!
Dovecot should serve virtual mail users. So I've set user_global_uid and user_global_gid in dovecot_ldap.conf to vmail/vmail. Also I've commented out the user_attrs field. Still Dovecot tries to switch to the uid that is defined in the LDAP entry.
It took me some time to figure out that the only way to prevent this is to set user_attrs = foo=uid,bar=gid or something like this, so Dovecot doesn't have a chance to find the uid/gid. Still it will perform some LDAP lookups.
In my opinion, Dovecot shouldn't try to get the uid/gid from LDAP if the user_attrs field is undefined.
Commenting out user_attrs is the same as setting it to the default value. Setting "user_attrs =" should have worked. However if you don't want userdb LDAP lookup at all, use userdb static instead.
I want to use ldap for authorization. The entries just happen to contain a uid field, which should not be used for file access, though.
Setting "user_attrs =" did not work. Dovecot still looked up the uid from ldap. I always got:
Mar 1 21:31:54 myhost dovecot: imap-login: Login: user=<foo@bar.net>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS
Mar 1 21:31:54 myhost dovecot: IMAP(foo@bar.net): stat(/var/vmail/foo/cur) failed: Permission denied
I tried again with "user_attrs =" and strangely enough the error is now different:
Mar 6 19:11:52 myhost dovecot: imap-login: Internal login failure: user=<foo@bar.net>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS
Mar 6 19:11:52 myhost dovecot: child 9966 (auth) killed with signal 11
After setting user_attrs back to "foo=uid,bar=gid" everything works again.
A.
On Tue, 2007-03-06 at 19:32 +0100, Alexej Davidov wrote:
Commenting out user_attrs is the same as setting it to the default value. Setting "user_attrs =" should have worked. However if you don't want userdb LDAP lookup at all, use userdb static instead.
I want to use ldap for authorization. The entries just happen to contain a uid field, which should not be used for file access, though.
Yes, but using passdb ldap is enough for authentication. You don't want to use LDAP as userdb. Just remove userdb ldap {} and add:
userdb static { args = uid=vmail gid=vmail }
I tried again with "user_attrs =" and strangely enough the error is now different:
Mar 6 19:11:52 myhost dovecot: imap-login: Internal login failure: user=<foo@bar.net>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS
Mar 6 19:11:52 myhost dovecot: child 9966 (auth) killed with signal 11
Looks like that's a bug and the empty user_attrs didn't do what I thought it did. Fixed: http://dovecot.org/list/dovecot-cvs/2007-March/007949.html
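To make the suggested split concrete, here is an added configuration example (not from the thread or from the Dovecot project itself) showing the Dovecot 1.0-style auth section with passdb ldap for password checks and userdb static for the fixed vmail identity. The LDAP settings path /etc/dovecot/dovecot-ldap.conf, the home directory pattern /var/vmail/%n and the vmail user and group are assumptions for illustration; adjust them to your installation.

```conf
# Added example, not the thread's or the project's own config.
# Assumes: vmail user/group exist, LDAP settings live in
# /etc/dovecot/dovecot-ldap.conf, and mailboxes sit under /var/vmail/<user>.
auth default {
  mechanisms = plain

  # Password verification is done against LDAP only.
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }

  # Problematic variant from the thread: userdb ldap hands back whatever
  # uid/gid the directory entry contains, so mail processes try to switch to
  # that account and fail with "stat(...) failed: Permission denied".
  # userdb ldap {
  #   args = /etc/dovecot/dovecot-ldap.conf
  # }

  # Fixed identity: every virtual user runs as vmail regardless of what the
  # LDAP entry says, and no userdb LDAP lookup is performed at all.
  # %n is the username without the domain part (foo for foo@bar.net).
  userdb static {
    args = uid=vmail gid=vmail home=/var/vmail/%n
  }
}
```

With this layout user_global_uid and user_global_gid in the LDAP settings file are irrelevant, because they only apply when LDAP is used as a userdb. Any uidNumber or gidNumber attribute present on the entries is simply never consulted for filesystem access.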
On Tue, 06 Mar 2007 20:53:05 +0200 Timo Sirainen <tss@iki.fi> wrote:
On Tue, 2007-03-06 at 19:32 +0100, Alexej Davidov wrote:
Yes, but using passdb ldap is enough for authentication. You don't want to use LDAP as userdb. Just remove userdb ldap {} and add:
userdb static { args = uid=vmail gid=vmail }
Oh, I get it now. That works. Thanks.