[Dovecot] Dovecot deliver with AD LDAP userdb
Good Afternoon,
I have my virtual users stored in an Active Directory database. As far as mail info goes the 2 important fields are: mail (their primary email address) and otherMailbox (a multivalue attribute containing their mail aliases). Right now all email addresses belong in the same domain and there are no immediate plans to change this.
If I use Postfix to do the lookups and delivery only using Dovecot for passdb Pam driver and a static userdb then everything delivers fine to mail and otherMailbox addresses. I have been working on switching over to Dovecot's deliver process in order to integrate sieve capability. I have configured userdb ldap and passdb ldap in Dovecot and have set up master and client sockets. Before I describe my problem let me show you my configuration (as I think the dovecot-ldap.conf in particular needs to be explained). Here are the important parts of dovecot.conf:
auth default { socket listen { master { path = /usr/var/run/dovecot/auth-master mode = 0666 user = vmail group = vmail }
client {
path = /var/spool/postfix/private/auth
mode = 0666
user = postfix
group = postfix
}
}
passdb ldap { args = /etc/dovecot-ldap.conf } userdb ldap { # Path for LDAP configuration file, see doc/dovecot-ldap-example.conf args = /etc/dovecot-ldap.conf }
and my dovecot -n:
lda: postmaster_address: postmaster@sau24.org mail_plugins: sieve auth default: mechanisms: plain login debug: yes passdb: driver: ldap args: /etc/dovecot-ldap.conf userdb: driver: ldap args: /etc/dovecot-ldap.conf socket: type: listen client: path: /var/spool/postfix/private/auth mode: 438 user: postfix group: postfix master: path: /usr/var/run/dovecot/auth-master mode: 438 user: vmail group: vmail plugin: sieve: ~/.dovecot.sieve sieve_dir: ~/sieve sieve_storage: ~/sieve
Further, here is my dovecot-ldap.conf:
hosts = delldb.sau24.org:3268 base = dc=sau24, dc=org ldap_version = 3 dn = cn=Mail User,cn=Users,dc=sau24,dc=org dnpass = secret auth_bind = yes scope = subtree user_attrs = sAMAccountName=home=/home/vmail/%$,=uid=501,=gid=501 pass_attrs = sAMAccountName=user user_filter = (&(objectclass=person)(|(sAMAccountName=%n)(mail=%n@sau24.org)(otherMailbox=%n@sau24.org))) pass_filter = (&(objectclass=person)(|(sAMAccountName=%n)(mail=%n@sau24.org)(othermailbox=%n@sau24.org)))
Now, you'll notice that the user_filter and pass_filter have the domain statically placed after the mail and othermailbox attributes. This reason for this is that this ldap configuration is used for both authentication purposes and local delivery, so its not always being passed the domain info (for authentication it gets the users IP address). Since all my users are on the same domain I can statically set this here. This setup authenticates users to imap and pop (users use their sAMAccountName as their username when they log in), and pulls their correct home directory. Checking mail is not a problem at all.
Further, this setup will deliver mail correctly to mail addressed to the value in the "mail" attribute. The problem seems to be in the otherMailbox attribute, it cannot lookup the users sAMAccountName based off of the otherMailbox field. Here is what it looks like in the logs for mail sent to my "mail" attribute (mark.schaub@sau24.org):
Oct 14 12:36:19 auth(default): Info: master in: USER 1 mark.schaub@sau24.org service=deliver Oct 14 12:36:19 auth(default): Info: ldap(mark.schaub@sau24.org): user search: base=dc=sau24, dc=org scope=subtree filter=(&(objectclass=user)(|(sAMAccountName=mark.schaub)(mail=mark.schaub@sau24.org)(otherMailbox=mark.schaub@sau24.org))) fields=sAMAccountName Oct 14 12:36:19 auth(default): Info: ldap(mark.schaub@sau24.org): result: sAMAccountName(home=/home/vmail/%$)=/home/vmail/mschaub Oct 14 12:36:19 auth(default): Info: master out: USER 1 mark.schaub@sau24.org home=/home/vmail/mschaub uid=501 gid=501 Oct 14 12:36:19 deliver(mark.schaub@sau24.org): Info: sieve: msgid=<6b71e3a70910140936v4e8cd6fdwd847a1721a9d9786@mail.gmail.com>: stored mail into mailbox 'INBOX'
But this is what I get when I try to send to an address listed in my otherMailbox field (tech@sau24.org):
Oct 14 12:30:58 auth(default): Info: master in: USER 1 tech@sau24.org service=deliver Oct 14 12:30:58 auth(default): Info: ldap(tech@sau24.org): user search: base=dc=sau24, dc=org scope=subtree filter=(&(objectclass=user)(|(sAMAccountName=tech)(mail=tech@sau24.org)(otherMailbox=tech@sau24.org))) fields=sAMAccountName Oct 14 12:30:58 auth(default): Info: ldap(tech@sau24.org): Unknown user Oct 14 12:30:58 auth(default): Info: master out: NOTFOUND 1
As a test I tried modifying my dovecot-ldap.conf to use different fields instead of otherMailbox. Sending to some of those attributes worked, others didnt. I could use the "sn" and "givenName" attributes, but "postalCode" and "title" would give the same error as otherMailbox.
My question is this: is there something wrong with my configuration or can Dovecot only query certain fields in the user_attr string?
Thanks, ~ Mark
My question is this: is there something wrong with my configuration or can Dovecot only query certain fields in the user_attr string?
Just as a clarification, I mean to ask if Dovecot can only query certain fields in the user_filter string.
Thanks, ~ Mark
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
On Wed, 2009-10-14 at 16:00 -0400, Mark Schaub wrote:
user_filter = (&(objectclass=person)(|(sAMAccountName=%n)(mail=%n@sau24.org)(otherMailbox=%n@sau24.org)))
My LDAP knowledge isn't that great, but does | accept more than one parameter? Try changing this to:
user_filter = (&(objectclass=person)(|(sAMAccountName=%n)(|(mail=%n@sau24.org)(otherMailbox=%n@sau24.org))))
Other than that, I don't really have much ideas. Does the same filter work with e.g. ldapsearch?
I have tried the user_filter you suggested, it did not change anything. I played around with some Active Directory permissions today and set it up so that I could perform anonymous queries and verified that they were successful with ldapsearch on the command line. This still didn't seem to help the problem.
As far as I can tell userdb ldap queries are run using the user specified in dn with the password specified in dnpass. I know those fields are correct as userdb has no problem querying users by sAMAccountName or mail attributes. I also know that the user_filter string works as I can run an ldapsearch using dn, dnpass, and user_filter and that returns the correct information. For some reason when the deliver process does this nothing is returned.
As I mentioned in the initial post, some fields work and others do not. If I change the filter to look for sn=%n and try to deliver to my last name then it delivers fine. If I set the filter to title=%n and try to deliver to my title then I get the same problem as with otherMailbox.
Is there schema information dovecot is using that defines certain userdb attributes it can and can't use?
On Thu, Oct 15, 2009 at 12:28 PM, Timo Sirainen <tss@iki.fi> wrote:
On Wed, 2009-10-14 at 16:00 -0400, Mark Schaub wrote:
user_filter = (&(objectclass=person)(|(sAMAccountName=%n)(mail=%n@sau24.org)(otherMailbox=%n@sau24.org)))
My LDAP knowledge isn't that great, but does | accept more than one parameter? Try changing this to:
user_filter = (&(objectclass=person)(|(sAMAccountName=%n)(|(mail=%n@sau24.org)(otherMailbox=%n@sau24.org))))
Other than that, I don't really have much ideas. Does the same filter work with e.g. ldapsearch?
On Fri, 2009-10-16 at 14:18 -0400, Mark Schaub wrote:
As far as I can tell userdb ldap queries are run using the user specified in dn with the password specified in dnpass. I know those fields are correct as userdb has no problem querying users by sAMAccountName or mail attributes. I also know that the user_filter string works as I can run an ldapsearch using dn, dnpass, and user_filter and that returns the correct information. For some reason when the deliver process does this nothing is returned.
What about pass_filter, does that work with imap/pop3 logins?
As I mentioned in the initial post, some fields work and others do not. If I change the filter to look for sn=%n and try to deliver to my last name then it delivers fine. If I set the filter to title=%n and try to deliver to my title then I get the same problem as with otherMailbox.
Weird.
Is there schema information dovecot is using that defines certain userdb attributes it can and can't use?
No.
What about pass_filter, does that work with imap/pop3 logins?
Interesting question. Typically users only try to login with their sAMAccountName and thats always worked just fine. I just tested this and pass_filter seems to be running in to the same issue. If I set the pass_filter to:
pass_filter = (&(objectclass=person)(|(sAMAccountName=%n)(otherMailbox=%n)))
Then I am not able to log in using my email alias. However if I set it to:
pass_filter = (&(objectclass=person)(|(sAMAccountName=%n)(sn=%n)))
Then I am able to log in using my last name. Just like before other fields like postalCode and title will not work. For each attribute that does not work I have verified that an ldapsearch using the same filter returns exactly 1 sAMAccountName.
All the log shows for the failure (when I attempt to login as my "postmaster" alias) is:
Info: ldap(postmaster,127.0.0.1): unknown user
But if I set the filter to check the mail attribute and login using my mail it correctly changes my username (as my mail address is different from my username):
Info: auth(mark.schaub,127.0.0.1): username changed mark.schaub -> mschaub Info: ldap(mschaub,127.0.0.1): result: sAMAccountName(user)=mschaub Info: client out: OK 1 user=mschaub
On Fri, 2009-10-16 at 14:59 -0400, Mark Schaub wrote:
Then I am able to log in using my last name. Just like before other fields like postalCode and title will not work. For each attribute that does not work I have verified that an ldapsearch using the same filter returns exactly 1 sAMAccountName.
Then there's something different what Dovecot and ldapsearch does. They have the same dn, dnpass, neither uses tls, same base, deref, scope?
On Wed, 14 Oct 2009 16:00:54 -0400 Mark Schaub <mark.schaub@sau24.org> wrote:
Good Afternoon,
I have my virtual users stored in an Active Directory database. As far as mail info goes the 2 important fields are: mail (their primary email address) and otherMailbox (a multivalue attribute containing their mail aliases). Right now all email addresses belong in the same domain and there are no immediate plans to change this.
If I use Postfix to do the lookups and delivery only using Dovecot for passdb Pam driver and a static userdb then everything delivers fine to mail and otherMailbox addresses. I have been working on switching over to Dovecot's deliver process in order to integrate sieve capability. I have configured userdb ldap and passdb ldap in Dovecot and have set up master and client sockets. Before I describe my problem let me show you my configuration (as I think the dovecot-ldap.conf in particular needs to be explained). Here are the important parts of dovecot.conf:
auth default { socket listen { master { path = /usr/var/run/dovecot/auth-master mode = 0666 user = vmail group = vmail }
client { path = /var/spool/postfix/private/auth mode = 0666 user = postfix group = postfix }
}
passdb ldap { args = /etc/dovecot-ldap.conf } userdb ldap { # Path for LDAP configuration file, see doc/dovecot-ldap-example.conf args = /etc/dovecot-ldap.conf }
and my dovecot -n:
lda: postmaster_address: postmaster@sau24.org mail_plugins: sieve auth default: mechanisms: plain login debug: yes passdb: driver: ldap args: /etc/dovecot-ldap.conf userdb: driver: ldap args: /etc/dovecot-ldap.conf socket: type: listen client: path: /var/spool/postfix/private/auth mode: 438 user: postfix group: postfix master: path: /usr/var/run/dovecot/auth-master mode: 438 user: vmail group: vmail plugin: sieve: ~/.dovecot.sieve sieve_dir: ~/sieve sieve_storage: ~/sieve
Further, here is my dovecot-ldap.conf:
hosts = delldb.sau24.org:3268 base = dc=sau24, dc=org ldap_version = 3 dn = cn=Mail User,cn=Users,dc=sau24,dc=org dnpass = secret auth_bind = yes scope = subtree user_attrs = sAMAccountName=home=/home/vmail/%$,=uid=501,=gid=501 pass_attrs = sAMAccountName=user user_filter = (&(objectclass=person)(|(sAMAccountName=%n)(mail=%n@sau24.org)(otherMailbox=%n@sau24.org))) pass_filter = (&(objectclass=person)(|(sAMAccountName=%n)(mail=%n@sau24.org)(othermailbox=%n@sau24.org)))
Now, you'll notice that the user_filter and pass_filter have the domain statically placed after the mail and othermailbox attributes. This reason for this is that this ldap configuration is used for both authentication purposes and local delivery, so its not always being passed the domain info (for authentication it gets the users IP address). Since all my users are on the same domain I can statically set this here. This setup authenticates users to imap and pop (users use their sAMAccountName as their username when they log in), and pulls their correct home directory. Checking mail is not a problem at all.
Further, this setup will deliver mail correctly to mail addressed to the value in the "mail" attribute. The problem seems to be in the otherMailbox attribute, it cannot lookup the users sAMAccountName based off of the otherMailbox field. Here is what it looks like in the logs for mail sent to my "mail" attribute (mark.schaub@sau24.org):
Oct 14 12:36:19 auth(default): Info: master in: USER 1 mark.schaub@sau24.org service=deliver Oct 14 12:36:19 auth(default): Info: ldap(mark.schaub@sau24.org): user search: base=dc=sau24, dc=org scope=subtree filter=(&(objectclass=user)(|(sAMAccountName=mark.schaub)(mail=mark.schaub@sau24.org)(otherMailbox=mark.schaub@sau24.org))) fields=sAMAccountName Oct 14 12:36:19 auth(default): Info: ldap(mark.schaub@sau24.org): result: sAMAccountName(home=/home/vmail/%$)=/home/vmail/mschaub Oct 14 12:36:19 auth(default): Info: master out: USER 1 mark.schaub@sau24.org home=/home/vmail/mschaub uid=501 gid=501 Oct 14 12:36:19 deliver(mark.schaub@sau24.org): Info: sieve: msgid=<6b71e3a70910140936v4e8cd6fdwd847a1721a9d9786@mail.gmail.com>: stored mail into mailbox 'INBOX'
But this is what I get when I try to send to an address listed in my otherMailbox field (tech@sau24.org):
Oct 14 12:30:58 auth(default): Info: master in: USER 1 tech@sau24.org service=deliver Oct 14 12:30:58 auth(default): Info: ldap(tech@sau24.org): user search: base=dc=sau24, dc=org scope=subtree filter=(&(objectclass=user)(|(sAMAccountName=tech)(mail=tech@sau24.org)(otherMailbox=tech@sau24.org))) fields=sAMAccountName Oct 14 12:30:58 auth(default): Info: ldap(tech@sau24.org): Unknown user Oct 14 12:30:58 auth(default): Info: master out: NOTFOUND 1
As a test I tried modifying my dovecot-ldap.conf to use different fields instead of otherMailbox. Sending to some of those attributes worked, others didnt. I could use the "sn" and "givenName" attributes, but "postalCode" and "title" would give the same error as otherMailbox.
My question is this: is there something wrong with my configuration or can Dovecot only query certain fields in the user_attr string?
Thanks, ~ Mark
Not sure, if it helps, but you are trying to do "mta's" work by dovecot delivery. Your postfix setup must do lookups for mail aliases and return REAL mailbox name(mail ldap field). I'm using Exim as MTA - it is working fine. I have 1 router, which resolves 'othermailbox' ldap field to 'mail' field and after that the dovecot delivery is running. With such setup my users are able to use sieve, but authentication can be done only by real mailboxes. Postfix must have some mechanisms to makes it work this way.
Note: mail must have user@domain - if you want to use multiply domains. othermail should be user2@domain to restrict alias mapping to one certain domain in multidomain setup.
participants (4)
-
Mark Schaub
-
mschaub@mail.sau24.org
-
Nikita Koshikov
-
Timo Sirainen