Two domains - same user names filter
Hi,
I have two LDAP domains which have some identical user names, e.g.:
abc@domain1.com abc@domain2.com
I set up this config: domain1 users' maildirs are stored in /home/vmail/username, domain2 users' maildirs are stored in /home/vmail/domain2/username.
This works fine except for one thing: I can't set up the LDAP query to choose the correct maildir if the user names are equal. Is it possible to use a user_filter which will choose the correct maildir and user/domain from the email address?
My current ldap.conf for domain1:
hosts = ldap.domain1.com
base = ou=People,dc=domain1,dc=com
ldap_version = 3
user_attrs = uid=user
user_filter = (uid=%n)
pass_attrs = uid=user,userPassword=password
pass_filter = (uid=%n)
default_pass_scheme = MD5
and for domain2:
hosts = ldap.domain2.com
base = ou=People,dc=domain2,dc=com
ldap_version = 3
# leading "=" means the value is a template, not an LDAP attribute name; the closing brace was mistyped as ")"
user_attrs = =mail=maildir:/home/vmail/%{ldap:departmentNumber}/%n/Maildir
user_filter = (uid=%n)
# uid=user maps the LDAP uid to Dovecot's user field; uid=%n would create a result field literally named "%n"
pass_attrs = uid=user,userPassword=password
pass_filter = (uid=%n)
default_pass_scheme = MD5
Thanks, Robert
On Fri, 2 Jun 2017, Sandbox wrote:
I have two LDAP domains, which has some equal users, eg:
abc@domain1.com abc@domain2.com
This works fine except one thing: i cant set up the ldap query to choose the correct maildir if the user names are equal.
Well, the main problem is that you have two LDAP servers with different content.
Is it possible to use a user_filter which will choose the correct maildir and user/domain from the email address?
you have one LDAP conf per domain and two userdb's, right?
Can you make use of ${domain} in one of the LDAP servers, is the domain present in the user entries?
Steffen Kaiser
On June 2, 2017 at 11:13 AM Steffen Kaiser <skdovecot@smail.inf.fh-brs.de> wrote:
Can you make use of ${domain} in one of the LDAP servers, is the domain present in the user entries?
Dovecot 2.2.29+ has a feature called username_filter for passdb blocks, which lets you specify the usernames the passdb block is to be used for. This could simplify your config somewhat. See https://wiki.dovecot.org/PasswordDatabase
Aki
On 2 Jun 2017, at 11.40, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
Dovecot 2.2.29+ has feature called username_filter for passdb blocks, which lets you specify usernames the passdb block is to be used. This could simplify your config somewhat. See https://wiki.dovecot.org/PasswordDatabase
Small mistake. That feature is in 2.2.30+
Sami
It's weird, when I set up (&(uid=%n)(mail=*@%{domain1.com})) as user_filter:
auth: Debug: auth client connected (pid=14697)
auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=3Ej8PkdRAgDAqAG3 lip=192.168.34.10 rip=192.168.34.18 lport=143 rport=59394
auth: Debug: client passdb out: CONT 1
auth: Debug: client in: CONT<hidden>
auth: Debug: ldap(testuser1,192.168.34.18,<3Ej8PkdRAgDAqAG3>): pass search: base=ou=People,dc=domain1,dc=com scope=subtree filter=(uid=testuser1) fields=uid,userPassword
auth: Debug: ldap(testuser1,192.168.34.18,<3Ej8PkdRAgDAqAG3>): result: uid=testuser1 userPassword=<hidden>; uid,userPassword unused
auth: Debug: ldap(testuser1,192.168.34.18,<3Ej8PkdRAgDAqAG3>): result: uid=testuser1 userPassword=<hidden>
auth: Debug: client passdb out: OK 1 user=testuser1 %n=testuser1
auth: Debug: master in: REQUEST 3018063873 14697 1 3f04b57a81e1750e279d4dfec2e35414 session_pid=14699 request_auth_token
auth: Debug: ldap(testuser1,192.168.34.18,<3Ej8PkdRAgDAqAG3>): user search: base=ou=People,dc=domain1,dc=com scope=subtree filter=(&(uid=testuser1)(mail=*@domain1.com})) fields=uid
auth: Debug: ldap(testuser1,192.168.34.18,<3Ej8PkdRAgDAqAG3>): no fields returned by the server
auth: Info: ldap(testuser1,192.168.34.18,<3Ej8PkdRAgDAqAG3>): unknown user
auth: Debug: master userdb out: NOTFOUND 3018063873
imap-login: Info: Internal login failure (pid=14697 id=1) (internal failure, 1 successful auths): user=<testuser1>, method=PLAIN, rip=192.168.34.18, lip=192.168.34.10, mpid=14699, TLS, session=<3Ej8PkdRAgDAqAG3>
As I understand it, the filter should give back this result: "testuser1" when the mail record is *@domain1.com.
And when I set up the "old" method (uid=%n):
auth: Debug: auth client connected (pid=14739)
auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=6v9kQkdREADAqAG3 lip=192.168.34.10 rip=192.168.34.18 lport=143 rport=59408
auth: Debug: client passdb out: CONT 1
auth: Debug: client in: CONT<hidden>
auth: Debug: ldap(testuser1,192.168.34.18,<6v9kQkdREADAqAG3>): pass search: base=ou=People,dc=domain1,dc=com scope=subtree filter=(uid=testuser1) fields=uid,userPassword
auth: Debug: ldap(testuser1,192.168.34.18,<6v9kQkdREADAqAG3>): result: uid=testuser1 userPassword=<hidden>; uid,userPassword unused
auth: Debug: ldap(testuser1,192.168.34.18,<6v9kQkdREADAqAG3>): result: uid=testuser1 userPassword=<hidden>
auth: Debug: client passdb out: OK 1 user=testuser1 %n=testuser1
auth: Debug: master in: REQUEST 2349465601 14739 1 30535968cbadc3948ed4578ae769de33 session_pid=14741 request_auth_token
auth: Debug: ldap(testuser1,192.168.34.18,<6v9kQkdREADAqAG3>): user search: base=ou=People,dc=domain1,dc=com scope=subtree filter=(uid=testuser1) fields=uid
auth: Debug: ldap(testuser1,192.168.34.18,<6v9kQkdREADAqAG3>): result: uid=testuser1; uid unused
auth: Debug: ldap(testuser1,192.168.34.18,<6v9kQkdREADAqAG3>): result: uid=testuser1
auth: Debug: master userdb out: USER 2349465601 testuser1 auth_token=5f171ed4c66480dcc89a21709b062753c151aede
imap-login: Info: Login: user=<testuser1>, method=PLAIN, rip=192.168.34.18, lip=192.168.34.10, mpid=14741, TLS, session=<6v9kQkdREADAqAG3>
BTW, it's Dovecot 2.2.18 (Ubuntu 16.04 LTS).
Robert
On Tue, 6 Jun 2017, Sandbox wrote:
It's weird, when I set up (&(uid=%n)(mail=*@%{domain1.com})) as user_filter:
                                            ^^^^^^^^^^^^^^
https://wiki2.dovecot.org/Variables?highlight=%28domain%29
The variable is named domain.
auth: Debug: auth client connected (pid=14697)
auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=3Ej8PkdRAgDAqAG3 lip=192.168.34.10 rip=192.168.34.18 lport=143 rport=59394
auth: Debug: client passdb out: CONT 1
auth: Debug: client in: CONT<hidden>
auth: Debug: ldap(testuser1,192.168.34.18,<3Ej8PkdRAgDAqAG3>): pass search: base=ou=People,dc=domain1,dc=com scope=subtree filter=(uid=testuser1) fields=uid,userPassword
auth: Debug: ldap(testuser1,192.168.34.18,<3Ej8PkdRAgDAqAG3>): result: uid=testuser1 userPassword=<hidden>; uid,userPassword unused
auth: Debug: ldap(testuser1,192.168.34.18,<3Ej8PkdRAgDAqAG3>): result: uid=testuser1 userPassword=<hidden>
auth: Debug: client passdb out: OK 1 user=testuser1 %n=testuser1
auth: Debug: master in: REQUEST 3018063873 14697 1 3f04b57a81e1750e279d4dfec2e35414 session_pid=14699 request_auth_token
auth: Debug: ldap(testuser1,192.168.34.18,<3Ej8PkdRAgDAqAG3>): user search: base=ou=People,dc=domain1,dc=com scope=subtree
  filter=(&(uid=testuser1)(mail=*@domain1.com})) fields=uid
                                ^^^^^^^^^^^^^^^
Steffen Kaiser
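The two debug logs above differ only in the userdb step: passdb answers OK in both, but with the mistyped variable the user search reaches the server as (&(uid=testuser1)(mail=*@domain1.com})), nothing comes back, and imap-login reports an internal failure "(1 successful auths)" because the password check had already passed. As an added example (not part of the thread and not Dovecot code), the script below parses such auth_debug output, names the stage that failed, and flags an expanded filter that still carries a "%" or a stray brace. The log excerpts inside it are constructed from the lines quoted in the thread; the check for a passdb result field literally named "%n" (which is what a pass_attrs entry of the form uid=%n produces) is my own heuristic.

```python
"""Triage Dovecot auth debug output: which stage failed, and does the expanded filter look sane?
Added example for the two logs Robert posted; it is not part of the thread and not Dovecot code.
The excerpts below are constructed from the quoted lines, cut down to the records this reads."""
import re

# Constructed excerpt: user_filter written with the mistyped %{domain1.com} variable.
LOG_BROKEN = """\
auth: Debug: ldap(testuser1,192.168.34.18,<3Ej8PkdRAgDAqAG3>): pass search: base=ou=People,dc=domain1,dc=com scope=subtree filter=(uid=testuser1) fields=uid,userPassword
auth: Debug: client passdb out: OK 1 user=testuser1 %n=testuser1
auth: Debug: ldap(testuser1,192.168.34.18,<3Ej8PkdRAgDAqAG3>): user search: base=ou=People,dc=domain1,dc=com scope=subtree filter=(&(uid=testuser1)(mail=*@domain1.com})) fields=uid
auth: Info: ldap(testuser1,192.168.34.18,<3Ej8PkdRAgDAqAG3>): unknown user
auth: Debug: master userdb out: NOTFOUND 3018063873
imap-login: Info: Internal login failure (pid=14697 id=1) (internal failure, 1 successful auths): user=<testuser1>, method=PLAIN, rip=192.168.34.18, lip=192.168.34.10, mpid=14699, TLS, session=<3Ej8PkdRAgDAqAG3>
"""
# Constructed excerpt: the plain (uid=%n) user_filter, which logs in.
LOG_OK = """\
auth: Debug: ldap(testuser1,192.168.34.18,<6v9kQkdREADAqAG3>): pass search: base=ou=People,dc=domain1,dc=com scope=subtree filter=(uid=testuser1) fields=uid,userPassword
auth: Debug: client passdb out: OK 1 user=testuser1 %n=testuser1
auth: Debug: ldap(testuser1,192.168.34.18,<6v9kQkdREADAqAG3>): user search: base=ou=People,dc=domain1,dc=com scope=subtree filter=(uid=testuser1) fields=uid
auth: Debug: master userdb out: USER 2349465601 testuser1 auth_token=5f171ed4c66480dcc89a21709b062753c151aede
imap-login: Info: Login: user=<testuser1>, method=PLAIN, rip=192.168.34.18, lip=192.168.34.10, mpid=14741, TLS, session=<6v9kQkdREADAqAG3>
"""

SEARCH_RE = re.compile(r"ldap\((?P<user>[^,]+),[^)]*\): (?P<stage>pass|user) search: .*?filter=(?P<filter>\S+)")
PASSDB_RE = re.compile(r"client passdb out: (?P<verdict>OK|FAIL) \d+(?P<fields>.*)")
USERDB_RE = re.compile(r"master userdb out: (?P<verdict>USER|NOTFOUND|FAIL)")


def check_expanded_filter(ldap_filter):
    """Reasons an *expanded* filter (as logged) looks like a %-variable went wrong."""
    problems = []
    if "%" in ldap_filter:
        problems.append("unexpanded %-variable left in filter")
    if "{" in ldap_filter or "}" in ldap_filter:
        problems.append("stray brace: a %{...} name was not recognised as a variable")
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
    if depth != 0:
        problems.append("unbalanced parentheses")
    return problems


def diagnose(log_text):
    """Summarise one login attempt from auth_debug output."""
    report = {"user": None, "passdb": None, "userdb": None, "pass_filter": None,
              "user_filter": None, "filter_problems": [], "suspicious_passdb_fields": []}
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            report["user"] = m.group("user")
            report["pass_filter" if m.group("stage") == "pass" else "user_filter"] = m.group("filter")
            continue
        m = PASSDB_RE.search(line)
        if m:
            report["passdb"] = m.group("verdict")
            # A returned field whose *name* starts with '%' means pass_attrs mapped the LDAP
            # attribute to the literal text "%n" instead of a Dovecot field name such as "user".
            report["suspicious_passdb_fields"] = [
                f.split("=", 1)[0] for f in m.group("fields").split() if f.startswith("%")]
            continue
        m = USERDB_RE.search(line)
        if m:
            report["userdb"] = m.group("verdict")
    if report["user_filter"]:
        report["filter_problems"] = check_expanded_filter(report["user_filter"])
    return report


def failing_stage(report):
    """'passdb' if authentication failed, 'userdb' if only the user lookup failed, else 'none'."""
    if report["passdb"] != "OK":
        return "passdb"
    return "userdb" if report["userdb"] != "USER" else "none"


if __name__ == "__main__":
    for name, text in (("broken", LOG_BROKEN), ("ok", LOG_OK)):
        r = diagnose(text)
        print(name, failing_stage(r), r["user_filter"], r["filter_problems"], r["suspicious_passdb_fields"])
```

On the first excerpt the script reports the userdb stage, the stray brace in the expanded filter, and the "%n" result field; on the second it reports no failing stage and a clean filter. The stage split matters when reading such logs: a NOTFOUND from userdb after an OK from passdb means the credentials were correct and the problem is purely in the user lookup, which is exactly what "internal failure, 1 successful auths" says.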
Hi,
| Well, the main problem is that you have two LDAP servers with different content.
Unfortunately I can't do anything about this. :S
| you have one LDAP conf per domain and two userdb's, right?
Nope, I have two ldap.conf files, one for domain1 and one for domain2, and two userdb settings in dovecot.conf, one for each ldap.conf file.
| Can you make use of ${domain} in one of the LDAP servers, is the domain present in the user entries?
Uhm, what do you mean by "Can you make use of ${domain} in one of the LDAP servers"? Only the mail address and the departmentNumber contain the domain in the user entries. To be clear: the first domain's (this is the "old" one) user entries do not contain any departmentNumber data, so those e-mails go to the current /home/vmail/user/maildir directory; the second domain (which is the "new" one) contains the departmentNumber data, so those e-mails go to the /home/vmail/domain2.com/user/maildir directory. The main problem is that I have the same usernames in both domains, that's why I can't use only one domain. Actually I have one LDAP server with two domains configured.
Just thinking about the problem: is it not possible to fill an unused LDAP record, e.g. labeledURI, with the user's second e-mail address? Then in the ldap.conf I have to use a filter which can decide which e-mail address is used -> where to store the mail. Or use two mail records. Both require e-mail address filtering where I have to use the domain part as a decision parameter... what do you think?
Robert
On Fri, 2 Jun 2017, Sandbox wrote:
Then use
(&(uid=%n)(mail=*@%{domain}))
or something similar.
However, I don't know whether %{domain} is populated in your config. Did you check out Aki's answer? If that works as described, username_format would make it easier.
Steffen Kaiser
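Two mechanisms come up in this thread: Aki's passdb username_filter (2.2.30+), which picks the passdb block from the full login name, and Steffen's user_filter (&(uid=%n)(mail=*@%{domain})), which qualifies the LDAP search with the domain part. As an added example (not code from the thread or from Dovecot), the script below models both against a constructed directory in which uid abc exists under both dc=domain1 and dc=domain2, and shows what each filter returns: a bare (uid=%n) over the whole tree is ambiguous, the domain-qualified filter is unique, the mistyped %{domain1.com} is rejected as an unknown variable, and a login of *@domain1.com is escaped per RFC 4515 so it cannot widen the search. The username_filter glob semantics (only "*" is assumed), the departmentNumber values, the bases and the maildir templates are assumptions; rejecting unknown variables is a choice of this toy, not Dovecot's behaviour (Robert's log above shows Dovecot emitting domain1.com} instead).

```python
"""Route a login to the right LDAP entry when the same uid exists in two domains.
Added example, not code from this thread or from Dovecot: it models Aki's passdb
username_filter (a glob on the full login name; only '*' wildcards are assumed here) and
Steffen's (&(uid=%n)(mail=*@%{domain})) user_filter. Directory, bases, templates: constructed."""
import fnmatch
import re
# Constructed directory (after Robert's description): uid "abc" exists under both subtrees.
DIRECTORY = {
    "ou=People,dc=domain1,dc=com": [{"uid": "abc", "mail": "abc@domain1.com"}],
    "ou=People,dc=domain2,dc=com": [{"uid": "abc", "mail": "abc@domain2.com", "departmentNumber": "domain2.com"}],
}
# One passdb/userdb pair per domain, as dovecot.conf would carry them (constructed).
BLOCKS = [
    {"username_filter": "*@domain1.com", "base": "ou=People,dc=domain1,dc=com",
     "user_filter": "(&(uid=%n)(mail=*@%{domain}))", "mail": "maildir:/home/vmail/%n/Maildir"},
    {"username_filter": "*@domain2.com", "base": "ou=People,dc=domain2,dc=com",
     "user_filter": "(&(uid=%n)(mail=*@%{domain}))",
     "mail": "maildir:/home/vmail/%{ldap:departmentNumber}/%n/Maildir"},
]
VAR_RE = re.compile(r"%(?:\{(?P<long>[^}]*)\}|(?P<short>[und]))")

def split_login(login):
    """Dovecot's %u/%n/%d and their long names; %d is empty when no '@' was sent."""
    user, _, domain = login.partition("@")
    return {"u": login, "n": user, "d": domain, "user": login, "username": user, "domain": domain}

def ldap_escape(value):
    """RFC 4515 escaping for a value placed in a filter (Dovecot's LDAP driver does this too)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def expand(template, vars_, entry=None, escape=False):
    """Expand %-variables; an unknown name such as %{domain1.com} is a hard error here."""
    def repl(m):
        name = m.group("long") if m.group("long") is not None else m.group("short")
        if name.startswith("ldap:"):
            value = (entry or {}).get(name[5:], "")
        elif name in vars_:
            value = vars_[name]
        else:
            raise KeyError("unknown variable %%{%s}" % name)
        return ldap_escape(value) if escape else value
    return VAR_RE.sub(repl, template)

def parse_filter(s, i=0):
    """Minimal RFC 4515 parser: (&..), (|..) and attr=pattern; returns (node, next position)."""
    assert s[i] == "(", "filter must start with '('"
    if s[i + 1] in "&|":
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, pattern = s[i + 1:j].partition("=")
    return ("=", attr, pattern), j + 1

def matches(node, entry):
    """Evaluate a parsed filter; '*' is a wildcard, \\xx escapes match literally."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    value = entry.get(node[1])
    unesc = lambda p: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
    rx = ".*".join(re.escape(unesc(p)) for p in node[2].split("*"))
    return value is not None and re.fullmatch(rx, value, re.IGNORECASE) is not None

def resolve(login, user_filter, base=None):
    """Expand user_filter for the login, search one base (or all) and demand exactly one hit."""
    try:
        ldap_filter = expand(user_filter, split_login(login), escape=True)
    except KeyError as err:
        return {"status": "config error", "detail": str(err)}
    node, _ = parse_filter(ldap_filter)
    hits = [e for b in ([base] if base else DIRECTORY) for e in DIRECTORY[b] if matches(node, e)]
    if len(hits) != 1:
        return {"status": "ambiguous" if hits else "unknown user", "filter": ldap_filter, "hits": len(hits)}
    return {"status": "ok", "filter": ldap_filter, "entry": hits[0]}

def select_block(login):
    """First block whose username_filter glob accepts the login (Aki's 2.2.30+ feature)."""
    for block in BLOCKS:
        if any(fnmatch.fnmatchcase(login, p) for p in block["username_filter"].split()):
            return block
    return None

def lookup(login):
    """Pick the block, resolve the entry inside that block's base, then build the maildir."""
    block = select_block(login)
    if block is None:
        return {"status": "no passdb matched", "login": login}
    result = resolve(login, block["user_filter"], block["base"])
    if result["status"] == "ok":
        result["mail"] = expand(block["mail"], split_login(login), result["entry"])
    return result

if __name__ == "__main__":
    print(resolve("abc@domain1.com", "(uid=%n)"))  # ambiguous: uid abc is in both subtrees
    for login in ("abc@domain1.com", "abc@domain2.com", "*@domain1.com", "abc"):
        print(login, "->", lookup(login))
```

Both mechanisms depend on the domain part being present in the login: Robert's debug log shows user=<testuser1> with no domain, and for such a login username_filter = *@domain1.com matches nothing and (mail=*@%{domain}) expands to (mail=*@). Clients therefore have to send the full address; auth_default_realm can append a domain to bare logins, but only one, so it cannot tell the two domains apart by itself.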
participants (4)
- Aki Tuomi
- Sami Ketola
- Sandbox
- Steffen Kaiser