[Dovecot] LDAP for Virtual Domains
Is anyone using LDAP along with Dovecot where mail is being accessed
in the form of /var/vmail/${domain}/${user}? I have not figured out
how to extract the domain from LDAP in order to make this work. I
know this is sparse information but maybe there is an easy fix. If
not, I can post more information.
Bryan
Bryan Vyhmeister wrote:
> Is anyone using LDAP along with Dovecot where mail is being accessed in the form of /var/vmail/${domain}/${user}? I have not figured out how to extract the domain from LDAP in order to make this work. I know this is sparse information but maybe there is an easy fix. If not, I can post more information.
> Bryan

What config have you tried?

--
Kind Regards,
Gavin Henry. Managing Director.
T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry@suretecsystems.com
Open Source. Open Solutions(tm).
On May 17, 2007, at 12:06 AM, Gavin Henry wrote:
> Bryan Vyhmeister wrote:
>> Is anyone using LDAP along with Dovecot where mail is being accessed in the form of /var/vmail/${domain}/${user}? I have not figured out how to extract the domain from LDAP in order to make this work. I know this is sparse information but maybe there is an easy fix. If not, I can post more information.
>
> What config have you tried?

Sorry, I should have given more detail. Right now, I have one server
which is authenticating off of a passwd file from Dovecot. Postfix
accesses Dovecot's auth socket interface for SMTP AUTH passwords and
such. I use a virtual mailbox map and virtual alias map through
Postfix to decide where to deliver mail. In Dovecot, I have
mail_location set as follows:
mail_location = maildir:/var/vmail/domains/%d%n
That allows it to work fine for finding my mailboxes. I have tried
the default Dovecot LDAP file but I am not sure I really understand
how it all works. I guess this also involves picking a logical way to
setup my LDAP structure as well.
I think I could make this work by making the LDAP uid
user@domain.com. I don't think this is the best way of setting it up
though. All of my users login with user@domain.com and I want to keep
it that way. It does not seem like LDAP was designed to authenticate
this way quite as well.
Bryan
Bryan Vyhmeister wrote:
> On May 17, 2007, at 12:06 AM, Gavin Henry wrote:
>> Bryan Vyhmeister wrote:
>>> Is anyone using LDAP along with Dovecot where mail is being accessed in the form of /var/vmail/${domain}/${user}? I have not figured out how to extract the domain from LDAP in order to make this work. I know this is sparse information but maybe there is an easy fix. If not, I can post more information.
>>
>> What config have you tried?
>
> Sorry, I should have given more detail. Right now, I have one server which is authenticating off of a passwd file from Dovecot. Postfix accesses Dovecot's auth socket interface for SMTP AUTH passwords and such. I use a virtual mailbox map and virtual alias map through Postfix to decide where to deliver mail. In Dovecot, I have mail_location set as follows:
>
> mail_location = maildir:/var/vmail/domains/%d%n

Hope you've got a "/" between the %d and %n that got dropped off ....

> That allows it to work fine for finding my mailboxes. I have tried the default Dovecot LDAP file but I am not sure I really understand how it all works. I guess this also involves picking a logical way to setup my LDAP structure as well.

LDAP is one of the biggest headaches you get into - despite the fact that lots of people seem to think it's THE solution for centralized user management. Google, read, google, read, curse, google, read, try, fail, google, read . . . get it working (still not understanding why), touch something, break it, curse, google, read, google, read, try again . . .

> I think I could make this work by making the LDAP uid user@domain.com. I don't think this is the best way of setting it up though. All of my users login with user@domain.com and I want to keep it that way. It does not seem like LDAP was designed to authenticate this way quite as well.

uid should be . . . uid. One of the key items to understand about LDAP integration with most programs is there IS NO STANDARD. YOU define which fields are used. So you tell Dovecot, Postfix, or whatever which fields to search, and which fields to return, and what information is meaningful. Your login format will work just fine - but LDAP needs to have a field with that information stored (mail), and your LDAP-using servers need to be told which field to use.

The only key mail program I haven't been able to use with my setup is maildrop - I would have to store the mailfolder in LDAP, which I refuse to do. So I have a second database I need to maintain (for courier-authlib) for the couple users that use maildrop until I can come up with an alternative.

--
Daniel
On Thursday 17 May 2007 04:06:52 Bryan Vyhmeister wrote:
> Is anyone using LDAP along with Dovecot where mail is being accessed in the form of /var/vmail/${domain}/${user}? I have not figured out how to extract the domain from LDAP in order to make this work. I know this is sparse information but maybe there is an easy fix. If not, I can post more information.
> Bryan

The attachments contain my configuration. Maybe you could document some more on the wiki?

dn: dc=mail,dc=quies,dc=net
objectClass: top
objectClass: dcObject
objectClass: organizationalRole
dc: mail
cn: Quies Net mail division

dn: cn=dovecot,dc=mail,dc=quies,dc=net
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: dovecot
description: Dovecot daemon
userPassword: not public

dn: ou=accounts,dc=mail,dc=quies,dc=net
objectClass: top
objectClass: organizationalUnit
ou: accounts

dn: cn=quies.net,ou=accounts,dc=mail,dc=quies,dc=net
objectClass: top
objectClass: posixGroup
cn: quies.net
gidNumber: 10000

dn: uid=pascal@quies.net,cn=quies.net,ou=accounts,dc=mail,dc=quies,dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: pascal@quies.net
uidNumber: 10000
gidNumber: 10000
homeDirectory: /var/spool/imap/net.quies/pascal
userPassword: not public
cn: Pascal de Kloe
givenName: Pascal
sn: de Kloe
etc.
On May 17, 2007, at 4:44 AM, Pascal S. de Kloe wrote:
> The attachments contain my configuration. Maybe you could document some more on the wiki?

If I understand your config correctly, you set your home directory in LDAP and then just deliver to ~/Maildir/ which goes to the correct /var/spool/imap/domain/user like I mentioned. In that case, do additional folders get created inside your Maildir or in the home folder itself? Thank you for the response.
Bryan
On Friday 18 May 2007 03:52:40 Bryan Vyhmeister wrote:
> On May 17, 2007, at 4:44 AM, Pascal S. de Kloe wrote:
>> The attachments contain my configuration. Maybe you could document some more on the wiki?
>
> If I understand your config correctly, you set your home directory in LDAP and then just deliver to ~/Maildir/ which goes to the correct /var/spool/imap/domain/user like I mentioned. In that case, do additional folders get created inside your Maildir or in the home folder itself?

That is correct. All mail goes into the Maildir folder and the SIEVE scripts are at ~/.dovecot.sieve.
It seemed like the most portable and extendable configuration. You could modify the LDAP homeDirectory at a later time with a simple query.
On May 18, 2007, at 2:14 AM, Pascal S. de Kloe wrote:
> That is correct. All mail goes into the Maildir folder and the SIEVE scripts are at ~/.dovecot.sieve.
> It seemed like the most portable and extendable configuration. You could modify the LDAP homeDirectory at a later time with a simple query.

I'll have to try this configuration on Sunday and see if I can get it
to work. The ideal would be for only Dovecot to access LDAP so that I
don't have to worry about Postfix dealing with that.
Bryan
On May 17, 2007, at 4:44 AM, Pascal S. de Kloe wrote:
> The attachments contain my configuration. Maybe you could document some more on the wiki?
> <dovecot.conf> <dovecot-ldap.conf>

I recognize that this is the dovecot list, not the Postfix list but I
wasn't sure if you were using Postfix as well. If so, how are you
getting around Postfix wanting mailacceptinggeneralid in order to
accept messages? Thank you.
Bryan
20.05.2007 23:00 Bryan Vyhmeister:
> query_filter = (&(mail=%s))

mailacceptinggeneralid=%s is the default value for query_filter. Maybe the &-operator ANDs your expression to the default. Anyway, if you just want to filter for the mail address, the &-operator is unnecessary. Try query_filter = (mail=%s) instead.

Marc
Bryan Vyhmeister wrote:
> Is anyone using LDAP along with Dovecot where mail is being accessed in the form of /var/vmail/${domain}/${user}? I have not figured out how to extract the domain from LDAP in order to make this work. I know this is sparse information but maybe there is an easy fix. If not, I can post more information.
> Bryan

I am using almost this exact setup. What I love about this is my LDAP config is minimal - no special schemas required (just core, cosine, nis, and inetorgperson). Everything is driven by the "mail" field - you store the full mail address, with domain, and the userPassword. I'm using Postfix and Dovecot.

## Dovecot.conf
...
default_mail_env = maildir:/var/mail/%d/%n
valid_chroot_dirs = /var/mail
passdb ldap {
  args = /etc/dovecot/dovecot-ldap.conf
}
userdb passwd {
  args = /etc/dovecot/dovecot-ldap.conf
}
userdb ldap {
  args = /etc/dovecot/dovecot-ldap.conf
}
...
## EOF

## Dovecot-ldap.conf
hosts = localhost
auth_bind = no
auth_bind_userdn = uid=%n, ou=People, dc=amfeslan, dc=local
ldap_version = 3
base = ou=People, dc=amfeslan, dc=local
## here's your magic lines
user_attrs = %d/%n=mail
user_filter = (mail=%u)
pass_attrs = (&userPassword=password)(mail=%u))
user_global_uid = 5000
user_global_gid = 8
## EOF

--
Daniel
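As an added example (not code from the thread, and not how Dovecot or Postfix implement it), this Python models what Daniel's user_filter = (mail=%u) and default_mail_env = maildir:/var/mail/%d/%n lines, and Marc's (mail=%s) query_filter, amount to: look a user@domain login up by its mail attribute, then derive the per-domain Maildir path from %d and %n. The directory entries are constructed, and the RFC 4515 filter escaping and the path containment check are defensive additions of this example rather than anything the posts describe.

```python
import posixpath

MAIL_ROOT = "/var/mail"  # root of the thread's maildir:/var/mail/%d/%n layout

# Constructed stand-ins for LDAP search results; not a real directory dump.
CONSTRUCTED_ENTRIES = [
    {"dn": "uid=alice,ou=People,dc=example,dc=test", "mail": "alice@example.test"},
    {"dn": "uid=bob,ou=People,dc=example,dc=test", "mail": "bob@example.test"},
]

def ldap_filter_escape(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def split_login(login):
    """Return (%n, %d) for a user@domain login; reject anything else."""
    parts = login.split("@")
    if len(parts) != 2 or not all(parts):
        raise ValueError("login must be user@domain: %r" % login)
    name, domain = parts
    # Each part becomes one directory component, so it must not carry a path of its own.
    if "/" in login or name in (".", "..") or domain in (".", ".."):
        raise ValueError("login does not map to a single directory: %r" % login)
    return name, domain

def expand(template, login):
    """Expand the Dovecot variables the thread relies on: %u, %n and %d."""
    name, domain = split_login(login)
    return template.replace("%u", login).replace("%n", name).replace("%d", domain)

def user_filter(login):
    """Daniel's user_filter = (mail=%u), with the login escaped for the filter."""
    return "(mail=%s)" % ldap_filter_escape(login)

def find_entry(login, entries=CONSTRUCTED_ENTRIES):
    """Stand-in for the LDAP search: the filter reduces to an exact match on mail."""
    for entry in entries:
        if entry["mail"] == login:
            return entry
    return None

def maildir_for(login):
    """Expand /var/mail/%d/%n and refuse any result that lands outside MAIL_ROOT."""
    path = posixpath.normpath(expand(MAIL_ROOT + "/%d/%n", login))
    if not path.startswith(MAIL_ROOT + "/"):
        raise ValueError("expanded path escapes %s: %s" % (MAIL_ROOT, path))
    return path
```

Running find_entry and maildir_for on the same login shows the two halves of the setup: the directory answers whether the address exists, and the %d/%n expansion decides where its mail lives.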
Timo Sirainen wrote:
> On Fri, 2007-05-18 at 07:34 -0700, Daniel L. Miller wrote:
>> userdb passwd {
>>   args = /etc/dovecot/dovecot-ldap.conf
>> }
>
> This probably isn't doing what you're thinking :) The args is completely ignored here, so it just looks up the username from NSS.

Thanks. Probably left over from when I was trying to implement the single LDAP lookup configuration - which I gave up on. Haven't noticed any significant performance hit using the separate user/pass lookups - though I'll revisit it soon I'm sure.

--
Daniel
On May 18, 2007, at 7:34 AM, Daniel L. Miller wrote:
> I am using almost this exact setup. What I love about this is my LDAP config is minimal - no special schemas required (just core, cosine, nis, and inetorgperson). Everything is driven by the "mail" field - you store the full mail address, with domain, and the userPassword. I'm using Postfix and Dovecot.

Thank you for that info. Do you mind posting the relevant portions of
your Postfix config?
Bryan
participants (6)
- Bryan Vyhmeister
- Daniel L. Miller
- Gavin Henry
- Marc Delling
- Pascal S. de Kloe
- Timo Sirainen