[Dovecot] dovecot 2 variables
Hi,
I am trying to use separate configurations for LDAP authentication, thus providing users with the ability to use only the username without the domain part. Now, according to the documentation, this should be possible: http://wiki2.dovecot.org/AuthDatabase/PasswdFile
but I keep getting an error in my dovecot.log like this:
auth: Error: Can't open configuration file /etc/dovecot/%l/dovecot-ldap.conf: No such file or directory
Why does Dovecot not expand %l to the local IP address?
On 7.4.2013, at 23.51, Pavel Dimow <paveldimow@gmail.com> wrote:
That expansion works only with passwd-file, not with anything else (such as ldap).
Thank you Timo. Please correct me if I am wrong, but does this mean that the only way to have one Dovecot server authenticating users from LDAP without the domain part is to use %l in the LDAP query? That implies having a tree like ou=people,o=x.x.x.x,o=mail,dc=acme,dc=com. Or is there a better way to do it?
On Sun, Apr 7, 2013 at 11:26 PM, Timo Sirainen <tss@iki.fi> wrote:
Just to be clear, my goal is to have multiple domains on multiple addresses but use one Dovecot instance and let users log in without the @domain part.
On Sun, Apr 7, 2013 at 11:51 PM, Pavel Dimow <paveldimow@gmail.com> wrote:
You might try to use several passdb/userdb sections with driver ldap, one for each domain:
http://wiki2.dovecot.org/Authentication/MultipleDatabases
Regards, Daniel
Well, that is not very scalable, as we always ask the first database no matter what. What if I have the same user in both databases (LDAP)?
On Mon, Apr 8, 2013 at 12:36 AM, Daniel Parthey < daniel.parthey@informatik.tu-chemnitz.de> wrote:
You could put (%l=1.2.3.4) in the ldap filter. But I guess it still gets sent to the LDAP server. The best solution would be:
local 1.2.3.4 { userdb { .. } }
But that doesn't work yet.
With v2.2 you can do multiple queries. So you could have one query to translate the IP address to the domain, and then a second lookup to look up the user@domain. http://wiki2.dovecot.org/AuthDatabase/LDAP/Userdb -> subqueries.
On 8.4.2013, at 13.07, Pavel Dimow <paveldimow@gmail.com> wrote:
Thank you Timo, then I guess I will be running two instances of Dovecot, one for each domain, until
local 1.2.3.4 { userdb { .. } }
becomes ready :)
On Mon, Apr 8, 2013 at 12:14 PM, Timo Sirainen <tss@iki.fi> wrote:
On Sun, 7 Apr 2013, Pavel Dimow wrote:
If %l is expanded in the LDAP query, you could add an attribute with the local IP address, e.g.:
pass_filter = (&(objectClass=mailUser)(|(mail=%Lu)(&(localPart=%Lu)(localIP=%l))))
(check whether the parentheses are balanced). Same with user_filter.
The idea:
mailUserLDAPItem && ( nameWithDomain || ( nameWithoutDomain && localIP ) )
So the user could log in with a domain on any local port, and without a domain on one or more local interfaces.
Steffen Kaiser
Interesting, but this means that we need to have one tree with all users (where each user has an additional attribute containing the local IP); instead, we now have two separate trees because we use them for other authentication purposes.
Thank you for sharing your thoughts, Steffen.
On Mon, Apr 8, 2013 at 2:34 PM, Steffen Kaiser < skdovecot@smail.inf.fh-brs.de> wrote:
participants (6): Benny Pedersen, Daniel Parthey, Pavel Dimow, Reindl Harald, Steffen Kaiser, Timo Sirainen