[Dovecot] Passdb filter question - LDAP.
dovecot 1:1.2.9-1ubuntu6.1
I don't know if I can solve this problem with Dovecot, or if it's an
LDAP matter.
I'm authenticating users with saslauthd/LDAP, and using Dovecot LDA.
---- dovecot.conf
passdb ldap {
  args = /etc/dovecot/dovecot-ldap-passdb.conf
}
userdb prefetch {
}
# The userdb below is used only by deliver.
userdb ldap {
  args = /etc/dovecot/dovecot-ldap-userdb.conf
}

----- dovecot-ldap-passdb.conf
search base is dc=example,dc=org
pass_filter = (&(objectclass=brPerson)(objectclass=inetOrgPerson)(mail=%u))
pass_attrs = userPassword=password,%u=user

----- dovecot-ldap-userdb.conf
search base is ou=%d,ou=mail,ou=services,dc=example,dc=org
user_filter = (&(objectclass=nisMailAlias)(cn=%n))
user_attrs = rfc822MailMember=user,EmailQuota=quota_rule=*:storage=%$M
Here is how the LDAP tree is:
ou=mail,ou=services,dc=example,dc=org
ou=subdomain1.example.org,ou=mail,ou=services,dc=example,dc=org
example entry under "ou=subdomain1.example.org"
---
dn: cn=userfoo,ou=subdomain1,ou=mail,ou=services,dc=example,dc=org
cn: userfoo
edupersonprincipalname: WEMHVDEA-FUAOBAAA@example.org (some sort of unique identifier)
emailquota: 512
objectclass: eduPerson
objectclass: nisMailAlias
rfc822mailmember: userfoo@subdomain1.example.org
---
ou=people,dc=example,dc=org
dn: uid=29859085900@example.org,ou=people,dc=example,dc=org
uid: 29859085900@example.org
eduPersonPrincipalName: WEMHVDEA-FUAOBAAA@example.org
userPassword: {MD5}6ZoYxCjLONXyYIU2eJIuAw==
objectClass: person
objectClass: inetOrgPerson
objectClass: eduPerson
mail: 29859085900@example.org
mail: userf@director.example.org
mail: userfoo@dptoxyz.example.org
mail: userfoo@subdomain1.example.org
When delivering email, it must search under "services", for the proper "rfc822mailmember", which is the mailbox.
When authenticating, that's where my problem is: I can't have ALL
user e-mails under "ou=people", maybe just one, so I need to search
under "ou=services"; there I have all user email addresses, and by
using "edupersonPrincipalName", I want to point to the right location
under "ou=people", where I have the user password.
edupersonPrincipalName is the attribute present under "ou=services"
and "ou=people" that links the entries.
I tried to do it by changing passdb filter file, like this:
pass_filter = (&(objectclass=eduPerson)(mail=%u))
pass_attrs = userPassword=userdb_password,eduPersonPrincipalName=userdb_user
It works, but changes the username to the value of "edupersonprincipalname", and this changes the mailbox name. Dovecot accesses the wrong mailbox then (something like 29859085900@example.org).
My question is: is it possible to change the passdb filter so it searches for somemail@sub1.example.org (under ou=services), then gets the value of "edupersonprincipalname" (the unique identifier, present under "services" and "people"), and with that value looks under "people" for the person with that identifier and validates the password? It would be a filter inside a filter, sort of.
thanks, and sorry if this is a little off-topic.
This message was sent using IMP, the Internet Messaging Program.
On Mon, 2010-08-30 at 16:26 -0300, Lauro Costa G. Borges wrote:
> pass_filter = (&(objectclass=eduPerson)(mail=%u))
> pass_attrs = userPassword=userdb_password,eduPersonPrincipalName=userdb_user
userdb_password doesn't make much sense. Also userdb_user isn't typically what you want.
> It works, but changes the username to the value of "edupersonprincipalname", and this changes the mailbox name. Dovecot accesses the wrong mailbox then (something like 29859085900@example.org).
Just remove the eduPersonPrincipalName from pass_attrs. It should probably be just:
pass_attrs = userPassword=password
I'm gonna try to ask more clearly; I guess I'm having a little
difficulty explaining the problem.
Dovecot 1.2
I'm using LDAP passdb lookups, with prefetch.
I have two places on my LDAP tree where I get user information: an
identities subtree, and a services subtree.
For LDA, I just search under the services subtree, it contains
information about the user mail accounts.
Every user has more than one mail account, all of them are located
under the services subtree, and each contains a unique identifier
field that links them to one single user entry under the identities
subtree. There I store the user password (one password for all mail
accounts).
--> Is it possible to make the passdb filter in a way it searches for
the mail account information (under services), there it gets the value
of the unique identifier field, and then perform another search on the
LDAP tree, but not using the "mail" (%u) as a query, instead it uses
the value of the unique identifier, to get the password (under the
identities subtree)?
On Wed, 2010-09-01 at 16:32 -0300, Lauro Costa G. Borges wrote:
> --> Is it possible to make the passdb filter in a way it searches for
If you can get the wanted fields by running ldapsearch command line tool once, you can do it with Dovecot's filters.
> the mail account information (under services), there it gets the value
> of the unique identifier field, and then perform another search on the
> LDAP tree, but not using the "mail" (%u) as a query, instead it uses
> the value of the unique identifier, to get the password (under the
> identities subtree)?
Sounds like two lookups, which isn't supported.
If passdb/userdb ldap isn't enough for this, you could always use passdb/userdb checkpassword.