LDAP Filters as defined for dovecot UserDB and passDB
I have pretty much everything working fine.
I have run into one issue with the filters: I am unsure where this filter is being set.
Dovecot 2.2.32 (dfbe293d4)
I have set up dovecot-ldap.conf.ext to control my LDAP queries.
My current layout used filters based on looking at the posixAccount attributes:
user_filter = (&(objectClass=posixAccount)(uid=%u))
If I connect to an LDAP account that has no posixAccount attributes set, I was getting a failure in the logs:
Nov 02 14:15:48 mail2 dovecot[28715]: auth: Debug: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): user search: base=ou=People,dc=userful,dc=ca scope=subtree filter=(&(objectClass=posixAccount)(uid=sales)) fields=mail,user_filter
Nov 02 14:15:48 mail2 dovecot[28715]: auth: Debug: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): no fields returned by the server
Nov 02 14:15:48 mail2 dovecot[28715]: auth: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): unknown user
Nov 02 14:15:48 mail2 dovecot[28715]: auth: Error: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): user not found from userdb
I changed the filters, thinking I needed to look at the attributes seen by one of these accounts; I used Apache Studio to find out what was visible.
From that I saw inetOrgPerson could be used, so I changed the filters:
user_filter = (&(objectClass=inetOrgPerson)(uid=%u))
pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))
iterate_filter = (objectClass=inetOrgPerson)
Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=Y0GBzgVdlorAqHsn lip=192.168.123.236
Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales@userful.com,192.168.123.39,<Y0GBzgVdlorAqHsn>): bind search: base=ou=People,dc=userful,dc=ca filter=(&(objectClass=inetOrgPerson)(uid=sales))
Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales@userful.com,192.168.123.39,<Y0GBzgVdlorAqHsn>): result: uid=sales; uid unused
Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales@userful.com,192.168.123.39,<Y0GBzgVdlorAqHsn>): username changed sales@userful.com -> sales
Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): result: uid=sales
Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: ldap(sales@userful.com,192.168.123.39,<Y0GBzgVdlorAqHsn>): username changed sales@userful.com -> sales
Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: client passdb out: OK 1 user=sales original_user=sales@userful.com
So far so good, but then I get:
Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: master in: REQUEST 3851550721 29049 1 519189df600c24c010b57158ac01c867 session_pid=29073 request_auth_token
Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): user search: base=ou=People,dc=userful,dc=ca scope=subtree filter=(&(objectClass=posixAccount)(uid=sales)) fields=mail,user_filter
Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): no fields returned by the server
Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): unknown user
Nov 02 14:26:44 mail2 dovecot[29047]: auth: Error: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): user not found from userdb
The question then is where it got filter=(&(objectClass=posixAccount) from, since I changed the filters to inetOrgPerson.
I grepped the Dovecot settings directory and all my filters are in the one file, the file that holds the LDAP settings.
-- William Merkens IT Support Analyst Userful Corporation +1 403.289.2177 ext.289 +1 866 USERFUL (1-866-873-7385) Suite 300, 736 8th Ave. SW Calgary AB T2P 1H4
Managed Desktops Done Right. http://www.userful.com
Check your userdb, is it using the same config file?
Aki
On Fri, 3 Nov 2017, Aki Tuomi wrote:
Check your userdb, is it using same config file?
Some HOWTOs explicitly want you to use two config files, because Dovecot maintains two different connections for passdb and userdb queries, which is faster. So if you have copied the config file instead of symlinking it, you might have to change two files.
-- Steffen Kaiser
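One way to check Steffen's point mechanically, as an added example that is not Dovecot's code and was not posted in this thread: read the ldap passdb/userdb blocks, resolve which dovecot-ldap config file each one really loads (symlinks followed), and report any *_filter value that differs between the two. It builds its own sample config files in a temp directory and parses the blocks with a simple regex rather than calling doveconf.

```python
import os
import re
import tempfile
# Added example for this thread, not Dovecot's code: find which dovecot-ldap
# config file each ldap passdb/userdb block loads and diff the filters in them.
BLOCK_RE = re.compile(r"\b(passdb|userdb)\s*\{(.*?)\}", re.S)
SETTING_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$", re.M)
FILTER_KEYS = ("user_filter", "pass_filter", "iterate_filter")

def ldap_config_paths(auth_conf_text):
    """Map 'passdb'/'userdb' to the args path of each block with driver = ldap."""
    paths = {}
    for kind, body in BLOCK_RE.findall(auth_conf_text):
        settings = dict(SETTING_RE.findall(body))
        if settings.get("driver") == "ldap":
            paths[kind] = settings["args"]
    return paths

def read_filters(path):
    """Return the *_filter settings of one dovecot-ldap.conf.ext, comments ignored."""
    filters = {}
    with open(path) as fh:
        for line in fh:
            m = SETTING_RE.match(line.split("#", 1)[0])
            if m and m.group(1) in FILTER_KEYS:
                filters[m.group(1)] = m.group(2)
    return filters

def filter_report(auth_conf_text):
    """Per db: path, real path (symlinks resolved), filters; plus same-file flag and drifting keys."""
    report = {k: {"path": p, "realpath": os.path.realpath(p), "filters": read_filters(p)}
              for k, p in ldap_config_paths(auth_conf_text).items()}
    same = len({v["realpath"] for v in report.values()}) <= 1
    drift = {key for key in FILTER_KEYS
             if len({v["filters"].get(key) for v in report.values()}) > 1}
    return report, same, drift

def demo(userdb_is_copy):
    """Constructed scenario: passdb file edited to inetOrgPerson; userdb uses a stale copy or a symlink."""
    d = tempfile.mkdtemp()
    main = os.path.join(d, "dovecot-ldap.conf.ext")
    other = os.path.join(d, "dovecot-ldap-userdb.conf.ext")
    with open(main, "w") as fh:
        fh.write("user_filter = (&(objectClass=inetOrgPerson)(uid=%u))\n"
                 "pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))\n")
    if userdb_is_copy:  # copied file that was never re-edited: old filter survives
        with open(other, "w") as fh:
            fh.write("user_filter = (&(objectClass=posixAccount)(uid=%u))\n"
                     "pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))\n")
    else:               # symlink: both dbs read the same bytes
        os.symlink(main, other)
    auth = (f"passdb {{\n  driver = ldap\n  args = {main}\n}}\n"
            f"userdb {{\n  driver = ldap\n  args = {other}\n}}\n")
    return filter_report(auth)
```

In the copied case the report shows userdb still carrying the posixAccount user_filter, which is exactly the filter the log lines above print for the user search while the bind search already uses inetOrgPerson.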
On 17-11-03 01:01 AM, Steffen Kaiser wrote:
On Fri, 3 Nov 2017, Aki Tuomi wrote:
Check your userdb, is it using same config file?
some HOWTOs explicitly want you to use two config files, because Dovecot maintains two different connections for passdb and userdb queries, which is faster. So if you have copied the config file, instead of symlinked them, you might have to change two files.
OK, I checked for this:
# Authentication for LDAP users. Included from 10-auth.conf.
#
#
passdb {
  driver = ldap
  # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
#
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  # Default fields can be used to specify defaults that LDAP may override
  #default_fields = home=/var/spool/maildir/%d/%n/Maildir
}

# If you don't have any user-specific settings, you can avoid the userdb LDAP
# lookup by using userdb static instead of userdb ldap, for example:
#
Only one file is being called.
And in my 10-auth.conf at the bottom:
#
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
#!include auth-system.conf.ext
#!include auth-sql.conf.ext
!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
LDAP is the only auth system I am using.