[Dovecot] Static userdb with LDAP passdb but without "allow_all_users=yes"?
Hi,
Is it possible to have a static user database along with an LDAP password database and *not* be forced to set "allow_all_users=yes" for the userdb?
The wiki page on static user database says "Normally static userdb handles this by doing a passdb lookup instead." How should the passdb behave in order for this to work?
In my tests (on a test server) I am using Dovecot 2.0.7 and Postfix 2.7.0 on Ubuntu 10.04.1. I use (or am trying to use) LMTP with Dovecot and Postfix according to the HOWTO in the wiki [1] as well as dynamic address verification with LMTP [2]. Users are virtual, using a static userdb and passwords from LDAP. I also serve local system users which is why I also have userdb and passdb pam, but this isn't the issue here.
Delivering mail to an existing virtual user works fine as far as I can see but when a non-existent user is the recipient Dovecot complains that the passdb doesn't support lookups:
postfix/smtpd[26469]: connect from remote-smtp.example.net[10.0.0.10]
postfix/cleanup[26474]: 772A760B25: message-id=20101125172409.772A760B25@mailtest.example.com
postfix/qmgr[27672]: 772A760B25: from=
I've uploaded this log file excerpt for your viewing convenience to https://daff.pseudoterminal.org/misc/dovecot/failed_delivery.log

More relevant information (doveconf -n, dovecot-ldap.conf) is found below. I can also provide a log excerpt from a successful delivery to an existing virtual user, if needed.
To summarise: I want to use LMTP, dynamic address verification, a static user database and an LDAP password database. Can it be done without having to rely on the MTA (Postfix) to verify existing users?
Thanks in advance!
Andreas
[1] http://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP
[2] http://wiki2.dovecot.org/LDA/Postfix
dovecot-ldap.conf:
uris = ldap://ldap.example.com:389
tls = yes
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
base = ou=virtualDomains,dc=example,dc=com
dn = uid=dovecot,ou=services,dc=example,dc=com
dnpass = xxx
pass_attrs = uid=user, userPassword=password
pass_filter = (&(objectClass=hostedAccount)(uid=%u)(accountEnabled=TRUE))
iterate_attrs = uid=user
iterate_filter = (objectClass=hostedAccount)
doveconf -n: https://daff.pseudoterminal.org/misc/dovecot/doveconf-n.txt
Andreas Ntaflos Vienna, Austria
GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC 7E65 397C E2A8 090C A9B4
On Thu, 2010-11-25 at 19:31 +0100, Andreas Ntaflos wrote:
> Is it possible to have a static user database along with an LDAP password database and *not* be forced to set "allow_all_users=yes" for the userdb?

Yes.

> dovecot: auth: Error: static(not-a-user@test01.example.com): passdb doesn't support lookups, can't verify user's existence

Set auth_debug=yes and see what it logs. passdb ldap should support it, as long as you don't set auth_bind=yes. I just verified that it works:

Nov 26 16:28:57 auth: Debug: master in: USER 1 tss service=lda
Nov 26 16:28:57 auth: Debug: ldap(tss): pass search: base=ou=people,dc=example,dc=com scope=subtree filter=(&(objectClass=posixAccount)(uid=tss)) fields=uid,userPassword
Nov 26 16:28:57 auth: Debug: ldap(tss): result: uid(user)=tss userPassword(password)=pass
On Friday 26 November 2010 17:30:55 Timo Sirainen wrote:
> On Thu, 2010-11-25 at 19:31 +0100, Andreas Ntaflos wrote:
> > Is it possible to have a static user database along with an LDAP password database and *not* be forced to set "allow_all_users=yes" for the userdb?
>
> Yes.
>
> > dovecot: auth: Error: static(not-a-user@test01.example.com): passdb doesn't support lookups, can't verify user's existence
>
> Set auth_debug=yes and see what it logs. passdb ldap should support it, as long as you don't set auth_bind=yes. I just verified that it works:
Thanks for the hint! I always forget how useful mail_debug and auth_debug can be. It turns out that the problem was indeed that I had passwd and pam as additional user and password databases. The order in which they are declared in dovecot.conf matters, of course, and when the PAM passdb is the last entry the problem appears.
The workaround is obviously to not set PAM as the last entry. But this also means that any user from the LDAP/static user database that tries to log in has to go through PAM first and fail. On a busy server with lots of LDAP/static users and few system users this would waste quite a few resources and clutter up /var/log/auth.log pretty badly.
Is there a way around that?
Andreas
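The setup the two messages above describe, written out as one configuration. This is an added example for readers of the archive, not a file posted in the thread and not the doveconf -n output linked earlier; it follows Timo's hint (auth_bind left unset so passdb ldap can answer lookups) and Andreas's finding (passdb pam listed before passdb ldap, so PAM is not the last passdb consulted). The file paths, the vmail uid/gid and home template, and the placement of the settings are assumptions; the dovecot-ldap.conf values are the ones from the first post.

```conf
# Added example, not from the thread or the linked doveconf -n.
# Dovecot 2.0 syntax. Assumed: file paths, uid/gid vmail, the home template.

# /etc/dovecot/conf.d/10-auth.conf (or dovecot.conf)
auth_debug = yes      # temporary: shows which passdb answered each lookup
mail_debug = yes

# Local system users. passdb pam cannot answer a lookup ("passdb doesn't
# support lookups"), so it must not be the last passdb consulted when
# userdb static has to verify that a recipient exists: list it first.
passdb {
  driver = pam
}
userdb {
  driver = passwd
}

# Virtual users. passdb ldap answers existence lookups only while auth_bind
# stays unset (default no) in dovecot-ldap.conf; with auth_bind = yes the
# lookup made on behalf of userdb static fails the same way as with PAM.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf
}
userdb {
  driver = static
  # No allow_all_users=yes: an unknown recipient is rejected after the
  # passdb lookup instead of being treated as an existing mailbox.
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}

# /etc/dovecot/dovecot-ldap.conf (settings from the first post, with the
# one line that matters for lookups spelled out)
uris = ldap://ldap.example.com:389
tls = yes
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
base = ou=virtualDomains,dc=example,dc=com
dn = uid=dovecot,ou=services,dc=example,dc=com
dnpass = xxx
#auth_bind = no       # leave unset; auth_bind = yes breaks the existence check
pass_attrs = uid=user, userPassword=password
pass_filter = (&(objectClass=hostedAccount)(uid=%u)(accountEnabled=TRUE))
iterate_attrs = uid=user
iterate_filter = (objectClass=hostedAccount)
```

With auth_debug=yes, an LMTP delivery to a virtual recipient should produce the same kind of "ldap(...): pass search" and "result:" lines Timo showed, and a delivery to an unknown address should no longer log the "passdb doesn't support lookups" error. The cost Andreas points out stays with this ordering: every LDAP user's login is first tried against PAM and fails there before passdb ldap is reached.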
On Wed, 2010-12-01 at 02:56 +0100, Andreas Ntaflos wrote:
> Thanks for the hint! I always forget how useful mail_debug and auth_debug can be. It turns out that the problem was indeed that I had passwd and pam as additional user and password databases. The order in which they are declared in dovecot.conf matters of course and when the PAM passdb is the last entry the problem appears.
On Thursday 02 December 2010 20:10:42 Timo Sirainen wrote:
> On Wed, 2010-12-01 at 02:56 +0100, Andreas Ntaflos wrote:
> > Thanks for the hint! I always forget how useful mail_debug and auth_debug can be. It turns out that the problem was indeed that I had passwd and pam as additional user and password databases. The order in which they are declared in dovecot.conf matters of course and when the PAM passdb is the last entry the problem appears.
Excellent, thank you very much.