[Dovecot] Dovecot 1.2.12+Postfix+Active Directory: virtual domain name dropped.
I have a Windoze-only client who wants to move their mail hosting from godaddy.com hosting to an in-house system. I'm pitching Linux as an alternative to Exchange, and trying to set up a demonstration system for them. While a long-time Linux user, my server admin experience has been in setting up front-ends (mostly Apache-based web interfaces) for the embedded systems I specialize in.
The goal is to have an IMAP server where the users don't have Linux IDs, and only need to manually login to the Active Directory domain controller.
The client has multiple Internet domains, but all users are in the same Active Directory realm internally.
With the help of the how-tos at linuxmail.info, I got the system to the point of being able to authenticate logins for both IMAP and SMTP (using dovecot-SASL). I tried using PAM first, but it didn't work: running kinit from the command line takes over 90 seconds to get a ticket, and Dovecot timed out after 60 on every login attempt. So I switched to LDAP. Note: I still don't understand why, but authentication through Active Directory didn't work until I changed the querying distinguished name from the "cn=,dc=,dc=" format to "user@xxxx.local" format.
I have Postfix using dovecot-deliver as the LDA, but I hit a snag: deliver is not putting the domain name in the path to the maildir.
I have the active directory query set as:
user_filter = (&(objectClass=user)(samaccountname=%n))
user_attrs = =home=/var/mailstore/%d/%n. =uid=501, =gid=501,
=mail=maildir:/var/mailstore/%d/%n/Maildir/
When I send mail to testing.testing@xxxx.xxx (real domain obscured), I see this in mail.log
Dec 23 10:49:24 IBMUBUNTU1 dovecot: auth(default): master in: USER#0111#011testing.testing@xxxx.xxx#011service=deliver
Dec 23 10:49:24 IBMUBUNTU1 dovecot: auth(default): ldap(testing.testing): user search: base=dc=lawley, dc=local scope=subtree filter=(&(objectClass=user) (samaccountname=testing.testing)) fields=
Dec 23 10:49:24 IBMUBUNTU1 dovecot: auth(default): ldap(testing.testing): result: objectClass(?unknown?)= cn(?unknown?)= sn(?unknown?)= givenName(?unknown?)= distinguishedName(?unknown?)= instanceType(?unknown?)= whenCreated(?unknown?)= whenChanged(?unknown?)= displayName(?unknown?)= uSNCreated(?unknown?)= uSNChanged(?unknown?)= name(?unknown?)= objectGUID(?unknown?)= userAccountControl(?unknown?)= primaryGroupID(?unknown?)= objectSid(?unknown?)= sAMAccountName(?unknown?)= sAMAccountType(?unknown?)= userPrincipalName(?unknown?)= objectCategory(?unknown?)=
Dec 23 10:49:24 IBMUBUNTU1 dovecot: auth(default): master out: USER#0111#011testing.testing#011home=/var/mailstore//testing.testing. =uid=501#011gid=501#011mail=maildir:/var/mailstore//testing.testing/Maildir/
i.e., the domain does not appear in the paths to the home directory or maildir.
I found a bug report in the mailing list that looks like it might be the same problem (%d not supported in user_attrs), but the fix it references is for 2.0.
Is this a known problem in 1.x? Is there a fix/workaround for it? E.g., could I have Postfix generate the maildir path and pass it to deliver as the "-m" parameter?
Thanks,
Ran
On Thu, 2010-12-23 at 16:53 -0700, Ran Talbott wrote:
> I have the active directory query set as:
> user_filter = (&(objectClass=user)(samaccountname=%n))
> user_attrs = =home=/var/mailstore/%d/%n. =uid=501, =gid=501,
> =mail=maildir:/var/mailstore/%d/%n/Maildir/
Would be nicer to use global mail_location=maildir:~/Maildir rather than setting it here.
> Dec 23 10:49:24 IBMUBUNTU1 dovecot: auth(default): master in: USER#0111#011testing.testing@xxxx.xxx#011service=deliver
> Dec 23 10:49:24 IBMUBUNTU1 dovecot: auth(default): ldap(testing.testing): user search: base=dc=lawley, dc=local scope=subtree filter=(&(objectClass=user) (samaccountname=testing.testing)) fields=
Because you're not actually requesting any fields, "fields=" means you're getting all the fields.
> Dec 23 10:49:24 IBMUBUNTU1 dovecot: auth(default): ldap(testing.testing): result: objectClass(?unknown?)= cn(?unknown?)= sn(?unknown?)= givenName(?unknown?)= distinguishedName(?unknown?)= instanceType(?unknown?)= whenCreated(?unknown?)= whenChanged(?unknown?)= displayName(?unknown?)= uSNCreated(?unknown?)= uSNChanged(?unknown?)= name(?unknown?)= objectGUID(?unknown?)= userAccountControl(?unknown?)= primaryGroupID(?unknown?)= objectSid(?unknown?)= sAMAccountName(?unknown?)= sAMAccountType(?unknown?)= userPrincipalName(?unknown?)= objectCategory(?unknown?)=
You could add one of these fields to user_attrs to avoid it returning everything.
> Dec 23 10:49:24 IBMUBUNTU1 dovecot: auth(default): master out: USER#0111#011testing.testing#011home=/var/mailstore//testing.testing. =uid=501#011gid=501#011mail=maildir:/var/mailstore//testing.testing/Maildir/
Still, none of this explains why the domain gets dropped. Maybe it's due to some other setting, but you didn't give dovecot -n output so I can only guess. See auth_username_format setting for example.
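To make the mechanism behind the two posts above concrete, here is an added example (not Dovecot's code and not written by either participant). It models Dovecot's %u/%n/%d expansion for the exact home and mail templates from the thread, shows that the log line "home=/var/mailstore//testing.testing" is what you get when the name reaching the userdb lookup has already lost its domain part, and adds the check a practitioner would want before trusting an expanded path as a mailstore location. The names userdb_lookup, check_home and the username_format parameter are assumptions of this model (username_format stands in for the effect of auth_username_format); Dovecot's %L-style modifiers are not modelled.

```python
"""Model of Dovecot-style %u/%n/%d expansion in user_attrs templates.

Added illustration, not Dovecot's own code. It reproduces how the
templates posted in the thread expand for a login name with and
without a domain part, and validates the resulting home path.
"""
import re

# Templates as posted in the thread (static values in user_attrs).
HOME_TEMPLATE = "/var/mailstore/%d/%n"
MAIL_TEMPLATE = "maildir:/var/mailstore/%d/%n/Maildir/"
MAILSTORE_ROOT = "/var/mailstore"


def split_user(user):
    """Split 'user@domain' into (%n, %d). %d is '' when there is no '@'."""
    name, _sep, domain = user.partition("@")
    return name, domain


def expand(template, user):
    """Expand %u, %n, %d and %% the way Dovecot's variable expansion does.

    Only these four variables are modelled; modifiers such as %Lu are not.
    """
    name, domain = split_user(user)
    values = {"u": user, "n": name, "d": domain, "%": "%"}
    return re.sub(r"%([und%])", lambda m: values[m.group(1)], template)


def userdb_lookup(user, username_format="%u"):
    """Model the userdb stage (assumption, not Dovecot internals).

    The auth username is first rewritten by username_format, which stands
    in for auth_username_format; the user_attrs templates are then expanded
    from the rewritten name. With "%n" the domain is gone before expansion,
    so %d becomes empty and the path gets a double slash, exactly as in the
    "master out" log line from the thread.
    """
    lookup_name = expand(username_format, user)
    return {
        "user": lookup_name,
        "home": expand(HOME_TEMPLATE, lookup_name),
        "mail": expand(MAIL_TEMPLATE, lookup_name),
    }


def check_home(home, root=MAILSTORE_ROOT):
    """Validate an expanded home path before it is used as a filesystem location.

    Returns (ok, reason). Rejects paths outside root, empty components (the
    dropped-domain case), '.'/'..' components, and anything other than the
    expected <domain>/<user> layout. Checks the raw components on purpose:
    os.path.normpath would silently collapse '//' and hide the empty domain.
    """
    prefix = root + "/"
    if not home.startswith(prefix):
        return False, "outside mailstore root"
    parts = home[len(prefix):].split("/")
    if any(p in ("", ".", "..") for p in parts):
        return False, "empty or relative path component"
    if len(parts) != 2:
        return False, "expected <domain>/<user> under the mailstore root"
    return True, "ok"


if __name__ == "__main__":
    # Constructed input mirroring the address in the thread.
    for fmt in ("%u", "%n"):
        entry = userdb_lookup("testing.testing@xxxx.xxx", username_format=fmt)
        print(fmt, entry["home"], check_home(entry["home"]))
```

Run it and the "%u" case yields /var/mailstore/xxxx.xxx/testing.testing, while the "%n" case yields the double-slash path from the log and fails check_home. The check is the part worth keeping regardless of the root cause: a home or mail_location assembled from directory data and login input should never be handed to the LDA without confirming it still lies under the mailstore root with non-empty components.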
Participants (2): Ran Talbott, Timo Sirainen