[Dovecot] Virtual users, postfix and dovecot deliver LDA
Hi, I have a question about how to set up LDAP lookups in Dovecot. I have done my homework by googling and reading the documentation and sample configuration files, but I can't resolve this issue.
Background: I have set up Postfix and Dovecot. Postfix is configured with LDAP alias maps and is delivering mail to /var/spool/vmail/username/Maildir correctly. Username is the LDAP attribute sAMAccountName from Active Directory.
Goal: To use Dovecot's Sieve plugin I have to set up Postfix to use Dovecot's deliver. Changed postfix main.cf to
virtual_transport = dovecot
and master.cf to include the lines:
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/lda/deliver -d ${recipient}
Problem is that mail gets delivered to /var/spool/vmail/users.email@address, not to a folder named as the LDAP attribute sAMAccountName as it should.
The question is: how can I configure deliver to map the email address to the LDAP attribute sAMAccountName? Second question: can I use LDAP groups as distribution lists with deliver?
Dovecot version is 1.1.2 and Postfix 2.5.1.
Cheers,
Petri
On Fri, 2008-08-29 at 17:08 +0300, Petri Asikainen wrote:
Problem is that mail gets delivered to /var/spool/vmail/users.email@address, not to a folder named as the LDAP attribute sAMAccountName as it should.
I'm guessing your user_attrs setting doesn't contain "sAMAccountName=user", so Dovecot uses the email destination as username. If that doesn't help, post your dovecot-ldap.conf.
Second question: can I use LDAP groups as distribution lists with deliver?
deliver can write the mail only to a single recipient. I'd guess you could do this on the Postfix side.
Thanks, now I'm starting to get it, but I can't get the LDAP userdb working. First I was using a static userdb (stupid me ... ;)
I added dovecot-ldap-userdb.conf and it's in auth default, but now it doesn't look up users at all. The account that I try to use to bind to LDAP is working with Postfix. There's probably something wrong with my static attributes syntax.
## dovecot.conf: (part of it)
auth default {
passdb ldap { args = /etc/dovecot/dovecot-ldap.conf }
userdb ldap { args = /etc/dovecot/dovecot-ldap-userdb.conf }
## new dovecot-ldap-userdb.conf
hosts = 172.16.0.2
base = ou=Oppilaitokset,dc=domain,dc=local
ldap_version = 3
dn = ad_postfix@domain.local
dnpass = ***********
user_attrs = sAMAccountName=user,=home=/var/spool/vmail/%u,=gid=12,=uid=1001
## and in dovecot-ldap.conf
hosts = 172.16.0.2
base = ou=Oppilaitokset,dc=domain,dc=local
ldap_version = 3
auth_bind = yes
auth_bind_userdn = domain\%u
Timo Sirainen wrote:
On Fri, 2008-08-29 at 17:08 +0300, Petri Asikainen wrote:
Problem is that mail gets delivered to /var/spool/vmail/users.email@address, not to a folder named as the LDAP attribute sAMAccountName as it should.
I'm guessing your user_attrs setting doesn't contain "sAMAccountName=user", so Dovecot uses the email destination as username. If that doesn't help, post your dovecot-ldap.conf.
Second question: can I use LDAP groups as distribution lists with deliver?
deliver can write the mail only to a single recipient. I'd guess you could do this on the Postfix side.
On Sep 1, 2008, at 7:51 AM, Petri Asikainen wrote:
I added dovecot-ldap-userdb.conf and it's in auth default, but now it doesn't look up users at all. The account that I try to use to bind to LDAP is working with Postfix. There's probably something wrong with my static attributes syntax.
You would be able to use the same dovecot-ldap.conf for both also.
## new dovecot-ldap-userdb.conf
hosts = 172.16.0.2
base = ou=Oppilaitokset,dc=domain,dc=local
ldap_version = 3
dn = ad_postfix@domain.local
dnpass = ***********
user_attrs = sAMAccountName=user,=home=/var/spool/vmail/%u,=gid=12,=uid=1001
The =gid=12 and =uid=1001 could be replaced with mail_gid and mail_uid settings in dovecot.conf. But those shouldn't break anything.
Hmm. Oh, right. The sAMAccountName=user does actually nothing with deliver. That's kind of a bug I should probably fix.. You could instead do something like:
user_attrs = sAMAccountName=home=/var/spool/vmail/%$
And then use mail_location = %h
Still having some problems. Is there a way to query the userdb to see what values Dovecot is returning after the LDAP query?
Timo Sirainen wrote:
On Sep 1, 2008, at 7:51 AM, Petri Asikainen wrote:
I added dovecot-ldap-userdb.conf and it's in auth default, but now it doesn't look up users at all. The account that I try to use to bind to LDAP is working with Postfix. There's probably something wrong with my static attributes syntax.
You would be able to use the same dovecot-ldap.conf for both also.
## new dovecot-ldap-userdb.conf
hosts = 172.16.0.2
base = ou=Oppilaitokset,dc=domain,dc=local
ldap_version = 3
dn = ad_postfix@domain.local
dnpass = ***********
user_attrs = sAMAccountName=user,=home=/var/spool/vmail/%u,=gid=12,=uid=1001
The =gid=12 and =uid=1001 could be replaced with mail_gid and mail_uid settings in dovecot.conf. But those shouldn't break anything.
Hmm. Oh, right. The sAMAccountName=user does actually nothing with deliver. That's kind of a bug I should probably fix.. You could instead do something like:
user_attrs = sAMAccountName=home=/var/spool/vmail/%$
And then use mail_location = %h
Thanks, I got it working.
My dovecot-ldap.conf is at the end of the mail in case anyone is interested.
A couple of notes: I had to leave the uid and gid mappings here (user_filter) or I got setuid-related error messages.
userdb is queried with the email address when the LDA gets mail to deliver, and with the username when the user connects to the mailbox. So there's a need for a "complex" user_filter.
There's probably no need to use pass_filter when auth_bind = yes.
Cheers,
Petri
hosts = 172.16.0.2
base = ou=Oppilaitokset,dc=skao,dc=local
pass_filter = (&(objectClass=Person)(sAMAccountName=%u))
user_filter = (&(objectClass=Person)(|(mail=%u)(sAMAccountName=%u)))
ldap_version = 3
auth_bind = yes
auth_bind_userdn = domain\%u
dn = domain_postfix@domain.local
dnpass = ***********
user_attrs = sAMAccountName=user,sAMAccountName=home=/var/spool/vmail/%$,=gid=12,=uid=1001
Timo Sirainen wrote:
On Mon, 2008-09-01 at 13:07 +0300, Petri Asikainen wrote:
Still having some problems. Is there way to query user db to see what values dovecot is returning after ldap query?
Not really, but auth_debug=yes shows what it returns.
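The working dovecot-ldap.conf above, together with the note that the userdb is queried with the email address by the LDA but with the username by IMAP, can be reasoned about without a directory server. The Python script below is an added example, not Dovecot code and not something from the thread: it parses the config into key/value pairs, expands `%u` in `user_filter` (escaping RFC 4515 filter metacharacters first, as any code that builds a filter from a user-supplied lookup key must), evaluates that filter against constructed directory entries, and expands `user_attrs` including the `%$` placeholder. The directory entries, the mail address `petasi@domain.local` and all function names are constructed assumptions; the bind credentials are omitted; and the model simply returns the `user` field, whereas Timo notes that deliver in Dovecot 1.1 ignores it.

```python
"""Simplified model of a Dovecot 1.x LDAP userdb lookup (added example, not Dovecot code)."""

# Configuration from the thread, embedded here as a constructed string (dn/dnpass omitted).
LDAP_CONF = """
hosts = 172.16.0.2
base = ou=Oppilaitokset,dc=domain,dc=local
pass_filter = (&(objectClass=Person)(sAMAccountName=%u))
user_filter = (&(objectClass=Person)(|(mail=%u)(sAMAccountName=%u)))
ldap_version = 3
auth_bind = yes
user_attrs = sAMAccountName=user,sAMAccountName=home=/var/spool/vmail/%$,=gid=12,=uid=1001
"""

# Constructed directory entries standing in for Active Directory search results.
# Keys are lower-cased because LDAP attribute names are case-insensitive.
DIRECTORY = [
    {"objectclass": "Person", "samaccountname": "petasi", "mail": "petasi@domain.local"},
    {"objectclass": "Person", "samaccountname": "teacher", "mail": "teacher@domain.local"},
]


def parse_conf(text):
    """Parse 'key = value' lines; '#' comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def ldap_escape(value):
    """Escape RFC 4515 metacharacters so a lookup key cannot change the filter's shape."""
    for ch, repl in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, repl)
    return value


def match_filter(filt, entry):
    """Evaluate the filter subset used in the thread: (&...), (|...), (!...) and (attr=value)."""
    pos = 0

    def parse():
        nonlocal pos
        pos += 1                      # skip '('
        op = filt[pos]
        if op in "&|!":
            pos += 1
            results = []
            while filt[pos] == "(":
                results.append(parse())
            pos += 1                  # skip ')'
            return all(results) if op == "&" else any(results) if op == "|" else not results[0]
        end = filt.index(")", pos)
        attr, _, value = filt[pos:end].partition("=")
        pos = end + 1
        # Both AD attributes used here match case-insensitively; unescaping is not modelled.
        return entry.get(attr.lower(), "").lower() == value.lower()

    return parse()


def parse_user_attrs(spec):
    """Split 'ldapattr=field[=template]' items; an empty ldapattr means a static value."""
    mappings = []
    for item in spec.split(","):
        parts = item.split("=", 2)
        ldap_attr, field = parts[0], parts[1]
        template = parts[2] if len(parts) == 3 else "%$"   # bare 'attr=field' copies the value
        mappings.append((ldap_attr, field, template))
    return mappings


def userdb_lookup(conf, directory, lookup_key):
    """Return the userdb fields for the first entry matching user_filter, or None."""
    filt = conf["user_filter"].replace("%u", ldap_escape(lookup_key))
    for entry in directory:
        if match_filter(filt, entry):
            fields = {}
            for ldap_attr, field, template in parse_user_attrs(conf["user_attrs"]):
                source = entry.get(ldap_attr.lower(), "") if ldap_attr else ""
                fields[field] = template.replace("%$", source)   # %$ = the LDAP attribute's value
            return fields
    return None


if __name__ == "__main__":
    conf = parse_conf(LDAP_CONF)
    for key in ("petasi@domain.local", "petasi", "nobody@domain.local"):
        print(key, "->", userdb_lookup(conf, DIRECTORY, key))
```

Running it shows the same fields for the LDA-style lookup (`petasi@domain.local`) and the IMAP-style lookup (`petasi`), which is what the `(|(mail=%u)(sAMAccountName=%u))` filter buys; a key that matches neither attribute returns None, and a key containing filter metacharacters is escaped rather than being allowed to widen the search.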
Works for me (tm). Maybe some LDAP servers do not like that result attributes are specified multiple times, but with the current Active Directory server this does not seem to be an issue.
Log shows that the query is working:
Sep 1 15:00:52 domainlx6 dovecot: auth(default): ldap(petasi,172.21.89.69): user search: base=ou=Oppilaitokset,dc=domain,dc=local scope=subtree filter=(&(objectClass=Person)(|(mail=petasi)(sAMAccountName=petasi))) fields=sAMAccountName,sAMAccountName
Sep 1 15:00:52 domainlx6 dovecot: auth(default): ldap(petasi,172.21.89.69): result: sAMAccountName(home=/var/spool/vmail/%$)=/var/spool/vmail/petasi
Sep 1 15:00:52 domainlx6 dovecot: auth(default): master out: USER 2 petasi home=/var/spool/vmail/petasi gid=12 uid=1001
Timo Sirainen wrote:
On Mon, 2008-09-01 at 15:15 +0300, Petri Asikainen wrote:
user_attrs = sAMAccountName=user,sAMAccountName=home=/var/spool/vmail/%$,=gid=12,=uid=1001
Hmm. Does that really return both "user" and "home"? I've in TODO that it's not working..
Your log shows that "home" is working but "user" is ignored, just as I thought..
On Mon, 2008-09-01 at 15:42 +0300, Petri Asikainen wrote:
Works for me (tm). Maybe some LDAP servers do not like that result attributes are specified multiple times, but with the current Active Directory server this does not seem to be an issue.
Log shows that the query is working:
Sep 1 15:00:52 domainlx6 dovecot: auth(default): ldap(petasi,172.21.89.69): user search: base=ou=Oppilaitokset,dc=domain,dc=local scope=subtree filter=(&(objectClass=Person)(|(mail=petasi)(sAMAccountName=petasi))) fields=sAMAccountName,sAMAccountName
Sep 1 15:00:52 domainlx6 dovecot: auth(default): ldap(petasi,172.21.89.69): result: sAMAccountName(home=/var/spool/vmail/%$)=/var/spool/vmail/petasi
Sep 1 15:00:52 domainlx6 dovecot: auth(default): master out: USER 2 petasi home=/var/spool/vmail/petasi gid=12 uid=1001
Timo Sirainen wrote:
On Mon, 2008-09-01 at 15:15 +0300, Petri Asikainen wrote:
user_attrs = sAMAccountName=user,sAMAccountName=home=/var/spool/vmail/%$,=gid=12,=uid=1001
Hmm. Does that really return both "user" and "home"? I've in TODO that it's not working..
Or actually that log doesn't show anything since both mail and sAMAccountName are the same. :) But I'm pretty sure the user gets ignored..
On Mon, 2008-09-01 at 15:46 +0300, Timo Sirainen wrote:
Your log shows that "home" is working but "user" is ignored, just as I thought..
On Mon, 2008-09-01 at 15:42 +0300, Petri Asikainen wrote:
Works for me (tm). Maybe some LDAP servers do not like that result attributes are specified multiple times, but with the current Active Directory server this does not seem to be an issue.
Log shows that the query is working:
Sep 1 15:00:52 domainlx6 dovecot: auth(default): ldap(petasi,172.21.89.69): user search: base=ou=Oppilaitokset,dc=domain,dc=local scope=subtree filter=(&(objectClass=Person)(|(mail=petasi)(sAMAccountName=petasi))) fields=sAMAccountName,sAMAccountName
Sep 1 15:00:52 domainlx6 dovecot: auth(default): ldap(petasi,172.21.89.69): result: sAMAccountName(home=/var/spool/vmail/%$)=/var/spool/vmail/petasi
Sep 1 15:00:52 domainlx6 dovecot: auth(default): master out: USER 2 petasi home=/var/spool/vmail/petasi gid=12 uid=1001
Timo Sirainen wrote:
On Mon, 2008-09-01 at 15:15 +0300, Petri Asikainen wrote:
user_attrs = sAMAccountName=user,sAMAccountName=home=/var/spool/vmail/%$,=gid=12,=uid=1001
Hmm. Does that really return both "user" and "home"? I've in TODO that it's not working..
Timo Sirainen wrote:
Your log shows that "home" is working but "user" is ignored, just as I thought..
Hmm.. I don't want to argue with you, you wrote the beast. But before I added that sAMAccountName=user mapping, my system log showed the following and the user could not access the IMAP mailbox. After adding it there are no "username changed" log messages when accessing the IMAP box, and the MTA can still deliver mail to the correct box.
Does third line mean that username get converted to home?
## LOG BEFORE sAMAccountName
Sep 1 14:40:48 skaolx6 dovecot: auth(default): ldap(petasi,172.21.89.69): user search: base=ou=Oppilaitokset,dc=domain,dc=local scope=subtree filter=(&(objectClass=Person)(|(mail=petasi)(sAMAccountName=petasi))) fields=sAMAccountName
Sep 1 14:40:48 domainlx6 dovecot: auth(default): auth(petasi,172.21.89.69): username changed petasi -> home=/var/spool/vmail/petasi
Sep 1 14:40:48 domainlx6 dovecot: auth(default): ldap(home=/var/spool/vmail/petasi,172.21.89.69): result: sAMAccountName(user=home=/var/spool/vmail/%$)=home=/var/spool/vmail/petasi
Sep 1 14:40:48 domainlx6 dovecot: auth(default): master out: USER 1 home=/var/spool/vmail/petasi gid=12 uid=1001
Sep 1 14:40:48 domainlx6 dovecot: imap-login: Login: user=<petasi>, method=PLAIN, rip=172.21.89.69, lip=212.86.14.194, TLS
Sep 1 14:40:48 domainlx6 dovecot: IMAP(home=/var/spool/vmail/petasi): mkdir(/HOME_DIRECTORY_USED_BUT_NOT_GIVEN_BY_USERDB/Maildir/.Trash/cur) failed: Permission denied
On Mon, 2008-09-01 at 15:42 +0300, Petri Asikainen wrote:
Works for me (tm). Maybe some LDAP servers do not like that result attributes are specified multiple times, but with the current Active Directory server this does not seem to be an issue.
Log shows that the query is working:
Sep 1 15:00:52 domainlx6 dovecot: auth(default): ldap(petasi,172.21.89.69): user search: base=ou=Oppilaitokset,dc=domain,dc=local scope=subtree filter=(&(objectClass=Person)(|(mail=petasi)(sAMAccountName=petasi))) fields=sAMAccountName,sAMAccountName
Sep 1 15:00:52 domainlx6 dovecot: auth(default): ldap(petasi,172.21.89.69): result: sAMAccountName(home=/var/spool/vmail/%$)=/var/spool/vmail/petasi
Sep 1 15:00:52 domainlx6 dovecot: auth(default): master out: USER 2 petasi home=/var/spool/vmail/petasi gid=12 uid=1001
Timo Sirainen wrote:
On Mon, 2008-09-01 at 15:15 +0300, Petri Asikainen wrote:
user_attrs = sAMAccountName=user,sAMAccountName=home=/var/spool/vmail/%$,=gid=12,=uid=1001
Hmm. Does that really return both "user" and "home"? I've in TODO that it's not working..
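Petri's "LOG BEFORE" lines show what an `sAMAccountName=home=...` mapping without a separate `user` field looks like in auth_debug output: the `username changed` line rewrites the username into a `home=...` string, and the `master out: USER` reply then carries that string as the username with no `home` field at all, so the IMAP process ends up in the wrong directory. The Python below is an added example, not Dovecot code and not from the thread; it scans auth_debug lines for exactly those signs so the misconfiguration can be caught from the log rather than from a Permission denied error later. The sample lines are copied from the thread's two logs and embedded as constructed input; the finding names are my own.

```python
"""Check Dovecot auth_debug output for a userdb reply that rewrites the username (added example)."""
import re

# Log patterns from the thread's auth_debug output.
USERNAME_CHANGED = re.compile(r"username changed (\S+) -> (\S+)")
MASTER_OUT = re.compile(r"master out: USER \d+ (\S+)(.*)$")

# Constructed input: the "before" log Petri posted (sAMAccountName=home=... with no user field).
LOG_BEFORE = [
    "Sep 1 14:40:48 skaolx6 dovecot: auth(default): ldap(petasi,172.21.89.69): user search: base=ou=Oppilaitokset,dc=domain,dc=local scope=subtree filter=(&(objectClass=Person)(|(mail=petasi)(sAMAccountName=petasi))) fields=sAMAccountName",
    "Sep 1 14:40:48 domainlx6 dovecot: auth(default): auth(petasi,172.21.89.69): username changed petasi -> home=/var/spool/vmail/petasi",
    "Sep 1 14:40:48 domainlx6 dovecot: auth(default): ldap(home=/var/spool/vmail/petasi,172.21.89.69): result: sAMAccountName(user=home=/var/spool/vmail/%$)=home=/var/spool/vmail/petasi",
    "Sep 1 14:40:48 domainlx6 dovecot: auth(default): master out: USER 1 home=/var/spool/vmail/petasi gid=12 uid=1001",
    "Sep 1 14:40:48 domainlx6 dovecot: imap-login: Login: user=<petasi>, method=PLAIN, rip=172.21.89.69, lip=212.86.14.194, TLS",
    "Sep 1 14:40:48 domainlx6 dovecot: IMAP(home=/var/spool/vmail/petasi): mkdir(/HOME_DIRECTORY_USED_BUT_NOT_GIVEN_BY_USERDB/Maildir/.Trash/cur) failed: Permission denied",
]

# Constructed input: the working log from later in the thread.
LOG_AFTER = [
    "Sep 1 15:00:52 domainlx6 dovecot: auth(default): ldap(petasi,172.21.89.69): user search: base=ou=Oppilaitokset,dc=domain,dc=local scope=subtree filter=(&(objectClass=Person)(|(mail=petasi)(sAMAccountName=petasi))) fields=sAMAccountName,sAMAccountName",
    "Sep 1 15:00:52 domainlx6 dovecot: auth(default): ldap(petasi,172.21.89.69): result: sAMAccountName(home=/var/spool/vmail/%$)=/var/spool/vmail/petasi",
    "Sep 1 15:00:52 domainlx6 dovecot: auth(default): master out: USER 2 petasi home=/var/spool/vmail/petasi gid=12 uid=1001",
]


def check_auth_log(lines):
    """Return (kind, detail) findings; an empty list means the userdb reply looks sane."""
    findings = []
    for line in lines:
        m = USERNAME_CHANGED.search(line)
        if m and "=" in m.group(2):
            # The username was replaced by a key=value string, i.e. a field leaked into the name.
            findings.append(("username-rewritten", f"{m.group(1)} -> {m.group(2)}"))
        m = MASTER_OUT.search(line)
        if m:
            user, rest = m.group(1), m.group(2)
            # Extra fields in the reply are key=value tokens: home=..., gid=..., uid=...
            fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
            if "=" in user:
                findings.append(("user-field-is-key-value", user))
            if "home" not in fields:
                findings.append(("missing-home", f"userdb reply for {user} has no home= field"))
    return findings


if __name__ == "__main__":
    for name, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(name, check_auth_log(log) or "ok")
```

The "before" log yields three findings (the rewrite, the key=value username in the USER reply, and the absent home field); the "after" log yields none, which matches Timo's reading that `home` works but `user` is ignored, and that the `home` field, not the username, is what `mail_location = %h` needs.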