[Dovecot] dovecot-ldap.conf for usernames/homes/UID/GID
hi there,
I'm getting such a headache today; I've added myself to three mailing lists trying to figure this out. Okay, here it goes.
I've got a Fedora Core 4 box running dovecot imap, squirrel mail, postfix, samba/winbind.
I'm running winbind to authenticate against Active Directory. I've edited my /etc/pam.d/dovecot pam module so as to let my users log in with their Active Directory password, but squirrel mail won't let them. I think (let me stress the term 'think') it has something to do with their home directories, because I have some local users as well; they can log in with no issues, and my users with the same usernames on unix and ADS can log in with their ADS passwords.
Now I'm looking at the dovecot webmin module and I see that Data source for users, homes and Ids is set to use Standard unix username database. There is no option of PAM like in Password authentication source, although I do see LDAP, using config file. Can I set that to query the Active Directory ldap database and go there for the Data source for users, homes and Ids?
If I can, can someone tell me how to? If not, can someone tell me what I need to do?
Here is what I have so far with my /etc/dovecot-ldap.conf
hosts = senior-server.school.cathedral.qld.edu.au:389
dn = cn=administrator,cn=users,dc=school,dc=cathedral,dc=qld,dc=edu,dc=au
dnpass = wwvH@cs
ldap_version = 3
base = dc=school,dc=cathedral,dc=qld,dc=edu,dc=au
deref = never
scope = subtree
user_attrs = uid,homeDirectory,,uid,uidNumber,gidNumber
user_filter = (&(objectClass=posixAccount)(cn=%u))
pass_attrs = uid,userPassword
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = CRYPT
user_global_uid = 100
user_global_gid = 100
As time goes on I'm more and more convinced that the problem is that I can't make the home directory when I log in to squirrel mail ... Has anyone ever encountered this before?
Q1. Can dovecot use its LDAP configuration to get information from Active Directory? If so, can someone show me an example dovecot-ldap.conf file?
Q2. To me this seems like just a virtual user scenario. With virtual users, how do you get a home directory for mail to be stored in automatically?
Q3. In my /etc/pam.d/dovecot pam module (shown below) it requests that you make a home directory. When I use this in my sshd pam module and log in, I make a home directory; when I do it via squirrel mail it doesn't make a home directory. Why?
auth required pam_winbind.so
account required pam_winbind.so
session optional pam_mkhomedir.so
Q4. Here are both my configuration files; can someone tell me what I'm doing wrong?
/etc/dovecot-ldap.conf
hosts = server2000.mydomain.com.au:389
dn = cn=administrator,cn=users,dc=mydomain,dc=com,dc=au
dnpass = password
ldap_version = 3
base = dc=mydomain,dc=com,dc=au
deref = never
scope = subtree
user_attrs = uid,homeDirectory,,uid,uidNumber,gidNumber
user_filter = (&(objectClass=posixAccount)(cn=%u))
pass_attrs = uid,userPassword
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = CRYPT
user_global_uid = 100
user_global_gid = 100
/etc/dovecot.conf
#base_dir = /var/run/dovecot/
protocols = imap imaps
imap_listen = [::]
pop3_listen = [::]
#imaps_listen =
#pop3s_listen =
#ssl_disable = no
#ssl_cert_file = /usr/share/ssl/certs/dovecot.pem
#ssl_key_file = /usr/share/ssl/private/dovecot.pem
#ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat
#ssl_parameters_regenerate = 24
#disable_plaintext_auth = yes
log_path = /var/log/dovecot.log
#info_log_path =
#log_timestamp = "%b %d %H:%M:%S "
login_dir = /var/run/dovecot-login
#login_chroot = yes
login = imap
#login_executable = /usr/libexec/dovecot/imap-login
#login_user = dovecot
#login_process_size = 32
#login_process_per_connection = yes
#login_processes_count = 3
#login_max_processes_count = 128
#login_max_logging_users = 256
login = pop3
#max_mail_processes = 1024
#verbose_proctitle = no
#verbose_ssl = no
#first_valid_uid = 500
#last_valid_uid = 0
#first_valid_gid = 1
#last_valid_gid = 0
#mail_extra_groups =
valid_chroot_dirs = /home
default_mail_env = maildir:~/Maildir
#mail_cache_fields = MessagePart
#mail_never_cache_fields =
#client_workarounds =
#mailbox_check_interval = 0
#mailbox_idle_check_interval = 30
#mail_full_filesystem_access = no
#mail_max_flag_length = 50
#mail_save_crlf = no
#mail_read_mmaped = no
#maildir_stat_dirs = no
#maildir_copy_with_hardlinks = no
#maildir_check_content_changes = no
mbox_locks = fcntl
#mbox_read_dotlock = no
#mbox_lock_timeout = 300
#mbox_dotlock_change_timeout = 30
# umask to use for mail files and directories
#umask = 0077
#mail_drop_priv_before_exec = no
#imap_executable = /usr/libexec/dovecot/imap
#imap_process_size = 256
#imap_use_modules = no
#imap_modules = /usr/lib/dovecot/imap
#pop3_executable = /usr/libexec/dovecot/pop3
#pop3_process_size = 256
#pop3_use_modules = no
#pop3_modules = /usr/lib/dovecot/pop3
auth = default
auth_mechanisms = plain
#auth_realms =
#auth_default_realm =
auth_userdb = ldap /etc/dovecot-ldap.conf
auth_passdb = pam
#auth_executable = /usr/libexec/dovecot/dovecot-auth
#auth_process_size = 256
auth_user = root
#auth_chroot =
#auth_count = 1
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
#auth_anonymous_username = anonymous
#auth_verbose = no
#auth_debug = no
#auth = digest_md5
#auth_mechanisms = digest-md5
#auth_realms =
#auth_userdb = passwd-file /etc/passwd.imap
#auth_passdb = passwd-file /etc/passwd.imap
#auth_user = imapauth
#auth_chroot =
# simply set "auth_methods = plain digest-md5"
-----Original Message-----
From: dovecot-bounces@dovecot.org [mailto:dovecot-bounces@dovecot.org] On Behalf Of Paul Matthews
Sent: Thursday, 12 January 2006 3:30
To: dovecot@dovecot.org
Subject: [Dovecot] dovecot-ldap.conf for usernames/homes/UID/GID
On 12 Jan 2006, at 22:33, Paul Matthews wrote:
Q1. Can dovecot use its LDAP configuration to get information from Active Directory? If so, can someone show me an example dovecot-ldap.conf file?
Probably but that's not relevant if you're using WinBind. See below.
Q2. To me this seems like just a virtual user scenario. With virtual users, how do you get a home directory for mail to be stored in automatically?
pam_mkhomedir, as you've used below.
Q3. In my /etc/pam.d/dovecot pam module (shown below) it requests that you make a home directory. When I use this in my sshd pam module and log in, I make a home directory; when I do it via squirrel mail it doesn't make a home directory. Why?
auth required pam_winbind.so
account required pam_winbind.so
session optional pam_mkhomedir.so
Interesting. Mine says:
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
The paths to the PAM modules should be irrelevant, but I would
perhaps add the skel & umask declarations.
Q4. Here are both my configuration files; can someone tell me what I'm doing wrong?
/etc/dovecot-ldap.conf
This is irrelevant if you're using WinBind.
/etc/dovecot.conf
...
auth_userdb = ldap /etc/dovecot-ldap.conf
auth_passdb = pam
Many lines of this .conf file are commented out, and so are
irrelevant. However it looks like you're using a different format of
dovecot.conf than I am. I'm told the current 1.0_alpha5 is more
stable than 0.99.x and it also supports Pam sessions, which you need
for pam_mkhomedir.
My Dovecot.conf says:
# /etc/passwd or similar, using getpwnam()
# In many systems nowadays this uses Name Service Switch, which is
# configured in /etc/nsswitch.conf.
userdb passwd {
}
passdb pam {
  args = "-session *"
}
My nsswitch.conf says:
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
I do not use LDAP at all on my mailserver.
HTH,
Stroller.
On 12 Jan 2006, at 05:30, Paul Matthews wrote:
I'm running winbind to authenticate against Active Directory. I've edited my '/etc/pam.d/dovecot' pam module so as to let my users log in with their Active Directory password, but squirrel mail won't let them ... I think (let me stress the term 'think') it has something to do with their home directories, because I have some local users as well; they can log in with no issues, and my users with the same usernames on unix and ADS can log in with their ADS passwords ... Now I'm looking at the dovecot webmin module and I see that 'Data source for users, homes and Ids' is set to use 'Standard unix username database'. There is no option of PAM like in 'Password authentication source', although I do see LDAP, using config file. Can I set that to query the Active Directory ldap database and go there for the 'Data source for users, homes and Ids'?
Hi there,
This, and your subsequent messages, are missing some important
information. Like what's written to the log files when a user tries
to authenticate? There are a number of "verbose", "debugging" and
"logging" options in dovecot.conf - you need to enable them & tail -f
logfiles (I checked /var/log/messages & /var/log/mail when I had
this problem).
LDAP is irrelevant - a complete clupea rubra - when authenticating
using WinBind. Winbind is not the same as Active Directory, although
confusingly it seems to allow Active Directory users to authenticate.
I think this is because on Windows server, by default, Domain users
are also AD users, and you're actually authenticating against the
Domain (not the AD) when you authenticate using WinBind.
To authenticate using WinBind you'll need something like:
In /etc/dovecot.conf : passdb pam { args = "-session *" }
In /etc/pam.d/imap:
#%PAM-1.0
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
AD users need a store directory in which to keep their email -
Dovecot will fail if they have no home directory. As I recall WinBind
will return a suitable path for their home directory - the path where
it'd expect them to be - but unless you have created that directory
manually then Dovecot will crap out. IMHO the best way to resolve
this is by using pam_mkhomedir - it'll create that home directory if
it doesn't exist upon user authentication. I have implemented a
system like this within the last 2 or 3 weeks and also had some
problems with it. If you search my postings to the list you will see
my configuration documented quite clearly and you should be able to
see how I resolved my issues. I think you will be able to resolve all
your issues by following them.
Stroller.
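A small check for the failure mode described above (a winbind user who authenticates fine but whose reported home directory has not been created yet, so Dovecot cannot open ~/Maildir), added here as an example and not part of the thread. It reads passwd-format lines as "getent passwd" prints them; the demo's user lines and temporary directories are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list users whose NSS-reported home
# directory (files + winbind, per nsswitch.conf) does not exist. Without
# pam_mkhomedir in the PAM session, such a user passes pam_winbind and then
# fails when Dovecot tries to open the Maildir under that home.

# home_dir_of PASSWD_LINE: print the home directory (6th colon field).
home_dir_of() {
    printf '%s\n' "$1" | cut -d: -f6
}

# check_home PASSWD_LINE: return 0 if the home exists, 1 if it is missing.
check_home() {
    _user=$(printf '%s\n' "$1" | cut -d: -f1)
    _home=$(home_dir_of "$1")
    if [ -n "$_home" ] && [ -d "$_home" ]; then
        echo "OK      $_user -> $_home"
        return 0
    fi
    echo "MISSING $_user -> $_home (mailbox open would fail; pam_mkhomedir would create it)"
    return 1
}

# count_missing: read passwd lines on stdin, report each on stderr, and print
# how many homes are missing on stdout (a loop's status is lost in a pipeline).
count_missing() {
    _missing=0
    while IFS= read -r _line; do
        [ -z "$_line" ] && continue
        check_home "$_line" >&2 || _missing=$((_missing + 1))
    done
    echo "$_missing"
}

# demo: constructed sample users (not real accounts): alice's home exists,
# bob's does not, so the printed count is 1.
demo() {
    _d=$(mktemp -d) || return 1
    mkdir "$_d/alice"
    printf '%s\n' "alice:x:10001:10001::$_d/alice:/bin/sh" \
                  "bob:x:10002:10001::$_d/bob:/bin/sh" | count_missing
    rm -rf "$_d"
}

# "sh check_homes.sh --audit" runs the check over every user NSS knows about;
# "--demo" runs the constructed sample.
case "${1:-}" in
    --audit) getent passwd | count_missing ;;
    --demo)  demo ;;
esac
```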