I previously had a static userdb and an ldap passdb. Everything's been working fine, both 1.2 and 2.0 - but now I need to support the nightly mdbox purge operation. I added the iterate params to my ldap configuration, but (I'm guessing) that with a defined static userdb it won't work.
How should I setup my ldap userdb? Do I use prefetch?
Current config:
passdb {
  driver = ldap
  args = /usr/local/etc/dovecot/dovecot-ldap.conf
}
userdb {
  driver = static
  args = uid=vmail gid=mail home=/var/mail/%d/%n mail=mdbox:/var/mail/%d/%n/mdbox allow_all_users=yes
}
dovecot-ldap.conf:
## dn credentials shouldn't be needed since using auth-bind - but here anyway
dn = xxx,dc=amfeslan,dc=local
dnpass = xxx
##
auth_bind = yes
auth_bind_userdn = uid=%n,ou=users,dc=amfeslan,dc=local
ldap_version = 3
base = ou=Users, dc=amfeslan, dc=local
user_attrs = dbox:%d/%n/Maildir=mail,%d/%n=home
user_filter = (mail=%u)
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
iterate_attrs = mail=user
iterate_filter = (&(objectClass=inetOrgPerson)(mail=*))
-- Daniel
On Sun, 2010-11-21 at 19:15 -0800, Daniel L. Miller wrote:
I previously had a static userdb and an ldap passdb. Everything's been working fine, both 1.2 and 2.0 - but now I need to support the nightly mdbox purge operation. I added the iterate params to my ldap configuration, but (I'm guessing) that with a defined static userdb it won't work.
You could add userdb ldap after the userdb static. I think only iteration will use it.
On 11/22/2010 10:43 AM, Timo Sirainen wrote:
On Sun, 2010-11-21 at 19:15 -0800, Daniel L. Miller wrote:
I previously had a static userdb and an ldap passdb. Everything's been working fine, both 1.2 and 2.0 - but now I need to support the nightly mdbox purge operation. I added the iterate params to my ldap configuration, but (I'm guessing) that with a defined static userdb it won't work.
You could add userdb ldap after the userdb static. I think only iteration will use it.
I think I got it - probably by accident. Just because it's actually working doesn't mean it's *correct* - does this look right? Do I have redundant/obsolete parms specified?
passdb {
  driver = ldap
  args = /usr/local/etc/dovecot/dovecot-ldap.conf
}
userdb {
  driver = prefetch
}
userdb {
  driver = ldap
  # symlink to dovecot-ldap.conf
  args = /usr/local/etc/dovecot/dovecot-ldap-userdb.conf
}
## static userdb removed
/usr/local/etc/dovecot/dovecot-ldap.conf
hosts = ldap.amfeslan.local
dn = xxx
dnpass = xxx
auth_bind = yes
auth_bind_userdn = uid=%n,ou=users,dc=amfeslan,dc=local
ldap_version = 3
base = ou=Users, dc=amfeslan, dc=local
user_attrs = =home=/var/mail/%d/%n,
  =mail=mdbox:/var/mail/%d/%n/mdbox,
  =uid=vmail,
  =gid=mail
user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
pass_attrs = mail=user,
  userPassword=password,
  =userdb_home=/var/mail/%d/%n,
  =userdb_mail=mdbox:/var/mail/%d/%n/mdbox,
  =userdb_uid=vmail,
  =userdb_gid=mail
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
iterate_attrs = mail=user
iterate_filter = (&(objectClass=inetOrgPerson)(mail=*))
-- Daniel
On Mon, 2010-11-22 at 21:32 -0800, Daniel L. Miller wrote:
I think I got it - probably by accident. Just because it's actually working doesn't mean it's *correct* - does this look right? Do I have redundant/obsolete parms specified?
passdb {
  driver = ldap
  args = /usr/local/etc/dovecot/dovecot-ldap.conf
}
userdb {
  driver = prefetch
}
userdb {
  driver = ldap
  # symlink to dovecot-ldap.conf
  args = /usr/local/etc/dovecot/dovecot-ldap-userdb.conf
}
The symlink isn't very useful. It'll just cause extra LDAP connections to be created, since that userdb is used only for iteration anyway and iterations are always executed in their own separate processes with separate LDAP connection.
user_attrs = =home=/var/mail/%d/%n,
  =mail=mdbox:/var/mail/%d/%n/mdbox,
  =uid=vmail,
  =gid=mail
user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
pass_attrs = mail=user,
  userPassword=password,
  =userdb_home=/var/mail/%d/%n,
  =userdb_mail=mdbox:/var/mail/%d/%n/mdbox,
  =userdb_uid=vmail,
  =userdb_gid=mail
You could put all of the userdb_* stuff to mail_* settings, but since you're using userdb prefetch there has to be one at least. :) So maybe just keep userdb_home there and put the rest to dovecot.conf:
mail_location = mdbox:~/mdbox
mail_uid = vmail
mail_gid = mail
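As an added example (not Dovecot's code and not from either poster), here is a small Python audit of the layout discussed in Daniel's second config and Timo's reply above: it parses the passdb/userdb blocks of a dovecot.conf and a dovecot-ldap.conf, then flags the points this thread turns on: a userdb prefetch with no userdb_* field coming back from pass_attrs, a userdb ldap file that lacks iterate_attrs/iterate_filter, a userdb file that differs from the passdb file (hence its own LDAP connection), constant userdb_* values other than userdb_home that could be mail_location/mail_uid/mail_gid instead, and a layout with no userdb ldap at all to iterate from. The sample files are constructed from the config posted in this thread with secrets left out; the assumption that an indented line continues the previous setting's value, the finding strings and the function names are mine, not Dovecot's.

```python
# Added example: audit dovecot.conf passdb/userdb blocks plus dovecot-ldap.conf
# for the prefetch/iteration/connection points raised in this thread.
import re
from typing import Dict, List

# Constructed samples modelled on the second config posted above (secrets omitted).
DOVECOT_CONF = """
passdb {
  driver = ldap
  args = /usr/local/etc/dovecot/dovecot-ldap.conf
}
userdb {
  driver = prefetch
}
userdb {
  driver = ldap
  # symlink to dovecot-ldap.conf
  args = /usr/local/etc/dovecot/dovecot-ldap-userdb.conf
}
"""
LDAP_CONF = """
user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
pass_attrs = mail=user,
  userPassword=password,
  =userdb_home=/var/mail/%d/%n,
  =userdb_mail=mdbox:/var/mail/%d/%n/mdbox,
  =userdb_uid=vmail,
  =userdb_gid=mail
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
iterate_attrs = mail=user
iterate_filter = (&(objectClass=inetOrgPerson)(mail=*))
"""


def parse_blocks(text: str) -> List[Dict[str, str]]:
    """Collect flat passdb { } / userdb { } blocks from dovecot.conf as dicts."""
    blocks: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(passdb|userdb)\s*\{$", line)
        if m:
            current = {"section": m.group(1)}
        elif line == "}" and current is not None:
            blocks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return blocks


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """key = value settings; an indented line is assumed to continue the previous value."""
    settings: Dict[str, str] = {}
    last = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last:
            settings[last] += raw.strip()
        else:
            key, _, value = raw.partition("=")
            last = key.strip()
            settings[last] = value.strip()
    return settings


def parse_attrs(value: str) -> Dict[str, str]:
    """Map each field Dovecot receives to the LDAP attribute behind it ('' = constant =field=value)."""
    fields: Dict[str, str] = {}
    for item in filter(None, (s.strip() for s in value.split(","))):
        ldap_attr, _, rest = item.partition("=")
        fields[rest.split("=", 1)[0] if rest else ldap_attr] = ldap_attr
    return fields


def audit(dovecot_conf: str, ldap_files: Dict[str, str]) -> List[str]:
    """Return findings; ldap_files maps each args= path to that file's text."""
    blocks = parse_blocks(dovecot_conf)
    passdbs = [b for b in blocks if b["section"] == "passdb" and b.get("driver") == "ldap"]
    userdbs = [b for b in blocks if b["section"] == "userdb"]
    prefetch = any(u.get("driver") == "prefetch" for u in userdbs)
    findings: List[str] = []
    for pdb in passdbs:
        fields = parse_attrs(parse_ldap_conf(ldap_files[pdb["args"]]).get("pass_attrs", ""))
        udb_fields = sorted(f for f in fields if f.startswith("userdb_"))
        if prefetch and not udb_fields:
            findings.append("prefetch: pass_attrs in %s returns no userdb_* field" % pdb["args"])
        # Constants other than userdb_home duplicate what mail_location/mail_uid/mail_gid can say once.
        constants = [f for f in udb_fields if fields[f] == "" and f != "userdb_home"]
        if constants:
            findings.append("constant %s could be mail_* settings in dovecot.conf" % ", ".join(constants))
    passdb_files = {p["args"] for p in passdbs}
    for udb in userdbs:
        if udb.get("driver") != "ldap":
            continue
        conf = parse_ldap_conf(ldap_files[udb["args"]])
        missing = [k for k in ("iterate_attrs", "iterate_filter") if k not in conf]
        if missing:
            findings.append("iteration: %s lacks %s" % (udb["args"], ", ".join(missing)))
        if udb["args"] not in passdb_files:
            findings.append("separate LDAP connection: userdb file %s differs from passdb file" % udb["args"])
    if not any(u.get("driver") == "ldap" for u in userdbs):
        findings.append("no userdb ldap: nothing supplies the user list for doveadm -A iteration")
    return findings
```

Run `audit(DOVECOT_CONF, {path: LDAP_CONF for both paths})` against the constructed sample and it reports only the two things Timo points out: the constant userdb_mail/userdb_uid/userdb_gid values, and the second filename costing its own LDAP connection. Point both blocks at the same file and the connection finding disappears; drop the userdb ldap block entirely (the original static-only layout) and the audit reports that nothing can supply the user list for iteration.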
On Tue, 23 Nov 2010 13:51:34 +0000, Timo Sirainen tss@iki.fi wrote:
On Mon, 2010-11-22 at 21:32 -0800, Daniel L. Miller wrote:
I think I got it - probably by accident. Just because it's actually working doesn't mean it's *correct* - does this look right? Do I have redundant/obsolete parms specified?
passdb {
  driver = ldap
  args = /usr/local/etc/dovecot/dovecot-ldap.conf
}
userdb {
  driver = prefetch
}
userdb {
  driver = ldap
  # symlink to dovecot-ldap.conf
  args = /usr/local/etc/dovecot/dovecot-ldap-userdb.conf
}
The symlink isn't very useful. It'll just cause extra LDAP connections to be created, since that userdb is used only for iteration anyway and iterations are always executed in their own separate processes with separate LDAP connection.
Ok - I've returned to my normal state of confusion. Prefetch documentation says I need an explicit userdb for LDA/LMTP use. And somewhere I read I wasn't supposed to use the exact same filename for both userdb & passdb - but a symlink was good. What should I use instead?
On Tue, 2010-11-23 at 07:30 -0800, dmiller@amfes.com wrote:
userdb {
  driver = ldap
  # symlink to dovecot-ldap.conf
  args = /usr/local/etc/dovecot/dovecot-ldap-userdb.conf
}
The symlink isn't very useful. It'll just cause extra LDAP connections to be created, since that userdb is used only for iteration anyway and iterations are always executed in their own separate processes with separate LDAP connection.
Ok - I've returned to my normal state of confusion. Prefetch documentation says I need an explicit userdb for LDA/LMTP use.
Right.
And somewhere I read I wasn't supposed to use the exact same filename for both userdb & passdb - but a symlink was good. What should I use instead?
If you use the same filename, Dovecot uses the same LDAP connection for userdb and passdb lookups. Whether that's good or bad depends on the situation. In your case it simply creates an extra LDAP connection for userdb lookups, which is never used.
On Tue, 23 Nov 2010 15:33:47 +0000, Timo Sirainen tss@iki.fi wrote:
On Tue, 2010-11-23 at 07:30 -0800, dmiller@amfes.com wrote:
userdb {
  driver = ldap
  # symlink to dovecot-ldap.conf
  args = /usr/local/etc/dovecot/dovecot-ldap-userdb.conf
}
The symlink isn't very useful. It'll just cause extra LDAP connections to be created, since that userdb is used only for iteration anyway and iterations are always executed in their own separate processes with separate LDAP connection.
Ok - I've returned to my normal state of confusion. Prefetch documentation says I need an explicit userdb for LDA/LMTP use.
Right.
And somewhere I read I wasn't supposed to use the exact same filename for both userdb & passdb - but a symlink was good. What should I use instead?
If you use the same filename, Dovecot uses the same LDAP connection for userdb and passdb lookups. Whether that's good or bad depends on the situation. In your case it simply creates an extra LDAP connection for userdb lookups, which is never used.
Going back and reading the docs...again...
Auth-binds recommends the different connections for asynchronous lookups to be faster - but since I'm using prefetch no userdb lookup is ever performed, so it's a wasted connection...got it. Might want to add a note to that effect in the auth-binds doc section, "This optimization does not apply when using Prefetch for the userdb, as no lookup is performed and having a separate LDAP connection defined for userdb use is a waste."
-- Daniel
On Tue, 2010-11-23 at 07:45 -0800, dmiller@amfes.com wrote:
Auth-binds recommends the different connections for asynchronous lookups to be faster - but since I'm using prefetch no userdb lookup is ever performed, so it's a wasted connection...got it. Might want to add a note to that effect in the auth-binds doc section,
Well, I tried to make it a bit clearer.
"This optimization does not apply when using Prefetch for the userdb, as no lookup is performed and having a separate LDAP connection defined for userdb use is a waste."
That's not really correct either, because many people who are using prefetch could still use userdb ldap for e.g. LDA lookups.