[Dovecot] Director and forwarding LDAP user as Master user
Hello guys,
Would you be able to help me with this little issue. I bet someone has the same config so if you can copy-paste it I will very appreciate it. So main idea is to enable Dovecot director to authenticate a LDAP user with plain or encrypted password and send the user to back-end Dovecot server after the authentication. According to Wiki it is only possible if we use the master user to communicate to the back-end server.
On the back-end Dovecot server it is working fine, I can log in as normal user/user_password or as user*masteruser/master_password. The back-end config is:
auth_master_user_separator = * passdb { driver = passwd-file args = /usr/local/dovecot/etc/dovecot/passwd.masterusers master = yes pass = yes }
passdb { driver = ldap args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext }
userdb { driver = ldap args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext }
Now front-end: how to get director forward the user to the back-end after authentication on the director? With my director config the user stays on the director all the time:
passdb { driver = static args = proxy=y master=masteruser pass=master_password destuser=%u*masteruser }
passdb { driver = ldap args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext }
userdb { driver = ldap args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext }
The only way to forward the user is to setup nopassword=y in args of static passdb but in that case the user will be authenticated on the backend but not on the director... What do I missing ? Please help me
Best Regards, Alexandr Sabitov
On 20.12.2012, at 4.11, Alexandr Sabitov alexandr.sabitov@netregistry.com.au wrote:
Hello guys,
Would you be able to help me with this little issue. I bet someone has the same config so if you can copy-paste it I will very appreciate it. So main idea is to enable Dovecot director to authenticate a LDAP user with plain or encrypted password and send the user to back-end Dovecot server after the authentication. According to Wiki it is only possible if we use the master user to communicate to the back-end server.
If you use auth_bind=yes this doesn't work. If you don't, this should work:
On the back-end Dovecot server it is working fine, I can log in as normal user/user_password or as user*masteruser/master_password. The back-end config is:
auth_master_user_separator = * passdb { driver = passwd-file args = /usr/local/dovecot/etc/dovecot/passwd.masterusers master = yes pass = yes }
passdb { driver = ldap args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext }
userdb { driver = ldap args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext }
The above looks ok. "pass = yes" is the important part, so simply adding this should work:
Now front-end: how to get director forward the user to the back-end after authentication on the director? With my director config the user stays on the director all the time:
passdb { driver = static args = proxy=y master=masteruser pass=master_password destuser=%u*masteruser
pass = yes
}
passdb { driver = ldap args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext }
userdb { driver = ldap args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext }
The only way to forward the user is to setup nopassword=y in args of static passdb but in that case the user will be authenticated on the backend but not on the director... What do I missing ? Please help me
Best Regards, Alexandr Sabitov
Hi Timo,
Unfortunately adding pass=yes to dovecot director did not work for me but I found another way to enable what I need. Can you please confirm if it is alright. This is working for me:
Task: Get LDAP users authenticate at Director with encrypted password such as cram-md5 and pass them to back-end Dovecot mail-server as a Master user.
Dovecot Director: 192.168.100.95 Dovecot: 192.168.100.96
Dovecot: 2.1.10
dovecot-proxy.conf (NO NEED FOR STATIC PASSDB): ... passdb { driver = ldap args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext } userdb { driver = ldap args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext } service pop3-login { executable = pop3-login director inet_listener pop3 { port = 110 } inet_listener pop3s { port = 995 ssl = yes } } ...
dovecot.conf: ... auth_master_user_separator = * passdb { driver = passwd-file args = /usr/local/dovecot/etc/dovecot/passwd.masterusers master = yes pass = yes } passdb { driver = static } userdb { driver = ldap args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext } ...
dovecot-ldap.conf.ext: ... user_attrs = homeDirectory=home, uidNumber=uid, gidNumber=gid user_filter = (&(objectClass=nrPOPAccount)(uid=%u)) pass_attrs = uid=user, userPassword=password, =proxy=y, =destuser=%u*masteruser, =pass=mastpass pass_filter = (&(objectClass=nrPOPAccount)(uid=%u)) ...
Then telnet to the director with normail username/passwords and see where user stops at:
dovecot-shared-1:/usr/local/dovecot/etc/dovecot# /usr/local/dovecot/bin/doveadm who -a /var/run/dovecot-proxy/anvil
username # proto (pids) (ips)
HE DIDNT STOP ON DIRECTOR
dovecot-shared-1:/usr/local/dovecot/etc/dovecot# /usr/local/dovecot/bin/doveadm who -a /var/run/dovecot/anvil
username # proto (pids) (ips)
migration.test@network.id.au 1 pop3 (16226) (192.168.100.96)
HE WENT THROUGH DIRECTOR AND NOW IS AT MAILSERVER
Double-check: dovecot-shared-1:/usr/local/dovecot/etc/dovecot# /usr/local/dovecot/bin/doveadm director status -a /var/run/dovecot-proxy/director-admin mail server ip vhosts users 192.168.100.96 100 1
Double-check in logs:
Jan 08 04:35:11 auth: Debug: client in: AUTH 1 PLAIN service=pop3 session=xTmneL/SGwAKAQeo lip=192.168.100.95
rip=10.1.7.168 lport=110 rport=39451 resp=<hidden>
Jan 08 04:35:11 auth: Debug: ldap(migration.test@network.id.au,10.1.7.168,
Thundbird setup with encrypted password works good.
Looks like all is working good and I do not have the auth_bind=yes.
Timo, please confirm if it is OK setup.
Best Regards, Alexandr Sabitov
From: Timo Sirainen [tss@iki.fi] Sent: Friday, January 04, 2013 2:53 PM To: Alexandr Sabitov Cc: dovecot@dovecot.org Subject: Re: [Dovecot] Director and forwarding LDAP user as Master user
On 20.12.2012, at 4.11, Alexandr Sabitov alexandr.sabitov@netregistry.com.au wrote:
Hello guys,
Would you be able to help me with this little issue. I bet someone has the same config so if you can copy-paste it I will very appreciate it. So main idea is to enable Dovecot director to authenticate a LDAP user with plain or encrypted password and send the user to back-end Dovecot server after the authentication. According to Wiki it is only possible if we use the master user to communicate to the back-end server.
If you use auth_bind=yes this doesn't work. If you don't, this should work:
On the back-end Dovecot server it is working fine, I can log in as normal user/user_password or as user*masteruser/master_password. The back-end config is:
auth_master_user_separator = * passdb { driver = passwd-file args = /usr/local/dovecot/etc/dovecot/passwd.masterusers master = yes pass = yes }
passdb { driver = ldap args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext }
userdb { driver = ldap args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext }
The above looks ok. "pass = yes" is the important part, so simply adding this should work:
Now front-end: how to get director forward the user to the back-end after authentication on the director? With my director config the user stays on the director all the time:
passdb { driver = static args = proxy=y master=masteruser pass=master_password destuser=%u*masteruser
pass = yes
}
passdb { driver = ldap args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext }
userdb { driver = ldap args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext }
The only way to forward the user is to setup nopassword=y in args of static passdb but in that case the user will be authenticated on the backend but not on the director... What do I missing ? Please help me
Best Regards, Alexandr Sabitov
participants (2)
-
Alexandr Sabitov
-
Timo Sirainen