[Dovecot] how to separate virtual delivery and authentication?
I have a "pure LDAP" setup with Postfix and Dovecot. When using Dovecot delivery, the recipient is checked via LDAP. The same LDAP query is used when authenticating. So, if I want to authenticate with the uid, I can't use a filter like uid=%u because the delivery will fail. I don't want to use %n or something else because I could use multiple e-mail addresses on a single account.
I actually use a filter like (mail=%u)|(uid=%u), but I think for more complex situations it would be better to have two separate filters, one for authentication and the other for delivery. What is your opinion?
-- Mihai Bădici http://mihai.badici.ro
On Mon, 30 Dec 2013, Mihai Badici wrote:
> I have a "pure LDAP" setup with Postfix and Dovecot. When using Dovecot delivery, the recipient is checked via LDAP. The same LDAP query is used when authenticating. So, if I want to authenticate with the uid, I can't use a filter like uid=%u because the delivery will fail. I don't want to use %n or something else because I could use multiple e-mail addresses on a single account.
> I actually use a filter like (mail=%u)|(uid=%u), but I think for more complex situations it would be better to have two separate filters, one for authentication and the other for delivery. What is your opinion?
There are two filters already:
the passdb filter which is used to find users during authentication
the userdb filter which is used to get the information about users, e.g. after auth and for delivery
The responses of both queries are cached, too.
Where / how would you like to have another filter? What would get better?
If you want to make the LDAP search more efficient, you could add another LDAP attribute, index it, and add all spellings of the user's addresses there, e.g.:
  dn: uid=user,....
  uid: user
  mail: forename.surname@example.com
  maildrop: user
  maildrop: user@host.sub.example.org
  maildrop: forename.surname@example.com
  maildrop: forename.surname@example2.com
  maildrop: forename.oldsurname@example.com
  maildrop: alias@part.aliasdomain.net
However, the values of maildrop must be unique among all users.
The passdb filter uses uid only, userdb uses maildrop only.
Steffen Kaiser
On Tuesday 07 January 2014 09:00:15 you wrote:
> There are two filters already:
> the passdb filter which is used to find users during authentication
> the userdb filter which is used to get the information about users, e.g. after auth and for delivery
> The passdb filter uses uid only, userdb uses maildrop only.
It is not efficiency but flexibility that interests me. There are two separate processes: delivery and authentication. During delivery, Dovecot will check if the mailbox exists and where it is located; it is not important how the user is authenticated. During authentication, there is a user, a password and a mailbox location; it is not important if the user has a valid e-mail address.
When the filter is accessed by the delivery module, the query string must be the e-mail address (all other solutions will fail when multiple e-mail addresses and a non-standard uid are used). When the filter is accessed via the authentication module, the query will contain the username, not the e-mail address. So basically the same string is not provided as the argument for the query filter. We need all sorts of workarounds to solve this dilemma, like the "or" between mail and uid, splitting the e-mail address as %u and %d, and so on. With two query strings, one for authentication and the other for delivery, I think it could be more elegant and clearer.
-- Mihai Bădici http://mihai.badici.ro
On Tue, 7 Jan 2014, Mihai Badici wrote:
> It is not efficiency but flexibility that interests me. There are two separate processes: delivery and authentication. During delivery, Dovecot will check if the mailbox exists and where it is located; it is not important how the user is authenticated. During authentication, there is a user, a password and a mailbox location; it is not important if the user has a valid e-mail address.
> When the filter is accessed by the delivery module, the query string must be the e-mail address (all other solutions will fail when multiple e-mail addresses and a non-standard uid are used). When the filter is accessed via the authentication module, the query will contain the username, not the e-mail address. So basically the same string is not provided as the argument for the query filter. We need all sorts of workarounds to solve this dilemma, like the "or" between mail and uid, splitting the e-mail address as %u and %d, and so on. With two query strings, one for authentication and the other for delivery, I think it could be more elegant and clearer.
IMHO, exactly that works with the maildrop LDAP attribute. You enumerate all mail addresses into maildrop. Use maildrop in the userdb filter only. If you want to use "uid" on the command line of doveadm, you need to add the uid to maildrop as well; otherwise have the passdb return another username, e.g. the "mail" LDAP attribute, to convert the uid into a mail address.
Steffen Kaiser
> IMHO, exactly that works with the maildrop LDAP attribute. You enumerate all mail addresses into maildrop. Use maildrop in the userdb filter only. If you want to use "uid" on the command line of doveadm, you need to add the uid to maildrop as well; otherwise have the passdb return another username, e.g. the "mail" LDAP attribute, to convert the uid into a mail address.
This is also a workaround, adding uid to maildrop. Think of, for example, using Active Directory with Dovecot (I do not recommend that :) ). I wonder if I could use only the passdb filter for authentication (and leave userdb for delivery); this could be far better. But I think this is a design issue.
-- Mihai Bădici http://mihai.badici.ro
On Tue, 7 Jan 2014, Mihai Badici wrote:
> This is also a workaround, adding uid to maildrop. Think of, for example, using Active Directory with Dovecot (I do not recommend that :) )
I don't know what that means. I wouldn't call it a workaround.
> I wonder if I could use only the passdb filter for authentication (and leave userdb for delivery); this could be far better. But I think this is a design issue.
Remember: passdb is for authenticating users; userdb is for getting user information. When a user authenticates for IMAP, passdb verifies the password and probably overrides the username; in the second step the userdb is queried for the user data. If you use the prefetch userdb and provide different passdb and userdb queries, I would not expect a clean run.
Maybe it's better if you give a detailed example, which makes your idea more visible.
Steffen Kaiser
> Remember: passdb is for authenticating users; userdb is for getting user information. When a user authenticates for IMAP, passdb verifies the password and probably overrides the username; in the second step the userdb is queried for the user data. If you use the prefetch userdb and provide different passdb and userdb queries, I would not expect a clean run.
> Maybe it's better if you give a detailed example, which makes your idea more visible.
Ok, an example is better. Let's say I use Dovecot with Postfix and I have in postfix/master.cf:
  dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=mailbox:mailbox argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
I use two e-mail addresses, mihai@example.org and mihaib@example.org. My uid is mihai.badici (I chose it unrelated to the e-mail address).
So, the deliver service will query LDAP in order to find the mailbox. We need to put mail=%u or maildrop=%u, depending on the schema.
On the other hand, the authentication will fail if I use the uid, because it uses the same query. I can put |(mail=%u)(uid=%u) and it works, but it is rather strange. I can, indeed, use maildrop to "canonify" the mailbox in Postfix before delivery, and I think that will work too. But I think it is more elegant to separate the delivery query and the authentication query. I'm not sure whether it is possible to use only the passdb query for authentication.
-- Mihai Bădici http://mihai.badici.ro
On Tue, 7 Jan 2014, Mihai Badici wrote:
> Ok, an example is better. Let's say I use Dovecot with Postfix and I have in postfix/master.cf:
>   dovecot   unix  -       n       n       -       -       pipe
>     flags=DRhu user=mailbox:mailbox argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
> I use two e-mail addresses, mihai@example.org and mihaib@example.org. My uid is mihai.badici (I chose it unrelated to the e-mail address).
> So, the deliver service will query LDAP in order to find the mailbox. We need to put mail=%u or maildrop=%u, depending on the schema.
> On the other hand, the authentication will fail if I use the uid, because it uses the same query. I can put |(mail=%u)(uid=%u) and it works, but it is rather strange. I can, indeed, use maildrop to "canonify" the mailbox in Postfix before delivery, and I think that will work too. But I think it is more elegant to separate the delivery query and the authentication query. I'm not sure whether it is possible to use only the passdb query for authentication.
That's what I meant in my second reply with "otherwise have the passdb return another username, e.g. the "mail" LDAP attribute, to convert the uid into a mail address."
See: http://wiki2.dovecot.org/PasswordDatabase/ExtraFields?highlight=user
You use only "uid" in the passdb query, but return a field "user" to override the username, e.g.:
pass_attrs = uid=user
change "uid" to the attribute that holds your primary address.
Use the attribute in the userdb query that enumerates all mail addresses.
However, this has the drawback, IMHO, that you need to type a mail address with doveadm's -u switch.
Steffen Kaiser
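The two-filter layout Steffen describes in his first reply (passdb on uid, userdb on the enumerated maildrop attribute) and the username override from his last reply (pass_attrs returning "mail" as user) fit together in one Dovecot LDAP configuration. The fragment below is an added example written for this page, not configuration posted by either participant or shipped by Dovecot. It assumes a Dovecot 2.x dovecot-ldap.conf.ext, that entries are inetOrgPerson with posixAccount attributes, that "mail" is single-valued, and that maildrop is a site-specific attribute that exists in the schema and is equality-indexed; the host, bind DN, base and password are placeholders. The original "or" filter from the thread is left in, commented out, for comparison.

```conf
# /etc/dovecot/dovecot-ldap.conf.ext  (assumed file layout, example only)
hosts    = ldap.example.org
dn       = cn=dovecot,ou=services,dc=example,dc=org
dnpass   = CHANGE-ME
tls      = yes
base     = ou=people,dc=example,dc=org
scope    = subtree

# Verify the password by binding as the entry that pass_filter found.
auth_bind = yes

# What the thread starts from: one "or" filter serving both lookups.
# It works, but uid and mail then share one namespace: a uid that equals
# another user's address matches two entries, and every lookup, whether
# a login or a delivery, is accepted on either attribute.
#pass_filter = (|(mail=%Lu)(uid=%Lu))
#user_filter = (|(mail=%Lu)(uid=%Lu))

# passdb: login names are matched on uid only. The primary address (mail,
# assumed single-valued here) is returned as the "user" extra field, so the
# IMAP session and everything keyed on the username afterwards carry an
# address rather than the uid.
pass_filter = (&(objectClass=inetOrgPerson)(uid=%Lu))
pass_attrs  = mail=user

# userdb: reached with an address in both paths, after login (the
# overridden user) and from "deliver -d <recipient>". maildrop lists every
# address of the mailbox, the primary mail value included. Its values must
# be unique across all entries, otherwise the search is ambiguous and the
# lookup fails.
user_filter = (&(objectClass=inetOrgPerson)(maildrop=%Lu))
user_attrs  = homeDirectory=home,uidNumber=uid,gidNumber=gid

# In dovecot.conf, both databases point at this file. The userdb must be a
# real LDAP lookup, not "driver = prefetch": prefetch reuses the passdb
# result, which was found by uid, not by maildrop.
#passdb {
#  driver = ldap
#  args   = /etc/dovecot/dovecot-ldap.conf.ext
#}
#userdb {
#  driver = ldap
#  args   = /etc/dovecot/dovecot-ldap.conf.ext
#}
```

With this in place, "doveadm auth test mihai.badici" exercises only the passdb and should succeed with the overridden user, while "doveadm user mihai@example.org" exercises only the userdb; as Steffen notes, doveadm's -u switch then has to be given an address, not the uid, unless the uid is also added to maildrop. Before switching the userdb filter over, search the directory for maildrop values that occur in more than one entry, since the filter silently depends on that uniqueness.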
Participants (2): Mihai Badici, Steffen Kaiser