I am using 2.0.8. Anonymous binds are no longer supported in the environment I am using. I need to change my userdb ldap setup to bind. I believe the ldap server does Kerberos (or can) authentication. My users are authenticating using Kerberos or Kerberos/PAM. This needs to stay in place.
Can anyone suggest how I might go about changing my setup to work?
My current ldap setup is as follows (the directories, user id, etc are set statically in the configuration elsewhere):

tls = yes
hosts = MAILSERVER
base = dc=middleearth,dc=sapphiresunday,dc=org
ldap_version = 3
user_attrs = userPrincipalName=user
user_filter = (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)(userPrincipalName=%u)))
# For using doveadm -A:
iterate_attrs = userPrincipalName=user
iterate_filter = (objectClass=person)

Thank you, Trever Adams
"Seize the day, put no trust in the morrow!" -- Quintus Horatius Flaccus (Horace)
On Tue, 2010-12-28 at 10:32 -0700, Trever L. Adams wrote:
> I am using 2.0.8. Anonymous binds are no longer supported in the environment I am using. I need to change my userdb ldap setup to bind. I believe the ldap server does Kerberos (or can) authentication. My users are authenticating using Kerberos or Kerberos/PAM. This needs to stay in place.
> Can anyone suggest how I might go about changing my setup to work?
So you're only talking about using ldap for userdb? Can't you just set dn and dnpass to whatever user (that has access to list all users)?
On 12/30/2010 02:55 AM, Timo Sirainen wrote:
> So you're only talking about using ldap for userdb? Can't you just set dn and dnpass to whatever user (that has access to list all users)?
Correct, ldap only for userdb. I found some old documentation that used "bind" and "bind_pw" I think it was. That didn't work. I was just going through some of my old dovecot ml stuff that I have saved. I just found the dn and dnpass you mention (it doesn't seem to be in the documentation, btw). I will likely not be able to try it out until tomorrow.
This is in an AD setup (Samba4). Do you or anyone else know if I need to use a special port and whether ssl or tls (S4 no longer allows anonymous binds and I want to make sure this is as secure as possible)?
Thank you, Trever Adams
"I am not sure what this is, but an `F' would only dignify it." -- English Professor
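
Added example, not part of the original thread or of Dovecot's own documentation: the userdb configuration posted above, extended with the dn/dnpass bind suggested in the reply and with certificate-verified StartTLS. The lookup account DN, its password and the CA file path are placeholders constructed for this example; the tls_* options assume Dovecot is built against the OpenLDAP client library.

```conf
# dovecot-ldap.conf: userdb lookups over an authenticated, encrypted bind.
# hosts, base, attributes and filters are unchanged from the original post.
hosts = MAILSERVER
ldap_version = 3
base = dc=middleearth,dc=sapphiresunday,dc=org

# Dedicated lookup account instead of an anonymous bind.
# Placeholder DN and password (constructed for this example). Give the
# account read/search rights on user entries only, nothing else.
dn = cn=dovecot-lookup,cn=Users,dc=middleearth,dc=sapphiresunday,dc=org
dnpass = REPLACE_WITH_LOOKUP_ACCOUNT_PASSWORD

# StartTLS on the standard LDAP port (389). The connection is upgraded
# before the bind, so dn/dnpass are not sent in clear text.
tls = yes

# Verify the directory server's certificate. Without verification,
# StartTLS encrypts the session but does not authenticate the server,
# and the bind password could be handed to an impostor.
# Placeholder path to the CA that issued the server's certificate.
tls_ca_cert_file = /etc/ssl/certs/REPLACE_WITH_DIRECTORY_CA.pem
tls_require_cert = demand

# Alternative transport: LDAP over SSL on port 636. Use this in place of
# "hosts" + "tls = yes", not together with them.
#uris = ldaps://MAILSERVER

user_attrs = userPrincipalName=user
user_filter = (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)(userPrincipalName=%u)))

# For using doveadm -A:
iterate_attrs = userPrincipalName=user
iterate_filter = (objectClass=person)
```

Because the file now contains a bind password, keep it readable only by the account Dovecot reads it as (for example owned by root with mode 0600).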