[Dovecot] Please help: LDAP configuration _almost_ works.

Jack McKinney jackmc at lorentz.com
Wed Apr 16 16:28:33 EEST 2008


On Wed, 2008-04-16 at 08:16 +0000, Rob Coward wrote:
> I can't help you with what is going wrong for you, but we use dovecot
> very successfully with ldap lookups against Active Directory, using
> auth_bind=yes, and it does not require anonymous connections. The
> initial connection is by an unprivileged user that searches for the
> user, then a 2nd connection is used, authenticating against AD as the
> looked up user using the password supplied to dovecot.

	This is exactly what I am trying to achieve, though I am using
OpenLDAP.

> Our setup looks like this:

> user_attrs = mail=user
> user_filter = (&(objectClass=user)(mail=%u))
> pass_attrs = mail=user,userPassword=password,mail=userdb_user
> pass_filter = (&(objectClass=user)(mail=%u))
> user_global_uid = dovecot
> user_global_gid = dovecot

	Hmmm. I am not using LDAP for userdb.  The only userdb information that
is needed is the homedir for the mail (and the uid/gid, but these are
always "varmail").  In my case, this is always determined by the email
address:

jackmc at lorentz.com -> /var/mail/lorentz.com/jackmc

	Thus, I have this in my config:

  userdb:
    driver: static
    args: uid=varmail gid=varmail home=/var/mail/%Ld/%Ln

	Looking at your config, it seems that your passdb for LDAP depends on
your userdb, as you have mail= twice in your pass_attrs, once for
userdb_user.
	For that matter, why do you have userPassword=password? dovecot should
never need to see the contents of this field.  Indeed, this is the whole
point of using auth_bind: instead of dovecot retrieving the password
from LDAP and checking it against the user-supplied one, dovecot should
_send_ the password to LDAP in the form of a bind and have LDAP accept
or reject it.


-- 
Jack McKinney
GPG 1024D/99C6A174
jackmc at lorentz.com YM:lfaatsnat2006 AIM:jackmclorentz
Beware geeks bearing diffs
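The two-step flow Rob describes and Jack wants (unprivileged search for the user's DN, then a bind as that DN with the client's password, never reading userPassword) written out as a Dovecot 1.x LDAP configuration. This is an added example, not configuration posted in the thread by either author; the host name, bind DNs, base, objectClass and the service-account password are assumptions, and the static userdb line is Jack's as quoted above.

```ini
# dovecot-ldap.conf (Dovecot 1.x syntax); referenced from passdb below.
# Host, DNs, objectClass and the service password are example assumptions.
hosts = ldap.example.com
tls = yes
ldap_version = 3

# Unprivileged account whose only job is to find the user's DN.
# Its ACL needs read on mail/objectClass, and must NOT grant read on
# userPassword: with auth_bind it is never required.
dn = cn=dovecot,ou=services,dc=example,dc=com
dnpass = service-account-password

# Authenticate by binding as the entry matched by pass_filter, using the
# password the client sent.  Dovecot never fetches or compares userPassword,
# so there is no userPassword=password in pass_attrs and no
# default_pass_scheme.
auth_bind = yes

base = ou=people,dc=example,dc=com
scope = subtree

# %u is the full login name (e.g. jackmc at lorentz.com).  The filter must
# match exactly one entry; Dovecot fails the login if several match.
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
pass_attrs = mail=user

# --- dovecot.conf, auth section (Dovecot 1.x) ---
# auth default {
#   mechanisms = plain login
#   passdb ldap {
#     args = /etc/dovecot/dovecot-ldap.conf
#   }
#   # userdb stays static, as in Jack's config: home is derived from the
#   # login name, no LDAP lookup needed.
#   userdb static {
#     args = uid=varmail gid=varmail home=/var/mail/%Ld/%Ln
#   }
# }
```

Two checks worth making before trusting this. First, confirm the service account really cannot read password hashes: an `ldapsearch -x -D <dn> -w <dnpass> -b <base> '(mail=...)' userPassword` bound as that account should return the entry without a userPassword attribute. Second, a simple bind with a DN and an empty password is an "unauthenticated" bind (RFC 4513 §5.1.2) that some directories, Active Directory by default, accept as anonymous; whatever performs bind-based authentication must therefore refuse an empty client password before sending the bind rather than relying on the directory to reject it.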