[Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)
Steffen Kaiser
skdovecot at smail.inf.fh-bonn-rhein-sieg.de
Fri Apr 18 11:10:16 EEST 2008
On Thu, 17 Apr 2008, Gavin Henry wrote:
>> So why is dovecot searching for uid? I am not asking it to; in fact, my
>> pass_attrs field is empty.
>
> I'm not sure, I was hoping someone else would know why. Is it a hard coded
> default?
>
>> Also, I have switched around my setup to not use auth_bind:
>>
>> hosts = ldap.lrtz
>> dn = cn=varmail,ou=users,dc=lorentz,dc=com
>> dnpass = *******
>> ldap_version = 3
>> auth_bind = no
>> pass_attrs = userPassword=password

I got the impression that this is the problem, see the doc:
http://wiki.dovecot.org/AuthDatabase/LDAP

pass_attrs = uid=user,userPassword=password

This is the default, please add "mail=user" to your pass_attrs and re-add
auth_bind. Also, kill all dovecot processes (well, you know: make sure it
is the correct config that is used, e.g. add a syntax error, so you see it is
even the correct file you're editing).

Rob had this in his conf:

user_attrs = mail=user
user_filter = (&(objectClass=user)(mail=%u))
pass_attrs = mail=user,userPassword=password,mail=userdb_user
pass_filter = (&(objectClass=user)(mail=%u))

Note the two mail=user settings, I have them, too. Drop
the mail=userdb_user, as you use another userdb.

Rob also has

user_global_uid = dovecot
user_global_gid = dovecot

"If you're using a single UID and GID for all the users, you can use
user_global_uid and user_global_gid settings instead of returning them
from LDAP." Which seems to apply to userdb only, but who knows?

Also, could you please drop the TLS/SSL on the connection, if any, and
sniff the connection?

To sniff, use wireshark (ethereal) or tshark (tethereal) with "port 389" as
capture filter.
wireshark understands the LDAP protocol and decodes it. Moreover, you see
_what_ is returned in detail.

BTW: Do you use any sort of firewall, iptables or whatsoever on the mail,
dns or ldap server? Did you disable it?

BTW: I didn't know you can use dn/dnpass for the initial lookup, now I
know.

Bye,
--
Steffen Kaiser