[Dovecot] Dovecot LDAP problems

Adam Pardy adamp at tvtl.co.uk
Thu May 20 19:16:09 EEST 2010


I'm currently trying to configure a Linux mail server running CentOS to
use an Xserve running Snow Leopard. I am configuring the mail server to
run Dovecot, sendmail, ClamAV, SpamAssassin and SquirrelMail so it matches
those used by the Mac.

The problem I am having is that I cannot get the server to authenticate
properly to the Mac's LDAP database. As far as I can tell it is either a
problem authenticating passwords, or usernames and passwords. Mail.app
says it's the password it can't authenticate; Thunderbird says it could be
either. It seems to be a problem in dovecot-ldap.conf (as I can run
ldapsearch from the Linux server, authenticate correctly and gain user
information).

What I'd like to know is whether there is a standard set of settings
required to authenticate to the LDAP on the Mac. I'm currently running the
OD with no requirements for Kerberos, SSL or anything else, so it can
authenticate with plain passwords (it will be once it is implemented; I'm
trying to have as few variables as possible at the moment).

Copy of dovecot-ldap.conf below:

# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki.dovecot.org/AuthDatabase/LDAP
#
# NOTE: If you're not using authentication binds, you'll need to give
# dovecot-auth read access to userPassword field in the LDAP server.
# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
# already be something like this:

# access to attribute=userPassword
#        by dn="<dovecot's dn>" read # add this
#        by anonymous auth
#        by self write
#        by * none

# Space separated list of LDAP hosts to use. host:port is allowed too.
hosts = hostname.com

# LDAP URIs to use. You can use this instead of hosts list. Note that this
# setting isn't supported by all LDAP libraries.
#uris =

# Distinguished Name - the username used to login to the LDAP server
dn = uid=wmuser,cn=#####,dc=##,dc=###########,dc=###

# Password for LDAP server
dnpass = password

# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
# and auth_bind=yes don't work together.
#sasl_bind = no
# SASL mechanism name to use.
#sasl_mech =
# SASL realm to use.
#sasl_realm =
# SASL authorization ID, ie. the dnpass is for this "master user", but the
# dn is still the logged in user. Normally you want to keep this empty.
#sasl_authz_id =

# Use TLS to connect to the LDAP server.
#tls = no

# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes

# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
#
# If you use this setting, it's a good idea to use a different
# dovecot-ldap.conf for userdb (it can even be a symlink, just as long as the
# filename is different in userdb's args). That way one connection is used only
# for LDAP binds and another connection is used for user lookups. Otherwise
# the binding is changed to the default DN before each user lookup.
#
# For example:
auth_bind_userdn = cn=%u,cn=users,dc=##,dc=###########,dc=###
#
#auth_bind_userdn =

# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3

# LDAP base. %variables can be used here.
base = dc=##, dc=###########, dc=###

# Dereference: never, searching, finding, always
#deref = never

# Search scope: base, onelevel, subtree
#scope = subtree

# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
#   uid - System UID
#   gid - System GID
#   home - Home directory
#   mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki.dovecot.org/UserDatabase/ExtraFields
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

# Filter for user lookup. Some variables can be used (see
# http://wiki.dovecot.org/Variables for full list):
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if user there's no domain
user_filter = (&(objectClass=posixAccount)(uid=%u))

# Password checking attributes:
#   user: Virtual user name (user@domain), if you wish to change the
#         user-given username to something else
#   password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki.dovecot.org/PasswordDatabase/ExtraFields
pass_attrs = uid=user,userPassword=password

# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
# string. For example:
#pass_attrs = uid=user,userPassword=password

# Filter for password lookups
pass_filter = (&(objectClass=posixAccount)(uid=%u))

# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki.dovecot.org/Authentication
default_pass_scheme = PLAIN

# You can use same UID and GID for all user accounts if you really want to.
# If the UID/GID is still found from LDAP reply, it overrides these values.

#user_global_uid =
#user_global_gid =
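With auth_bind = yes, Dovecot verifies a password by doing one LDAP simple bind as the user's DN with the password the mail client sent (the comment in the config above describes exactly this, and since that bind never reads userPassword, the default_pass_scheme and the userPassword half of pass_attrs play no part). So the quickest way to tell "wrong DN template" from "wrong password" is to perform that single bind outside Dovecot. The following is an added example written for this page, not Dovecot's code and not the poster's: it builds the LDAP BindRequest by hand (standard library only, no python-ldap), expands %u / %n / %d the way dovecot-ldap.conf documents them, escapes the username per RFC 4514 before it goes into the DN (so a client-chosen login such as x,cn=admins cannot add RDNs to the bind DN), and decodes the resultCode from the BindResponse (0 = success, 49 = invalidCredentials). The host od.example.com, the base dc=example,dc=com, the user alice and the password are constructed placeholders. The DN layout uid=<name>,cn=users,<base> is an assumption about Open Directory, not something the page confirms: the RDN attribute of the entry that ldapsearch returns for a user is the one that belongs in auth_bind_userdn, whatever attribute user_filter searches on. Note that a simple bind over port 389 with tls = no sends the password in clear text, in this script as in Dovecot, so it belongs on a trusted network and TLS should be switched on once the bind works.

```python
# Added example (editor's, not Dovecot's or the poster's code): reproduce the
# LDAP simple bind that Dovecot performs for auth_bind = yes, without python-ldap.
# Host, base DN, user "alice" and password "secret" are constructed placeholders.
import re
import socket

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, else 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(n: int) -> bytes:
    """INTEGER (non-negative); the extra byte keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def expand_userdn(template: str, user: str) -> str:
    """Expand %u, %n, %d as dovecot-ldap.conf documents them, DN-escaped."""
    name, _, domain = user.partition("@")
    vals = {"%u": user, "%n": name, "%d": domain}
    return re.sub(r"%[und]", lambda m: escape_dn_value(vals[m.group(0)]), template)


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage{ messageID, BindRequest [APPLICATION 0]{ 3, dn, simple[0] } }"""
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + op)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes):
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    _, msg, _ = read_tlv(buf)
    _, _, pos = read_tlv(msg)                      # messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = read_tlv(op)                    # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)                  # matchedDN
    _, diag, _ = read_tlv(op, pos)                 # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def frame_complete(buf: bytes) -> bool:
    """True once buf holds one whole BER-encoded LDAPMessage."""
    if len(buf) < 2:
        return False
    length, hdr = buf[1], 2
    if length & 0x80:
        n = length & 0x7F
        if len(buf) < 2 + n:
            return False
        length, hdr = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return len(buf) >= hdr + length


def try_bind(host: str, port: int, dn: str, password: str, timeout: float = 5.0):
    """One simple bind; the password crosses the wire in clear, as with tls = no."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, dn, password))
        data = b""
        while not frame_complete(data):
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed before BindResponse")
            data += chunk
    return parse_bind_response(data)


if __name__ == "__main__":
    import sys
    template = "uid=%u,cn=users,dc=example,dc=com"   # assumed OD layout; verify first
    if len(sys.argv) == 4:                             # host user password
        host, user, password = sys.argv[1:]
        code, diag = try_bind(host, 389, expand_userdn(template, user), password)
    else:                                              # offline: constructed reply (49)
        print("BindRequest:", bind_request(1, expand_userdn(template, "alice"), "secret").hex())
        code, diag = parse_bind_response(b"\x30\x0c\x02\x01\x01\x61\x07\x0a\x01\x31\x04\x00\x04\x00")
    print("OK" if code == LDAP_SUCCESS else "bind failed: code %d %s" % (code, diag))
```

Run as `python3 ldapbind.py od.example.com alice secret` (constructed values) to bind against the real server; without arguments it only prints the encoded request and decodes a constructed invalidCredentials reply. The equivalent check with the OpenLDAP tools is `ldapsearch -x -H ldap://od.example.com -D 'uid=alice,cn=users,dc=example,dc=com' -W -b '' -s base`: if that bind fails with error 49 while the same password works in Mail.app on the Mac, the DN template is wrong, not the password, and the fix is in auth_bind_userdn rather than in pass_attrs or default_pass_scheme.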

