[Dovecot] Configuration of dovecot 2.0.19 to authenticate users via LDAP

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Mon May 19 06:56:56 UTC 2014


On Sun, 18 May 2014, Danylo Esterman wrote:

>    # Max Mustermann, people, ht
>    dn: cn=Max Mustermann,ou=people,dc=ht
>    cn: Max Mustermann
>    givenName: Max
>    gidNumber: 500
>    homeDirectory: /home/users/mmustormann
>    sn: Mustermann
>    objectClass: inetOrgPerson
>    objectClass: posixAccount
>    objectClass: top
>    uidNumber: 1000
>    uid: mmustermann
>    userPassword:: e01ENX1ETUYxdWNEeHRxZ3h3NW5pYVhjbVlRPT0=
>    loginShell: /bin/bash
>    mail: mustorm at test.com
>
> Now, I use the following configuration for dovecot
> (/etc/dovecot/dovecot-ldap.conf.ext)
>
>    hosts = 10.1.2.1
>    dn = cn=admin,dc=ht
>    dnpass = a
>    auth_bind = yes
>    auth_bind_userdn = uid=%u,ou=people,dc=ht
>    ldap_version = 3
>    scope = subtree
>    base = ou=people,dc=ht
>    user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
>    user_filter = (&(objectClass=posixAccount)(uid=%u))
>    pass_attrs = uid=user,userPassword=password
>    pass_filter = (&(objectClass=posixAccount)(uid=%u))
>
> This is what I see in Wireshark: http://i.stack.imgur.com/ICzDe.png
>
> Dovecot cannot authenticate itself for some reason...

The Wireshark trace shows that you've tried to authenticate a user 
"uid=mmustermann,ou=people,dc=ht", but no such LDAP item exists. It is 
named "cn=Max Mustermann,ou=people,dc=ht".

> If i change the configuration as follows:
>
>    auth_bind = no
>    #auth_bind_userdn = uid=%u,ou=people,dc=ht
>
> Then I get following picture: http://i.stack.imgur.com/tb5vo.png

Well, why auth_bind = no? If you read the comment for that setting:

# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
#auth_bind = no
auth_bind = yes

> I am really desperate and don't know how to make it work. Can somebody
> please give me a clue how to solve this problem?

-- 
Steffen Kaiser
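The following is an added example, not code from Dovecot or from either poster. It replays the failure in the thread against a small in-memory stand-in for the directory on 10.1.2.1, to make the difference between the three ways Dovecot can check a password visible: binding straight to the templated auth_bind_userdn (which names "uid=mmustermann,ou=people,dc=ht", a DN that does not exist), binding as dn/dnpass and using pass_filter to find the real DN before binding as it, and auth_bind = no, where Dovecot reads userPassword through the admin bind and compares the hash itself. The user entry is copied from the posted LDIF; its base64 userPassword decodes to the {MD5} hash of the one-character password "a", which the example uses as the client's password. The cn=admin entry and its cleartext password "a" (from dnpass) are assumptions, and the search, filter and bind functions are toy models, not a real LDAP client.

```python
"""Model of the Dovecot LDAP password-check modes discussed in the thread.

Added example, not Dovecot code. Everything here runs against a constructed
in-memory directory; no LDAP server is involved.
"""
import base64
import hashlib

# Value copied from the posted LDIF ("userPassword::" means base64 in LDIF).
_LDIF_USERPASSWORD = "e01ENX1ETUYxdWNEeHRxZ3h3NW5pYVhjbVlRPT0="

# Constructed stand-in for the directory on 10.1.2.1. The admin entry and its
# cleartext password are assumed (only dnpass = a is known from the config).
DIRECTORY = {
    "cn=Max Mustermann,ou=people,dc=ht": {
        "objectClass": ["inetOrgPerson", "posixAccount", "top"],
        "uid": ["mmustermann"],
        "uidNumber": ["1000"],
        "gidNumber": ["500"],
        "homeDirectory": ["/home/users/mmustormann"],
        "userPassword": [base64.b64decode(_LDIF_USERPASSWORD).decode()],
    },
    "cn=admin,dc=ht": {"userPassword": ["a"]},
}

BIND_DN, BIND_PW, BASE = "cn=admin,dc=ht", "a", "ou=people,dc=ht"


def password_matches(stored: str, candidate: str) -> bool:
    """Compare a candidate against an RFC 2307 style userPassword value.

    Only cleartext and {MD5} (base64 of the raw digest, as in the LDIF) are
    handled, because that is all this directory contains.
    """
    if stored.startswith("{MD5}"):
        digest = hashlib.md5(candidate.encode()).digest()
        return stored[5:] == base64.b64encode(digest).decode()
    return stored == candidate


def simple_bind(dn: str, password: str) -> bool:
    """LDAP simple bind reduced to one boolean.

    A real server answers invalidCredentials both for a wrong password and
    for a DN that does not exist, so the caller cannot tell the two apart;
    that is exactly what the failing templated bind in the thread looks like.
    """
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    return any(password_matches(s, password) for s in entry.get("userPassword", []))


def search(base: str, predicate) -> list:
    """Subtree search: DNs under `base` whose attributes satisfy `predicate`."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base) and predicate(attrs)]


def pass_filter(username: str):
    """Toy equivalent of (&(objectClass=posixAccount)(uid=%u)) from the config.

    Dovecot escapes %u before building the real filter; here the value is
    compared as a plain string, so no filter syntax can be smuggled in.
    """
    return lambda a: ("posixAccount" in a.get("objectClass", [])
                      and username in a.get("uid", []))


def auth_bind_templated(username: str, password: str, template: str) -> bool:
    """auth_bind = yes with auth_bind_userdn set: no search, bind to the template."""
    return simple_bind(template.replace("%u", username), password)


def auth_bind_via_filter(username: str, password: str):
    """auth_bind = yes without auth_bind_userdn: bind as dn/dnpass, locate the
    entry with pass_filter, then bind as the DN found using the client's password.
    Returns (success, dn_found)."""
    if not simple_bind(BIND_DN, BIND_PW):
        return False, None
    hits = search(BASE, pass_filter(username))
    if len(hits) != 1:
        return False, None
    return simple_bind(hits[0], password), hits[0]


def auth_nobind(username: str, password: str):
    """auth_bind = no: the bind DN must be allowed to read userPassword and
    Dovecot compares the hash itself (pass_attrs = ...,userPassword=password).
    Returns (success, dn_found)."""
    if not simple_bind(BIND_DN, BIND_PW):
        return False, None
    hits = search(BASE, pass_filter(username))
    if len(hits) != 1:
        return False, None
    stored = DIRECTORY[hits[0]].get("userPassword", [])
    return any(password_matches(s, password) for s in stored), hits[0]


if __name__ == "__main__":
    print("templated DN :", auth_bind_templated("mmustermann", "a", "uid=%u,ou=people,dc=ht"))
    print("search + bind:", auth_bind_via_filter("mmustermann", "a"))
    print("no bind      :", auth_nobind("mmustermann", "a"))
```

The templated variant fails for the reason given in the reply: the entry's RDN is cn=Max Mustermann, so "uid=%u,ou=people,dc=ht" never resolves. With auth_bind = yes and auth_bind_userdn left unset, pass_filter finds the entry and the bind as that DN succeeds, and the admin bind DN never needs read access to userPassword, which is the point of preferring authentication binds over auth_bind = no.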