Active directory bind and quota stuff

Fran cumc-4361-2 at chguadalquivir.es
Fri Mar 13 13:44:19 UTC 2015


Hi list,

first of all, please excuse any grammar mistakes in my text; I'm
still learning English.

I'm making a Dovecot installation using my Active Directory as pass
and user DB. I'm setting the per-user quota from an AD field (Initials)
and everything seems to work fine, but I would like to know if you could
help me improve a couple of things.

---------------------------------------------------------------------------
---------------------------------------------------------------------------
I'm using CentOS 7, this is my Dovecot build:
---------------------------------------------------------------------------
# dovecot --build-options
Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL driver plugins: mysql postgresql sqlite
Passdb: checkpassword ldap pam passwd passwd-file shadow sql
Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql

# dovecot --version
2.2.10

And this is my /etc/dovecot/dovecot-ldap.conf.ext file:
---------------------------------------------------------------------------
hosts = adserver1.dom, adserver2.dom
base = DC=dom
ldap_version = 3
auth_bind = yes
auth_bind_userdn = dom\%u

dn = cn=imapUser,cn=Users,dc=dom
dnpass = ********

user_filter     = (&(samaccountname=%u)(objectClass=person)(|(mail=%u@dom.com)(othermailbox=%u@dom.com)))
pass_filter     = (&(samaccountname=%u)(objectClass=person)(|(mail=%u@dom.com)(othermailbox=%u@dom.com)))
pass_attrs      = userPassword=password
user_attrs      = Initials=quota_rule=*:storage=%$MB
---------------------------------------------------------------------------
---------------------------------------------------------------------------


My questions:

1) My AD doesn't allow anonymous searches and I was thinking of a way to
avoid the need to have a specific user account with its password stored
in a configuration file to do the bind. I don't know if this is
possible, but is there a way to use the same user you are trying to
validate to bind with the AD server?

2) As you can see (user_attrs = Initials=quota_rule=*:storage=%$MB), to
set the per-user quota value, I require a numeric value in the "Initials"
field of my AD. I've realized that if a wrong value is introduced in that
field, Dovecot throws an error when you try to validate the user, and
hence IMAP logon fails. Is there any way to bypass that and use the
default quota value if something is wrong with the per-user quota set?

Error log with wrong quota values (I wrote the value e34 in the Initials
field of user1 in AD, instead of a valid numeric value):

* quota refresh command:

[root@dmail02 dovecot]# doveadm quota recalc -u user1
doveadm(user1): Error: user user1: Initialization failed: Failed to
initialize quota: Invalid quota root quota: Invalid rule
*:storage=e34MB: Invalid rule limit value 'storage=e34MB': Unknown unit:
e34MB

* imap login:

Mar 13 14:12:10 dmail02 dovecot: imap(user1): Error: user user1:
Initialization failed: Failed to initialize quota: Invalid quota root
quota: Invalid rule *:storage=e34MB: Invalid rule limit value
'storage=e34MB': Unknown unit: e34MB
Mar 13 14:12:10 dmail02 dovecot: imap(user1): Error: Invalid user
settings. Refer to server log for more information.

Thank you very much in advance,
Fran
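Added example (not part of the original post, nor Dovecot's own code): a small audit script that reproduces, as I understand it, how Dovecot's quota plugin reads the `storage=<number><unit>` limit that `Initials=quota_rule=*:storage=%$MB` generates (leading digits are the number, only the first character of the rest is the unit, so `MB` means M and `e34MB` is an unknown unit). Run against an export of sAMAccountName/Initials pairs, it reports which users would hit the "Invalid rule" error before they fail IMAP login; the sample users and the assumption that an empty attribute falls back to the default rule are constructed for the example.

```python
import re

# Constructed sample of an AD export: sAMAccountName -> Initials (not real data).
SAMPLE_AD_USERS = {
    "user1": "e34",   # the non-numeric value from the post
    "user2": "500",   # valid: 500 MB
    "user3": "",      # attribute empty: assume no quota_rule is produced
    "user4": "2GB",   # becomes "*:storage=2GBMB"; unit is read from its first char
}

UNIT_MULTIPLIER = {"B": 1, "K": 1024, "M": 1024**2, "G": 1024**3, "T": 1024**4}

def parse_storage_limit(limit):
    """Parse 'storage=<number><unit>' roughly as Dovecot does: leading digits
    are the number, only the FIRST character of what follows is the unit.
    Returns bytes, or raises ValueError with a Dovecot-shaped message."""
    key, _, value = limit.partition("=")
    if key != "storage":
        raise ValueError("Unknown limit: %s" % key)
    m = re.match(r"(\d+)(.*)\Z", value, re.DOTALL)
    if m is None:  # no leading digits: the whole value is taken as the unit
        raise ValueError("Invalid rule limit value '%s': Unknown unit: %s" % (limit, value))
    number, unit = int(m.group(1)), m.group(2)
    if unit == "":
        return number  # no unit means bytes
    mult = UNIT_MULTIPLIER.get(unit[0].upper())
    if mult is None:
        raise ValueError("Invalid rule limit value '%s': Unknown unit: %s" % (limit, unit))
    return number * mult

def effective_quota_rule(initials, default_rule="*:storage=1GB"):
    """Return (rule, limit_bytes, error) for one user, mirroring
    user_attrs = Initials=quota_rule=*:storage=%$MB. Assumption: an empty
    attribute yields no quota_rule, so the plugin default applies."""
    rule = default_rule if not initials else "*:storage=%sMB" % initials
    _mailbox, _, limit = rule.partition(":")  # single storage limit only
    try:
        return rule, parse_storage_limit(limit), None
    except ValueError as e:
        return rule, None, "Invalid rule %s: %s" % (rule, e)

def audit(users, default_rule="*:storage=1GB"):
    """Map each user to its would-be rule; an error means IMAP login would fail."""
    return {u: effective_quota_rule(i, default_rule) for u, i in users.items()}

if __name__ == "__main__":
    for user, (rule, limit, err) in audit(SAMPLE_AD_USERS).items():
        print(user, rule, limit if err is None else "BROKEN: " + err)
```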

