Problem to configure dovecot-ldap.conf.ext

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Tue Oct 25 10:19:08 UTC 2016



On Tue, 25 Oct 2016, Günther J. Niederwimmer wrote:

> I setup ldap (FreeIPA) to have a user for dovecot that can (read search
> compare) all attributes that I need for dovecot.
>
> I must also have mailAlternateAddress
>
> When I make a ldapsearch with this user, I found all I need to configure
> dovecot.
>
> doveadm auth test office
> and
> doveadm auth test office@examle.com
>
> with success authentication
>
> but when I make a
> doveadm auth test info@example.co (mailAlternateAddress)

I guess the missing 'm' in .co is a typo?

Do you find
doveadm user -u office
doveadm user -u office@examle.com
doveadm user -u info@example.co

> I have a broken authentication

> Can any give me a hint what is wrong, or is this not possible ?

Show us your LDAP record of this user.

> # Distinguished Name - the username used to login to the LDAP server.
> # Leave it commented out to bind anonymously (useful with auth_bind=yes).
> dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
>
> # Password for LDAP server, if dn is specified.
> dnpass = 'XXXXXXXXXXXXXX'
>
> # Use SASL binding instead of the simple binding. Note that this changes
> # ldap_version automatically to be 3 if it's lower. Also note that SASL binds
> # and auth_bind=yes don't work together.
> sasl_bind = yes
> # SASL mechanism name to use.
> sasl_mech = gssapi
> # SASL realm to use.
> sasl_realm = EXAMPLE.COM
> # SASL authorization ID, ie. the dnpass is for this "master user", but the
> # dn is still the logged in user. Normally you want to keep this empty.
> sasl_authz_id = imap/mx01.example.com@EXAMPLE.COM

Dunno with SASL and Co.

> # Use authentication binding for verifying password's validity. This works by
> # logging into LDAP server using the username and password given by client.
> # The pass_filter is used to find the DN for the user. Note that the pass_attrs
> # is still used, only the password field is ignored in it. Before doing any
> # search, the binding is switched back to the default DN.
> auth_bind = yes
>
> # If authentication binding is used, you can save one LDAP request per login
> # if users' DN can be specified with a common template. The template can use
> # the standard %variables (see user_filter). Note that you can't
> # use any pass_attrs if you use this setting.
> #
> # If you use this setting, it's a good idea to use a different
> # dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
> # the filename is different in userdb's args). That way one connection is used
> # only for LDAP binds and another connection is used for user lookups.
> # Otherwise the binding is changed to the default DN before each user lookup.
> #
> # For example:
> #   auth_bind_userdn = cn=%u,ou=people,o=org
> #
> auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com

That one looks strange, you really have an account (uid=office@examle.com)?

> # Search scope: base, onelevel, subtree
> scope = subtree
> #scope = onelevel
>
> # User attributes are given in LDAP-name=dovecot-internal-name list. The
> # internal names are:
> #   uid - System UID
> #   gid - System GID
> #   home - Home directory
> #   mail - Mail location
> #
> # There are also other special fields which can be returned, see
> # http://wiki2.dovecot.org/UserDatabase/ExtraFields
> #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
> user_attrs = uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000
>
> # Filter for user lookup. Some variables can be used (see
> # http://wiki2.dovecot.org/Variables for full list):
> #   %u - username
> #   %n - user part in user@domain, same as %u if there's no domain
> #   %d - domain part in user@domain, empty if there's no domain
> user_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))

If doveadm user -u info@example.co
returns your entry, this filter is OK.

> # Password checking attributes:
> #  user: Virtual user name (user@domain), if you wish to change the
> #        user-given username to something else
> #  password: Password, may optionally start with {type}, eg. {crypt}
> # There are also other special fields which can be returned, see
> # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
> pass_attrs = uid=user,userPassword=password,mailAlternateAddress=user

You cannot return two values for user, I guess you like to have "uid", so

pass_attrs = uid=user,userPassword=password

> # Filter for password lookups
> #pass_filter = (&(objectClass=posixAccount)(uid=%u))
> pass_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))

Looks good, if doveadm user -u info@example.co returns something sensible,
because the user filter is the same.

> # Attributes and filter to get a list of all users
> iterate_attrs = uid=user, mailAlternateAddress=user

Same as pass_attrs.

> iterate_filter = (objectClass=posixAccount)

Looks strange, should be

iterate_filter = (objectClass=mailrecipient)

> # Default password scheme. "{scheme}" before password overrides this.
> # List of supported schemes is in: http://wiki2.dovecot.org/Authentication
> #default_pass_scheme = CRYPT

-- 
Steffen Kaiser

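The two checks raised in the reply above, whether the quoted user_filter actually matches a login once Dovecot has expanded %Ln/%Lu, and whether a *_attrs list maps two LDAP attributes onto the same Dovecot field, can be rehearsed without a running LDAP server. The following Python is an added example, not code from the thread or from Dovecot; it assumes only the %u, %n and %d variables with the L (lowercase) modifier, which is all the quoted config uses, and escapes filter metacharacters the way an LDAP passdb must.

```python
import re

# Filter and attribute lists as quoted in the thread (constructed copies).
USER_FILTER = ("(&(objectClass=mailrecipient)"
               "(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))")
PASS_ATTRS_POSTED = "uid=user,userPassword=password,mailAlternateAddress=user"
PASS_ATTRS_FIXED = "uid=user,userPassword=password"

def split_login(login):
    """Return (user part, domain part): Dovecot's %n and %d for a login name."""
    if "@" in login:
        return tuple(login.split("@", 1))
    return login, ""

def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters so a login cannot rewrite the filter."""
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                    (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, esc)
    return value

def expand_filter(template, login):
    """Expand %u/%n/%d (optionally with the L lowercase modifier) in a filter.
    Only these variables are handled; that is an assumption of this example."""
    user, domain = split_login(login)
    values = {"u": login, "n": user, "d": domain}

    def substitute(match):
        modifiers, name = match.group(1), match.group(2)
        value = values[name]
        if "L" in modifiers:
            value = value.lower()
        return ldap_escape(value)

    return re.sub(r"%([LU]*)([und])", substitute, template)

def duplicate_fields(attr_spec):
    """Dovecot field names that more than one entry of a *_attrs list maps to.
    Entries look like ldapattr=field, ldapattr=field=template or =field=static."""
    targets = {}
    for entry in attr_spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        ldap_attr, _, rest = entry.partition("=")
        field = rest.split("=", 1)[0]
        targets.setdefault(field, []).append(ldap_attr or "<static>")
    return sorted(f for f, srcs in targets.items() if len(srcs) > 1)
```

Running expand_filter on the three logins from the thread shows the mailAlternateAddress branch is only reachable when the full address is typed, which is what the doveadm user checks in the reply would confirm against the directory.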
