Problem to configure dovecot-ldap.conf.ext

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Wed Oct 26 05:58:27 UTC 2016



On Tue, 25 Oct 2016, Günther J. Niederwimmer wrote:

> Thanks for the answer and help,
>
> I mean I found the biggest problem it is "auth_bind_userdn = "
>
> On Tuesday, 25 October 2016, 12:19:08, Steffen Kaiser wrote:
>> On Tue, 25 Oct 2016, Günther J. Niederwimmer wrote:
>>> I set up LDAP (FreeIPA) to have a user for dovecot that can (read, search,
>>> compare) all attributes that I need for dovecot.
>>>
>>> I must also have mailAlternateAddress
>>>
>>> When I make a ldapsearch with this user, I found all I need to configure
>>> dovecot.
>>>
>>> doveadm auth test office
>>> and
>>> doveadm auth test office@example.com
>>>
>>> with successful authentication
>>>
>>> but when I make a
>>> doveadm auth test info@example.co (mailAlternateAddress)
>>
>> I guess the missing 'm' in .co is a typo?
>
> ;-) Yes
>
>> Do you find
>> doveadm user -u office
>> doveadm user -u office@example.com
>> doveadm user -u info@example.com
>
> Yes, this is working with all users?
>
> doveadm user -u office
> userdb: office
>  user      : office
>  home      : /srv/vmail/office
>  uid       : 10000
>  gid       : 10000
>
> doveadm user -u info@example.com
> userdb: info@example.com
>  user      : office
>  home      : /srv/vmail/office
>  uid       : 10000
>  gid       : 10000
>
>
>>> I have broken authentication
>>>
>>> Can anyone give me a hint what is wrong, or is this not possible?
>>
>> Show us your LDAP record of this user.
> This is a result from ldapsearch with Dovecot's special user, from the Dovecot
> system!
>
> ldapsearch -w 'XXXXXXXXXXX' -h ipa.example.com \
>   -D 'uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com' \
>   -s sub -b 'dc=example,dc=com' 'mail=office@example.com'
>
> I can also search for 'mailAlternateAddress=info@example.com' with the same
> result.
>
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> with scope subtree
> # filter: mail=office@example.com
> # requesting: ALL
> #
>
> # office, users, accounts, example.com
> dn: uid=office,cn=users,cn=accounts,dc=example,dc=com
> st: AUSTRIA
> l: Salzburg
> postalCode: 5020
> krbPasswordExpiration: 20380101000000Z
> krbLastPwdChange: 20160929133721Z
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
> memberOf: cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com
> mailAlternateAddress: info@example.com
> displayName:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
> uid: office
> objectClass: ipaobject
> objectClass: person
> objectClass: top
> objectClass: ipasshuser
> objectClass: inetorgperson
> objectClass: mailrecipient
> objectClass: organizationalperson
> objectClass: krbticketpolicyaux
> objectClass: krbprincipalaux
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> loginShell: /bin/bash
> initials: GN
> gecos:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
> sn: Niederwimmer
> homeDirectory: /home/office
> mail: office@example.com
> krbPrincipalName: office@example.COM
> givenName:: R8O8bnRoZXIgSi4=
> cn:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
> ipaUniqueID: 3a6e2256-8648-11e6-b45d-5254002cd3fc
> uidNumber: 1507800005
> gidNumber: 1507800005
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>>> # For example:
>>> #   auth_bind_userdn = cn=%u,ou=people,o=org
>>> #
>>> auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com
>>
>> That one looks strange, you really have an account (uid=office@example.com)?
>
> I mean I don't understand this at the moment (?), but I can comment this out?

Well, you must comment out this setting, because:

http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds?highlight=%28auth_bind_userdn%29

"If you're using DN template, pass_attrs and pass_filter settings are 
completely ignored."

That is: only if *all* your users log in using their "uid" attribute and 
are located at a single predictable hierarchy level can you use this in 
order to avoid the LDAP query with passdb_filter that locates the user's DN.

> I now also make tests with "#auth_bind_userdn = uid=%n...." commented out
>
> now the tests are WORKING !!!
>
> Now I have to find out the correct syntax for auth_bind_userdn !!! when it is
> possible?

-- 
Steffen Kaiser
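A dovecot-ldap.conf.ext that follows the advice in this thread, as an added example that is not part of the original message or the poster's file: the `auth_bind_userdn` template that broke the alias login is left commented out, and `pass_filter`/`user_filter` matching on uid, mail and mailAlternateAddress take its place. The bind DN, base, object class and attribute names come from the ldapsearch output quoted above; the `mailusers` group restriction, the `dnpass` placeholder and the `user_attrs` mapping are assumptions.

```conf
# dovecot-ldap.conf.ext (added example, not the poster's configuration)
uris = ldaps://ipa.example.com
ldap_version = 3

# Dovecot's own search account (the one used for the ldapsearch above).
# dnpass is stored in clear text, so this file must be readable by root only.
dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
# Placeholder, not a real credential.
dnpass = REPLACE_WITH_SYSTEM_ACCOUNT_PASSWORD

# Verify the password by binding as the user whose DN the search below found.
auth_bind = yes

# WRONG for this setup: with a DN template, pass_filter is ignored entirely,
# so a login as "info@example.com" becomes uid=info,cn=users,... which does
# not exist (the alias belongs to uid=office). Left commented out on purpose.
#auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com

base = cn=users,cn=accounts,dc=example,dc=com
scope = subtree

# Accept the login name as uid ("office"), as primary mail
# ("office@example.com") or as an alias ("info@example.com").
# %u is the full login name, %n the part before the "@".
# The memberOf clause is an assumption: it limits mail logins to the
# mailusers group seen in the LDIF instead of every FreeIPA account.
pass_filter = (&(objectClass=mailrecipient)(memberOf=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com)(|(uid=%n)(mail=%u)(mailAlternateAddress=%u)))
# Canonicalise the user name to the uid, so that all three spellings of the
# login end up in the same mailbox (as the "user : office" output shows).
pass_attrs = uid=user

# Same matching for userdb, so "doveadm user -u info@example.com" resolves too.
user_filter = (&(objectClass=mailrecipient)(memberOf=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com)(|(uid=%n)(mail=%u)(mailAlternateAddress=%u)))
# Assumed standard attribute mapping; the poster's output shows
# /srv/vmail/<uid> with static uid/gid 10000, which needs its own template.
user_attrs = uid=user,homeDirectory=home,uidNumber=uid,gidNumber=gid
```

After changing the file, restart dovecot and repeat the three `doveadm auth test` / `doveadm user -u` checks from the thread; `doveadm user -u office@otherdomain.example` should also be tried, because `uid=%n` alone would match it unless the group or domain is restricted.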