ldap sasl bind and auth_bind
Matwey V. Kornilov
matwey.kornilov at gmail.com
Sat Sep 17 17:22:33 UTC 2016
Hello,
I am using
# dovecot --version
2.2.18
# dovecot -n
# 2.2.18: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8 (0c4ae064f307+)
doveconf: Warning: NOTE: You can get a new clean config file with:
doveconf -n > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:24:
'imaps' protocol can no longer be specified (use protocols=imap). to
disable non-ssl imap, use service imap-login { inet_listener imap {
port=0 } }
doveconf: Warning: NOTE: You can get a new clean config file with:
doveconf -n > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:24:
'imaps' protocol can no longer be specified (use protocols=imap). to
disable non-ssl imap, use service imap-login { inet_listener imap {
port=0 } }
# OS: Linux 4.1.27-27-default x86_64 openSUSE 42.1 (x86_64)
first_valid_uid = 1
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = lmtp imap
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl = required
ssl_ca = /etc/pki/trust/anchors/rootCA.pem
ssl_cert = </etc/openldap/openldap.crt
ssl_dh_parameters_length = 2048
ssl_key = </etc/openldap/openldap.key
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  override_fields = uid=vmail gid=vmail home=/var/spool/mail/%d/%n
}
I use LDAP for the user and password databases as follows:
uris = ldapi:///
sasl_bind = yes
sasl_mech = EXTERNAL
auth_bind = yes
And I found that only the first authentication after a dovecot restart is
successful; the others always fail with temp.
The reason is that dovecot rebinds to an anonymous bind after a successful
auth bind instead of rebinding to the external SASL bind.
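The failure mode described in this post comes from the fact that an LDAP connection carries exactly one bind identity. With auth_bind = yes, each login first needs a search for the user's DN, which runs under the identity Dovecot itself is bound as (here, whatever the server maps the SASL EXTERNAL bind over ldapi:// to); the connection is then bound as the user to check the password, which replaces that identity, and it has to be restored before the next request reuses the same connection. The following model, an added illustration that is not Dovecot's code, shows the two outcomes: restoring the SASL EXTERNAL bind keeps every login working, while dropping back to an anonymous bind leaves the next DN lookup without the rights it needs. The directory contents, the ACL rule (only the service identity may search ou=people) and the service DN are all constructed for the example.

```python
"""Model of the LDAP bind sequence Dovecot performs with auth_bind = yes.

Added example, not Dovecot's own code. The directory entries, the ACL
rule and the DN that the SASL EXTERNAL bind maps to are constructed.
"""

# Constructed directory: DN -> attributes.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=people,dc=example,dc=org": {"uid": "bob", "userPassword": "hunter2"},
}

# Assumed: the identity the server maps a SASL EXTERNAL bind over ldapi:// to.
SERVICE_DN = "cn=dovecot,ou=services,dc=example,dc=org"


class LdapConnection:
    """One connection; LDAP keeps a single bind identity per connection."""

    def __init__(self):
        self.bound_as = None  # None means anonymous

    def sasl_external_bind(self):
        # Over ldapi:// the peer credentials identify the client; no password.
        self.bound_as = SERVICE_DN

    def simple_bind(self, dn, password):
        entry = DIRECTORY.get(dn)
        if entry is not None and entry["userPassword"] == password:
            self.bound_as = dn
            return True
        # A failed bind leaves the association anonymous (RFC 4511, 4.2.1).
        self.bound_as = None
        return False

    def anonymous_bind(self):
        self.bound_as = None

    def search_user_dn(self, uid):
        # Constructed ACL: only the service identity may search ou=people.
        if self.bound_as != SERVICE_DN:
            raise PermissionError("insufficient access for %s" % (self.bound_as or "anonymous"))
        for dn, attrs in DIRECTORY.items():
            if attrs["uid"] == uid:
                return dn
        return None


def authenticate(conn, uid, password, rebind_to):
    """One auth_bind cycle: look up the DN, bind as the user, restore the service bind."""
    try:
        dn = conn.search_user_dn(uid)
    except PermissionError:
        return "lookup_failed"  # the request cannot even reach the password check
    if dn is None:
        return "unknown_user"
    result = "ok" if conn.simple_bind(dn, password) else "bad_password"
    # The connection now carries the user's identity (or none, after a failed
    # bind); it must be returned to the service identity before being reused.
    if rebind_to == "sasl_external":
        conn.sasl_external_bind()
    else:
        conn.anonymous_bind()
    return result


def run_sequence(rebind_to):
    """Two logins over one persistent connection, as after a dovecot restart."""
    conn = LdapConnection()
    conn.sasl_external_bind()  # sasl_bind = yes, sasl_mech = EXTERNAL
    return [
        authenticate(conn, "alice", "s3cret", rebind_to),
        authenticate(conn, "bob", "hunter2", rebind_to),
    ]


if __name__ == "__main__":
    print("rebind to SASL EXTERNAL:", run_sequence("sasl_external"))
    print("rebind anonymously:     ", run_sequence("anonymous"))
```

The anonymous-rebind case fails at the DN lookup, not at the password check, which is why every login after the first one fails regardless of the credentials offered. Note that the defect only becomes visible when the directory denies anonymous searches of the user subtree; a directory that allows them would mask the missing rebind while silently running every lookup without the service identity.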