LDAP Filters as defined for dovecot UserDB and passDB
Will Merkens
william at userful.com
Fri Nov 3 17:10:21 EET 2017
On 17-11-03 01:01 AM, Steffen Kaiser wrote:
> On Fri, 3 Nov 2017, Aki Tuomi wrote:
>
> > Check your userdb, is it using same config file?
>
> some HOWTOs explicitly want you to use two config files, because Dovecot maintains two different connections for passdb and userdb queries, which is faster.
> So if you have copied the config file, instead of symlinked them, you might have to change two files.
Ok I checked for this.
# Authentication for LDAP users. Included from 10-auth.conf.
#
# <doc/wiki/AuthDatabase.LDAP.txt>
passdb {
driver = ldap
# Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
args = /etc/dovecot/dovecot-ldap.conf.ext
}
# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
# <doc/wiki/UserDatabase.Prefetch.txt>
#userdb {
# driver = prefetch
#}
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
# Default fields can be used to specify defaults that LDAP may override
#default_fields = home=/var/spool/maildir/%d/%n/Maildir
}
# If you don't have any user-specific settings, you can avoid the userdb LDAP
# lookup by using userdb static instead of userdb ldap, for example:
# <doc/wiki/UserDatabase.Static.txt>
#userdb {
#driver = static
#args = uid=vmail gid=vmail home=/var/vmail/%u
#}
Only one file is being called.
And in my 10-auth.conf at the bottom
# <doc/wiki/UserDatabase.txt>
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
#!include auth-system.conf.ext
#!include auth-sql.conf.ext
!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
LDAP is the only auth system I am using.
>
> > On 02.11.2017 23:59, Will Merkens wrote:
> >> I have pretty much everything working fine.
> >>
> >> I have run into one issue with the filters, where I am unsure where this filter is being set.
> >>
> >> Dovecot 2.2.32 (dfbe293d4)
> >>
> >> I have set up dovecot-ldap.conf.ext to control my LDAP queries.
> >>
> >> My current layout used filters based on looking at the posixAccount attributes
> >>
> >> user_filter = (&(objectClass=posixAccount)(uid=%u))
> >>
> >> If I connect to an LDAP account that has no posixAccount attributes set, I was getting a failure in the logs:
> >>
> >> Nov 02 14:15:48 mail2 dovecot[28715]: auth: Debug: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): user search: base=ou=People,dc=userful,dc=ca scope=subtree filter=(&(objectClass=posixAccount)(uid=sales)) fields=mail,user_filter
> >> Nov 02 14:15:48 mail2 dovecot[28715]: auth: Debug: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): no fields returned by the server
> >> Nov 02 14:15:48 mail2 dovecot[28715]: auth: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): unknown user
> >> Nov 02 14:15:48 mail2 dovecot[28715]: auth: Error: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): user not found from userdb
> >>
> >> I changed the filters, thinking I needed to look at the attributes seen by one of these accounts; I used Apache Studio to find out what was visible.
> >>
> >> From that I saw inetOrgPerson could be used. So I changed the filters.
> >>
> >> user_filter = (&(objectClass=inetOrgPerson)(uid=%u))
> >> pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))
> >> iterate_filter = (objectClass=inetOrgPerson)
> >>
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=Y0GBzgVdlorAqHsn lip=192.168.123.236
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales at userful.com,192.168.123.39,<Y0GBzgVdlorAqHsn>): bind search: base=ou=People,dc=userful,dc=ca filter=(&(objectClass=inetOrgPerson)(uid=sales))
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales at userful.com,192.168.123.39,<Y0GBzgVdlorAqHsn>): result: uid=sales; uid unused
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales at userful.com,192.168.123.39,<Y0GBzgVdlorAqHsn>): username changed sales at userful.com -> sales
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): result: uid=sales
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: ldap(sales at userful.com,192.168.123.39,<Y0GBzgVdlorAqHsn>): username changed sales at userful.com -> sales
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: client passdb out: OK 1 user=sales original_user=sales at userful.com
> >>
> >> So far so good, but then I get:
> >>
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: master in: REQUEST 3851550721 29049 1 519189df600c24c010b57158ac01c867 session_pid=29073 request_auth_token
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): user search: base=ou=People,dc=userful,dc=ca scope=subtree filter=(&(objectClass=posixAccount)(uid=sales)) fields=mail,user_filter
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): no fields returned by the server
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): unknown user
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Error: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): user not found from userdb
> >>
> >> The question then is where it got filter=(&(objectClass=posixAccount) from, since I changed the filters to inetOrgPerson.
> >>
> >> I grepped the Dovecot settings directory and all my filters are in the one file, the file that holds the LDAP settings.
> >>
> -- Steffen Kaiser
--
William Merkens
IT Support Analyst
Userful Corporation
+1 403.289.2177 ext.289
+1 866 USERFUL (1-866-873-7385)
Suite 300, 736 8th Ave. SW
Calgary AB T2P 1H4
Managed Desktops Done Right.
http://www.userful.com
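As an added example, not from this thread or from Dovecot's own code, here is a small Python helper for the situation discussed above: it reads a dovecot-ldap.conf.ext-style file with Dovecot's last-assignment-wins semantics, reports any key (such as user_filter) that is assigned more than once, and expands %u, %n and %d in the filters for a given login the way the auth debug log shows them. The config text is constructed for the example and is not the poster's real file; only the three variables %u, %n and %d are handled, and the escaping of substituted values is modelled on RFC 4515 LDAP filter escaping rather than copied from Dovecot's source, so treat both as assumptions.

```python
import re

# Constructed sample of a dovecot-ldap.conf.ext; NOT the poster's real file.
# user_filter is deliberately assigned twice so the duplicate check has
# something to report; Dovecot keeps the later value.
SAMPLE_CONF = """\
# LDAP settings (constructed example)
hosts = ldap.example.test
base = ou=People,dc=example,dc=test
scope = subtree
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))
iterate_filter = (objectClass=inetOrgPerson)
user_attrs = mail=user
# later edit further down the file, overrides the earlier user_filter
user_filter = (&(objectClass=inetOrgPerson)(uid=%u))
"""

# RFC 4515 escaping for values substituted into a search filter, so that a
# login name like "*)(uid=*" cannot change the shape of the filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_conf(text):
    """Parse 'key = value' lines. Returns (effective, duplicates).

    effective:  key -> last value assigned (later assignments replace earlier ones)
    duplicates: key -> all values seen, only for keys assigned more than once
    """
    seen = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = line.split("=", 1)
        seen.setdefault(key.strip(), []).append(value.strip())
    effective = {k: v[-1] for k, v in seen.items()}
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return effective, duplicates


def ldap_escape(value):
    """Escape a single attribute value for use inside an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(c, c) for c in value)


def expand_filter(template, login):
    """Expand %u (full login), %n (local part) and %d (domain) in a filter.

    Only these three variables are handled (assumption: Dovecot supports
    more). Each substituted value is escaped before insertion.
    """
    local, _, domain = login.partition("@")
    subst = {"u": ldap_escape(login), "n": ldap_escape(local), "d": ldap_escape(domain)}
    return re.sub(r"%([und])", lambda m: subst[m.group(1)], template)


def effective_filters(conf_text, login):
    """Return the expanded user/pass/iterate filters the file would produce."""
    effective, _ = parse_conf(conf_text)
    return {
        key: expand_filter(effective[key], login)
        for key in ("user_filter", "pass_filter", "iterate_filter")
        if key in effective
    }


if __name__ == "__main__":
    effective, duplicates = parse_conf(SAMPLE_CONF)
    for key, values in duplicates.items():
        print(f"{key} is assigned {len(values)} times; effective value: {effective[key]}")
    for key, flt in effective_filters(SAMPLE_CONF, "sales@userful.com").items():
        print(f"{key}: {flt}")
```

Run it against the real file and compare the effective user_filter it reports with the filter= shown in the "user search:" debug line. If the two agree, the file is what the auth process is reading; if the file yields the new filter but the log still shows the old one, the running auth process is not using that file's current contents, and the duplicate report tells you whether a second assignment lower in the file is what the process sees.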