On 09-05-2023 08:58, Moritz Pflanzer wrote:
Thanks Kees. The doveadm command is showing the same behavior as I can see from 
postfix where the wrong search filter is used:

docker-openldap-1  | 6459e95f.1a1ad6c2 0x7fe379a98700 conn=1427 op=67 SRCH 
base="ou=users,dc=example,dc=com" scope=2 deref=0 
filter="(&(objectClass=posixAccount)(uid=mor...@example.com))"

Why is dovecot still using the default filter setting even though my config now 
looks like this:

hosts = openldap:1389
base = ou=users,dc=example,dc=com
auth_bind = yes
auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com

pass_attrs = \
=user=%{ldap:mail}, \
=password=%{ldap:userPassword}

user_attrs = \
=user=%{ldap:mail}

user_filter = (mail=%u)
iterate_attrs = mail=user

%u refers to the current user. For iterate, you iterate over all users that have dovecot access, probably something like this:

iterate_filter = (objectClass=user)

iterate_attrs = \
   =user=%{ldap:mail}

- Kees.



Anyway, I might have discovered the flaw in my assumptions. I thought I could use the "auth_bind_userdn" 
setting and then wouldn't need to specify "dn" and "dnpass" (or allow anonymous access) 
since there would be no need to search for matching dn's.

But I guess that is only true for the authentication use case and not in the 
case where postfix just needs to know if a user exists or not (like the doveadm 
user command).

Is my (new) understanding correct that I always need a dovecot user (or 
anonymous read access) in the LDAP database?

Thanks,
Moritz

On 08/05/2023 23:36 CEST Kees van Vloten <keesvanvlo...@gmail.com> wrote:

On 08-05-2023 16:43, Moritz Pflanzer wrote:
Hi all,

so far I had a setup where Dovecot was using a passwd file as userdb and 
passdb. Postfix was then authenticating with Dovecot via SASL to validate user 
accounts.

Now I added an LDAP backend and would like to use that for Dovecot and Postfix. 
My first approach was to change the passdb to use the LDAP driver with the 
following settings:

hosts = openldap:1389
base = ou=users,dc=example,dc=com
auth_bind = yes
auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com

And I changed the userdb driver to static since anyway there is just the vmail 
system account for all virtual user mailboxes.

This is working as expected for the IMAP connections. But postfix 
authentication fails as it is apparently using a wrong user_filter. This is 
what I see in the logs from OpenLDAP:

docker-openldap-1  | 645908ae.1d975b70 0x7fe379297700 conn=1347 fd=12 ACCEPT 
from IP=172.19.0.7:52144 (IP=0.0.0.0:1389)
docker-openldap-1  | 645908ae.1d98571f 0x7fe379a98700 conn=1347 op=0 BIND dn="" 
method=128
docker-openldap-1  | 645908ae.1d993bd7 0x7fe379a98700 conn=1347 op=0 RESULT 
tag=97 err=0 qtime=0.000009 etime=0.000072 text=
docker-postfix-1   | May 08 14:35:26 nest postfix/smtpd[12455]: 8A9FC1E03C5: 
client=mo4-p01-ob.smtp.rzone.de[85.215.255.51]
docker-postfix-1   | May 08 14:35:26 nest postfix/cleanup[12461]: 8A9FC1E03C5: 
message-id=<713569303.508224.1683556526...@webmail.strato.de>
docker-postfix-1   | May 08 14:35:26 nest postfix/qmgr[951]: 8A9FC1E03C5: 
from=<mor...@pflanzer.eu>, size=3340, nrcpt=1 (queue active)
docker-postfix-1   | May 08 14:35:26 nest postfix/smtpd[12455]: disconnect from 
mo4-p01-ob.smtp.rzone.de[85.215.255.51] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 
quit=1 commands=7
docker-openldap-1  | 645908ae.2616b031 0x7fe379297700 conn=1347 op=1 SRCH 
base="ou=users,dc=example,dc=com" scope=2 deref=0 
filter="(&(objectClass=posixAccount)(uid=mor...@example.com))"
docker-openldap-1  | 645908ae.26179272 0x7fe379297700 conn=1347 op=1 SRCH 
attr=uid
docker-openldap-1  | 645908ae.2619389b 0x7fe379297700 conn=1347 op=1 SEARCH 
RESULT tag=101 err=32 qtime=0.000017 etime=0.000221 nentries=0 text=

I tried setting the user_filter manually to "user_filter = (mail=%u)" but that 
doesn't have any effect.

Is this the expected behavior from Dovecot? I guess I can get it working by 
using the ldap driver for the userdb as well. But is that the best approach 
since I technically don't need it for dovecot itself. Or should I now change 
the postfix config as well to directly authenticate against the LDAP server 
instead of using SASL with Dovecot?

Looking forward to recommendations,
Moritz
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
First set up and test dovecot-ldap.conf.ext; only when your queries are
correct does it make sense to continue with the rest of the configuration.
Set up pass_filter, pass_attrs, user_filter, user_attrs, iterate_filter,
iterate_attrs.
That last one can be tested with: doveadm user -u "*" and should list
all users.

When these queries work it is easy to add passdb and userdb.

- Kees.


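The thread turns on which filter template Dovecot actually sends for a given lookup and how %u, %n and %d are substituted into it. The Python below is an added illustration, not code from the thread or from Dovecot itself. The default templates are Dovecot's shipped defaults from dovecot-ldap.conf.ext (pass_filter and user_filter both default to "(&(objectClass=posixAccount)(uid=%u))", iterate_filter to "(objectClass=posixAccount)"); the config dict, the lookup names and the reduced variable set (only %u, %n, %d, no modifiers such as %Lu or %{ldap:...}) are assumptions of the example. The value escaping follows RFC 4515, which is the property to confirm for any filter before it goes into production: a username carrying filter metacharacters must not be able to rewrite the query.

```python
import re

# Dovecot's shipped defaults from dovecot-ldap.conf.ext (fact, not an assumption).
DEFAULTS = {
    "pass_filter": "(&(objectClass=posixAccount)(uid=%u))",
    "user_filter": "(&(objectClass=posixAccount)(uid=%u))",
    "iterate_filter": "(objectClass=posixAccount)",
}

# Which lookup consults which template (passdb -> pass_filter, userdb -> user_filter,
# "doveadm user -u '*'" style enumeration -> iterate_filter).
LOOKUP_TO_FILTER = {"passdb": "pass_filter", "userdb": "user_filter", "iterate": "iterate_filter"}


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter assertion.
    '*', '(', ')', '\\' and NUL become backslash + two hex digits."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def split_user(user: str):
    """%u is the full login, %n the part before '@', %d the domain ('' if none)."""
    if "@" in user:
        n, d = user.split("@", 1)
    else:
        n, d = user, ""
    return user, n, d


def expand_filter(template: str, user: str) -> str:
    """Substitute %u/%n/%d into a filter template, escaping the user-supplied text.
    Simplified model (assumption): only these three variables are recognised;
    any other '%' sequence is left untouched."""
    u, n, d = split_user(user)
    subs = {"u": u, "n": n, "d": d}

    def repl(match):
        # A replacement *function* is used so backslashes in the escaped value
        # are inserted literally and not reinterpreted by re.sub.
        return ldap_escape(subs[match.group(1)])

    return re.sub(r"%([und])", repl, template)


def effective_filter(config: dict, lookup: str, user: str) -> str:
    """Return the filter Dovecot would send for `lookup` ('passdb', 'userdb',
    'iterate') given a dovecot-ldap.conf.ext-style mapping; unset keys fall
    back to the shipped default, which is exactly what shows up in the
    OpenLDAP log when only a different filter key was configured."""
    key = LOOKUP_TO_FILTER[lookup]
    template = config.get(key, DEFAULTS[key])
    return expand_filter(template, user)


if __name__ == "__main__":
    # Constructed config: only user_filter was set, pass_filter was not.
    cfg = {"user_filter": "(mail=%u)"}
    for lookup in ("passdb", "userdb", "iterate"):
        print(lookup, "->", effective_filter(cfg, lookup, "alice@example.com"))
    # A hostile login name cannot break out of the assertion once escaped.
    print(expand_filter("(mail=%u)", "*)(uid=*"))
```

Run the block directly to see, for a constructed config that sets only user_filter, that the passdb lookup still carries the default posixAccount/uid filter, which is the shape of the search in the OpenLDAP log above. Checking each of the three templates this way, before testing them with ldapsearch against the directory, is the "test your queries first" step the reply recommends.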