It seems that Rob and I are doing almost exactly the same thing except:

- He uses AD, I use OpenLDAP
- His works, mine doesn't.

        I have:
- Red Hat Linux release 7.2 (Enigma)
- OpenLDAP 2.3.38
- Dovecot 1.0.12, 1.0.13, and 1.1.rc4 (they all fail the same way).

        Sigh... Rob, it sounds like you are trying to do EXACTLY what I am
trying to do:

1. My users login with their email address.

2a. My users are all over the tree in the sense that you cannot
determine the DN from the email alone.  E.g., I am [EMAIL PROTECTED],
but my DN is "cn=Jack McKinney, ou=users, dc=lorentz, dc=com".  Thus, I
need to do a lookup to get the DN to use for auth_bind. However,

2b. My users have contact databases under their DNs.  For example, all
of my contacts are in ou=AddressBook,cn=Jack McKinney, ou=users,
dc=lorentz, dc=com. If I did a subtree search, then
[EMAIL PROTECTED] would pick up my DN, plus the DN of any entry in
anyone's addressbook for me.  I.e., if [EMAIL PROTECTED] had an account on
my system, and they had an entry in their addressbook, then the subtree
query for [EMAIL PROTECTED] would turn up two entries:

dn: cn=Jack McKinney, ou=users, dc=lorentz, dc=com
dn: cn=Jack McKinney, ou=AddressBook, cn=Foo Bar, ou=users, dc=example,
 dc=com

        Thus, I do a query with base "ou=users, dc=%Dd" and scope = onelevel,
so that only the real users are matched.

3. My users do not have any logins on the system.  Just like a web
server is just a web server and not a login system, the same with my
email: all mail lives under the same username and group
(varmail/varmail), and everyone's maildir
is /var/mail/domain/user/Maildir/

        My config is almost exactly the same as yours, except that I use static
userdb and I do not have (nor do I understand the need for; see my
previous post) pass_attrs.  I tried putting them in matching yours, but
it still fails the same way: OpenLDAP receives the query and (according
to its logs) responds with nentries=1 (i.e., exactly one match, as
expected). However, dovecot never sees the response from OpenLDAP.

On Wed, 2008-04-16 at 11:17 +0000, Rob Coward wrote:
> On Wed, 2008-04-16 at 10:39 +0100, Wojtek Bogusz wrote:
> > dear Rob, thank you for support!
> > there are small differences in mine and yours config, like:
> > 
> > - you do not have auth_bind_userdn defined. If I comment mine out I cannot
> > authenticate at all - log file:
> > auth(default): ldap(wojtek,192.168.0.200): unknown user
> > dovecot: auth(default): client out: FAIL^I1^Iuser=wojtek
> 
> Our initial connection is made using the "dn" and "dnpass" settings.
> This looks up the user's dn based on the "(&(objectClass=user)(mail=%u))"
> search criteria.
> 
> My understanding of the auth_bind_userdn setting is that it is only
> useful if all your users are in a specific tree in the ldap, so that you
> can specify (from
> http://wiki.dovecot.org/HowTo/DovecotOpenLdap?highlight=%28auth_bind_userdn%29 )
> auth_bind_userdn = uid=%u,ou=People,dc=_WIZZY_HOSTNAME_,ou=wizzy
> 
> This I believe saves the first lookup to find the dn of the user trying
> to login. Our users are spread throughout our tree, hence using the
> initial lookup as the 'dn'/'dnpass' user to find our user's dn.
> 
> If you remove auth_bind_userdn, do you have 'dn' & 'dnpass' setup with a
> suitable unprivileged user to allow the initial lookup of the logging-in
> user's dn ?
> 
> > 
> > - you have user_attrs = mail=user, me: user_attrs =
> > homeDirectory=home,uidNumber=uid. But I do not think it makes any difference.
> > 
> 
> Our users login with their email address as the userid - hence
> "mail=user" telling dovecot that the userid is stored in the 'mail'
> attribute in the ldap results. We don't bother with 'home' or 'uid' as
> they are all virtual users, using a fixed uid set by "user_global_uid =
> dovecot" and "mail_location: maildir:/data/shared/mailstore/%d/%n"
> 
> > - I did not have deref = never. Do you know what it does? I do not
> > understand the man ldapsearch explanation :(
> 
> something to do with following links to other ldap servers I think. Don't
> think it's strictly necessary in a single server setup.
> 
> > 
> > Rob, could you send me your ldap config (/etc/ldap/slapd.conf) please?
> > Maybe I am making some simple mistake with my ldap config...
> 
> As I said, we use Active Directory (running on Win2k3 servers I
> believe), not slapd.
> 
> Regards,
> Rob
> 
> 
> > Rob Coward wrote:
> > > I can't help you with what is going wrong for you, but we use dovecot
> > > very successfully with ldap lookups against Active Directory, using
> > > auth_bind=yes, and it does not require anonymous connections. The
> > > initial connection is by an un-privileged user that searches for the
> > > user, then a 2nd connection is used, authenticating against AD as the
> > > looked up user using the password supplied to dovecot.
> > > 
> > > Our setup looks like this:
> > > 
> > > # rpm -q dovecot
> > > dovecot-1.0-1.2.0.el5
> > > 
> > > # dovecot -n
> > > # /etc/dovecot.conf
> > > protocols: imap pop3
> > > login_dir: /var/run/dovecot/login
> > > login_executable(default): /usr/libexec/dovecot/imap-login
> > > login_executable(imap): /usr/libexec/dovecot/imap-login
> > > login_executable(pop3): /usr/libexec/dovecot/pop3-login
> > > login_user: dovecotlogin
> > > login_process_size: 64
> > > login_processes_count: 10
> > > login_max_processes_count: 64
> > > first_valid_uid: 97
> > > default_mail_env: maildir:/data/shared/mailstore/%d/%n
> > > mail_location: maildir:/data/shared/mailstore/%d/%n
> > > mail_executable(default): /usr/libexec/dovecot/imap
> > > mail_executable(imap): /usr/libexec/dovecot/imap
> > > mail_executable(pop3): /usr/libexec/dovecot/pop3
> > > mail_plugin_dir(default): /usr/lib64/dovecot/imap
> > > mail_plugin_dir(imap): /usr/lib64/dovecot/imap
> > > mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
> > > auth default:
> > >   passdb:
> > >     driver: ldap
> > >     args: /etc/dovecot-ldap.conf
> > >   passdb:
> > >     driver: ldap
> > >     args: /etc/dovecot-ldap-fr.conf
> > >   passdb:
> > >     driver: ldap
> > >     args: /etc/dovecot-ldap-se.conf
> > >   userdb:
> > >     driver: ldap
> > >     args: /etc/dovecot-ldap.conf
> > >   userdb:
> > >     driver: ldap
> > >     args: /etc/dovecot-ldap-fr.conf
> > >   userdb:
> > >     driver: ldap
> > >     args: /etc/dovecot-ldap-se.conf
> > > 
> > > # cat /etc/dovecot-ldap.conf
> > > hosts = ad.our.net
> > > dn=CN=Lookup,CN=Users,DC=our,DC=net
> > > dnpass=XXXXXXXX
> > > auth_bind = yes
> > > ldap_version = 3
> > > base = OU=Stores,OU=UK,DC=our,DC=net
> > > deref = never
> > > scope = subtree
> > > user_attrs = mail=user
> > > user_filter = (&(objectClass=user)(mail=%u))
> > > pass_attrs = mail=user,userPassword=password,mail=userdb_user
> > > pass_filter = (&(objectClass=user)(mail=%u))
> > > user_global_uid = dovecot
> > > user_global_gid = dovecot
> > > 
> > > We use multiple userdb / passdb definitions and ldap configs in order to
> > > limit the searches of our AD schema to specific sub-trees, both for
> > > performance and as there are other users elsewhere in our schema that we
> > > don't want dovecot to allow to connect.
> > > 
> > > Hope this helps you.
> > > Rob
> > > 
> > > On Wed, 2008-04-16 at 00:19 +0100, Wojtek Bogusz wrote:
> > >>>> /etc/ldap/slapd.conf:
> > >>>> access to attr=uid,homeDirectory,uidNumber
> > >>>>         by anonymous read
> > >>> I do not have this in my configuration, and dovecot does indeed use the
> > >>> credential I provide to successfully query LDAP for the user based on
> > >>> the (mail=%u) criteria.  However, it does not see the reply.
> > >>> The fact that it does perform the query successfully implies to me that
> > >>> it does not use an anonymous connection.  Very puzzling.
> > >>
> > >> I have no idea what dovecot is doing :-) From the log file it looks like
> > >> there are 2 queries to ldap: 1. to check the provided password for the
> > >> provided user name, 2. to find user related information (and from what
> > >> Steffen wrote this one is done with an anonymous user - correct?).
> > >>
> > >> [On the margin: why isn't it done in one query: get me the user related
> > >> information, I am binding with the provided user and with the provided
> > >> password. This way it would be one query for two things.]
> > >>
> > >> In my case, I cannot list user related information from ldap in an
> > >> anonymous connection even from the command line, using: ldapsearch -x -b
> > >> 'ou=Users,dc=frontline' '(&(objectClass=posixAccount)(uid=wojtek))'
> > >> homeDirectory
> > >>
> > >> So I guess that I have to work out ldap settings for anonymous query. My
> > >> /etc/ldap/slapd.conf related to access permissions is:
> > >>
> > >> access to dn.children="ou=Users,dc=frontline" 
> > >> attrs=uid,homeDirectory,uidNumber
> > >>         by anonymous read
> > >> access to attrs=userPassword,sambaNTPassword,sambaLMPassword
> > >>          by dn="cn=admin,dc=frontline" write
> > >>          by anonymous auth
> > >>          by self write
> > >>          by * none
> > >> access to dn.children="ou=Users,dc=frontline"
> > >>          by dn="cn=root,ou=Users,dc=frontline" read
> > >>          by anonymous auth
> > >>          by self write
> > >> access to dn.base="" by * read
> > >> access to *
> > >>          by dn="cn=admin,dc=frontline" write
> > >>          by * read
> > >>
> > >> Maybe the problem is here... any hints please?
> > >>
> > >> Regards, Wojtek
> > > 
-- 
Jack McKinney
GPG 1024D/99C6A174
[EMAIL PROTECTED] YM:lfaatsnat2006 AIM:jackmclorentz
Beware geeks bearing diffs
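The flow the thread describes (Rob's two binds, and Jack's reason for using scope = onelevel under ou=users) can be modelled end to end. The block below is an added example written for this page; it is not Dovecot or OpenLDAP code and uses a constructed in-memory directory. It assumes plaintext userPassword values (a real directory stores hashes), takes %Dd to expand to the login domain as dc= components, and places the address-book copy of Jack under another user in the same domain so that the collision falls inside the ou=users search base; it does not model slapd ACLs, referrals, or alias dereferencing (which is what the `deref` setting governs on a real server).

```python
"""Model of Dovecot's auth_bind=yes flow against a small in-memory directory.
Constructed for this thread (not Dovecot or OpenLDAP code): expands base and
pass_filter from the login name, searches with base/onelevel/subtree scope,
then binds as the found DN with the client's password, as Rob describes."""
import re

# Constructed directory, DN -> attributes (attribute names lower-cased).
# Jack's address-book copy sits under another user in the SAME domain, so it
# lies inside the ou=users search base and collides on mail=.
DIRECTORY = {
    "cn=lookup,ou=services,dc=lorentz,dc=com":
        {"objectclass": ["simpleSecurityObject"], "userpassword": ["lookup-secret"]},
    "cn=Jack McKinney,ou=users,dc=lorentz,dc=com":
        {"objectclass": ["inetOrgPerson"], "mail": ["jack@lorentz.com"],
         "userpassword": ["jacks-password"]},
    "cn=Foo Bar,ou=users,dc=lorentz,dc=com":
        {"objectclass": ["inetOrgPerson"], "mail": ["foo@lorentz.com"],
         "userpassword": ["foos-password"]},
    "ou=AddressBook,cn=Foo Bar,ou=users,dc=lorentz,dc=com":
        {"objectclass": ["organizationalUnit"]},
    "cn=Jack McKinney,ou=AddressBook,cn=Foo Bar,ou=users,dc=lorentz,dc=com":
        {"objectclass": ["inetOrgPerson"], "mail": ["jack@lorentz.com"]},  # no password
}

def parse_dn(dn):
    """DN -> [(attr, value)] leaf first; plain unescaped RDNs only."""
    return [(a.strip().lower(), v.strip())
            for a, _, v in (p.partition("=") for p in dn.split(","))]

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is reachable from base_dn under the given scope."""
    e, b = parse_dn(entry_dn), parse_dn(base_dn)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False                          # not under the base at all
    depth = len(e) - len(b)
    return {"base": depth == 0, "onelevel": depth == 1, "subtree": True}[scope]

def ldap_escape(value):
    """RFC 4515 escaping for a value interpolated into a filter, so a login
    such as '*)(objectClass=*' cannot widen the search (Dovecot escapes %u)."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def expand(template, login, escape=False):
    """Dovecot-style variables used in this thread: %u, %n, %d and %Dd, which
    this model takes to be the domain as dc= components (an assumption)."""
    local, _, domain = login.partition("@")
    subs = {"%u": login, "%n": local, "%d": domain,
            "%Dd": ",".join("dc=" + p for p in domain.split("."))}
    return re.sub(r"%Dd|%[und]",
                  lambda m: ldap_escape(subs[m.group()]) if escape else subs[m.group()],
                  template)

def parse_filter(s):
    """Parse the RFC 4515 subset (&..), (|..), (!..), (attr=value), (attr=*)."""
    pos = 0
    def node():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if s[pos] in "&|!":
            op, pos = s[pos], pos + 1
            kids = []
            while s[pos] == "(":
                kids.append(node())
            pos += 1                          # consume ')'
            return (op, kids)
        end = s.index(")", pos)               # escaped values never hold a raw ')'
        attr, _, value = s[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), value)
    tree = node()
    if pos != len(s):
        raise ValueError("trailing characters in filter")
    return tree

def matches(node, attrs):
    op = node[0]
    if op == "&": return all(matches(k, attrs) for k in node[1])
    if op == "|": return any(matches(k, attrs) for k in node[1])
    if op == "!": return not matches(node[1][0], attrs)
    _, attr, value = node
    if value == "*":
        return attr in attrs
    return ldap_unescape(value).lower() in [v.lower() for v in attrs.get(attr, [])]

def search(directory, base, scope, filt):
    tree = parse_filter(filt)
    return [dn for dn, attrs in directory.items()
            if in_scope(dn, base, scope) and matches(tree, attrs)]

def bind(directory, dn, password):
    """Simple bind. An empty password is refused: on a real server it is an
    unauthenticated bind (RFC 4513 5.1.2) that succeeds without proving anything."""
    attrs = directory.get(dn)
    return bool(attrs and password and password in attrs.get("userpassword", []))

def auth_bind(directory, cfg, login, password):
    """Step 1 bind as dn/dnpass; step 2 search for the user's DN; step 3 bind as it."""
    if not bind(directory, cfg["dn"], cfg["dnpass"]):
        return ("fail", "lookup account bind failed")
    found = search(directory, expand(cfg["base"], login), cfg["scope"],
                   expand(cfg["pass_filter"], login, escape=True))
    if len(found) != 1:                       # 0 = unknown user; >1 = ambiguous, fail closed
        return ("fail", f"{len(found)} entries matched")
    if not bind(directory, found[0], password):
        return ("fail", "password bind failed")
    return ("ok", found[0])

SUBTREE_CFG = {"dn": "cn=lookup,ou=services,dc=lorentz,dc=com", "dnpass": "lookup-secret",
               "base": "ou=users,%Dd", "scope": "subtree",
               "pass_filter": "(&(objectClass=inetOrgPerson)(mail=%u))"}
ONELEVEL_CFG = dict(SUBTREE_CFG, scope="onelevel")

if __name__ == "__main__":
    for cfg in (SUBTREE_CFG, ONELEVEL_CFG):
        print(cfg["scope"], auth_bind(DIRECTORY, cfg, "jack@lorentz.com", "jacks-password"))
```

With scope = subtree the search for jack@lorentz.com returns both the real entry and Foo's address-book copy, and the model refuses to pick one (the `len(found) != 1` check is the fail-closed behaviour to expect when the lookup is ambiguous; the nentries=1 Jack sees in his slapd log is the case that passes it). With scope = onelevel only the real user matches and the second bind proceeds. The escaping in `expand` is why a login name cannot rewrite the filter; the same input left unescaped would turn `(mail=%u)` into extra filter terms and match every inetOrgPerson under the base. On a real slapd the second bind also needs `auth` access to userPassword for the not-yet-authenticated connection, which is what Wojtek's `by anonymous auth` line grants, and the lookup account needs read access to the attributes named in pass_filter.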

