Thanks Kees. The doveadm command is showing the same behavior as I can see from 
postfix where the wrong search filter is used:

docker-openldap-1  | 6459e95f.1a1ad6c2 0x7fe379a98700 conn=1427 op=67 SRCH 
base="ou=users,dc=example,dc=com" scope=2 deref=0 
filter="(&(objectClass=posixAccount)(uid=mor...@example.com))"

Why is dovecot still using the default filter setting even though my config now 
looks like this:

hosts = openldap:1389
base = ou=users,dc=example,dc=com
auth_bind = yes
auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com

pass_attrs = \
=user=%{ldap:mail}, \
=password=%{ldap:userPassword}

user_attrs = \
=user=%{ldap:mail}

user_filter = (mail=%u)
iterate_attrs = mail=user


Anyway, I might have discovered the flaw in my assumptions. I thought I could use 
the "auth_bind_userdn" setting and then wouldn't need to specify "dn" and "dnpass" 
(or allow anonymous access), since there would be no need to search for matching 
DNs.

But I guess that is only true for the authentication use case and not in the 
case where postfix just needs to know if a user exists or not (like the doveadm 
user command).

Is my (new) understanding correct that I always need a dovecot user (or 
anonymous read access) in the LDAP database?

Thanks,
Moritz

> On 08/05/2023 23:36 CEST Kees van Vloten <keesvanvlo...@gmail.com> wrote:
> 
>  
> On 08-05-2023 16:43, Moritz Pflanzer wrote:
> > Hi all,
> >
> > so far I had a setup where Dovecot was using a passwd file as userdb and 
> > passdb. Postfix was then authenticating with Dovecot via SASL to validate 
> > user accounts.
> >
> > Now I added an LDAP backend and would like to use that for Dovecot and 
> > Postfix. My first approach was to change the passdb to use the LDAP driver 
> > with the following settings:
> >
> > hosts = openldap:1389
> > base = ou=users,dc=example,dc=com
> > auth_bind = yes
> > auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com
> >
> > And I changed the userdb driver to static since anyway there is just the 
> > vmail system account for all virtual user mailboxes.
> >
> > This is working as expected for the IMAP connections. But postfix 
> > authentication fails as it is apparently using a wrong user_filter. This is 
> > what I see in the logs from OpenLDAP:
> >
> > docker-openldap-1  | 645908ae.1d975b70 0x7fe379297700 conn=1347 fd=12 
> > ACCEPT from IP=172.19.0.7:52144 (IP=0.0.0.0:1389)
> > docker-openldap-1  | 645908ae.1d98571f 0x7fe379a98700 conn=1347 op=0 BIND 
> > dn="" method=128
> > docker-openldap-1  | 645908ae.1d993bd7 0x7fe379a98700 conn=1347 op=0 RESULT 
> > tag=97 err=0 qtime=0.000009 etime=0.000072 text=
> > docker-postfix-1   | May 08 14:35:26 nest postfix/smtpd[12455]: 
> > 8A9FC1E03C5: client=mo4-p01-ob.smtp.rzone.de[85.215.255.51]
> > docker-postfix-1   | May 08 14:35:26 nest postfix/cleanup[12461]: 
> > 8A9FC1E03C5: message-id=<713569303.508224.1683556526...@webmail.strato.de>
> > docker-postfix-1   | May 08 14:35:26 nest postfix/qmgr[951]: 8A9FC1E03C5: 
> > from=<mor...@pflanzer.eu>, size=3340, nrcpt=1 (queue active)
> > docker-postfix-1   | May 08 14:35:26 nest postfix/smtpd[12455]: disconnect 
> > from mo4-p01-ob.smtp.rzone.de[85.215.255.51] ehlo=2 starttls=1 mail=1 
> > rcpt=1 data=1 quit=1 commands=7
> > docker-openldap-1  | 645908ae.2616b031 0x7fe379297700 conn=1347 op=1 SRCH 
> > base="ou=users,dc=example,dc=com" scope=2 deref=0 
> > filter="(&(objectClass=posixAccount)(uid=mor...@example.com))"
> > docker-openldap-1  | 645908ae.26179272 0x7fe379297700 conn=1347 op=1 SRCH 
> > attr=uid
> > docker-openldap-1  | 645908ae.2619389b 0x7fe379297700 conn=1347 op=1 SEARCH 
> > RESULT tag=101 err=32 qtime=0.000017 etime=0.000221 nentries=0 text=
> >
> > I tried setting the user_filter manually to "user_filter = (mail=%u)" but 
> > that doesn't have any effect.
> >
> > Is this the expected behavior from Dovecot? I guess I can get it working by 
> > using the ldap driver for the userdb as well. But is that the best approach 
> > since I technically don't need it for dovecot itself. Or should I now 
> > change the postfix config as well to directly authenticate against the LDAP 
> > server instead of using SASL with Dovecot?
> >
> > Looking forward to recommendations,
> > Moritz
> > _______________________________________________
> > dovecot mailing list -- dovecot@dovecot.org
> > To unsubscribe send an email to dovecot-le...@dovecot.org
> First set up and test dovecot-ldap.conf.ext; only when your queries are 
> correct does it make sense to continue with the rest of the configuration.
> Set up pass_filter, pass_attrs, user_filter, user_attrs, iterate_filter, 
> iterate_attrs.
> That last one can be tested with: doveadm user -u "*"  and should list 
> all users.
> 
> When these queries work it is easy to add passdb and userdb.
> 
> - Kees.
> 
> 
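
The filters in the OpenLDAP log above are what Dovecot's documented default for pass_filter and user_filter, (&(objectClass=posixAccount)(uid=%u)), expands to when %u is the full login name; the auth_bind_userdn in the thread's config, uid=%n,..., suggests that uid holds only the local part, which is consistent with the search returning nentries=0. The Python below is an added illustration and is neither Dovecot's code nor anything posted in the thread. It assumes the documented meaning of %u (full login), %n (local part) and %d (domain), deliberately leaves other variables and modifiers such as %Lu untouched, escapes filter values per RFC 4515 and DN values per RFC 4514, and uses a constructed login moritz@example.com plus a hostile one, *)(uid=*, to show that a crafted login cannot rewrite the filter. Dovecot escapes these variables itself; the point is to see the expanded bind DN and the default versus (mail=%u) filter side by side.

```python
"""Dovecot-style %-variable expansion into an LDAP bind DN and search filter.

Added illustration, not Dovecot's own code. Assumptions: %u is the full login
name, %n its local part and %d its domain, as documented for Dovecot; other
variables and modifiers (for example %Lu) are left untouched. Values are
escaped per RFC 4515 (filter) and RFC 4514 (DN). Dovecot performs its own
escaping internally; this only shows what the expanded queries look like.
"""
import re

# Dovecot's documented default for pass_filter and user_filter.
DEFAULT_FILTER = "(&(objectClass=posixAccount)(uid=%u))"

# Templates taken from the configuration posted in the thread.
BIND_DN_TEMPLATE = "uid=%n,ou=users,dc=example,dc=com"
MAIL_FILTER = "(mail=%u)"

_VAR = re.compile(r"%([und])")


def split_user(user: str) -> tuple[str, str]:
    """Return (local part, domain); the domain is '' when there is no '@'."""
    local, _, domain = user.partition("@")
    return local, domain


def escape_filter_value(value: str) -> str:
    """RFC 4515: escape *, (, ), backslash and NUL as backslash + two hex digits."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def escape_dn_value(value: str) -> str:
    """RFC 4514: backslash-escape DN metacharacters, a leading '#' or space
    and a trailing space; NUL becomes backslash-00."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def expand(template: str, user: str, escape) -> str:
    """Substitute %u, %n and %d in template, escaping each value with escape()."""
    local, domain = split_user(user)
    values = {"u": user, "n": local, "d": domain}
    return _VAR.sub(lambda m: escape(values[m.group(1)]), template)


def bind_dn(user: str, template: str = BIND_DN_TEMPLATE) -> str:
    """The DN Dovecot would bind as with auth_bind = yes and auth_bind_userdn."""
    return expand(template, user, escape_dn_value)


def search_filter(user: str, template: str = DEFAULT_FILTER) -> str:
    """The filter a passdb/userdb search would send for this login."""
    return expand(template, user, escape_filter_value)


if __name__ == "__main__":
    # Constructed logins; the second one would break an unescaped filter.
    for login in ("moritz@example.com", "*)(uid=*"):
        print("login:         ", login)
        print("auth_bind dn:  ", bind_dn(login))
        print("default filter:", search_filter(login))
        print("mail filter:   ", search_filter(login, MAIL_FILTER))
        print()
```

Running it shows the default filter carrying the full address into uid, exactly as in the slapd log, while (mail=%u) sends the same address to the mail attribute; the bind DN only ever receives the %n local part.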
