Thanks Kees. The doveadm command is showing the same behavior as I can see from postfix where the wrong search filter is used:

docker-openldap-1 | 6459e95f.1a1ad6c2 0x7fe379a98700 conn=1427 op=67 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=mor...@example.com))"

Why is dovecot still using the default filter setting even though my config now looks like this:

hosts = openldap:1389
base = ou=users,dc=example,dc=com
auth_bind = yes
auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com
pass_attrs = \
  =user=%{ldap:mail}, \
  =password=%{ldap:userPassword}
user_attrs = \
  =user=%{ldap:mail}
user_filter = (mail=%u)
iterate_attrs = mail=user

Anyway, I might have discovered the flaw in my assumptions. I thought I could use the "auth_bind_userdn" setting and then wouldn't need to specify "dn" and "dnpass" (or allow anonymous access) since there would be no need to search for matching DNs. But I guess that is only true for the authentication use case and not in the case where postfix just needs to know if a user exists or not (like the doveadm user command).

Is my (new) understanding correct that I always need a dovecot user (or anonymous read access) in the LDAP database?

Thanks,
Moritz

> On 08/05/2023 23:36 CEST Kees van Vloten <keesvanvlo...@gmail.com> wrote:
>
>
> On 08-05-2023 16:43, Moritz Pflanzer wrote:
> > Hi all,
> >
> > so far I had a setup where Dovecot was using a passwd file as userdb and
> > passdb. Postfix was then authenticating with Dovecot via SASL to validate
> > user accounts.
> >
> > Now I added an LDAP backend and would like to use that for Dovecot and
> > Postfix. My first approach was to change the passdb to use the LDAP driver
> > with the following settings:
> >
> > hosts = openldap:1389
> > base = ou=users,dc=example,dc=com
> > auth_bind = yes
> > auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com
> >
> > And I changed the userdb driver to static since anyway there is just the
> > vmail system account for all virtual user mailboxes.
> >
> > This is working as expected for the IMAP connections. But postfix
> > authentication fails as it is apparently using a wrong user_filter. This is
> > what I see in the logs from OpenLDAP:
> >
> > docker-openldap-1 | 645908ae.1d975b70 0x7fe379297700 conn=1347 fd=12 ACCEPT from IP=172.19.0.7:52144 (IP=0.0.0.0:1389)
> > docker-openldap-1 | 645908ae.1d98571f 0x7fe379a98700 conn=1347 op=0 BIND dn="" method=128
> > docker-openldap-1 | 645908ae.1d993bd7 0x7fe379a98700 conn=1347 op=0 RESULT tag=97 err=0 qtime=0.000009 etime=0.000072 text=
> > docker-postfix-1 | May 08 14:35:26 nest postfix/smtpd[12455]: 8A9FC1E03C5: client=mo4-p01-ob.smtp.rzone.de[85.215.255.51]
> > docker-postfix-1 | May 08 14:35:26 nest postfix/cleanup[12461]: 8A9FC1E03C5: message-id=<713569303.508224.1683556526...@webmail.strato.de>
> > docker-postfix-1 | May 08 14:35:26 nest postfix/qmgr[951]: 8A9FC1E03C5: from=<mor...@pflanzer.eu>, size=3340, nrcpt=1 (queue active)
> > docker-postfix-1 | May 08 14:35:26 nest postfix/smtpd[12455]: disconnect from mo4-p01-ob.smtp.rzone.de[85.215.255.51] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
> > docker-openldap-1 | 645908ae.2616b031 0x7fe379297700 conn=1347 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=mor...@example.com))"
> > docker-openldap-1 | 645908ae.26179272 0x7fe379297700 conn=1347 op=1 SRCH attr=uid
> > docker-openldap-1 | 645908ae.2619389b 0x7fe379297700 conn=1347 op=1 SEARCH RESULT tag=101 err=32 qtime=0.000017 etime=0.000221 nentries=0 text=
> >
> > I tried setting the user_filter manually to "user_filter = (mail=%u)" but
> > that doesn't have any effect.
> >
> > Is this the expected behavior from Dovecot? I guess I can get it working by
> > using the ldap driver for the userdb as well. But is that the best approach
> > since I technically don't need it for dovecot itself.
> > Or should I now
> > change the postfix config as well to directly authenticate against the LDAP
> > server instead of using SASL with Dovecot?
> >
> > Looking forward to recommendations,
> > Moritz
> > _______________________________________________
> > dovecot mailing list -- dovecot@dovecot.org
> > To unsubscribe send an email to dovecot-le...@dovecot.org
>
> First setup and test dovecot-ldap.conf.ext, only when your queries are
> correct it makes sense to continue with the rest of the configuration.
> Setup pass_filter, pass_attrs, user_filter, user_attrs, iterate_filter,
> iterate_attrs.
> That last one can be tested with: doveadm user -u "*" and should list
> all users.
>
> When these queries work it is easy to add passdb and userdb.
>
> - Kees.
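As an added example (not a config from the thread), a dovecot-ldap.conf.ext that combines bind authentication for the passdb with a read-only service account for the searches that userdb lookups, "doveadm user" and iteration perform; the service account DN and the filters on the mail attribute are assumptions chosen to match the setup discussed above.

```conf
# Added example, not from the thread: /etc/dovecot/dovecot-ldap.conf.ext
# The service account DN, its password placeholder and the mail-based
# filters are assumptions.

hosts = openldap:1389
base  = ou=users,dc=example,dc=com

# Credentials for every LDAP *search* Dovecot makes (userdb lookups,
# "doveadm user", iteration, and any passdb lookup that has to find a DN).
# Without dn/dnpass Dovecot binds anonymously, which is the BIND dn=""
# seen in the slapd log, so the search only works with anonymous read access.
# Because dnpass is stored here, keep this file readable by root only.
dn     = uid=dovecot,ou=services,dc=example,dc=com
dnpass = REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD

# passdb: verify the password by binding to LDAP as the user.
auth_bind = yes

# Variant A: find the user's DN with pass_filter (a search using dn/dnpass),
# then bind as that DN. Lets users log in with their mail address.
pass_filter = (mail=%u)
pass_attrs  = =user=%{ldap:mail}

# Variant B: skip the passdb search when the DN follows from the login name.
# This only affects the passdb; the userdb searches below still need dn/dnpass
# or anonymous read access.
#auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com

# userdb: used by "doveadm user" and by anything that only needs to know
# whether an account exists. These are searches, never a bind as the user.
user_filter = (mail=%u)
user_attrs  = =user=%{ldap:mail}

# iteration: "doveadm user -u '*'" lists every entry matching this filter.
iterate_filter = (mail=*)
iterate_attrs  = mail=user
```

Reference the file from dovecot.conf with `passdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext }` and a matching `userdb { driver = ldap ... }` block. `doveadm auth test user@example.com` exercises the passdb bind and `doveadm user -u "*"` the iteration, which is the check Kees describes.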