Re: [Dovecot] Dovecot deliver with AD LDAP userdb [SOLVED]

2009-10-16 Thread Mark Schaub
> Well, does the port 389 work then? It's mentioned there only because
> someone complained that 389 didn't work.. Perhaps because it required
> TLS? Or something, I don't know.

I will have to play with it some. Just switching to port 389 really
slowed everything down and may have caused some other problems, but
that could also be due to my configuration. It may be possible to use
the GC port for the pass_filter queries and 389 on the user_filter
queries. The more I think about it the more it makes sense in this
case to add the otherMailbox field to the global catalog and index it,
as this will be a very common ldap search.


Re: [Dovecot] Dovecot deliver with AD LDAP userdb [SOLVED]

2009-10-16 Thread Mark Schaub
> Then there's something different what Dovecot and ldapsearch does. They
> have the same dn, dnpass, neither uses tls, same base, deref, scope?
>

I figured it out, there certainly is something different! The
AuthDatabase/LDAP documentation on the Dovecot Wiki says "When
connecting to AD, use port 3268". Port 3268 is used for Global Catalog
searching. By default the Active Directory Global Catalog wouldn't
include attributes like otherMailbox, but would include mail and sn.
The solution here would be to either use port 389 and search the
domain like ldapsearch or to add the otherMailbox attribute (or any
others I want to search on) to the global catalog.

It might be worth updating the wiki to mention the reasoning behind
using port 3268 and the implications it can cause.

Thanks for the help!
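To check which attributes a Dovecot filter can actually match through the Global Catalog port, here is an added Python example (not part of this thread or of Dovecot itself): it parses `ldapsearch -LLL` output for the same user taken from port 389 and from port 3268, lists the attributes the GC copy lacks, and flags the attributes in a user_filter that can therefore never match on 3268. The LDIF samples, the example.org domain and the user names are constructed.

```python
import base64
import re
from collections import defaultdict

# Constructed sample LDIF, shaped like `ldapsearch -LLL` output for one user.
# The 389 (domain) copy carries every attribute; the 3268 (Global Catalog)
# copy lacks otherMailbox and title, the attributes this thread found unusable.
DC_LDIF = """\
dn: CN=Example User,CN=Users,DC=example,DC=org
objectClass: person
sAMAccountName: euser
mail: example.user@example.org
otherMailbox: tech@example.org
otherMailbox: postmaster@example.org
sn: User
title:: U3lzdGVtcyBBZG1pbmlzdHJhdG9y
"""
GC_LDIF = """\
dn: CN=Example User,CN=Users,DC=example,DC=org
objectClass: person
sAMAccountName: euser
mail: example.user@example.org
sn: User
"""

def parse_ldif(text):
    """Map lowercase attribute name -> list of values for the first LDIF entry.
    Folded lines (leading space) are re-joined; '::' values are base64-decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line folding
        elif raw.startswith("#"):
            continue
        elif not raw and lines:
            break                         # blank line ends the first entry
        elif raw:
            lines.append(raw)
    attrs = defaultdict(list)
    for line in lines:
        name, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
        attrs[name.lower()].append(value)
    return dict(attrs)

def missing_from_gc(dc_ldif, gc_ldif):
    """Attributes the DC (389) returns that the GC (3268) copy does not carry."""
    return sorted(set(parse_ldif(dc_ldif)) - set(parse_ldif(gc_ldif)))

FILTER_ATTR = re.compile(r"\(([A-Za-z][\w.;-]*)=")   # attribute name in "(attr=value)"

def unusable_filter_attrs(ldap_filter, gc_ldif):
    """Filter attributes that can never match over 3268 because the GC lacks them."""
    gc, seen, out = parse_ldif(gc_ldif), set(), []
    for name in FILTER_ATTR.findall(ldap_filter):
        if name.lower() not in gc and name.lower() not in seen:
            seen.add(name.lower())
            out.append(name)
    return out

USER_FILTER = "(&(objectclass=person)(|(sAMAccountName=%n)(mail=%n@example.org)(otherMailbox=%n@example.org)))"

if __name__ == "__main__":
    print("not in GC:", missing_from_gc(DC_LDIF, GC_LDIF))
    print("filter attributes dead on 3268:", unusable_filter_attrs(USER_FILTER, GC_LDIF))
```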


Re: [Dovecot] Dovecot deliver with AD LDAP userdb

2009-10-16 Thread Mark Schaub
> What about pass_filter, does that work with imap/pop3 logins?

Interesting question. Typically users only try to log in with their
sAMAccountName and that's always worked just fine. I just tested this
and pass_filter seems to be running into the same issue. If I set the
pass_filter to:

pass_filter = (&(objectclass=person)(|(sAMAccountName=%n)(otherMailbox=%n)))

Then I am not able to log in using my email alias. However if I set it to:

pass_filter = (&(objectclass=person)(|(sAMAccountName=%n)(sn=%n)))

Then I am able to log in using my last name. Just like before other
fields like postalCode and title will not work. For each attribute
that does not work I have verified that an ldapsearch using the same
filter returns exactly 1 sAMAccountName.

All the log shows for the failure (when I attempt to login as my
"postmaster" alias) is:

Info: ldap(postmaster,127.0.0.1): unknown user

But if I set the filter to check the mail attribute and login using my
mail it correctly changes my username (as my mail address is different
from my username):

Info: auth(mark.schaub,127.0.0.1): username changed mark.schaub -> mschaub
Info: ldap(mschaub,127.0.0.1): result: sAMAccountName(user)=mschaub
Info: client out: OK 1   user=mschaub


Re: [Dovecot] Dovecot deliver with AD LDAP userdb

2009-10-16 Thread Mark Schaub
I have tried the user_filter you suggested, it did not change
anything. I played around with some Active Directory permissions today
and set it up so that I could perform anonymous queries and verified
that they were successful with ldapsearch on the command line. This
still didn't seem to help the problem.

As far as I can tell userdb ldap queries are run using the user
specified in dn with the password specified in dnpass. I know those
fields are correct as userdb has no problem querying users by
sAMAccountName or mail attributes. I also know that the user_filter
string works as I can run an ldapsearch using dn, dnpass, and
user_filter and that returns the correct information. For some reason
when the deliver process does this nothing is returned.

As I mentioned in the initial post, some fields work and others do
not. If I change the filter to look for sn=%n and try to deliver to my
last name then it delivers fine. If I set the filter to title=%n and
try to deliver to my title then I get the same problem as with
otherMailbox.

Is there schema information dovecot is using that defines certain
userdb attributes it can and can't use?

On Thu, Oct 15, 2009 at 12:28 PM, Timo Sirainen wrote:
> On Wed, 2009-10-14 at 16:00 -0400, Mark Schaub wrote:
>> user_filter = 
>> (&(objectclass=person)(|(sAMAccountName=%n)(mail...@sau24.org)(othermailbox...@sau24.org)))
>
> My LDAP knowledge isn't that great, but does | accept more than one
> parameter? Try changing this to:
>
> user_filter = 
> (&(objectclass=person)(|(sAMAccountName=%n)(|(mail...@sau24.org)(othermailbox...@sau24.org
>
> Other than that, I don't really have much ideas. Does the same filter
> work with e.g. ldapsearch?
>
>


[Dovecot] Dovecot deliver with AD LDAP userdb

2009-10-14 Thread Mark Schaub
Good Afternoon,

I have my virtual users stored in an Active Directory database. As far
as mail info goes the 2 important fields are: mail (their primary
email address) and otherMailbox (a multivalue attribute containing
their mail aliases). Right now all email addresses belong in the same
domain and there are no immediate plans to change this.

If I use Postfix to do the lookups and delivery only using Dovecot for
passdb Pam driver and a static userdb then everything delivers fine to
mail and otherMailbox addresses. I have been working on switching over
to Dovecot's deliver process in order to integrate sieve capability. I
have configured userdb ldap and passdb ldap in Dovecot and have set up
master and client sockets. Before I describe my problem let me show
you my configuration (as I think the dovecot-ldap.conf in particular
needs to be explained). Here are the important parts of dovecot.conf:

auth default {
  socket listen {
    master {
      path = /usr/var/run/dovecot/auth-master
      mode = 0666
      user = vmail
      group = vmail
    }

    client {
      path = /var/spool/postfix/private/auth
      mode = 0666
      user = postfix
      group = postfix
    }
  }

  passdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  userdb ldap {
    # Path for LDAP configuration file, see doc/dovecot-ldap-example.conf
    args = /etc/dovecot-ldap.conf
  }
}

and my dovecot -n:

lda:
  postmaster_address: postmas...@sau24.org
  mail_plugins: sieve
auth default:
  mechanisms: plain login
  debug: yes
  passdb:
    driver: ldap
    args: /etc/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot-ldap.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 438
      user: postfix
      group: postfix
    master:
      path: /usr/var/run/dovecot/auth-master
      mode: 438
      user: vmail
      group: vmail
plugin:
  sieve: ~/.dovecot.sieve
  sieve_dir: ~/sieve
  sieve_storage: ~/sieve

Further, here is my dovecot-ldap.conf:

hosts = delldb.sau24.org:3268
base = dc=sau24, dc=org
ldap_version = 3
dn = cn=Mail User,cn=Users,dc=sau24,dc=org
dnpass = secret
auth_bind = yes
scope = subtree
user_attrs = sAMAccountName=home=/home/vmail/%$,=uid=501,=gid=501
pass_attrs = sAMAccountName=user
user_filter = (&(objectclass=person)(|(sAMAccountName=%n)(mail...@sau24.org)(othermailbox...@sau24.org)))
pass_filter = (&(objectclass=person)(|(sAMAccountName=%n)(mail...@sau24.org)(othermailbox...@sau24.org)))

Now, you'll notice that the user_filter and pass_filter have the
domain statically placed after the mail and othermailbox attributes.
The reason for this is that this ldap configuration is used for both
authentication purposes and local delivery, so it's not always being
passed the domain info (for authentication it gets the user's IP
address). Since all my users are on the same domain I can statically
set this here. This setup authenticates users to imap and pop (users
use their sAMAccountName as their username when they log in), and
pulls their correct home directory. Checking mail is not a problem at
all.

Further, this setup will deliver mail correctly to mail addressed to
the value in the "mail" attribute. The problem seems to be in the
otherMailbox attribute: it cannot look up the user's sAMAccountName
based off of the otherMailbox field. Here is what it looks like in the
logs for mail sent to my "mail" attribute (mark.sch...@sau24.org):

Oct 14 12:36:19 auth(default): Info: master in: USER1
mark.sch...@sau24.org   service=deliver
Oct 14 12:36:19 auth(default): Info: ldap(mark.sch...@sau24.org): user
search: base=dc=sau24, dc=org scope=subtree
filter=(&(objectclass=user)(|(sAMAccountName=mark.schaub)(mail=mark.sch...@sau24.org)(othermailbox=mark.sch...@sau24.org)))
fields=sAMAccountName
Oct 14 12:36:19 auth(default): Info: ldap(mark.sch...@sau24.org):
result: sAMAccountName(home=/home/vmail/%$)=/home/vmail/mschaub
Oct 14 12:36:19 auth(default): Info: master out: USER   1
mark.sch...@sau24.org   home=/home/vmail/mschaubuid=501
gid=501
Oct 14 12:36:19 deliver(mark.sch...@sau24.org): Info: sieve:
msgid=<6b71e3a70910140936v4e8cd6fdwd847a1721a9d9...@mail.gmail.com>:
stored mail into mailbox 'INBOX'

But this is what I get when I try to send to an address listed in my
otherMailbox field (t...@sau24.org):

Oct 14 12:30:58 auth(default): Info: master in: USER1
t...@sau24.org  service=deliver
Oct 14 12:30:58 auth(default): Info: ldap(t...@sau24.org): user
search: base=dc=sau24, dc=org scope=subtree
filter=(&(objectclass=user)(|(sAMAccountName=tech)(mail=t...@sau24.org)(othermailbox=t...@sau24.org)))
fields=sAMAccountName
Oct 14 12:30:58 auth(default): Info: ldap(t...@sau24.org): Unknown user
Oct 14 12:30:58 auth(default): Info: master out: NOTFOUND   1

As a test I tried modifying my dovecot-ldap.conf to use different
fields instead of otherMailbox. Sending to some of those attributes
worked, others didn't. I could use the "sn" and "givenN