Re: [Dovecot] LDAP for Virtual Domains

2007-05-21 Thread Marc Delling

20.05.2007 23:00 Bryan Vyhmeister:

query_filter = (&(mail=%s))


mailacceptinggeneralid=%s is the default value for query_filter.
maybe the &-operator ANDs your expression to the default.
anyway, if you just want to filter for the mail address, the &-operator
is unnecessary. try query_filter = (mail=%s) instead.


Marc


Re: [Dovecot] LDAP for Virtual Domains

2007-05-21 Thread Bryan Vyhmeister

On May 20, 2007, at 10:17 PM, Daniel L. Miller wrote:

This is a problem in basic understanding of Postfix's (or just  
about any LDAP enabled program, for that matter) LDAP handling.   
The docs reference mailacceptinggeneralid in the examples (and I  
still don't know what LDAP schema Wietse may have pulled that from)  
- and it is a default - but YOU explicitly tell Postfix how to use  
your LDAP configuration.


If you look at my files, the virtual_mailbox_maps parameter  
specifies a file - which I created.  That file tells Postfix  
exactly how to work with LDAP.  You can see the query is searching  
the LDAP "mail" field, and returns the value of the "mail" field in  
a particular format.  Nowhere in my query_filter and  
result_attribute do you see mailacceptinggeneralid - so I assume  
you didn't implement my sample config.


If Dovecot is now using your LDAP properly, we're probably getting  
off-topic now and you should continue this on the Postfix mailing  
list.  If you want to contact me directly I will try to help you as  
well.


Thanks. Pascal was a big help off-list and it is working fine now.  
Once I finish my configuration completely, I will add it to the wiki  
and write a separate howto as well. Thank you.


Bryan


Re: [Dovecot] LDAP for Virtual Domains

2007-05-21 Thread Daniel L. Miller

Bryan Vyhmeister wrote:

On May 18, 2007, at 11:33 PM, Daniel L. Miller wrote:

Thank you for that info. Do you mind posting the relevant portions 
of your Postfix config?

main.cf:

virtual_mailbox_base = /var/mail
virtual_mailbox_domains = 
virtual_mailbox_maps = ldap:/etc/postfix/maps/ldap-virtual.cf
virtual_uid_maps = static:5000
virtual_gid_maps = static:8
virtual_alias_maps = hash:/etc/postfix/maps/virtual-aliases

##EOF

ldap-virtual.cf:
server_host = localhost
search_base = ou=People,dc=amfeslan,dc=local
query_filter = (&(mail=%s))
result_attribute = mail
result_format = /%d/%u/
version = 3

The ldap-virtual settings look a little odd - but I'm rather proud of 
my gimmick.  You look for the mail address matching the sender (mail 
= %s).  Return that same address - but format it as domain/user.  
Append it to /var/mail and there it is!


virtual-aliases is a simple file for me - I haven't settled on an 
LDAP implementation for aliases yet I'm satisfied with.  I'm using 
ldap-account-manager for administration, and there's no explicit 
provision for aliases within LAM or the base schemas used.


I just asked Pascal as well how he gets around Postfix asking for 
mailacceptinggeneralid in order to allow messages to be accepted. How 
do you get around that? Dovecot is working fine but I can't get 
Postfix to accept messages because it keeps trying to find 
mailacceptinggeneralid.


Bryan

This is a problem in basic understanding of Postfix's (or just about any 
LDAP enabled program, for that matter) LDAP handling.  The docs 
reference mailacceptinggeneralid in the examples (and I still don't know 
what LDAP schema Wietse may have pulled that from) - and it is a default 
- but YOU explicitly tell Postfix how to use your LDAP configuration.


If you look at my files, the virtual_mailbox_maps parameter specifies a 
file - which I created.  That file tells Postfix exactly how to work 
with LDAP.  You can see the query is searching the LDAP "mail" field, 
and returns the value of the "mail" field in a particular format.  
Nowhere in my query_filter and result_attribute do you see 
mailacceptinggeneralid - so I assume you didn't implement my sample config.


If Dovecot is now using your LDAP properly, we're probably getting 
off-topic now and you should continue this on the Postfix mailing list.  
If you want to contact me directly I will try to help you as well.


--
Daniel



Re: [Dovecot] LDAP for Virtual Domains

2007-05-20 Thread Bryan Vyhmeister

On May 17, 2007, at 4:44 AM, Pascal S. de Kloe wrote:

The attachments contain my configuration. Maybe you could document  
some

more on the wiki?


dn: dc=mail,dc=quies,dc=net
objectClass: top
objectClass: dcObject
objectClass: organizationalRole
dc: mail
cn: Quies Net mail division

dn: cn=dovecot,dc=mail,dc=quies,dc=net
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: dovecot
description: Dovecot daemon
userPassword: not public

dn: ou=accounts,dc=mail,dc=quies,dc=net
objectClass: top
objectClass: organizationalUnit
ou: accounts

dn: cn=quies.net,ou=accounts,dc=mail,dc=quies,dc=net
objectClass: top
objectClass: posixGroup
cn: quies.net
gidNumber: 1

dn: [EMAIL PROTECTED],cn=quies.net,ou=accounts,dc=mail,dc=quies,dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: [EMAIL PROTECTED]
uidNumber: 1
gidNumber: 1
homeDirectory: /var/spool/imap/net.quies/pascal
userPassword: not public
cn: Pascal de Kloe
givenName: Pascal
sn: de Kloe
etc.




I recognize that this is the dovecot list, not the Postfix list but I  
wasn't sure if you were using Postfix as well. If so, how are you  
getting around Postfix wanting mailacceptinggeneralid in order to  
accept messages? Thank you.


Bryan


Re: [Dovecot] LDAP for Virtual Domains

2007-05-20 Thread Bryan Vyhmeister

On May 18, 2007, at 11:33 PM, Daniel L. Miller wrote:

Thank you for that info. Do you mind posting the relevant portions  
of your Postfix config?

main.cf:

virtual_mailbox_base = /var/mail
virtual_mailbox_domains = 
virtual_mailbox_maps = ldap:/etc/postfix/maps/ldap-virtual.cf
virtual_uid_maps = static:5000
virtual_gid_maps = static:8
virtual_alias_maps = hash:/etc/postfix/maps/virtual-aliases

##EOF

ldap-virtual.cf:
server_host = localhost
search_base = ou=People,dc=amfeslan,dc=local
query_filter = (&(mail=%s))
result_attribute = mail
result_format = /%d/%u/
version = 3

The ldap-virtual settings look a little odd - but I'm rather proud  
of my gimmick.  You look for the mail address matching the sender  
(mail = %s).  Return that same address - but format it as domain/ 
user.  Append it to /var/mail and there it is!


virtual-aliases is a simple file for me - I haven't settled on an  
LDAP implementation for aliases yet I'm satisfied with.  I'm using  
ldap-account-manager for administration, and there's no explicit  
provision for aliases within LAM or the base schemas used.


I just asked Pascal as well how he gets around Postfix asking for  
mailacceptinggeneralid in order to allow messages to be accepted. How  
do you get around that? Dovecot is working fine but I can't get  
Postfix to accept messages because it keeps trying to find  
mailacceptinggeneralid.


Bryan


Re: [Dovecot] LDAP for Virtual Domains

2007-05-20 Thread Bryan Vyhmeister

On May 18, 2007, at 11:33 PM, Daniel L. Miller wrote:

Thank you for that info. Do you mind posting the relevant portions  
of your Postfix config?

main.cf:

virtual_mailbox_base = /var/mail
virtual_mailbox_domains = 
virtual_mailbox_maps = ldap:/etc/postfix/maps/ldap-virtual.cf
virtual_uid_maps = static:5000
virtual_gid_maps = static:8
virtual_alias_maps = hash:/etc/postfix/maps/virtual-aliases

##EOF

ldap-virtual.cf:
server_host = localhost
search_base = ou=People,dc=amfeslan,dc=local
query_filter = (&(mail=%s))
result_attribute = mail
result_format = /%d/%u/
version = 3

The ldap-virtual settings look a little odd - but I'm rather proud  
of my gimmick.  You look for the mail address matching the sender  
(mail = %s).  Return that same address - but format it as domain/ 
user.  Append it to /var/mail and there it is!


virtual-aliases is a simple file for me - I haven't settled on an  
LDAP implementation for aliases yet I'm satisfied with.  I'm using  
ldap-account-manager for administration, and there's no explicit  
provision for aliases within LAM or the base schemas used.


Thank you. I'll try this out.

Bryan


Re: [Dovecot] LDAP for Virtual Domains

2007-05-18 Thread Bryan Vyhmeister

On May 18, 2007, at 7:34 AM, Daniel L. Miller wrote:

I am using almost this exact setup.  What I love about this is my  
LDAP config is minimal - no special schemas required (just core,  
cosine, nis, and inetorgperson).  Everything is driven by the  
"mail" field - you store the full mail address, with domain, and  
the userPassword.  I'm using Postfix and Dovecot.


Thank you for that info. Do you mind posting the relevant portions of  
your Postfix config?


Bryan



Re: [Dovecot] LDAP for Virtual Domains

2007-05-18 Thread Bryan Vyhmeister

On May 18, 2007, at 2:14 AM, Pascal S. de Kloe wrote:


That is correct. All mail goes into the Maildir folder and the SIEVE
scripts are at ~/.dovecot.sieve.

It seemed like the most portable and extendable configuration. You  
could

modify the LDAP homeDirectory at a later time with a simple query.


I'll have to try this configuration on Sunday and see if I can get it  
to work. The ideal would be for only Dovecot to access LDAP so that I  
don't have to worry about Postfix dealing with that.


Bryan


Re: [Dovecot] LDAP for Virtual Domains

2007-05-18 Thread Daniel L. Miller

Timo Sirainen wrote:

On Fri, 2007-05-18 at 07:34 -0700, Daniel L. Miller wrote:

userdb passwd {
args = /etc/dovecot/dovecot-ldap.conf
}



This probably isn't doing what you're thinking :) The args is completely
ignored here, so it just looks up the username from NSS.

Thanks.  Probably left over from when I was trying to implement the 
single LDAP lookup configuration - which I gave up on.  Haven't noticed 
any significant performance hit using the separate user/pass lookups - 
though I'll revisit it soon I'm sure.


--
Daniel



Re: [Dovecot] LDAP for Virtual Domains

2007-05-18 Thread Timo Sirainen
On Fri, 2007-05-18 at 07:34 -0700, Daniel L. Miller wrote:
> userdb passwd {
> args = /etc/dovecot/dovecot-ldap.conf
> }

This probably isn't doing what you're thinking :) The args is completely
ignored here, so it just looks up the username from NSS.





Re: [Dovecot] LDAP for Virtual Domains

2007-05-18 Thread Daniel L. Miller

Bryan Vyhmeister wrote:

On May 17, 2007, at 12:06 AM, Gavin Henry wrote:

Is anyone using LDAP along with Dovecot where mail is being accessed
in the form of /var/vmail/${domain}/${user}? I have not figured out
how to extract the domain from LDAP in order to make this work. I
know this is sparse information but maybe there is an easy fix. If
not, I can post more information.


What config have you tried?


Sorry, I should have given more detail. Right now, I have one server 
which is authenticating off of a passwd file from Dovecot. Postfix 
accesses Dovecot's auth socket interface for SMTP AUTH passwords and 
such. I use a virtual mailbox map and virtual alias map through 
Postfix to decide where to deliver mail. In Dovecot, I have 
mail_location set as follows:


mail_location = maildir:/var/vmail/domains/%d%n

Hope you've got a "/" between the %d and %n that got dropped off 


That allows it to work fine for finding my mailboxes. I have tried the 
default Dovecot LDAP file but I am not sure I really understand how it 
all works. I guess this also involves picking a logical way to setup 
my LDAP structure as well.
LDAP is one of the biggest headaches you get into - despite the fact 
that lots of people seem to think it's THE solution for centralized user 
management.  Google, read, google, read, curse, google, read, try, fail, 
google, read . . . get it working (still not understanding why), touch 
something, break it, curse, google, read, google, read, try again . . .


I think I could make this work by making the LDAP uid [EMAIL PROTECTED] 
I don't think this is the best way of setting it up though. All of my 
users login with [EMAIL PROTECTED] and I want to keep it that way. It 
does not seem like LDAP was designed to authenticate this way quite as 
well.
uid should be . . . uid.  One of the key items to understand about LDAP 
integration with most programs is there IS NO STANDARD.  YOU define 
which fields are used.  So you tell Dovecot, Postfix, or whatever which 
fields to search, and which fields to return, and what information is 
meaningful.  Your login format will work just fine - but LDAP needs to 
have a field with that information stored (mail), and your LDAP-using 
servers need to be told which field to use.


The only key mail program I haven't been able to use with my setup is 
maildrop - I would have to store the mailfolder in LDAP, which I refuse 
to do.  So I have a second database I need to maintain (for 
courier-authlib) for the couple users that use maildrop until I can come 
up with an alternative.


--
Daniel



Re: [Dovecot] LDAP for Virtual Domains

2007-05-18 Thread Daniel L. Miller

Bryan Vyhmeister wrote:
Is anyone using LDAP along with Dovecot where mail is being accessed 
in the form of /var/vmail/${domain}/${user}? I have not figured out 
how to extract the domain from LDAP in order to make this work. I know 
this is sparse information but maybe there is an easy fix. If not, I 
can post more information.


Bryan

I am using almost this exact setup.  What I love about this is my LDAP 
config is minimal - no special schemas required (just core, cosine, nis, 
and inetorgperson).  Everything is driven by the "mail" field - you 
store the full mail address, with domain, and the userPassword.  I'm 
using Postfix and Dovecot.


## Dovecot.conf
...
default_mail_env = maildir:/var/mail/%d/%n
valid_chroot_dirs = /var/mail
passdb ldap {
   args = /etc/dovecot/dovecot-ldap.conf
}
userdb passwd {
   args = /etc/dovecot/dovecot-ldap.conf
}
userdb ldap {
   args = /etc/dovecot/dovecot-ldap.conf
}
...
## EOF


## Dovecot-ldap.conf
hosts = localhost
auth_bind = no
auth_bind_userdn = uid=%n, ou=People, dc=amfeslan, dc=local
ldap_version = 3
base = ou=People, dc=amfeslan, dc=local
## here's your magic lines
user_attrs = %d/%n=mail
user_filter = (mail=%u)
## attribute list and filter are separate settings
pass_attrs = userPassword=password
pass_filter = (mail=%u)
user_global_uid = 5000
user_global_gid = 8
## EOF


--
Daniel
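An added example, not code from anyone in this thread, that models how the templates in Daniel's configs fit together: the Postfix map's query_filter and result_format (/%d/%u/ under virtual_mailbox_base) and Dovecot's maildir:/var/mail/%d/%n location. It also shows the RFC 4515 escaping that Postfix and Dovecot apply to the %s / %u login before it goes into the search filter, and checks that the directory-derived mailbox path stays under the base. The sample login is constructed.

```python
import posixpath
import re

# Values from the configs posted in this thread (main.cf, ldap-virtual.cf,
# dovecot.conf); the sample login used below is constructed.
VIRTUAL_MAILBOX_BASE = "/var/mail"
QUERY_FILTER = "(mail=%s)"                 # Postfix map, Marc's form without the &
RESULT_FORMAT = "/%d/%u/"                  # trailing "/" makes Postfix deliver Maildir
MAIL_LOCATION = "maildir:/var/mail/%d/%n"  # Dovecot default_mail_env

def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter. Postfix and
    Dovecot do this for %s / %u themselves; it is what stops a login such as
    '*)(uid=*' from rewriting the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _expand(template, mapping):
    """Single-pass %x substitution so substituted text is never re-expanded."""
    return re.sub(r"%([a-z])", lambda m: mapping.get(m.group(1), m.group(0)), template)

def expand_query_filter(template, login):
    """Fill the Postfix %s (or Dovecot %u) placeholder with the escaped login."""
    esc = ldap_filter_escape(login)
    return _expand(template, {"s": esc, "u": esc})

def split_address(mail):
    local, sep, domain = mail.partition("@")
    if not sep or not local or not domain:
        raise ValueError("not a user@domain address: %r" % mail)
    return local, domain

def expand_result_format(template, mail):
    """Postfix result_format: %s whole value, %u local part, %d domain part."""
    local, domain = split_address(mail)
    return _expand(template, {"s": mail, "u": local, "d": domain})

def postfix_mailbox_path(mail, base=VIRTUAL_MAILBOX_BASE):
    """Where Postfix delivers: virtual_mailbox_base + expanded result_format."""
    path = base + expand_result_format(RESULT_FORMAT, mail)
    # The directory attribute drives a filesystem path, so refuse any value
    # that normalises to a location outside virtual_mailbox_base.
    if not posixpath.normpath(path).startswith(base + "/"):
        raise ValueError("mailbox path escapes %s: %r" % (base, path))
    return path

def dovecot_mailbox_path(mail, location=MAIL_LOCATION):
    """Where Dovecot reads: %u whole login, %n local part, %d domain part."""
    local, domain = split_address(mail)
    fmt = location.split(":", 1)[1]        # drop the "maildir:" prefix
    return _expand(fmt, {"u": mail, "n": local, "d": domain})

def delivery_matches_access(mail):
    """True when Postfix delivers into the same Maildir Dovecot opens."""
    return (posixpath.normpath(postfix_mailbox_path(mail))
            == posixpath.normpath(dovecot_mailbox_path(mail)))

if __name__ == "__main__":
    login = "bryan@example.com"            # constructed sample login
    print(expand_query_filter(QUERY_FILTER, login))
    print(postfix_mailbox_path(login), dovecot_mailbox_path(login))
    print(delivery_matches_access(login))
```

If delivery_matches_access() is False for a given pair of templates, Postfix and Dovecot disagree about the mailbox directory, which is the same class of mismatch as the missing "/" Daniel points out in the mail_location line.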



Re: [Dovecot] LDAP for Virtual Domains

2007-05-18 Thread Pascal S. de Kloe
On Friday 18 May 2007 03:52:40 Bryan Vyhmeister wrote:
> On May 17, 2007, at 4:44 AM, Pascal S. de Kloe wrote:
> > The attachments contain my configuration. Maybe you could document
> > some
> > more on the wiki?
>
> If I understand your config correctly, you set your home directory in
> LDAP and then just deliver to ~/Maildir/ which goes to the correct /
> var/spool/imap/domain/user like I mentioned. In that case, do
> additional folders get created inside your Maildir or in the home
> folder itself?

That is correct. All mail goes into the Maildir folder and the SIEVE 
scripts are at ~/.dovecot.sieve.

It seemed like the most portable and extendable configuration. You could 
modify the LDAP homeDirectory at a later time with a simple query.




Re: [Dovecot] LDAP for Virtual Domains

2007-05-17 Thread Bryan Vyhmeister

On May 17, 2007, at 4:44 AM, Pascal S. de Kloe wrote:

The attachments contain my configuration. Maybe you could document  
some

more on the wiki?


If I understand your config correctly, you set your home directory in  
LDAP and then just deliver to ~/Maildir/ which goes to the correct / 
var/spool/imap/domain/user like I mentioned. In that case, do  
additional folders get created inside your Maildir or in the home  
folder itself? Thank you for the response.


Bryan


Re: [Dovecot] LDAP for Virtual Domains

2007-05-17 Thread Bryan Vyhmeister

On May 17, 2007, at 12:06 AM, Gavin Henry wrote:

Is anyone using LDAP along with Dovecot where mail is being accessed
in the form of /var/vmail/${domain}/${user}? I have not figured out
how to extract the domain from LDAP in order to make this work. I
know this is sparse information but maybe there is an easy fix. If
not, I can post more information.


What config have you tried?


Sorry, I should have given more detail. Right now, I have one server  
which is authenticating off of a passwd file from Dovecot. Postfix  
accesses Dovecot's auth socket interface for SMTP AUTH passwords and  
such. I use a virtual mailbox map and virtual alias map through  
Postfix to decide where to deliver mail. In Dovecot, I have  
mail_location set as follows:


mail_location = maildir:/var/vmail/domains/%d%n

That allows it to work fine for finding my mailboxes. I have tried  
the default Dovecot LDAP file but I am not sure I really understand  
how it all works. I guess this also involves picking a logical way to  
setup my LDAP structure as well.


I think I could make this work by making the LDAP uid  
[EMAIL PROTECTED] I don't think this is the best way of setting it up  
though. All of my users login with [EMAIL PROTECTED] and I want to keep  
it that way. It does not seem like LDAP was designed to authenticate  
this way quite as well.


Bryan


Re: [Dovecot] LDAP for Virtual Domains

2007-05-17 Thread Bryan Vyhmeister

On May 16, 2007, at 10:29 PM, razor wrote:

On 17.05.07 at 05:06 Bryan Vyhmeister wrote in his message:


Is anyone using LDAP along with Dovecot where mail is being  
accessed in the form of /var/vmail/${domain}/${user}? I have not  
figured out how to extract the domain from LDAP in order to make  
this work. I know this is sparse information but maybe there is an  
easy fix. If not, I can post more information.


Bryan


i am using exim+dovecot+lda+openldap


Thank you for the info.

Bryan

Re: [Dovecot] LDAP for Virtual Domains

2007-05-17 Thread Pascal S. de Kloe
On Thursday 17 May 2007 04:06:52 Bryan Vyhmeister wrote:
> Is anyone using LDAP along with Dovecot where mail is being accessed
> in the form of /var/vmail/${domain}/${user}? I have not figured out
> how to extract the domain from LDAP in order to make this work. I
> know this is sparse information but maybe there is an easy fix. If
> not, I can post more information.
>
> Bryan


The attachments contain my configuration. Maybe you could document some 
more on the wiki?


dn: dc=mail,dc=quies,dc=net
objectClass: top
objectClass: dcObject
objectClass: organizationalRole
dc: mail
cn: Quies Net mail division

dn: cn=dovecot,dc=mail,dc=quies,dc=net
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: dovecot
description: Dovecot daemon
userPassword: not public

dn: ou=accounts,dc=mail,dc=quies,dc=net
objectClass: top
objectClass: organizationalUnit
ou: accounts

dn: cn=quies.net,ou=accounts,dc=mail,dc=quies,dc=net
objectClass: top
objectClass: posixGroup
cn: quies.net
gidNumber: 1

dn: [EMAIL PROTECTED],cn=quies.net,ou=accounts,dc=mail,dc=quies,dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: [EMAIL PROTECTED]
uidNumber: 1
gidNumber: 1
homeDirectory: /var/spool/imap/net.quies/pascal
userPassword: not public
cn: Pascal de Kloe
givenName: Pascal
sn: de Kloe
etc.

protocols = imap
shutdown_clients = no

log_timestamp = "%y-%m-%d %H:%M:%S "

login_greeting = Quies Net IMAP service.

mail_location = maildir:~/Maildir
mmap_no_write = yes

first_valid_uid = 1
last_valid_uid = 9
first_valid_gid = 1
last_valid_gid = 9

ssl_cert_file = /etc/ssl/lib/cert.pem
ssl_key_file = /etc/ssl/private/key.pem
ssl_cipher_list = TLSv1+HIGH:TLSv1+MEDIUM

auth default {
user = dovecot-auth
mechanisms = plain
passdb ldap {
args = /etc/dovecot-ldap.conf
}
userdb ldap {
args = /etc/dovecot-ldap.conf
}
socket listen {
client {
path = /var/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = dovecot
group = dovecot
}
}
}

protocol lda {
postmaster_address = [EMAIL PROTECTED]
sendmail_path = /usr/local/sbin/sendmail
mail_plugins = cmusieve quota
}

protocol imap {
mail_plugins = quota imap_quota
}


plugin {
quota = maildir:storage=2097152:messages=10
}

hosts = localhost
ldap_version = 3
dn = cn=dovecot,dc=mail,dc=quies,dc=net
dnpass = not public
deref = never
base = ou=accounts,dc=mail,dc=quies,dc=net
scope = subtree
user_filter = (&(objectClass=posixAccount)(uid=%u))
user_attrs = uid,homeDirectory,,uid,uidNumber,gidNumber
pass_attrs = uid,userPassword
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = PLAIN




Re: [Dovecot] LDAP for Virtual Domains

2007-05-17 Thread Gavin Henry

> Is anyone using LDAP along with Dovecot where mail is being accessed
> in the form of /var/vmail/${domain}/${user}? I have not figured out
> how to extract the domain from LDAP in order to make this work. I
> know this is sparse information but maybe there is an easy fix. If
> not, I can post more information.
>
> Bryan
>

What config have you tried?

-- 
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E [EMAIL PROTECTED]

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/