Re: [Dovecot] LDAP for Virtual Domains
20.05.2007 23:00 Bryan Vyhmeister:
> query_filter = (&(mail=%s))

mailacceptinggeneralid=%s is the default value for query_filter. Maybe the &-operator ANDs your expression to the default. Anyway, if you just want to filter for the mail address, the &-operator is unnecessary. Try

query_filter = (mail=%s)

instead.

Marc
Re: [Dovecot] LDAP for Virtual Domains
On May 20, 2007, at 10:17 PM, Daniel L. Miller wrote:
> This is a problem in basic understanding of Postfix's (or just about any LDAP enabled program, for that matter) LDAP handling. The docs reference mailacceptinggeneralid in the examples (and I still don't know what LDAP schema Wietse may have pulled that from) - and it is a default - but YOU explicitly tell Postfix how to use your LDAP configuration. If you look at my files, the virtual_mailbox_maps parameter specifies a file - which I created. That file tells Postfix exactly how to work with LDAP. You can see the query is searching the LDAP "mail" field, and returns the value of the "mail" field in a particular format. Nowhere in my query_filter and result_attribute do you see mailacceptinggeneralid - so I assume you didn't implement my sample config. If Dovecot is now using your LDAP properly, we're probably getting off-topic now and you should continue this on the Postfix mailing list. If you want to contact me directly I will try to help you as well.

Thanks. Pascal was a big help off-list and it is working fine now. Once I finish my configuration completely, I will add it to the wiki and write a separate howto as well. Thank you.

Bryan
Re: [Dovecot] LDAP for Virtual Domains
Bryan Vyhmeister wrote:
> On May 18, 2007, at 11:33 PM, Daniel L. Miller wrote:
>>> Thank you for that info. Do you mind posting the relevant portions of your Postfix config?
>>
>> main.cf:
>>
>> virtual_mailbox_base = /var/mail
>> virtual_mailbox_domains =
>> virtual_mailbox_maps = ldap:/etc/postfix/maps/ldap-virtual.cf
>> virtual_uid_maps = static:5000
>> virtual_gid_maps = static:8
>> virtual_alias_maps = hash:/etc/postfix/maps/virtual-aliases
>> ##EOF
>>
>> ldap-virtual.cf:
>>
>> server_host = localhost
>> search_base = ou=People,dc=amfeslan,dc=local
>> query_filter = (&(mail=%s))
>> result_attribute = mail
>> result_format = /%d/%u/
>> version = 3
>>
>> The ldap-virtual settings look a little odd - but I'm rather proud of my gimmick. You look for the mail address matching the sender (mail = %s). Return that same address - but format it as domain/user. Append it to /var/mail and there it is!
>>
>> virtual-aliases is a simple file for me - I haven't settled on an LDAP implementation for aliases yet I'm satisfied with. I'm using ldap-account-manager for administration, and there's no explicit provision for aliases within LAM or the base schemas used.
>
> I just asked Pascal as well how he gets around Postfix asking for mailacceptinggeneralid in order to allow messages to be accepted. How do you get around that? Dovecot is working fine but I can't get Postfix to accept messages because it keeps trying to find mailacceptinggeneralid.
>
> Bryan

This is a problem in basic understanding of Postfix's (or just about any LDAP enabled program, for that matter) LDAP handling. The docs reference mailacceptinggeneralid in the examples (and I still don't know what LDAP schema Wietse may have pulled that from) - and it is a default - but YOU explicitly tell Postfix how to use your LDAP configuration. If you look at my files, the virtual_mailbox_maps parameter specifies a file - which I created. That file tells Postfix exactly how to work with LDAP. You can see the query is searching the LDAP "mail" field, and returns the value of the "mail" field in a particular format. Nowhere in my query_filter and result_attribute do you see mailacceptinggeneralid - so I assume you didn't implement my sample config. If Dovecot is now using your LDAP properly, we're probably getting off-topic now and you should continue this on the Postfix mailing list. If you want to contact me directly I will try to help you as well.

-- Daniel
Re: [Dovecot] LDAP for Virtual Domains
On May 17, 2007, at 4:44 AM, Pascal S. de Kloe wrote:
> The attachments contain my configuration. Maybe you could document some more on the wiki?
>
> dn: dc=mail,dc=quies,dc=net
> objectClass: top
> objectClass: dcObject
> objectClass: organizationalRole
> dc: mail
> cn: Quies Net mail division
>
> dn: cn=dovecot,dc=mail,dc=quies,dc=net
> objectClass: top
> objectClass: organizationalRole
> objectClass: simpleSecurityObject
> cn: dovecot
> description: Dovecot daemon
> userPassword: not public
>
> dn: ou=accounts,dc=mail,dc=quies,dc=net
> objectClass: top
> objectClass: organizationalUnit
> ou: accounts
>
> dn: cn=quies.net,ou=accounts,dc=mail,dc=quies,dc=net
> objectClass: top
> objectClass: posixGroup
> cn: quies.net
> gidNumber: 1
>
> dn: [EMAIL PROTECTED],cn=quies.net,ou=accounts,dc=mail,dc=quies,dc=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> uid: [EMAIL PROTECTED]
> uidNumber: 1
> gidNumber: 1
> homeDirectory: /var/spool/imap/net.quies/pascal
> userPassword: not public
> cn: Pascal de Kloe
> givenName: Pascal
> sn: de Kloe
>
> etc.

I recognize that this is the dovecot list, not the Postfix list but I wasn't sure if you were using Postfix as well. If so, how are you getting around Postfix wanting mailacceptinggeneralid in order to accept messages? Thank you.

Bryan
Re: [Dovecot] LDAP for Virtual Domains
On May 18, 2007, at 11:33 PM, Daniel L. Miller wrote:
>> Thank you for that info. Do you mind posting the relevant portions of your Postfix config?
>
> main.cf:
>
> virtual_mailbox_base = /var/mail
> virtual_mailbox_domains =
> virtual_mailbox_maps = ldap:/etc/postfix/maps/ldap-virtual.cf
> virtual_uid_maps = static:5000
> virtual_gid_maps = static:8
> virtual_alias_maps = hash:/etc/postfix/maps/virtual-aliases
> ##EOF
>
> ldap-virtual.cf:
>
> server_host = localhost
> search_base = ou=People,dc=amfeslan,dc=local
> query_filter = (&(mail=%s))
> result_attribute = mail
> result_format = /%d/%u/
> version = 3
>
> The ldap-virtual settings look a little odd - but I'm rather proud of my gimmick. You look for the mail address matching the sender (mail = %s). Return that same address - but format it as domain/user. Append it to /var/mail and there it is!
>
> virtual-aliases is a simple file for me - I haven't settled on an LDAP implementation for aliases yet I'm satisfied with. I'm using ldap-account-manager for administration, and there's no explicit provision for aliases within LAM or the base schemas used.

I just asked Pascal as well how he gets around Postfix asking for mailacceptinggeneralid in order to allow messages to be accepted. How do you get around that? Dovecot is working fine but I can't get Postfix to accept messages because it keeps trying to find mailacceptinggeneralid.

Bryan
Re: [Dovecot] LDAP for Virtual Domains
On May 18, 2007, at 11:33 PM, Daniel L. Miller wrote:
>> Thank you for that info. Do you mind posting the relevant portions of your Postfix config?
>
> main.cf:
>
> virtual_mailbox_base = /var/mail
> virtual_mailbox_domains =
> virtual_mailbox_maps = ldap:/etc/postfix/maps/ldap-virtual.cf
> virtual_uid_maps = static:5000
> virtual_gid_maps = static:8
> virtual_alias_maps = hash:/etc/postfix/maps/virtual-aliases
> ##EOF
>
> ldap-virtual.cf:
>
> server_host = localhost
> search_base = ou=People,dc=amfeslan,dc=local
> query_filter = (&(mail=%s))
> result_attribute = mail
> result_format = /%d/%u/
> version = 3
>
> The ldap-virtual settings look a little odd - but I'm rather proud of my gimmick. You look for the mail address matching the sender (mail = %s). Return that same address - but format it as domain/user. Append it to /var/mail and there it is!
>
> virtual-aliases is a simple file for me - I haven't settled on an LDAP implementation for aliases yet I'm satisfied with. I'm using ldap-account-manager for administration, and there's no explicit provision for aliases within LAM or the base schemas used.

Thank you. I'll try this out.

Bryan
Re: [Dovecot] LDAP for Virtual Domains
On May 18, 2007, at 7:34 AM, Daniel L. Miller wrote:
> I am using almost this exact setup. What I love about this is my LDAP config is minimal - no special schemas required (just core, cosine, nis, and inetorgperson). Everything is driven by the "mail" field - you store the full mail address, with domain, and the userPassword. I'm using Postfix and Dovecot.

Thank you for that info. Do you mind posting the relevant portions of your Postfix config?

Bryan
Re: [Dovecot] LDAP for Virtual Domains
On May 18, 2007, at 2:14 AM, Pascal S. de Kloe wrote:
> That is correct. All mail goes into the Maildir folder and the SIEVE scripts are at ~/.dovecot.sieve. It seemed like the most portable and extendable configuration. You could modify the LDAP homeDirectory at a later time with a simple query.

I'll have to try this configuration on Sunday and see if I can get it to work. The ideal would be for only Dovecot to access LDAP so that I don't have to worry about Postfix dealing with that.

Bryan
Re: [Dovecot] LDAP for Virtual Domains
Timo Sirainen wrote:
> On Fri, 2007-05-18 at 07:34 -0700, Daniel L. Miller wrote:
>> userdb passwd {
>>   args = /etc/dovecot/dovecot-ldap.conf
>> }
>
> This probably isn't doing what you're thinking :) The args is completely ignored here, so it just looks up the username from NSS.

Thanks. Probably left over from when I was trying to implement the single LDAP lookup configuration - which I gave up on. Haven't noticed any significant performance hit using the separate user/pass lookups - though I'll revisit it soon I'm sure.

-- Daniel
Re: [Dovecot] LDAP for Virtual Domains
On Fri, 2007-05-18 at 07:34 -0700, Daniel L. Miller wrote:
> userdb passwd {
>   args = /etc/dovecot/dovecot-ldap.conf
> }

This probably isn't doing what you're thinking :) The args is completely ignored here, so it just looks up the username from NSS.
Re: [Dovecot] LDAP for Virtual Domains
Bryan Vyhmeister wrote:
> On May 17, 2007, at 12:06 AM, Gavin Henry wrote:
>>> Is anyone using LDAP along with Dovecot where mail is being accessed in the form of /var/vmail/${domain}/${user}? I have not figured out how to extract the domain from LDAP in order to make this work. I know this is sparse information but maybe there is an easy fix. If not, I can post more information.
>>
>> What config have you tried?
>
> Sorry, I should have given more detail. Right now, I have one server which is authenticating off of a passwd file from Dovecot. Postfix accesses Dovecot's auth socket interface for SMTP AUTH passwords and such. I use a virtual mailbox map and virtual alias map through Postfix to decide where to deliver mail. In Dovecot, I have mail_location set as follows:
>
> mail_location = maildir:/var/vmail/domains/%d%n

Hope you've got a "/" between the %d and %n that got dropped off

> That allows it to work fine for finding my mailboxes. I have tried the default Dovecot LDAP file but I am not sure I really understand how it all works. I guess this also involves picking a logical way to set up my LDAP structure as well.

LDAP is one of the biggest headaches you get into - despite the fact that lots of people seem to think it's THE solution for centralized user management. Google, read, google, read, curse, google, read, try, fail, google, read . . . get it working (still not understanding why), touch something, break it, curse, google, read, google, read, try again . . .

> I think I could make this work by making the LDAP uid [EMAIL PROTECTED] I don't think this is the best way of setting it up though. All of my users login with [EMAIL PROTECTED] and I want to keep it that way. It does not seem like LDAP was designed to authenticate this way quite as well.

uid should be . . . uid. One of the key items to understand about LDAP integration with most programs is there IS NO STANDARD. YOU define which fields are used. So you tell Dovecot, Postfix, or whatever which fields to search, and which fields to return, and what information is meaningful. Your login format will work just fine - but LDAP needs to have a field with that information stored (mail), and your LDAP-using servers need to be told which field to use.

The only key mail program I haven't been able to use with my setup is maildrop - I would have to store the mailfolder in LDAP, which I refuse to do. So I have a second database I need to maintain (for courier-authlib) for the couple users that use maildrop until I can come up with an alternative.

-- Daniel
Re: [Dovecot] LDAP for Virtual Domains
Bryan Vyhmeister wrote:
> Is anyone using LDAP along with Dovecot where mail is being accessed in the form of /var/vmail/${domain}/${user}? I have not figured out how to extract the domain from LDAP in order to make this work. I know this is sparse information but maybe there is an easy fix. If not, I can post more information.
>
> Bryan

I am using almost this exact setup. What I love about this is my LDAP config is minimal - no special schemas required (just core, cosine, nis, and inetorgperson). Everything is driven by the "mail" field - you store the full mail address, with domain, and the userPassword. I'm using Postfix and Dovecot.

## Dovecot.conf
...
default_mail_env = maildir:/var/mail/%d/%n
valid_chroot_dirs = /var/mail
passdb ldap {
  args = /etc/dovecot/dovecot-ldap.conf
}
userdb passwd {
  args = /etc/dovecot/dovecot-ldap.conf
}
userdb ldap {
  args = /etc/dovecot/dovecot-ldap.conf
}
...
## EOF

## Dovecot-ldap.conf
hosts = localhost
auth_bind = no
auth_bind_userdn = uid=%n, ou=People, dc=amfeslan, dc=local
ldap_version = 3
base = ou=People, dc=amfeslan, dc=local
## here's your magic lines
user_attrs = %d/%n=mail
user_filter = (mail=%u)
## editorial note: the line as posted read
## "pass_attrs = (&userPassword=password)(mail=%u))", which runs the
## attribute map and the password filter together; split here into the
## two settings it implies
pass_attrs = userPassword=password
pass_filter = (mail=%u)
user_global_uid = 5000
user_global_gid = 8
## EOF

-- Daniel
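Added example (not code from the thread, from Dovecot or from Postfix): a Python walk-through of what the templates quoted in this thread expand to for a user@domain login, namely Dovecot's user_filter = (mail=%u) and default_mail_env = maildir:/var/mail/%d/%n beside Postfix's query_filter = (&(mail=%s)) with result_format = /%d/%u/, where %u is the whole login in Dovecot but only the local part in Postfix's ldap_table(5). The directory entries, the minimal filter evaluator and the path check are constructed here; the substituted login is RFC 4515-escaped before it enters the filter, and the maildir path that comes out is checked to stay under its base.

```python
import posixpath
import re

# Constructed directory entries modelled on the mail-driven schema in the
# thread (attribute -> list of values); not anyone's real directory.
DIRECTORY = [
    {"objectClass": ["inetOrgPerson", "posixAccount"],
     "uid": ["pascal@quies.net"], "mail": ["pascal@quies.net"],
     "homeDirectory": ["/var/spool/imap/net.quies/pascal"]},
    {"objectClass": ["inetOrgPerson", "posixAccount"],
     "uid": ["alice@example.org"], "mail": ["alice@example.org"],
     "homeDirectory": ["/var/mail/example.org/alice"]},
]

def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a search filter,
    so that * ( ) \\ and NUL in a login are matched literally."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def dovecot_vars(login):
    """Dovecot: %u = full login, %n = local part, %d = domain."""
    local, _, domain = login.partition("@")
    return {"%u": login, "%n": local, "%d": domain}

def postfix_vars(login):
    """Postfix ldap_table(5): %s = whole key, %u = local part, %d = domain."""
    local, _, domain = login.partition("@")
    return {"%s": login, "%u": local, "%d": domain}

def expand(template, variables, escape=lambda v: v):
    """Replace %x placeholders; unknown ones are left untouched."""
    return re.sub(r"%[a-z]", lambda m: escape(variables.get(m.group(0), m.group(0))), template)

def matches(entry, flt):
    """Evaluate the filter subset used on the page: (attr=value) and (&(...)(...))."""
    if flt.startswith("(&"):
        inner, parts, depth, start = flt[2:-1], [], 0, 0
        for i, ch in enumerate(inner):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                parts.append(inner[start:i + 1])
                start = i + 1
        return all(matches(entry, p) for p in parts)
    attr, _, value = flt[1:-1].partition("=")
    return ldap_unescape(value) in entry.get(attr, [])

def lookup(login, user_filter="(&(objectClass=posixAccount)(mail=%u))"):
    """Return the single entry the expanded user_filter selects, else None."""
    flt = expand(user_filter, dovecot_vars(login), ldap_escape)
    hits = [e for e in DIRECTORY if matches(e, flt)]
    return hits[0] if len(hits) == 1 else None

def mail_path(login, base="/var/mail", template="%d/%n"):
    """Build the domain/user maildir path and refuse anything that could
    leave the base (empty parts, a separator or '..' in the login)."""
    variables = dovecot_vars(login)
    if not variables["%n"] or not variables["%d"] or "/" in login or ".." in login:
        raise ValueError("login is not a plain user@domain")
    path = posixpath.normpath(posixpath.join(base, expand(template, variables)))
    if not path.startswith(base + "/"):
        raise ValueError("expanded path leaves " + base)
    return path
```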
Re: [Dovecot] LDAP for Virtual Domains
On Friday 18 May 2007 03:52:40 Bryan Vyhmeister wrote:
> On May 17, 2007, at 4:44 AM, Pascal S. de Kloe wrote:
>> The attachments contain my configuration. Maybe you could document some more on the wiki?
>
> If I understand your config correctly, you set your home directory in LDAP and then just deliver to ~/Maildir/ which goes to the correct /var/spool/imap/domain/user like I mentioned. In that case, do additional folders get created inside your Maildir or in the home folder itself?

That is correct. All mail goes into the Maildir folder and the SIEVE scripts are at ~/.dovecot.sieve. It seemed like the most portable and extendable configuration. You could modify the LDAP homeDirectory at a later time with a simple query.
Re: [Dovecot] LDAP for Virtual Domains
On May 17, 2007, at 4:44 AM, Pascal S. de Kloe wrote:
> The attachments contain my configuration. Maybe you could document some more on the wiki?

If I understand your config correctly, you set your home directory in LDAP and then just deliver to ~/Maildir/ which goes to the correct /var/spool/imap/domain/user like I mentioned. In that case, do additional folders get created inside your Maildir or in the home folder itself?

Thank you for the response.

Bryan
Re: [Dovecot] LDAP for Virtual Domains
On May 17, 2007, at 12:06 AM, Gavin Henry wrote:
>> Is anyone using LDAP along with Dovecot where mail is being accessed in the form of /var/vmail/${domain}/${user}? I have not figured out how to extract the domain from LDAP in order to make this work. I know this is sparse information but maybe there is an easy fix. If not, I can post more information.
>
> What config have you tried?

Sorry, I should have given more detail. Right now, I have one server which is authenticating off of a passwd file from Dovecot. Postfix accesses Dovecot's auth socket interface for SMTP AUTH passwords and such. I use a virtual mailbox map and virtual alias map through Postfix to decide where to deliver mail. In Dovecot, I have mail_location set as follows:

mail_location = maildir:/var/vmail/domains/%d%n

That allows it to work fine for finding my mailboxes. I have tried the default Dovecot LDAP file but I am not sure I really understand how it all works. I guess this also involves picking a logical way to set up my LDAP structure as well.

I think I could make this work by making the LDAP uid [EMAIL PROTECTED] I don't think this is the best way of setting it up though. All of my users login with [EMAIL PROTECTED] and I want to keep it that way. It does not seem like LDAP was designed to authenticate this way quite as well.

Bryan
Re: [Dovecot] LDAP for Virtual Domains
On May 16, 2007, at 10:29 PM, razor wrote:
> On 17.05.07 at 05:06 Bryan Vyhmeister wrote in his message:
>> Is anyone using LDAP along with Dovecot where mail is being accessed in the form of /var/vmail/${domain}/${user}? I have not figured out how to extract the domain from LDAP in order to make this work. I know this is sparse information but maybe there is an easy fix. If not, I can post more information.
>>
>> Bryan
>
> I am using exim+dovecot+lda+openldap

Thank you for the info.

Bryan
Re: [Dovecot] LDAP for Virtual Domains
On Thursday 17 May 2007 04:06:52 Bryan Vyhmeister wrote:
> Is anyone using LDAP along with Dovecot where mail is being accessed in the form of /var/vmail/${domain}/${user}? I have not figured out how to extract the domain from LDAP in order to make this work. I know this is sparse information but maybe there is an easy fix. If not, I can post more information.
>
> Bryan

The attachments contain my configuration. Maybe you could document some more on the wiki?

dn: dc=mail,dc=quies,dc=net
objectClass: top
objectClass: dcObject
objectClass: organizationalRole
dc: mail
cn: Quies Net mail division

dn: cn=dovecot,dc=mail,dc=quies,dc=net
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: dovecot
description: Dovecot daemon
userPassword: not public

dn: ou=accounts,dc=mail,dc=quies,dc=net
objectClass: top
objectClass: organizationalUnit
ou: accounts

dn: cn=quies.net,ou=accounts,dc=mail,dc=quies,dc=net
objectClass: top
objectClass: posixGroup
cn: quies.net
gidNumber: 1

dn: [EMAIL PROTECTED],cn=quies.net,ou=accounts,dc=mail,dc=quies,dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: [EMAIL PROTECTED]
uidNumber: 1
gidNumber: 1
homeDirectory: /var/spool/imap/net.quies/pascal
userPassword: not public
cn: Pascal de Kloe
givenName: Pascal
sn: de Kloe

etc.

protocols = imap
shutdown_clients = no
log_timestamp = "%y-%m-%d %H:%M:%S "
login_greeting = Quies Net IMAP service.
mail_location = maildir:~/Maildir
mmap_no_write = yes
first_valid_uid = 1
last_valid_uid = 9
first_valid_gid = 1
last_valid_gid = 9
ssl_cert_file = /etc/ssl/lib/cert.pem
ssl_key_file = /etc/ssl/private/key.pem
ssl_cipher_list = TLSv1+HIGH:TLSv1+MEDIUM
auth default {
  user = dovecot-auth
  mechanisms = plain
  passdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  userdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  socket listen {
    client {
      path = /var/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
    master {
      path = /var/run/dovecot/auth-master
      mode = 0660
      user = dovecot
      group = dovecot
    }
  }
}
protocol lda {
  postmaster_address = [EMAIL PROTECTED]
  sendmail_path = /usr/local/sbin/sendmail
  mail_plugins = cmusieve quota
}
protocol imap {
  mail_plugins = quota imap_quota
}
plugin {
  quota = maildir:storage=2097152:messages=10
}

hosts = localhost
ldap_version = 3
dn = cn=dovecot,dc=mail,dc=quies,dc=net
dnpass = not public
deref = never
base = ou=accounts,dc=mail,dc=quies,dc=net
scope = subtree
user_filter = (&(objectClass=posixAccount)(uid=%u))
user_attrs = uid,homeDirectory,,uid,uidNumber,gidNumber
pass_attrs = uid,userPassword
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = PLAIN
Re: [Dovecot] LDAP for Virtual Domains
> Is anyone using LDAP along with Dovecot where mail is being accessed in the form of /var/vmail/${domain}/${user}? I have not figured out how to extract the domain from LDAP in order to make this work. I know this is sparse information but maybe there is an easy fix. If not, I can post more information.
>
> Bryan
>

What config have you tried?

--
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E [EMAIL PROTECTED]

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/