dear Rob, thank you for support!
there are small differences in mine and yours config, like:
- you do not have auth_bind_userdn defined. if i comment my out i cannot
authenticate at all - log file:
auth(default): ldap(wojtek,192.168.0.200): unknown user
dovecot: auth(default): client out: FAIL^I1^Iuser=wojtek
- you have user_attrs = mail=user, me: user_attrs =
homeDirectory=home,uidNumber=uid. but i do not think it make any difference.
- i did not have deref = never. do you know what does it do? i do not
understand man ldapsearch explanation :(
Rob, could you send me your ldap config (/etc/ldap/slapd.conf) please?
maybe i am making some simple mistake with my ldap config...
cheers, Wojtek
Rob Coward wrote:
I cant help you with what is going wrong for you, but we use dovecot
very successfully with ldap lookups against Active Directory, using
auth_bind=yes, and it does not require anonymous connections. The
initial connection is by an un-privileged user that searches for the
user, then a 2nd connection is used, authenticating against AD as the
looked up user using the password supplied to dovecot.
Our setup looks like this:
# rpm -q dovecot
dovecot-1.0-1.2.0.el5
# dovecot -n
# /etc/dovecot.conf
protocols: imap pop3
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_user: dovecotlogin
login_process_size: 64
login_processes_count: 10
login_max_processes_count: 64
first_valid_uid: 97
default_mail_env: maildir:/data/shared/mailstore/%d/%n
mail_location: maildir:/data/shared/mailstore/%d/%n
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
passdb:
driver: ldap
args: /etc/dovecot-ldap.conf
passdb:
driver: ldap
args: /etc/dovecot-ldap-fr.conf
passdb:
driver: ldap
args: /etc/dovecot-ldap-se.conf
userdb:
driver: ldap
args: /etc/dovecot-ldap.conf
userdb:
driver: ldap
args: /etc/dovecot-ldap-fr.conf
userdb:
driver: ldap
args: /etc/dovecot-ldap-se.conf
# cat /etc/dovecot-ldap.conf
hosts = ad.our.net
dn=CN=Lookup,CN=Users,DC=our,DC=net
dnpass=XXXXXXXX
auth_bind = yes
ldap_version = 3
base = OU=Stores,OU=UK,DC=our,DC=net
deref = never
scope = subtree
user_attrs = mail=user
user_filter = (&(objectClass=user)(mail=%u))
pass_attrs = mail=user,userPassword=password,mail=userdb_user
pass_filter = (&(objectClass=user)(mail=%u))
user_global_uid = dovecot
user_global_gid = dovecot
We use multiple userdb / passdb definitions and ldap configs in order to
limit the searches of our AD schema to specific sub-trees, both for
performance and as there are other users elsewhere in our schema that we
dont want dovecot to allow to connect.
Hope this helps you.
Rob
On Wed, 2008-04-16 at 00:19 +0100, Wojtek Bogusz wrote:
/etc/ldap/sldap.conf:
access to attr=uid,homeDirectory,uidNumber
by anonymous read
I do not have this in my configuration, and dovecot does indeed use the
credential I provide to successfully query LDAP for the user based on
the (mail=%u) criteria. However, it does not see the reply.
The fact that it does perform the query successfully implies to me that
it does not use an anonymous connection. Very puzzling.
i have no idea what dovecot is doing :-) from the log file it looks like
there are 2 queries to ldap: 1. to check provided password for provided
user name, 2. to find a user related information (and from what Steffen
wrote this one is done with anonymous user - correct?).
[on the margin: why isn't it done in one query: get me the user related
information, i am binding with provided user and with provided password.
this way it would be one query for two things.]
in my case, i cannot list user related information from ldap in
anonymous connection even from command line, using: ldapsearch -x -b
'ou=Users,dc=frontline' '(&(objectClass=posixAccount)(uid=wojtek))'
homeDirectory
so i guess that i have to workout ldap settings for anonymous query. my
/etc/ldap/slapd.conf related to access permissions is:
access to dn.children="ou=Users,dc=frontline"
attrs=uid,homeDirectory,uidNumber
by anonymous read
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
by dn="cn=admin,dc=frontline" write
by anonymous auth
by self write
by * none
access to dn.children="ou=Users,dc=frontline"
by dn="cn=root,ou=Users,dc=frontline" read
by anonymous auth
by self write
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=frontline" write
by * read
maybe the problem is here... any hints please?
regards, Wojtek
Please consider the environment before printing this email.
GAME Stores Group Ltd has been awarded ‘Retailer of the Year’ at the 2006 and 2007 Golden Joystick Awards and
'Thames Valley Business Award' for Outstanding Employer of Choice 2006.
This e-mail and any files transmitted with it are confidential and intended solely for the use of the
individual or entity to whom they are addressed. If you have received this e-mail in error please
notify the system manager at:
mailto:[EMAIL PROTECTED]
The recipient acknowledges that the transmissions made via the Internet can be corrupted and therefore
THE GAME GROUP PLC and any of its subsidiaries do not give any warranty as to the quality or accuracy of
any information contained in the message or assume any liability for it or for its transmission, reception or storage.
This footnote also confirms that this e-mail message has been swept by
anti-virus software for the presence of computer viruses.
http://www.game.co.uk
http://www.gamegroup.plc.uk
Registered Number: 1937170
Registered Office: Unity House, Telford Road, Basingstoke, Hampshire. RG21 6YJ
Registered in England and Wales.
