On Wed, 2008-04-16 at 08:16 +0000, Rob Coward wrote:
> I can't help you with what is going wrong for you, but we use dovecot
> very successfully with ldap lookups against Active Directory, using
> auth_bind=yes, and it does not require anonymous connections. The
> initial connection is by an un-privileged user that searches for the
> user, then a 2nd connection is used, authenticating against AD as the
> looked up user using the password supplied to dovecot.

This is exactly what I am trying to achieve, though I am using OpenLDAP.

> Our setup looks like this:
>
> user_attrs = mail=user
> user_filter = (&(objectClass=user)(mail=%u))
> pass_attrs = mail=user,userPassword=password,mail=userdb_user
> pass_filter = (&(objectClass=user)(mail=%u))
> user_global_uid = dovecot
> user_global_gid = dovecot

Hmmm. I am not using LDAP for userdb. The only userdb information that
is needed is the homedir for the mail (and the uid/gid, but these are
always "varmail"). In my case, this is always determined by the email
address:

    [EMAIL PROTECTED] -> /var/mail/lorentz.com/jackmc

Thus, I have this in my config:

    userdb:
      driver: static
      args: uid=varmail gid=varmail home=/var/mail/%Ld/%Ln

Looking at your config, it seems that your passdb for LDAP depends on
your userdb, as you have mail= twice in your pass_attrs, once for
userdb_user.

For that matter, why do you have userPassword=password? dovecot should
never need to see the contents of this field. Indeed, this is the whole
point of using auth_bind: instead of dovecot retrieving the password
from LDAP and checking it against the user-supplied one, dovecot should
_send_ the password to LDAP in the form of a bind and have LDAP accept
or reject it.

-- 
Jack McKinney
GPG 1024D/99C6A174   [EMAIL PROTECTED]
YM:lfaatsnat2006   AIM:jackmclorentz
Beware geeks bearing diffs
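As an added illustration that is not part of either poster's configuration, the two passdb styles discussed above side by side, in the Dovecot 1.x dovecot-ldap.conf syntax. The first variant pulls userPassword out of the directory and compares it locally; the second sets auth_bind = yes so that Dovecot only ever forwards the password to the directory as a bind and never reads the password attribute. The hostname, service DN, base DN and inetOrgPerson object class are placeholders chosen for the example.

```conf
# ---- Variant A: password retrieval (the style being questioned) ----
# Dovecot binds with a service account that is allowed to READ
# userPassword, fetches the hash, and verifies it locally.
# Every mail-server compromise therefore also exposes directory hashes,
# and the service account needs a far broader read ACL than it should.
hosts = ldap.example.com                      # placeholder
dn = cn=dovecot,ou=services,dc=example,dc=com  # placeholder service DN
dnpass = CHANGE-ME                             # placeholder
ldap_version = 3
base = ou=people,dc=example,dc=com             # placeholder
scope = subtree
auth_bind = no
pass_attrs = mail=user,userPassword=password   # hash leaves the directory
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
default_pass_scheme = SSHA

# ---- Variant B: auth_bind (the style recommended in the reply) ----
# Step 1: the same service account binds and searches for the user's DN.
#         It only needs permission to read the attributes in pass_attrs,
#         not userPassword.
# Step 2: Dovecot opens a second connection and binds AS the found DN with
#         the password the client supplied; the directory accepts or
#         rejects it, so the hash never reaches the mail server.
hosts = ldap.example.com                      # placeholder
dn = cn=dovecot,ou=services,dc=example,dc=com  # placeholder service DN
dnpass = CHANGE-ME                             # placeholder
ldap_version = 3
base = ou=people,dc=example,dc=com             # placeholder
scope = subtree
auth_bind = yes
# No userPassword here: only the fields Dovecot actually needs come back.
pass_attrs = mail=user
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
# Optional: if every user DN follows a fixed pattern, Dovecot can skip
# the search entirely and bind directly with a templated DN.
#auth_bind_userdn = uid=%n,ou=people,dc=example,dc=com

# ---- dovecot.conf (1.x syntax) tying it together ----
# The passdb points at the file above; the userdb stays static, exactly as
# in the reply, so the LDAP side never has to supply uid/gid/home.
#passdb ldap {
#  args = /etc/dovecot/dovecot-ldap.conf
#}
#userdb static {
#  args = uid=varmail gid=varmail home=/var/mail/%Ld/%Ln
#}
```

Only one of the two variants belongs in a real dovecot-ldap.conf; they are shown together so the difference is visible. A quick check that variant B is really in effect: the service account's directory ACL can be tightened so it has no read access to userPassword at all, and logins must still succeed. If they stop working, Dovecot is still comparing the hash locally.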