If you already tested %d in the ou of the auth user bind, and it is not working, I guess you are just left with options like:

1. 3 different vm's
2. auth bind = no, base/scope subtree that is the parent of those 3 ou's, and then apply filters something like
   pass_filter = (&(objectClass=posixAccount)(uid=%n)(ou:dn:=%d))
3. investigate if nslcd(/ssss?) has an option to use multiple queries for passwd and have dovecot authenticate against the system.

-----Original Message-----
Cc: dovecot; luke-dovecot
Subject: Re: using %d as a variable in the ldap search base

I'm trying to use auth bind to avoid having a plain text password in a config file. With %u instead of %n, the @domain part of the login ends up in the uid field of the search filter. As I said, my OUs have overlapping users, so I have configured things such that the users are logging in with user@domain, and need to get the domain component into the search base as you cannot filter on an Organizational Unit in an ldap filter. If I have a single search base, it will return multiple users for those %ns that overlap. If I use %u, it will return no users for any account, because the uids do not have the @domain in them. I tried both ways.

Luke

On Mon, Aug 31, 2020 at 09:45:17PM +0200, Marc Roos wrote:
> You have two ways of authenticating against ldap. I decided to use the
> method where a single account has access to the user credentials.
> (Advantage of this method, you can limit ldap lookups eg do not have
> to do 2nd for the userdb)
>
>   debug_level = 1
>   uris = ldaps://ldap.local:8443
>   dn = cn=aaaa,cn=bbbbb,ou=ccccc,dc=dddd,dc=eeee,dc=local
>   dnpass = xxxx
>   base = ou=asdfadsfa,ou=hhhh,ou=ggg,dc=fffff,dc=eeee,dc=local
>   scope = subtree
>
>   user_filter = (&(objectClass=posixAccount)(uid=%u))
>   pass_attrs = uid=user,userPassword=password,host=host,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
>
> However I did not have any issues authenticating against ldap with
> yours also. But using the %u
>
>
> -----Original Message-----
> From: Luke Schierer [mailto:luke-dove...@schierer.org]
> Sent: Monday 31 August 2020 21:32
> To: dovecot@dovecot.org
> Subject: using %d as a variable in the ldap search base
>
> Hi,
>
> I'm trying to configure dovecot to use LDAP authentication directly,
> and I'm having a bit of trouble. I have a somewhat unusual setup, in
> that I have an LDAP directory that has 3 OUs each of which have their
> own set of users, some of which overlap. As I was trying to figure
> things out, I was setting the search base in my
> /etc/dovecot/dovecot-ldap.conf.ext file, which is referenced by the
> /etc/dovecot/conf.d/auth-ldap.conf.ext file, to
>
>   base = ou=%d,dc=thecrazyguys,dc=net
>
> however, the resulting searches against the directory end up just
> dropping the %d, resulting in
>
>   ou=,dc=thecrazyguys,dc=net
>
> which is invalid. On a whim, I tried a search base of
>
>   base = dc=%d,dc=thecrazyguys,dc=net
>
> and found that it did correctly substitute in the variable, which
> would be correct, except that my ldap tree is set up with OUs and not
> an extra DC segment.
>
> For whatever reason, it will do variable substitution for dc=%d, but
> not for ou=%d. This is certainly not documented, and seems like wrong
> behavior, since having an ou in a search base is valid.
>
> I'm including configuration information below. Please let me know if
> I've missed including information that is required.
>
> Thanks!
> Luke
>
>
> luke@schierer@littera001:/etc/dovecot$ lsb_release -rd
> Description:    Ubuntu 18.04.5 LTS
> Release:        18.04
> luke@schierer@littera001:/etc/dovecot$
>
> luke@schierer@littera001:/etc/dovecot$ dpkg -l | grep -i dovecot
> ii  dovecot-core   1:2.2.33.2-1ubuntu4.6  amd64
> ii  dovecot-imapd  1:2.2.33.2-1ubuntu4.6  amd64
> ii  dovecot-ldap   1:2.2.33.2-1ubuntu4.6  amd64
> ii  dovecot-pop3d  1:2.2.33.2-1ubuntu4.6  amd64
> luke@schierer@littera001:/etc/dovecot$
>
> root@littera001:/etc/dovecot# dovecot -n
> # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.21 (92477967)
> # OS: Linux 4.15.0-112-generic x86_64 Ubuntu 18.04.5 LTS
> auth_verbose = yes
> first_valid_uid = 1001
> imap_hibernate_timeout = 100 secs
> lock_method = dotlock
> mail_cache_min_mail_count = 15
> mail_fsync = always
> mail_location = maildir:~/Maildir:LAYOUT=fs:INDEX=MEMORY
> mail_nfs_index = yes
> mail_nfs_storage = yes
> mail_privileged_group = mail
> mailbox_list_index = yes
> maildir_broken_filename_sizes = yes
> maildir_very_dirty_syncs = yes
> mbox_min_index_size = 10 B
> mmap_disable = yes
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
>   separator = /
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> protocols = " imap pop3"
> ssl_cert = </etc/dovecot/dovecot.pem
> ssl_key =  # hidden, use -P to show it
> userdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> protocol imap {
>   mail_max_userip_connections = 20
> }
> root@littera001:/etc/dovecot#
>
> root@littera001:/etc/dovecot# cat /etc/dovecot/dovecot-ldap.conf.ext | grep -v ^# | uniq | more
>
> hosts = censor001.plerumque.thecrazyguys.net
>
> tls = yes
> tls_require_cert = allow
>
> debug_level = 4
>
> auth_bind = yes
>
> base = ou=%d,dc=thecrazyguys,dc=net
>
> scope = subtree
>
> user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
>
> user_filter = (&(objectClass=posixAccount)(uid=%n))
>
> blocking = no
> root@littera001:/etc/dovecot#
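An added example, not code from this thread or from dovecot: a small in-memory model of Marc's option 2, a single broad search base combined with the filter (&(objectClass=posixAccount)(uid=%n)(ou:dn:=%d)). It shows why the dnAttributes clause (ou:dn:=) makes a uid that exists in two OUs resolve to exactly one entry, and why the %n/%d values substituted into a filter must be RFC 4515-escaped. The directory entries, OU names, the toy filter parser and the user@domain split are constructed for the example; how dovecot itself escapes and substitutes variables is not modelled here.

```python
"""Toy evaluator for the (&(objectClass=posixAccount)(uid=%n)(ou:dn:=%d))
filter from the thread. All entries, OU names and DNs are constructed."""
import re

# RFC 4515: characters that must be hex-escaped inside a filter value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_pass_filter(login: str) -> str:
    """Split 'user@domain' into %n and %d (assumed split, as in the thread)
    and substitute the escaped values into the suggested pass_filter."""
    user, _, domain = login.partition("@")
    return "(&(objectClass=posixAccount)(uid=%s)(ou:dn:=%s))" % (
        escape_filter_value(user), escape_filter_value(domain))


def parse_dn(dn: str):
    """Naive DN split into (attr, value) pairs; no escaped commas handled."""
    return [tuple(part.split("=", 1)) for part in dn.split(",")]


def parse_filter(text: str):
    """Parse the subset used here: (&...), (attr=value), (attr:dn:=value).
    Returns a predicate entry -> bool."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        if text[pos] == "&":
            pos += 1
            subs = []
            while text[pos] == "(":
                subs.append(parse())
            if text[pos] != ")":
                raise ValueError("unterminated AND at %d" % pos)
            pos += 1
            return lambda e: all(p(e) for p in subs)
        end = text.index(")", pos)  # an escaped ')' appears as \29, so this is safe
        attr, _, raw = text[pos:end].partition("=")
        pos = end + 1
        value = unescape_filter_value(raw).lower()
        dn_attrs = attr.endswith(":dn:")  # dnAttributes flag (RFC 4511)
        name = (attr[:-4] if dn_attrs else attr).lower()

        def pred(e):
            vals = next((v for k, v in e["attrs"].items() if k.lower() == name), [])
            if any(v.lower() == value for v in vals):
                return True
            # With :dn:, the attribute is also matched inside the entry's own DN.
            return dn_attrs and any(a.lower() == name and v.lower() == value
                                    for a, v in parse_dn(e["dn"]))
        return pred

    pred = parse()
    if pos != len(text):
        raise ValueError("trailing data in filter")
    return pred


def search(entries, base, scope, pred):
    """Return the DNs under base (scope 'subtree' or 'onelevel') matching pred."""
    base = base.lower()
    hits = []
    for e in entries:
        dn = e["dn"].lower()
        if scope == "subtree":
            in_scope = dn == base or dn.endswith("," + base)
        else:
            in_scope = dn.partition(",")[2] == base
        if in_scope and pred(e):
            hits.append(e["dn"])
    return hits


# Constructed directory: three OUs named after mail domains, with the uid
# "luke" present in two of them (the overlap the thread describes).
DIRECTORY = [
    {"dn": "uid=luke,ou=example.org,dc=thecrazyguys,dc=net",
     "attrs": {"objectClass": ["posixAccount"], "uid": ["luke"], "uidNumber": ["1001"]}},
    {"dn": "uid=luke,ou=example.net,dc=thecrazyguys,dc=net",
     "attrs": {"objectClass": ["posixAccount"], "uid": ["luke"], "uidNumber": ["1002"]}},
    {"dn": "uid=anna,ou=example.com,dc=thecrazyguys,dc=net",
     "attrs": {"objectClass": ["posixAccount"], "uid": ["anna"], "uidNumber": ["1003"]}},
]
BASE = "dc=thecrazyguys,dc=net"  # parent of all three OUs, as option 2 suggests


def lookup(login: str, entries=DIRECTORY):
    """Resolve a user@domain login to matching DNs; a correct setup yields one."""
    return search(entries, BASE, "subtree", parse_filter(build_pass_filter(login)))


if __name__ == "__main__":
    plain = parse_filter("(&(objectClass=posixAccount)(uid=luke))")
    print(search(DIRECTORY, BASE, "subtree", plain))  # both "luke" entries: ambiguous
    print(lookup("luke@example.org"))                 # exactly one entry
    print(lookup("luke)(uid=*@example.org"))          # escaped, matches nothing
```

The plain uid filter over the broad base returns both "luke" entries, which is the "multiple users for those %ns that overlap" problem Luke describes; adding ou:dn:=%d narrows it to the entry whose DN actually sits under the login's domain OU. The last lookup shows why the substitution must escape: a login containing filter metacharacters becomes a literal uid value rather than extra filter clauses.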