I think you also need to add "by users read", but the problem in this setup
is finding the user: you have a filter, so you need to search for it.
So you need to either specify a special binding account or the format of
the binding user.
This is from the default config on Debian:
# For example:
# auth_bind_userdn = cn=%u,ou=people,o=org
#
On 5/17/23 08:57, Andrzej Milewski wrote:
Hi,
I'm trying to set up a production mail server. I have installed
Dovecot on Debian from the package. For authentication, I have another
machine running OpenLDAP, also installed on Debian. I would like the
end mail client to authenticate with Dovecot using the login and
password set in LDAP.
In the LDAP-related configuration, I have:
auth_bind=yes
base = ou=Users,dc=example,dc=com
user_attrs =
mail=couriermaildir:~/Maildir,homeDirectory=/home/%d/%uid/,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password,\
pass_filter = (&(objectClass=posixAccount)(uid=%u))
The LDAP user is entered as uid=u...@example.com. With the default
olcAccess permissions, it works and logs in correctly.
Here are my default olcAccess settings after installation:
# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcAccess: {0}to dn.children="ou=Idmaps,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=laktopol,dc=pl" write by * none
olcAccess: {1}to dn.subtree="ou=Idmaps,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {2}to dn.children="ou=Hosts,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {3}to dn.subtree="ou=Hosts,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {4}to dn.children="ou=Users,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=nsspam,dc=laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {5}to dn.children="ou=Users,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=nsspam,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {6}to filter=(objectClass=sambaDomain) by dn="cn=samba,dc=laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {7}to dn.base="dc=example,dc=com" attrs=children by dn="cn=samba,dc=laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {8}to attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=nsspam,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {9}to attrs=shadowLastChange by self write by * read
olcAccess: {10} to * by * read
However, I am not satisfied with these settings because using the
anonymous user, anyone can browse the entire LDAP tree. While
passwords are not visible with anonymous login, user data in the LDAP
domain is exposed.
If I change the last olcAccess entry from "olcAccess: {10} to * by *
read" to "olcAccess: {10} to * by anonymous auth," the anonymous user
cannot browse LDAP, but the mail client user also cannot log in.
What should be the correct configuration?
--
Andrzej
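As an added illustration of the reply's "special binding account" suggestion (not configuration from either poster), this LDIF creates a read-only lookup account for Dovecot and rewrites rules {5} and {10} so that anonymous clients can only authenticate while the lookup account and bound users can read. The cn=dovecot name, the ou=Services container (assumed to exist) and the password placeholder are assumptions; the other DNs are taken from the question.

```ldif
# Constructed example, not from the thread. The cn=dovecot account, the
# ou=Services container and the password placeholder are assumptions.

# 1. Lookup account that Dovecot binds as to search for the user DN.
dn: cn=dovecot,ou=Services,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: dovecot
description: Dovecot LDAP lookup account (read-only)
userPassword: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT

# 2. Rule {10}: authenticated identities read everything else, anonymous
#    gets nothing here (rule {8} already grants anonymous "auth" on
#    userPassword, which is all a bind needs).
#    Rule {5}: same change for the user entries themselves, so anonymous
#    can no longer list ou=Users. Deleting "{n}" removes by index; adding
#    "{n}..." reinserts at that position.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {10}
-
add: olcAccess
olcAccess: {10}to * by users read by * none
-
delete: olcAccess
olcAccess: {5}
-
add: olcAccess
olcAccess: {5}to dn.children="ou=Users,dc=example,dc=com" by self write
  by dn="cn=samba,dc=example,dc=com" write
  by dn="cn=nsspam,dc=example,dc=com" write
  by dn="cn=admin,dc=example,dc=com" write
  by users read by * none

# 3. Matching additions to dovecot-ldap.conf.ext (auth_bind=yes, base,
#    user_filter and pass_filter stay as posted; Dovecot searches with
#    this account, then binds as the DN it found):
#   dn = cn=dovecot,ou=Services,dc=example,dc=com
#   dnpass = <the password set in step 1>
```

Apply it with ldapmodify against cn=config as the config admin, then check with ldapsearch that an anonymous search of ou=Users returns nothing while the lookup account still finds the uid. The reply's other option, auth_bind_userdn = uid=%u,ou=Users,dc=example,dc=com, avoids the passdb search entirely, but userdb lookups (user_attrs) still need an identity that is allowed to read the entries.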
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org