> Here are my default olcAccess settings after installation:

Don't put Samba stuff here; just focus on one application's access.

> olcAccess: {10} to * by * read
> 
> However, I am not satisfied with these settings because using the
> anonymous user, anyone can browse the entire LDAP tree. While passwords
> are not visible with anonymous login, user data in the LDAP domain is
> exposed.

Is this the default when you install? Pretty terrible still; no wonder 
everyone's data is everywhere. So make sure you firewall your LDAP.

But indeed, you should work the other way around: start with something no one 
can access.

olcAccess: {0} to dn.exact="" by * read
olcAccess: {1} to dn.exact="cn=Subschema" by * read
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none
olcAccess: {3} to * by * none

Check also these ssf=256 settings; otherwise your data can go over plain connections.

Then test whether you can authenticate only over SSL with your LDAP entries. Make 
sure your command lines work first; it does not make sense to look at Dovecot at 
this stage.

ldapsearch -W -s sub -b "uid=test,dc=local" -D "uid=test,dc=local" -H ldap://ldap.local:389/

Make sure to increase logging so you can see what Dovecot is trying to query on 
the LDAP server. Create LDIFs to increase/decrease logging and update your ACLs like 
this.

ldapadd -D "cn=admin,cn=config" -W -H ldapi:/// -f /home/scripts/inclogging.ldif


> If I change the last olcAccess entry from "olcAccess: {10} to * by *
> read" to "olcAccess: {10} to * by anonymous auth," the anonymous user
> cannot browse LDAP, but the mail client user also cannot log in.

If you are not doing this ACL stuff too often, it is really annoying.

> What should be the correct configuration?
> 

Can't remember exactly; this is what I have from trying to create a stateless 
container with Docker. It also depends on your use case. I can't really 
remember why I have auth_bind = no; I think it was related to reducing the 
number of queries to LDAP.



_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
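As an added example (not code from this post, nor from OpenLDAP or Dovecot), the
following Python script lints a set of olcAccess directives for the two
problems the reply above is about: a catch-all rule that leaves the whole tree
readable to anonymous clients, and password attributes reachable without the
ssf=256 requirement. The parser handles only the subset of slapd.access(5)
syntax used in the thread (`to <what> by <who> [ssf=N] <access> ...`), and
the `MIN_SSF`, `PASSWORD_ATTRS` and `_SSF_RE` names are this example's own
assumptions; the two rule sets it runs on are constructed from the lines quoted
in the thread.

```python
"""Lint olcAccess directives for a world-readable catch-all and for password
attributes reachable without a minimum security strength factor (ssf).
Added example, not from the post or from OpenLDAP; the parser covers only the
subset of slapd.access(5) syntax used in the thread, not the full grammar."""
import re
from typing import List, Tuple

ByClause = Tuple[str, str, int]          # (who, access level, required ssf; 0 = none required)
Rule = Tuple[int, str, List[ByClause]]   # (ordering index, <what> target, by-clauses)

# slapd access levels in increasing order of privilege.
ACCESS_LEVELS = {"none": 0, "disclose": 1, "auth": 2, "compare": 3,
                 "search": 4, "read": 5, "write": 6, "manage": 7}
# Attributes that must never travel in the clear; shadowLastChange is included
# because the thread's ACL groups it with userPassword (assumption of this example).
PASSWORD_ATTRS = {"userpassword", "shadowlastchange"}
# Minimum ssf before a password attribute may be touched.  The thread uses 256
# (slapd reports the TLS cipher strength as ssf, e.g. 256 for an AES-256 cipher).
MIN_SSF = 256

_HEAD_RE = re.compile(r"^olcAccess:\s*(?:\{(\d+)\})?\s*to\s+(.*)$")
_SSF_RE = re.compile(r"^(?:transport_|tls_|sasl_)?ssf=(\d+)$")
_CONTROL = {"stop", "continue", "break"}   # flow-control words, not subjects


def parse_rule(line: str, default_order: int) -> Rule:
    """Parse one 'olcAccess: {n} to <what> by <who> <access> ...' line."""
    m = _HEAD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an olcAccess directive: {line!r}")
    order = int(m.group(1)) if m.group(1) is not None else default_order
    what, *by_parts = re.split(r"\s+by\s+", m.group(2))
    clauses: List[ByClause] = []
    for part in by_parts:
        who_tokens, level, ssf = [], "none", 0   # an omitted <access> is treated as none
        for tok in part.split():
            ssf_match = _SSF_RE.match(tok)
            if tok in ACCESS_LEVELS:
                level = tok
            elif ssf_match:
                ssf = int(ssf_match.group(1))
            elif tok not in _CONTROL:
                who_tokens.append(tok)
        # 'by ssf=256 read' names no subject: it applies to anyone meeting the ssf.
        clauses.append((" ".join(who_tokens) or "*", level, ssf))
    return (order, what.strip(), clauses)


def lint(lines: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means the rule set passes."""
    rules = sorted((parse_rule(l, i) for i, l in enumerate(lines)), key=lambda r: r[0])
    findings: List[str] = []
    if not rules:
        return ["no olcAccess directives at all"]
    last_order, last_what, last_clauses = rules[-1]
    if last_what != "*" or any(ACCESS_LEVELS[lvl] > 0 for _, lvl, _ in last_clauses):
        findings.append(f"{{{last_order}}}: rule set does not end with 'to * by * none'")
    for order, what, clauses in rules:
        attrs = ({a.strip().lower() for a in what[len("attrs="):].split(",")}
                 if what.startswith("attrs=") else set())
        touches_password = bool(attrs & PASSWORD_ATTRS)
        for who, level, ssf in clauses:
            rank = ACCESS_LEVELS[level]
            if what == "*" and who == "*" and rank >= ACCESS_LEVELS["read"]:
                findings.append(f"{{{order}}}: 'to * by * {level}' exposes the whole tree to anonymous clients")
            if touches_password and rank > 0:
                if ssf < MIN_SSF:
                    findings.append(f"{{{order}}}: '{who} {level}' on {what} without ssf>={MIN_SSF}")
                if who == "*":
                    findings.append(f"{{{order}}}: '* {level}' on {what} reaches unauthenticated clients")
                if who == "anonymous" and rank > ACCESS_LEVELS["auth"]:
                    findings.append(f"{{{order}}}: anonymous gets '{level}' on {what}; 'auth' is all a bind needs")
    return findings


# Constructed inputs: the default quoted in the thread, and the tightened set from the reply.
DEFAULT_ACL = ["olcAccess: {10} to * by * read"]
TIGHT_ACL = [
    'olcAccess: {0} to dn.exact="" by * read',
    'olcAccess: {1} to dn.exact="cn=Subschema" by * read',
    "olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none",
    "olcAccess: {3} to * by * none",
]

if __name__ == "__main__":
    for name, acl in (("default", DEFAULT_ACL), ("tightened", TIGHT_ACL)):
        problems = lint(acl)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it on the output of `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess`
(one directive per line, after unfolding LDIF continuation lines) before applying
a new ACL LDIF; the default quoted in the question yields two findings, the
tightened set from the reply yields none. The checker only reads the rules as
written: it cannot tell you whether the server actually negotiates TLS, which is
why the reply still insists on testing with `ldapsearch` over ldaps before
touching Dovecot.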