Hi, I reviewed your guidelines and focused only on how olcAccess works to block anonymous users. I installed a blank native Debian and interestingly, the default Debian rules also allow anonymous reading of the LDAP directory.
olcAccess by Debian:

olcAccess: {0} to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1} to attrs=shadowLastChange by self write by * read
olcAccess: {2} to * by * read

After analyzing everything and testing, I started with two rules that block anonymous users and at the same time grant access to logged-in users. I realize that this is probably not enough and I should include some permissions in this, but this is the initial setting on which I can continue to work.

olcAccess by me:

olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1} to * by self write by users read by anonymous auth by * none

Thank you for your help.

On Wed, May 17, 2023 at 7:57 AM Andrzej Milewski <andrzej.milew...@gmail.com> wrote:

> Hi,
> I'm trying to set up a production mail server. I have installed Dovecot on Debian from the package. For authentication, I have another machine running OpenLDAP, also installed on Debian. I would like the end mail client to authenticate with Dovecot using the login and password set in LDAP.
>
> In the LDAP-related configuration, I have:
> auth_bind=yes
> base = ou=Users,dc=example,dc=com
> user_attrs = mail=couriermaildir:~/Maildir,homeDirectory=/home/%d/%uid/,uidNumber=uid,gidNumber=gid
> user_filter = (&(objectClass=posixAccount)(uid=%u))
> pass_attrs = uid=user,userPassword=password,\
> pass_filter = (&(objectClass=posixAccount)(uid=%u))
>
> The LDAP user is entered as uid=u...@example.com. With the default olcAccess permissions, it works and logs in correctly.
>
> Here are my default olcAccess settings after installation:
> # {1}mdb, config
> dn: olcDatabase={1}mdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcMdbConfig
> olcDatabase: {1}mdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=example,dc=com
> olcAccess: {0}to dn.children="ou=Idmaps,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=laktopol,dc=pl" write by * none
> olcAccess: {1}to dn.subtree="ou=Idmaps,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
> olcAccess: {2}to dn.children="ou=Hosts,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * none
> olcAccess: {3}to dn.subtree="ou=Hosts,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
> olcAccess: {4}to dn.children="ou=Users,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=nsspam,dc=laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * none
> olcAccess: {5}to dn.children="ou=Users,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=nsspam,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
> olcAccess: {6}to filter=(objectClass=sambaDomain) by dn="cn=samba,dc=laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * read
> olcAccess: {7}to dn.base="dc=example,dc=com" attrs=children by dn="cn=samba,dc=laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * read
> olcAccess: {8}to attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=nsspam,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * none
> olcAccess: {9}to attrs=shadowLastChange by self write by * read
> olcAccess: {10} to * by * read
>
> However, I am not satisfied with these settings because using the anonymous user, anyone can browse the entire LDAP tree. While passwords are not visible with anonymous login, user data in the LDAP domain is exposed.
>
> If I change the last olcAccess entry from "olcAccess: {10} to * by * read" to "olcAccess: {10} to * by anonymous auth," the anonymous user cannot browse LDAP, but the mail client user also cannot log in.
>
> What should be the correct configuration?
> --
> Andrzej
> --
> Andrzej Milewski
> andrzej.milew...@gmail.com
> tel. 0603957324
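To make the difference between the three rule sets in this thread concrete, here is a small model of how slapd evaluates olcAccess (first matching "to" clause decides, then the first matching "by" clause grants its level, and a level implies every lower one). It is an added illustration, not the poster's or OpenLDAP's code; it models only the forms used here (attrs=..., to *, self, users, anonymous, *), and the DNs alice and bob are constructed samples.

```python
# Added illustration for this thread, not the poster's or OpenLDAP's code: a tiny
# model of how slapd evaluates olcAccess. The first "to" clause whose target matches
# decides; within it the first matching "by" clause grants its level (a level
# implies every lower one). Only the forms used in the thread are modelled.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_access(lines):
    """Parse 'to <what> by <who> <level> ...' into [(attrs_or_None, [(who, level)])]."""
    rules = []
    for line in lines:
        what, *by_parts = line.split(" by ")
        what = what.split("to ", 1)[1].strip()
        attrs = None if what == "*" else set(what.split("=", 1)[1].split(","))
        rules.append((attrs, [tuple(p.split()) for p in by_parts]))
    return rules

def access(rules, subject, entry_dn, attr):
    """Level `subject` (None = anonymous, else bound DN) gets on `attr` of `entry_dn`."""
    for attrs, clauses in rules:
        if attrs is not None and attr not in attrs:
            continue                          # this "to" clause does not apply
        for who, level in clauses:
            if (who == "*"
                    or (who == "anonymous" and subject is None)
                    or (who == "users" and subject is not None)
                    or (who == "self" and subject == entry_dn)):
                return level
        return "none"                         # no "by" matched: implicit "by * none"
    return "none"

def allows(rules, subject, entry_dn, attr, needed):
    return LEVELS.index(access(rules, subject, entry_dn, attr)) >= LEVELS.index(needed)

# The three rule sets discussed in the thread (without the {n} ordering prefixes).
DEBIAN_DEFAULT = parse_access([
    "to attrs=userPassword by self write by anonymous auth by * none",
    "to attrs=shadowLastChange by self write by * read",
    "to * by * read",
])
ANON_AUTH_ONLY = DEBIAN_DEFAULT[:2] + parse_access(["to * by anonymous auth"])
POSTERS_RULES = parse_access([
    "to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none",
    "to * by self write by users read by anonymous auth by * none",
])
ALICE = "uid=alice,ou=Users,dc=example,dc=com"   # constructed sample entry
BOB = "uid=bob,ou=Users,dc=example,dc=com"       # constructed sample entry

if __name__ == "__main__":
    for name, r in [("debian", DEBIAN_DEFAULT), ("anon-auth", ANON_AUTH_ONLY), ("posters", POSTERS_RULES)]:
        print(name, "anon reads mail:", allows(r, None, ALICE, "mail", "read"),
              "anon can bind:", allows(r, None, ALICE, "userPassword", "auth"),
              "user reads others:", allows(r, ALICE, BOB, "mail", "read"))
```

One consequence worth checking against a real setup: under the poster's rules anonymous gets only auth everywhere, so any user lookup that runs before the bind has to be performed by an authenticated DN, or it will be denied just like the "to * by anonymous auth" variant.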
_______________________________________________ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org