Franta Hanzlík
2018-Feb-06 18:46 UTC
LDAP userdb and dovecot LDA/LMTP - different requirements
Hi,

I want to use Dovecot LDA (or rather LMTP) as local delivery with the Postfix MTA. Users are in an LDAP DB with a structure like:

  dn: cn=username, ou=rank, o=myorg
  cn: username
  objectClass: Person
  gidNumber: uNNN
  uidNumber: gNNN
  userPassword: (somehow hashed, can only do bind verification)
  homeDirectory: /Home/$rank/$username
  mailActive: 0/1
  mail: usera@OneDomain
  mail: userb@SecDomain (not all users have 2+ addresses)
  uid: username
  groupMembership: group DN (can appear multiple times for different groups)
  ...

where:
- cn = uid = expected IMAP login username (which has no @domain part)
- user1 (and user2) isn't always the same as username

Now I do not know how to solve what are IMO different requirements on the userdb:

- LDA/LMTP needs an LDAP userdb unit that can retrieve the name from an email address (i.e. for "usera@myDomain" it returns cn/uid as the dovecot "username").
- The IMAP server needs an LDAP userdb unit that takes the user login (username) as the input parameter and returns whether or not the user exists.

Can these different requirements be solved in one userdb unit? Or is it possible to have one userdb unit for LDA/LMTP and another one for IMAP and the other Dovecot components?

I have also encountered entries getting the values from the LDAP userdb in forms such as:

  user_attrs = \
    =user=%{ldap:uid}, \
    @mail=base(%{ldap:mailDN}), \
    =uid=%{ldap:uidNumber@mail}, \
    =gid=%{ldap:gidNumber@mail}, \
    =home=%{ldap:rootPath@mail}/%d/%n

or

  user_attrs = \
    =home=%{ldap:homeDirectory}, \
    =uid=%{ldap:uidNumber}, \
    =gid=%{ldap:gidNumber}, \
    =quota_rule=*:bytes=%{ldap:quotaBytes}, \
    =namespace/default/separator=%{ldap:mailSeparator}

Can anyone explain how these constructions work? And what do attribute notations in the form '=attr=' or '@attr=' or 'quota_rule=*:storage=100M' mean? Nowhere have I found a sufficiently comprehensible description of these constructions...

Help very much appreciated.

Thanks,
Franta Hanzlik
Steffen Kaiser
2018-Feb-07 07:14 UTC
LDAP userdb and dovecot LDA/LMTP - different requirements
On Tue, 6 Feb 2018, Franta Hanzlík wrote:

> I want to use Dovecot LDA (or rather LMTP) as local delivery with the
> Postfix MTA. Users are in an LDAP DB with a structure like:
>
>   dn: cn=username, ou=rank, o=myorg
>   cn: username
>   objectClass: Person
>   gidNumber: uNNN
>   uidNumber: gNNN
>   userPassword: (somehow hashed, can only do bind verification)
>   homeDirectory: /Home/$rank/$username
>   mailActive: 0/1
>   mail: usera@OneDomain
>   mail: userb@SecDomain (not all users have 2+ addresses)
>   uid: username
>   groupMembership: group DN (can appear multiple times for different groups)
>   ...
>
> where:
> - cn = uid = expected IMAP login username (which has no @domain part)

> - user1 (and user2) isn't always the same as username

?? What does this requirement mean?

> Now I do not know how to solve what are IMO different requirements on the userdb:
>
> - LDA/LMTP needs an LDAP userdb unit that can retrieve the name from an
>   email address (i.e. for "usera@myDomain" it returns cn/uid as the dovecot
>   "username").

For LDA, just use another config.

> - The IMAP server needs an LDAP userdb unit that takes the user login
>   (username) as the input parameter and returns whether or not the
>   user exists.

user_filter = (&(|(mail=%n)(uid=%u))(mailActive=1)(objectClass=person))

This assumes that usera (without @domain) is not the username of another entry and that there is one entry for each mail address only. Users may log in with their mail address.

On the other hand, can you resolve the aliases in LDAP into usernames with Postfix?
http://www.postfix.org/ldap_table.5.html

>   user_attrs = \
>     =home=%{ldap:homeDirectory}, \
>     =uid=%{ldap:uidNumber}, \
>     =gid=%{ldap:gidNumber}, \
>     =quota_rule=*:bytes=%{ldap:quotaBytes}, \
>     =namespace/default/separator=%{ldap:mailSeparator}
>
> Can anyone explain how these constructions work?
> And what do attribute notations in the form '=attr=' or '@attr='
> or 'quota_rule=*:storage=100M' mean?
> Nowhere have I found a sufficiently comprehensible description of these
> constructions...

https://wiki2.dovecot.org/AuthDatabase/LDAP/Userdb?highlight=%28%40mail%29

-- 
Steffen Kaiser
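To make the user_filter above concrete, here is an offline model of the lookup, added here as an example (it is not code from the thread or from Dovecot). It evaluates Steffen's filter, and a constructed address-to-account filter of the kind a separate LDA/LMTP config would use, against a small in-memory directory built on the schema from the first post. The directory entries, the `LMTP_FILTER` string and all function names are constructed for this example. It also applies the RFC 4515 escaping that Dovecot performs on `%u`/`%n`/`%d` before substituting them, which is why a login of `*` or `x)(uid=*` cannot widen the search.

```python
"""Offline model of an LDAP user_filter lookup (added example; not code from the
thread or from Dovecot). Evaluates a filter template against an in-memory directory."""
import re

# Constructed directory entries modelled on the schema in the original post.
# Attribute names are lowercased to mirror LDAP's case-insensitive attribute matching.
DIRECTORY = [
    {"dn": "cn=fhanzlik,ou=staff,o=myorg", "objectclass": ["Person"], "uid": ["fhanzlik"],
     "mail": ["franta@onedomain.example", "hanzlik@secdomain.example"], "mailactive": ["1"]},
    {"dn": "cn=old,ou=staff,o=myorg", "objectclass": ["Person"], "uid": ["old"],
     "mail": ["old@onedomain.example"], "mailactive": ["0"]},          # deactivated account
    {"dn": "cn=franta,ou=students,o=myorg", "objectclass": ["Person"], "uid": ["franta"],
     "mail": ["franta.novak@onedomain.example"], "mailactive": ["1"]},
]

IMAP_FILTER = "(&(|(mail=%n)(uid=%u))(mailActive=1)(objectClass=person))"  # Steffen's filter
LMTP_FILTER = "(&(mail=%u)(mailActive=1)(objectClass=person))"  # constructed: address -> account


def ldap_escape(value):
    """RFC 4515 escaping of the characters that would otherwise alter filter structure.
    Dovecot applies this to %u/%n/%d before substituting them into the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand(template, user):
    """Substitute the Dovecot variables used in the thread: %u login, %n local part, %d domain."""
    local, _, domain = user.partition("@")
    variables = {"u": user, "n": local, "d": domain}
    return re.sub(r"%([und])", lambda m: ldap_escape(variables[m.group(1)]), template)


def parse(text, i=0):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...), (attr=value)."""
    if text[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if text[i] in "&|":
        op, i, kids = text[i], i + 1, []
        while text[i] == "(":
            node, i = parse(text, i)
            kids.append(node)
        return (op, kids), i + 1  # skip the closing ')'
    if text[i] == "!":
        node, i = parse(text, i + 1)
        return ("!", node), i + 1
    j = text.index(")", i)  # parens inside values arrive escaped as \28 / \29, so this is the real close
    attr, value = text[i:j].split("=", 1)
    return ("=", attr.lower(), value), j + 1


def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    present = entry.get(attr, [])
    if value == "*":                       # presence filter
        return bool(present)
    wanted = unescape(value).lower()       # caseIgnore matching, as for uid and mail
    return any(v.lower() == wanted for v in present)


def lookup(filter_template, user, directory=DIRECTORY):
    """Return the DNs matching the filter after variable expansion."""
    node, _ = parse(expand(filter_template, user))
    return [e["dn"] for e in directory if matches(node, e)]


def lookup_one(filter_template, user, directory=DIRECTORY):
    """A userdb lookup has to resolve to exactly one entry; anything else is a failed lookup."""
    hits = lookup(filter_template, user, directory)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for login in ("fhanzlik", "old", "franta", "*"):
        print("IMAP", login, "->", lookup_one(IMAP_FILTER, login))
    print("LMTP hanzlik@secdomain.example ->", lookup_one(LMTP_FILTER, "hanzlik@secdomain.example"))
```

The deactivated entry shows why `(mailActive=1)` belongs in both filters: an account that is only disabled in LDAP, not deleted, must fail the lookup for delivery as well as for login.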
Franta Hanzlík
2018-Feb-10 20:57 UTC
LDAP userdb and dovecot LDA/LMTP - different requirements
Hello Steffen,

thanks for your advice. Some of it helped me, but I still have a few misunderstandings. More is below, beside your answers:

On Wed, 7 Feb 2018 08:14:43 +0100 (CET) Steffen Kaiser <skdovecot@inf.h-brs.de> wrote:

> On Tue, 6 Feb 2018, Franta Hanzlík wrote:
>
> > I want to use Dovecot LDA (or rather LMTP) as local delivery with the
> > Postfix MTA. Users are in an LDAP DB with a structure like:
> >
> >   dn: cn=username, ou=rank, o=myorg
> >   cn: username
> >   objectClass: Person
> >   gidNumber: uNNN
> >   uidNumber: gNNN
> >   userPassword: (somehow hashed, can only do bind verification)
> >   homeDirectory: /Home/$rank/$username
> >   mailActive: 0/1
> >   mail: usera@OneDomain
> >   mail: userb@SecDomain (not all users have 2+ addresses)
> >   uid: username
> >   groupMembership: group DN (can appear multiple times for different groups)
> >   ...
> >
> > where:
> > - cn = uid = expected IMAP login username (which has no @domain part)
>
> > - user1 (and user2) isn't always the same as username
>
> ?? What does this requirement mean?

It isn't a requirement, just a statement that the login name cannot be derived from the mail address and, vice versa, that the email address cannot be derived from the login name. The LDAP database and the mail practices are not my design; I just inherited them and can do almost nothing about them.

> > Now I do not know how to solve what are IMO different requirements on the userdb:
> >
> > - LDA/LMTP needs an LDAP userdb unit that can retrieve the name from an
> >   email address (i.e. for "usera@myDomain" it returns cn/uid as the dovecot
> >   "username").
>
> For LDA, just use another config.

Hm.. how to do it? Dovecot LMTP has no man page nor its own help; I found only something on the wiki (https://wiki2.dovecot.org/LMTP), but there is nothing about how to use a different userdb. Perhaps it is not possible to specify a different full dovecot.conf file (via an option switch, environment variable or so)?

Maybe it is possible to specify an alternative path for LMTP:

  protocol lmtp {
    auth_socket_path = dovecot-lmtp-userdb
  }

but what next? Is it possible to define some non-default, user-defined auth-like service with this socket?

> > - The IMAP server needs an LDAP userdb unit that takes the user login
> >   (username) as the input parameter and returns whether or not the
> >   user exists.
>
> user_filter = (&(|(mail=%n)(uid=%u))(mailActive=1)(objectClass=person))
>
> This assumes that usera (without @domain) is not the username of another
> entry and that there is one entry for each mail address only. Users may
> log in with their mail address.

This point is clear to me. The IMAP user filter can be even simpler, as login uids are unique in the whole LDAP DB.

> On the other hand, can you resolve the aliases in LDAP into usernames with
> Postfix?
> http://www.postfix.org/ldap_table.5.html

Thanks! The 'result_format' parameter has helped me. (But IMO some form of regex substitution would be much more useful.)

> >   user_attrs = \
> >     =home=%{ldap:homeDirectory}, \
> >     =uid=%{ldap:uidNumber}, \
> >     =gid=%{ldap:gidNumber}, \
> >     =quota_rule=*:bytes=%{ldap:quotaBytes}, \
> >     =namespace/default/separator=%{ldap:mailSeparator}
> >
> > Can anyone explain how these constructions work?
> > And what do attribute notations in the form '=attr=' or '@attr='
> > or 'quota_rule=*:storage=100M' mean?
> > Nowhere have I found a sufficiently comprehensible description of these
> > constructions...
>
> https://wiki2.dovecot.org/AuthDatabase/LDAP/Userdb?highlight=%28%40mail%29

Yes, I've seen this page. But there are examples rather than definitions with a good description. Excuse me, this is maybe useful for dovecot developers, but not for a normal administrator. For these constructions: '=mail', '@mail', 'quota_rule=*:storage=100M' I cannot see any comprehensible description. And from what I found on the Dovecot site, e.g. these definitions of userdb attributes each use a different form; I understand only the first one:

  https://wiki.dovecot.org/HowTo/DovecotOpenLdap:
    user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
  (here <ldap attribute>=<dovecot field> describes a mapping, not an assignment)

  https://wiki.dovecot.org/Upgrading/1.2:
    user_attrs = homeDirectory=home=/var/mail/%$

  https://wiki.dovecot.org/AuthDatabase/LDAP/Userdb:
    user_attrs = =mail=maildir:/var/spool/vmail/

What do the last two mean?

Thanks,
Franta Hanzlik
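As an added example (not code from the thread or from Dovecot), the following models the `user_attrs` syntax the three wiki lines above share, `ldapAttr=dovecotField=template`: with an LDAP attribute named, the Dovecot field is set from that attribute, optionally passed through a template in which `%$` stands for the attribute's value; with the LDAP attribute left empty (`=field=template`), the field is always set from the template alone, where `%{ldap:name}` fetches another attribute and `%u`/`%n`/`%d` are the login parts. `quota_rule=*:storage=100M` is simply such a template value handed to the quota plugin (rule `*` for all mailboxes, 100M storage). Two behaviours are assumptions of this model, marked in the code: a field whose named attribute is absent is left unset, and an absent attribute referenced via `%{ldap:name}` expands to an empty string. The `@name=base(...)` subquery form from the first post is not covered. The entry, field names and `THREAD_SPEC` constant are constructed for the example.

```python
"""Offline model of Dovecot's user_attrs syntax, ldapAttr=dovecotField=template
(added example; not code from the thread or from Dovecot)."""
import re

# Constructed LDAP entry following the schema in the original post (attribute names lowercased).
ENTRY = {
    "uid": ["fhanzlik"], "uidnumber": ["1042"], "gidnumber": ["500"],
    "homedirectory": ["/Home/staff/fhanzlik"], "quotabytes": ["1073741824"], "mailseparator": ["/"],
}

# The second user_attrs block quoted in the thread, as one setting string.
THREAD_SPEC = ("=home=%{ldap:homeDirectory}, =uid=%{ldap:uidNumber}, =gid=%{ldap:gidNumber}, "
               "=quota_rule=*:bytes=%{ldap:quotaBytes}, =namespace/default/separator=%{ldap:mailSeparator}")

# %{ldap:name} references, and the single-character variables %u %n %d %$
TOKEN = re.compile(r"%\{ldap:([^}]+)\}|%([und$])")


def first(entry, attr):
    """First value of a (multi-valued) attribute, or None when it is absent."""
    values = entry.get(attr.lower())
    return values[0] if values else None


def parse_user_attrs(spec):
    """Split 'a=b=c, d=e' into (ldapAttr, dovecotField, template) triples.
    The template is everything after the second '=', so it may itself contain '='."""
    rules = []
    for item in spec.replace("\\\n", "").split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split("=", 2)
        if len(parts) < 2:
            raise ValueError("expected ldapAttr=dovecotField[=template]: %r" % item)
        template = parts[2] if len(parts) == 3 else None
        rules.append((parts[0], parts[1], template))
    return rules


def expand(template, entry, attr_value, user):
    """%$ is the named attribute's own value; %{ldap:x} fetches attribute x; %u/%n/%d are the login parts."""
    local, _, domain = user.partition("@")

    def sub(m):
        if m.group(1):
            return first(entry, m.group(1)) or ""   # ASSUMPTION: absent attribute -> empty string
        return {"u": user, "n": local, "d": domain, "$": attr_value}[m.group(2)]

    return TOKEN.sub(sub, template)


def build_user_fields(spec, entry, user):
    """Produce the userdb fields (home, uid, gid, quota_rule, ...) for one entry."""
    fields = {}
    for ldap_attr, field, template in parse_user_attrs(spec):
        if ldap_attr:
            value = first(entry, ldap_attr)
            if value is None:
                continue                # ASSUMPTION: attribute absent -> field not set at all
            fields[field] = value if template is None else expand(template, entry, value, user)
        else:
            fields[field] = expand(template or "", entry, "", user)  # always set, from the template
    return fields


if __name__ == "__main__":
    for spec in ("homeDirectory=home,uidNumber=uid,gidNumber=gid",
                 "homeDirectory=home=/var/mail/%$",
                 "=mail=maildir:/var/spool/vmail/",
                 THREAD_SPEC):
        print(spec, "->", build_user_fields(spec, ENTRY, "fhanzlik"))
```

Run side by side, the three wiki lines differ only in where the value comes from: the first copies an attribute into a field, the second wraps that attribute's value in a path template, and the third sets a field to a fixed string with no LDAP attribute involved.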