dovecot - Mar 2007 - user_global_uid - tricky to set

Hola!

Dovecot should serve virtual mail users. So I've set user_global_uid
and user_global_gid in dovecot_ldap.conf to vmail/vmail. Also I've
commented auth the user_attrs field. Still Dovecot tries to switch to
the uid that is defined in the LDAP entry. 

It took me some time to figure out, that the only way to prevent this
is to set
user_attrs = foo=uid,bar=gid
or something like this, so Dovecot doesn't have a chance to find the
uid/gid. Still it will perform some LDAP lookups.

In my oppinion, Dovecot shouldn't try to get the uid/gid from LDAP if
the user_attrs field is undefined.

I'm using Dovecot 1.0rc24 on Debian sid.

Regards,
A.

On Thu, 2007-03-01 at 22:02 +0100, Alexej Davidov wrote:
> Hola!
> 
> Dovecot should serve virtual mail users. So I've set user_global_uid
> and user_global_gid in dovecot_ldap.conf to vmail/vmail. Also I've
> commented auth the user_attrs field. Still Dovecot tries to switch to
> the uid that is defined in the LDAP entry. 
> 
> It took me some time to figure out, that the only way to prevent this
> is to set
> user_attrs = foo=uid,bar=gid
> or something like this, so Dovecot doesn't have a chance to find the
> uid/gid. Still it will perform some LDAP lookups.
> 
> In my oppinion, Dovecot shouldn't try to get the uid/gid from LDAP if
> the user_attrs field is undefined.
Commenting out user_attrs is the same as setting it to the default
value. Setting "user_attrs =" should have worked. However if you
don't
want userdb LDAP lookup at all, use userdb static instead.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20070306/6111944a/attachment.bin>

On Tue, 06 Mar 2007 16:55:25 +0200
Timo Sirainen <tss at iki.fi> wrote:
> On Thu, 2007-03-01 at 22:02 +0100, Alexej Davidov wrote:
> > Hola!
> > 
> > Dovecot should serve virtual mail users. So I've set
user_global_uid
> > and user_global_gid in dovecot_ldap.conf to vmail/vmail. Also I've
> > commented auth the user_attrs field. Still Dovecot tries to switch
> > to the uid that is defined in the LDAP entry. 
> > 
> > It took me some time to figure out, that the only way to prevent
> > this is to set
> > user_attrs = foo=uid,bar=gid
> > or something like this, so Dovecot doesn't have a chance to find
the
> > uid/gid. Still it will perform some LDAP lookups.
> > 
> > In my oppinion, Dovecot shouldn't try to get the uid/gid from LDAP
> > if the user_attrs field is undefined.
> 
> Commenting out user_attrs is the same as setting it to the default
> value. Setting "user_attrs =" should have worked. However if you
don't
> want userdb LDAP lookup at all, use userdb static instead.
I want to use ldap for authorization. The entries just happen to
contain a uid field, which should not be used for file access, though.

Setting "user_attrs =" did not work. Dovecot still looked up the uid
from ldap. I always got:
Mar  1 21:31:54 myhost dovecot: imap-login: Login:
user=<foo at bar.net>, method=PLAIN, rip=xxx.xxx.xxx.xxx,
lip=xxx.xxx.xxx.xxx, TLS
Mar  1 21:31:54 myhost dovecot: IMAP(foo at bar.net):
stat(/var/vmail/foo/cur) failed: Permission denied 

I tried again with "user_attrs =" and strange enough the error is now
different:
Mar  6 19:11:52 myhost dovecot: imap-login: Internal login failure:
user=<foo at bar.net>, method=PLAIN, rip=xxx.xxx.xxx.xxx,
lip=xxx.xxx.xxx.xxx, TLS 
Mar  6 19:11:52 myhost dovecot: child 9966 (auth) killed with signal 11

After setting user_attrs back to "foo=uid,bar=gid" everything works
again.

A.