Hi list,

I'm new on this mailing list and I'm kind of stuck at the moment.

I managed to get Postfix and Dovecot working together with Amavis,
OpenLDAP and SASL on Ubuntu Linux Release "Dapper Drake". The Dovecot
version shipped with Dapper is 1.0-beta3 (at least, that's what the
package database tells me), I also tried this with a Debian Backport of
version 1.0-rc15.

And here is my problem:
A customer of mine needs usernames different from the mail address for
his third party software to work. In other words, I need the ability to
login with the username foo to get access to the mailbox bar at example.com.
So I tried to override the mail_location property for this user with a
separate mailDirectory attribute in my LDAP tree.

Speaking in dovecot.conf words:

    mail_location = maildir:/var/spool/dovecot/mail/%d/%n

    auth default {
        mechanisms = plain

        passdb ldap {
            args = /etc/dovecot/dovecot-ldap.com
        }

        userdb ldap {
            args = /etc/dovecot/dovecot-ldap.com
        }

        userdb static {
            args = uid=vmail gid=vmail
        }

        user = dovecot
    }

and dovecot-ldap.conf:

    hosts = localhost
    dn = cn=admin,dc=ekits,dc=de
    dnpass = secret
    auth_bind = yes
    ldap_version = 3
    base = ou=mailsystem,dc=ekits,dc=de
    scope = subtree
    user_attrs = mailDirectory=mail
    user_filter = (&(objectClass=ekitsMailAccount)(uid=%u))
    pass_attrs = uid=user,userPassword=password
    pass_filter = (&(objectClass=ekitsMailAccount)(uid=%u))
    user_global_uid = vmail
    user_global_gid = vmail

A typical ldap entry looks something like this:

    dn: cn=Patrick Kranz,o=EK IT-Solutions,ou=mailsystem,dc=ekits,dc=de
    ekitsMailDestination: patrick at ekits.de
    objectClass: ekitsMailAccount
    objectClass: top
    cn: Patrick Kranz
    structuralObjectClass: ekitsMailAccount
    entryUUID: b4ebb9e8-6d8d-102b-9dc9-9edb870845a4
    creatorsName: cn=admin,dc=ekits,dc=de
    createTimestamp: 20070323132526Z
    userPassword:: YVBhc3M
    mailDirectory: maildir:/var/spool/dovecot/mail/ekits.de/blubb
    uid: patrick

As far as I can interpret the log of slapd, dovecot doesn't even ask for
the attribute "mailDirectory".

I also tried this with userdb prefetch.
With this it did actually ask for the attribute but it still had no
effect. With this configuration dovecot creates the directory
/var/spool/spool/dovecot/mail/patrick if I login with the uid patrick
but I wanted access to /var/spool/dovecot/mail/ekits.de/blubb

If anybody has any clue what I did wrong or if I have a conceptual
misunderstanding, I would appreciate any help.

Thanks in advance.

Greetings,
Patrick

On Mon, 2007-03-26 at 20:44 +0200, Patrick Kranz wrote:
> Hi list,
>
> I'm new on this mailing list and I'm kind of stuck at the moment.
>
> I managed to get Postfix and Dovecot working together with Amavis,
> OpenLDAP and SASL on Ubuntu Linux Release "Dapper Drake". The Dovecot
> version shipped with Dapper is 1.0-beta3 (at least, that's what the
> package database tells me), I also tried this with a Debian Backport of
> version 1.0-rc15.

I'd of course recommend the latest RC :)

> userdb ldap {
>     args = /etc/dovecot/dovecot-ldap.com
> }
>
> userdb static {
>     args = uid=vmail gid=vmail

If the users exist in the ldap, the static userdb is useless here.
userdb static i

> user_attrs = mailDirectory=mail

Looks OK for rc15. I don't remember if beta3 supported this format.

> mailDirectory: maildir:/var/spool/dovecot/mail/ekits.de/blubb

Still ok.

> As far as I can interpret the log of slapd, dovecot doesn't even ask for
> the attribute "mailDirectory".

Set auth_debug=yes and show the logs.

> I also tried this with userdb prefetch.
> With this it did actually ask for the attribute but it still had no
> effect. With this configuration dovecot creates the directory
> /var/spool/spool/dovecot/mail/patrick if I login with the uid patrick
> but I wanted access to /var/spool/dovecot/mail/ekits.de/blubb
>
> If anybody has any clue what I did wrong or if I have a conceptual
> misunderstanding, I would appreciate any help.

All the settings you showed above looked correct, so there's something
else that's wrong. Could you show "dovecot -n" output instead of the
copy&pasted dovecot.conf? That shows what Dovecot is really seeing in
the configuration. For example if the static userdb is actually before
ldap userdb, the ldap is never used at all.

Also a better way to implement aliases is to change the username instead
of the mail directory. You can do this with something like:

    pass_filter = (&(objectClass=ekitsMailAccount)(|(uid=%u)(userAlias=%u)))

Because pass_attrs contains uid=user, the username is always changed to
uid's contents no matter how the filter lookup matched.
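
An added example, not part of the thread and not Dovecot code: an offline model of the alias pass_filter suggested above, showing how a login is rewritten to the entry's uid and flagging login names that would match more than one account. The sample entries are constructed, "userAlias" is the illustrative attribute from the reply, and treating a multi-entry match as a failed lookup is an assumption of this sketch.

```python
from collections import defaultdict

ACCOUNT_CLASS = "ekitsMailAccount"

# Constructed sample directory (not from the thread). "userAlias" is the
# illustrative alias attribute used in the suggested pass_filter.
ENTRIES = [
    {"dn": "cn=Bar,ou=mailsystem,dc=example,dc=com",
     "objectClass": [ACCOUNT_CLASS], "uid": ["bar"], "userAlias": ["foo"]},
    {"dn": "cn=Alice,ou=mailsystem,dc=example,dc=com",
     "objectClass": [ACCOUNT_CLASS], "uid": ["alice"],
     "userAlias": ["sales", "bar"]},           # alias collides with uid "bar"
    {"dn": "cn=Printer,ou=mailsystem,dc=example,dc=com",
     "objectClass": ["device"], "uid": ["foo"]},  # wrong class, never matches
]

def _names(entry):
    """All login names an entry answers to, lower-cased for comparison."""
    return {v.lower() for v in entry.get("uid", []) + entry.get("userAlias", [])}

def pass_lookup(entries, login):
    """Model (&(objectClass=ekitsMailAccount)(|(uid=%u)(userAlias=%u)))."""
    return [e for e in entries
            if ACCOUNT_CLASS in e.get("objectClass", [])
            and login.lower() in _names(e)]

def resolve(entries, login):
    """Canonical username for a login, or None.

    pass_attrs maps uid=user, so the matched entry's uid replaces whatever
    the client typed. Zero or several matches count as failure here
    (assumption of this sketch).
    """
    hits = pass_lookup(entries, login)
    return hits[0]["uid"][0] if len(hits) == 1 else None

def ambiguous_logins(entries):
    """Login names that the filter would match against several accounts."""
    owners = defaultdict(set)
    for e in entries:
        if ACCOUNT_CLASS in e.get("objectClass", []):
            for name in _names(e):
                owners[name].add(e["dn"])
    return {n: sorted(dns) for n, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for login in ("foo", "alice", "bar", "nobody"):
        print(login, "->", resolve(ENTRIES, login))
    print("ambiguous:", ambiguous_logins(ENTRIES))
```

Running the same collision check against an export of the real directory before enabling the alias filter shows whether any alias shadows another account's uid.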

Hi Timo and thanks for the quick answer!

Timo Sirainen wrote:
> On Mon, 2007-03-26 at 20:44 +0200, Patrick Kranz wrote:
>
>> Hi list,
>>
>> I'm new on this mailing list and I'm kind of stuck at the moment.
>>
>> I managed to get Postfix and Dovecot working together with Amavis,
>> OpenLDAP and SASL on Ubuntu Linux Release "Dapper Drake". The Dovecot
>> version shipped with Dapper is 1.0-beta3 (at least, that's what the
>> package database tells me), I also tried this with a Debian Backport of
>> version 1.0-rc15.
>>
>
> I'd of course recommend the latest RC :)
>

I also would prefer this but I also like the comfort of a package
management system, so I don't have to compile from scratch for every new
version, especially not on a live system that isn't mine ;)

>
>> userdb ldap {
>>     args = /etc/dovecot/dovecot-ldap.com
>> }
>>
>> userdb static {
>>     args = uid=vmail gid=vmail
>>
>
> If the users exist in the ldap, the static userdb is useless here.
> userdb static i
>
>

Now that you mention it :) Especially because I gain the wanted effect
with user_global_uid/gid in the dovecot-ldap.conf....
But this seemed to be the source of all problems because it was exactly
as you said. Removing the static userdb made dovecot look up my
attributes in LDAP and everything worked :)

I also think I'm gonna stick with your suggestion regarding the
pass_filter. It seems less error-prone and that's exactly what I need
for this customer :)

Thanks very much for your quick help!

Have a nice evening,
Patrick