I have _almost_ got Dovecot working! One little snag...
My users login using their email address as username. Each domain has
their own LDAP subtree. Each user has an entry in the ou=users subtree
of the domain subtree, and has a mail: field (inetOrgPerson) listing
their email address/login name.
I am trying to use auth_bind: when I login with jackmc at lorentz.com,
dovecot should search for mail=jackmc at lorentz.com in the onelevel below
ou=users,dc=lorentz,dc=com and find me as "cn=Jack
McKinney,ou=users,dc=lorentz,dc=com".
I have created an entry in LDAP (varmail) that should be able to do
this query. Indeed, from the command line, it works:
ldapsearch -h ldap.lrtz -b 'ou=users, dc=lorentz, dc=com' -D
'cn=varmail,ou=users,dc=lorentz,dc=com' -x -W -s onelevel
'(&(objectClass=inetOrgPerson)(mail=jackmc at lorentz.com))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users, dc=lorentz, dc=com> with scope oneLevel
# filter: (&(objectClass=inetOrgPerson)(mail=jackmc at lorentz.com))
# requesting: ALL
#
# Jack McKinney, users, lorentz.com
dn: cn=Jack McKinney,ou=users,dc=lorentz,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Jack McKinney
givenName: Jack McKinney
sn: McKinney
mail: jackmc at lorentz.com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
' However, it appears that dovecot performs the above query
successfully, but then never uses the password and retrieved DN to
attempt to bind and authenticate the user. Instead, it just times out.
My dovecot-ldap.conf is:
hosts = ldap.lrtz
dn = cn=varmail,ou=users,dc=lorentz,dc=com
dnpass = *********
ldap_version = 3
auth_bind = yes
pass_filter = (&(objectClass=inetOrgPerson)(mail=%Lu))
base = ou=users, dc=%Dd
scope = onelevel
The dovecot log shows:
Apr 3 08:13:21 fourier dovecot: auth(default): new auth connection:
pid=15774
Apr 3 08:13:30 fourier dovecot: auth(default): client in:
AUTH^I1^IPLAIN^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=y.y.y.y^Iresp=<hidden>
Apr 3 08:13:30 fourier dovecot: auth(default):
ldap(jackmc at lorentz.com,y.y.y.y): bind search: base=ou=users,
dc=lorentz,dc=com
filter=(&(objectClass=inetOrgPerson)(mail=jackmc at lorentz.com))
Apr 3 08:16:30 fourier dovecot: imap-login: Disconnected: Inactivity:
method=PLAIN, rip=y.y.y.y, lip=x.x.x.x, TLS
The OpenLDAP log shows that the query is received and that it returns a
match:
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH
base="ou=users,dc=lorentz,dc=com" scope=1 deref=0
filter="(&(objectClass=inetOrgPerson)(mail=jackmc at
lorentz.com))"
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH attr=uid
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SEARCH RESULT tag=101
err=0 nentries=1 text
When I do the query from the command line, there is an additional pair
of lines:
Apr 3 08:18:10 fourier slapd[16106]: conn=22 op=2 UNBIND
Apr 3 08:18:10 fourier slapd[16106]: conn=22 fd=28 closed
I thus conclude that Dovecot is not closing the connection.
--
Jack McKinney
GPG 1024D/99C6A174
jackmc at lorentz.com YM:lfaatsnat2006 AIM:jackmclorentz
"There is no parameter that makes it impossible for you to perform still
more excellently."
-Mario Cuomo, on the lack of a clock in baseball
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20080403/70dd4249/attachment-0002.bin>