Hi there,
I'm working on a setup with postfix (2.5.5) + dovecot (1.2.11) using an
Active Directory user backend. At first, I used the instructions found
here[1] to do the base configuration. As I understand, I need to use
dovecot as an LDA to be able to use the quota plugin and have a
per-user quota configuration, and this led me to two distinct (and
opposed) configuration options. It seems that the usual dovecot + AD
configuration uses the "auth_bind = yes" option, where dovecot
tries to bind to AD using user credentials. *But* to be able to use
the LDA, dovecot can't rely on user credentials, as there are none when a
mail arrives, so one needs to use "auth_bind = no" and choose a "user"
to bind to AD, using the dn and dnpass options. Am I right until here?
I could just use auth_bind=no *IF* the "dn" user has the necessary
privileges to read other AD users' passwords (like an administrator
user). Is this correct? Well, anticipating that the AD sysadmin guy
will not be happy with this, I thought that maybe I could "mix" the
two configurations, since I don't need the user password to find the user's
mailbox (while delivering), but I do while doing his authentication. I
may use one configuration for userdb, and another for passdb. BUT
(again!) there's another problem, since delivering needs "email"
(user@domain) and authentication needs "user" values (and it's
perfectly valid that one should use "John Doe" as user, and foo@bar as
email!). So, I messed a little with user filters and got this
configuration:
dovecot.conf:
mail_uid = 1001
mail_gid = 1001
passdb ldap {
args = /etc/dovecot/dovecot-ldap-pass.conf
}
userdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}
dovecot-ldap-pass.conf:
hosts = 10.x.x.x
base = dc=mydomain,dc=com,dc=br
ldap_version = 3
auth_bind = yes
auth_bind_userdn = mydomain\%u
dovecot-ldap.conf:
hosts = 10.x.x.x
auth_bind = no
dn = cn=Unprivleged User,cn=Users,dc=mydomain,dc=com,dc=br
dnpass = 123456
ldap_version = 3
base = dc=mydomain,dc=com,dc=br
deref = never
scope = subtree
user_attrs = sAMAccountName=mail=maildir:/var/vmail/%$/Maildir
user_filter = (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)))
pass_attrs = sAMAccountName=user,userPassword=password
pass_filter = (&(objectClass=person)(sAMAccountName=%u))
The "pass_attrs" and "pass_filter" in dovecot-ldap.conf are not
used. The clever part, or the incredibly stupid one, is the filter
(&(objectClass=person)(|(mail=%u)(sAMAccountName=%u))), which means
"find some person with email=something OR some person with
username=user". I'm not sure of the full implications this could
have... Anyway, it's working, as the system accepts emails and the
user can retrieve them using pop3.
Is there a better way of doing all this? Is it safe to bind dovecot to
AD with the necessary privileges to read user passwords? I'm no AD
expert, but can this special user be "read-only"?
thanks in advance
[1] http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/
--
Christian Lyra
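As an added example (not part of Christian's post and not Dovecot code), here is a small in-memory model of the two lookups the mixed configuration above performs: the passdb bind with the user's own credentials (auth_bind = yes, auth_bind_userdn = mydomain\%u) and the userdb search with the OR filter and the sAMAccountName-based maildir template. It is meant to make the "implications" question concrete: the same mailbox is found whether %u arrives as the login name or as the mail address, a non-person entry sharing the address is excluded by the objectClass clause, and an unescaped wildcard in the substituted value would turn the lookup ambiguous. The directory entries, the passwords, the entry names and the RFC 4515 escaping helper are all constructed for this example; the escaping step belongs to this model and says nothing about how dovecot 1.2.11 itself substitutes %u.

```python
import re

# Constructed sample directory entries (not real AD data), shaped like the
# attributes the post's filters use. The third entry shows why the filter
# keeps the (objectClass=person) clause: it shares John's address but is
# not a person, so it must never be picked as a mailbox owner.
DIRECTORY = [
    {"dn": "cn=John Doe,cn=Users,dc=mydomain,dc=com,dc=br",
     "objectClass": ["person", "user"], "sAMAccountName": "John Doe",
     "mail": "foo@bar"},
    {"dn": "cn=Mary Major,cn=Users,dc=mydomain,dc=com,dc=br",
     "objectClass": ["person", "user"], "sAMAccountName": "mmajor",
     "mail": "mary@mydomain.com.br"},
    {"dn": "cn=Relay Host,cn=Computers,dc=mydomain,dc=com,dc=br",
     "objectClass": ["computer"], "sAMAccountName": "relay$",
     "mail": "foo@bar"},
]

# Constructed stand-in for AD's bind check (auth_bind = yes): the key is the
# auth_bind_userdn template "mydomain\%u" with %u filled in.
BIND_PASSWORDS = {"mydomain\\John Doe": "s3cret", "mydomain\\mmajor": "hunter2"}

# user_attrs template from the post: %$ is replaced with sAMAccountName.
MAIL_TEMPLATE = "maildir:/var/vmail/%$/Maildir"


def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def assertion_matches(attr_value, assertion):
    """Evaluate one LDAP equality assertion (attr=assertion) against a stored
    value: an unescaped '*' is a substring wildcard, '\\xx' is a literal
    byte, and matching is case-insensitive as for mail/sAMAccountName."""
    pattern = ""
    i = 0
    while i < len(assertion):
        c = assertion[i]
        if c == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", assertion[i + 1:i + 3]):
            pattern += re.escape(chr(int(assertion[i + 1:i + 3], 16)))
            i += 3
        elif c == "*":
            pattern += ".*"
            i += 1
        else:
            pattern += re.escape(c)
            i += 1
    return re.fullmatch(pattern, attr_value, re.IGNORECASE) is not None


def userdb_lookup(u, escape=True):
    """Model of
        user_filter = (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)))
        user_attrs  = sAMAccountName=mail=maildir:/var/vmail/%$/Maildir
    Returns one mail location per matching entry; more than one is ambiguous."""
    value = ldap_escape(u) if escape else u
    hits = []
    for e in DIRECTORY:
        if "person" not in e["objectClass"]:
            continue
        if assertion_matches(e["mail"], value) or assertion_matches(e["sAMAccountName"], value):
            hits.append(MAIL_TEMPLATE.replace("%$", e["sAMAccountName"]))
    return hits


def passdb_bind(u, password):
    """Model of passdb with auth_bind = yes and auth_bind_userdn = mydomain\\%u:
    the user's own credentials are presented to AD, so no account that can
    read other users' passwords is needed."""
    return BIND_PASSWORDS.get("mydomain\\" + u) == password


def login(u, password):
    """POP3 login path: passdb (bind) first, then userdb for the mail location."""
    if not passdb_bind(u, password):
        return None
    hits = userdb_lookup(u)
    return hits[0] if len(hits) == 1 else None


def deliver(address):
    """LDA path: no password is available, only the userdb lookup by address."""
    hits = userdb_lookup(address)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print("deliver foo@bar      ->", deliver("foo@bar"))
    print("login John Doe       ->", login("John Doe", "s3cret"))
    print("unescaped '*' lookup ->", userdb_lookup("*", escape=False))
    print("escaped '*' lookup   ->", userdb_lookup("*"))
```

Both paths end in the same maildir because the template keys on sAMAccountName rather than on whichever attribute happened to match, which is what makes the OR filter workable for a user whose login name and address differ. The model refuses to deliver or log in when more than one person matches, so a collision between one user's sAMAccountName and another's mail would surface as a failed lookup rather than as mail landing in the wrong mailbox; a real deployment should check how the Dovecot version in use handles multiple userdb results.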