Ran Talbott
2010-Dec-23 23:53 UTC
[Dovecot] Dovecot 1.2.12+Postfix+Active Directory: virtual domain name dropped.
I have a Windoze-only client who wants to move their mail hosting from
godaddy.com hosting to an in-house system. I'm pitching Linux as an
alternative to Exchange, and trying to set up a demonstration system for
them. While a long-time Linux user, my server admin experience has been in
setting up front-ends (mostly Apache-based web interfaces) for the embedded
systems I specialize in.
The goal is to have an IMAP server where the users don't have Linux IDs, and
only need to manually log in to the Active Directory domain controller.
The client has multiple Internet domains, but all users are in the same
Active Directory realm internally.
With the help of the how-tos at linuxmail.info, I got the system to the point
of being able to authenticate logins for both IMAP and SMTP (using
dovecot-SASL). I tried using PAM first, but it didn't work: running kinit
from the command line takes over 90 seconds to get a ticket, and Dovecot
timed out after 60 on every login attempt. So I switched to LDAP. Note: I
still don't understand why, but authentication through Active Directory
didn't work until I changed the querying distinguished name from
the "cn=,dc=,dc=" format to "user at xxxx.local" format.
I have Postfix using dovecot-deliver as the LDA, but I hit a snag: deliver is
not putting the domain name in the path to the maildir.
I have the active directory query set as:
user_filter = (&(objectClass=user)(samaccountname=%n))
user_attrs = =home=/var/mailstore/%d/%n. =uid=501, =gid=501, \
=mail=maildir:/var/mailstore/%d/%n/Maildir/
When I send mail to testing.testing at xxxx.xxx (real domain obscured), I see
this in mail.log
Dec 23 10:49:24 IBMUBUNTU1 dovecot: auth(default): master in:
USER#0111#011testing.testing at xxxx.xxx#011service=deliver
Dec 23 10:49:24 IBMUBUNTU1 dovecot: auth(default): ldap(testing.testing): user
search: base=dc=lawley, dc=local scope=subtree filter=(&(objectClass=user)
(samaccountname=testing.testing)) fields
Dec 23 10:49:24 IBMUBUNTU1 dovecot: auth(default): ldap(testing.testing):
result: objectClass(?unknown?)= cn(?unknown?)= sn(?unknown?)=
givenName(?unknown?)= distinguishedName(?unknown?)= instanceType(?unknown?)=
whenCreated(?unknown?)= whenChanged(?unknown?)= displayName(?unknown?)=
uSNCreated(?unknown?)= uSNChanged(?unknown?)= name(?unknown?)=
objectGUID(?unknown?)= userAccountControl(?unknown?)=
primaryGroupID(?unknown?)= objectSid(?unknown?)= sAMAccountName(?unknown?)=
sAMAccountType(?unknown?)= userPrincipalName(?unknown?)=
objectCategory(?unknown?)
Dec 23 10:49:24 IBMUBUNTU1 dovecot: auth(default): master out:
USER#0111#011testing.testing#011home=/var/mailstore//testing.testing.
=uid=501#011gid=501#011mail=maildir:/var/mailstore//testing.testing/Maildir/
i.e., the domain does not appear in the paths to the home directory or
maildir.
I found a bug report in the mailing list that looks like it might be the same
problem (%d not supported in user_attrs), but the fix it references is for
2.0.
Is this a known problem in 1.x? Is there a fix/workaround for it? E.g.,
could I have Postfix generate the maildir path and pass it to deliver as
the "-m" parameter?
Thanks,
Ran
Timo Sirainen
2010-Dec-30 11:16 UTC
[Dovecot] Dovecot 1.2.12+Postfix+Active Directory: virtual domain name dropped.
On Thu, 2010-12-23 at 16:53 -0700, Ran Talbott wrote:
> I have the active directory query set as:
> user_filter = (&(objectClass=user)(samaccountname=%n))
> user_attrs = =home=/var/mailstore/%d/%n. =uid=501, =gid=501, \
> =mail=maildir:/var/mailstore/%d/%n/Maildir/

Would be nicer to use global mail_location=maildir:~/Maildir rather than
setting it here.

> Dec 23 10:49:24 IBMUBUNTU1 dovecot: auth(default): master in:
> USER#0111#011testing.testing at xxxx.xxx#011service=deliver
>
> Dec 23 10:49:24 IBMUBUNTU1 dovecot: auth(default): ldap(testing.testing): user
> search: base=dc=lawley, dc=local scope=subtree filter=(&(objectClass=user)
> (samaccountname=testing.testing)) fields

Because you're not actually requesting any fields, "fields=" means you're
getting all the fields.

> Dec 23 10:49:24 IBMUBUNTU1 dovecot: auth(default): ldap(testing.testing):
> result: objectClass(?unknown?)= cn(?unknown?)= sn(?unknown?)=
> givenName(?unknown?)= distinguishedName(?unknown?)= instanceType(?unknown?)=
> whenCreated(?unknown?)= whenChanged(?unknown?)= displayName(?unknown?)=
> uSNCreated(?unknown?)= uSNChanged(?unknown?)= name(?unknown?)=
> objectGUID(?unknown?)= userAccountControl(?unknown?)=
> primaryGroupID(?unknown?)= objectSid(?unknown?)= sAMAccountName(?unknown?)=
> sAMAccountType(?unknown?)= userPrincipalName(?unknown?)=
> objectCategory(?unknown?)

You could add one of these fields to user_attrs to avoid it returning
everything.

> Dec 23 10:49:24 IBMUBUNTU1 dovecot: auth(default): master out:
> USER#0111#011testing.testing#011home=/var/mailstore//testing.testing.
> =uid=501#011gid=501#011mail=maildir:/var/mailstore//testing.testing/Maildir/

Still, none of this explains why the domain gets dropped. Maybe it's due to
some other setting, but you didn't give dovecot -n output so I can only
guess. See auth_username_format setting for example.
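Added example (editor's, not Dovecot's code and not from either poster): a small re-implementation of the documented meaning of Dovecot's %u, %n and %d variables applied to the static user_attrs entries from the first post, with the "master out" line rendered the way the auth log prints it. Two things fall out of running it over the constructed inputs. First, %d is only empty when the username that reaches the userdb lookup has no "@domain" part, which is what the log already shows ("ldap(testing.testing)" after "master in" received "testing.testing at xxxx.xxx", the list software's rendering of "@"), so the "//" in the paths is a symptom of the domain being stripped before the template is applied, not of the template itself; that is consistent with the reply's suggestion to check auth_username_format. Second, the posted home entry ends in ". " instead of ", ", so " =uid=501" is folded into the home value, exactly as the "master out" line shows; the USER_ATTRS_FIXED constant is a constructed corrected variant for comparison. Entries that name an LDAP attribute are skipped because there is no directory to query offline.

```python
"""Re-implementation of the documented meaning of Dovecot's %u / %n / %d
variables applied to a static user_attrs template (added example, not
Dovecot code). It reproduces the 'master out' line from the log to show
where the empty domain and the odd home value come from."""
import re
from typing import Dict, List, Tuple


def user_variables(username: str) -> Dict[str, str]:
    """%u = full username, %n = part before '@', %d = part after '@'.
    A username without '@' yields an empty %d."""
    user, sep, domain = username.partition("@")
    return {"u": username, "n": user, "d": domain if sep else ""}


_VAR_RE = re.compile(r"%([und])")


def expand(template: str, variables: Dict[str, str]) -> str:
    """Substitute the supported %-variables in one template string."""
    return _VAR_RE.sub(lambda m: variables[m.group(1)], template)


def parse_user_attrs(spec: str) -> List[Tuple[str, str, str]]:
    """Split a user_attrs value into (ldapAttr, dovecotField, template)
    triples. Entries are comma separated; an empty ldapAttr means the
    field is static and comes from the template alone."""
    entries: List[Tuple[str, str, str]] = []
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split("=", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed user_attrs entry: {raw!r}")
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def resolve_static_fields(spec: str, username: str) -> Dict[str, str]:
    """Expand every static entry for the given username. Entries that name
    an LDAP attribute are skipped: there is no directory to query offline."""
    variables = user_variables(username)
    fields: Dict[str, str] = {}
    for ldap_attr, field, template in parse_user_attrs(spec):
        if ldap_attr:
            continue
        fields[field] = expand(template, variables)
    return fields


def fields_missing_domain(fields: Dict[str, str]) -> List[str]:
    """Names of fields whose path contains '//', the tell-tale of an empty
    %d: the username reaching the userdb lookup had no domain part."""
    return sorted(name for name, value in fields.items() if "//" in value)


def master_out_line(username: str, fields: Dict[str, str]) -> str:
    """Render the fields the way the auth log prints 'master out'
    (tabs appear as #011 in syslog)."""
    return "#011".join([username] + [f"{k}={v}" for k, v in fields.items()])


# Constructed from the post: the posted home entry ends with '.' and a
# space instead of ',' so the uid entry is folded into the home value.
USER_ATTRS_POSTED = ("=home=/var/mailstore/%d/%n. =uid=501, =gid=501, "
                     "=mail=maildir:/var/mailstore/%d/%n/Maildir/")
# Same template with the separator corrected (constructed for comparison).
USER_ATTRS_FIXED = ("=home=/var/mailstore/%d/%n, =uid=501, =gid=501, "
                    "=mail=maildir:/var/mailstore/%d/%n/Maildir/")


if __name__ == "__main__":
    # Constructed usernames; the list software printed '@' as ' at '.
    for name in ("testing.testing@xxxx.xxx", "testing.testing"):
        for label, spec in (("posted", USER_ATTRS_POSTED),
                            ("fixed", USER_ATTRS_FIXED)):
            fields = resolve_static_fields(spec, name)
            print(f"[{label}] {master_out_line(name, fields)}")
            print(f"         fields missing %d: {fields_missing_domain(fields)}")
```

Running it prints the posted template with the domain-less username as "testing.testing#011home=/var/mailstore//testing.testing. =uid=501#011gid=501#011mail=...", matching the log line above; with "testing.testing@xxxx.xxx" and the corrected separator, home becomes /var/mailstore/xxxx.xxx/testing.testing and uid is a field of its own.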