Alexandr Sabitov
2012-Dec-20 02:11 UTC
[Dovecot] Director and forwarding LDAP user as Master user
Hello guys,
Would you be able to help me with this little issue? I bet someone has the same
config, so if you can copy-paste it I would very much appreciate it.
So the main idea is to enable the Dovecot director to authenticate an LDAP user with
a plain or encrypted password and send the user to the back-end Dovecot server after
the authentication.
According to the Wiki it is only possible if we use the master user to communicate
with the back-end server.
On the back-end Dovecot server it is working fine, I can log in as normal
user/user_password or as user*masteruser/master_password. The back-end config
is:
auth_master_user_separator = *
passdb {
driver = passwd-file
args = /usr/local/dovecot/etc/dovecot/passwd.masterusers
master = yes
pass = yes
}
passdb {
driver = ldap
args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
driver = ldap
args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
}
Now the front-end: how do I get the director to forward the user to the back-end after
authentication on the director? With my director config the user stays on the
director all the time:
passdb {
driver = static
args = proxy=y master=masteruser pass=master_password destuser=%u*masteruser
}
passdb {
driver = ldap
args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
driver = ldap
args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
}
The only way to forward the user is to set up nopassword=y in the args of the static
passdb, but in that case the user will be authenticated on the back-end but not on
the director...
What am I missing? Please help me.
Best Regards,
Alexandr Sabitov
Timo Sirainen
2013-Jan-04 03:53 UTC
[Dovecot] Director and forwarding LDAP user as Master user
On 20.12.2012, at 4.11, Alexandr Sabitov <alexandr.sabitov at netregistry.com.au> wrote:

> Hello guys,
>
> Would you be able to help me with this little issue? I bet someone has the same config, so if you can copy-paste it I would very much appreciate it.
> So the main idea is to enable the Dovecot director to authenticate an LDAP user with a plain or encrypted password and send the user to the back-end Dovecot server after the authentication.
> According to the Wiki it is only possible if we use the master user to communicate with the back-end server.

If you use auth_bind=yes this doesn't work. If you don't, this should work:

> On the back-end Dovecot server it is working fine, I can log in as normal user/user_password or as user*masteruser/master_password. The back-end config is:
>
> auth_master_user_separator = *
> passdb {
> driver = passwd-file
> args = /usr/local/dovecot/etc/dovecot/passwd.masterusers
> master = yes
> pass = yes
> }
>
> passdb {
> driver = ldap
> args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
> }
>
> userdb {
> driver = ldap
> args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
> }

The above looks ok. "pass = yes" is the important part, so simply adding this should work:

> Now the front-end: how do I get the director to forward the user to the back-end after authentication on the director? With my director config the user stays on the director all the time:
>
> passdb {
> driver = static
> args = proxy=y master=masteruser pass=master_password destuser=%u*masteruser

pass = yes

> }
>
> passdb {
> driver = ldap
> args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
> }
>
> userdb {
> driver = ldap
> args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
> }
>
> The only way to forward the user is to set up nopassword=y in the args of the static passdb, but in that case the user will be authenticated on the back-end but not on the director...
> What am I missing? Please help me.
>
> Best Regards,
> Alexandr Sabitov
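The director-side configuration with Timo's suggested "pass = yes" in place, written out as an added illustration of the thread's answer; it is not a config posted by either participant. The back-end config stays exactly as Alexandr posted it. The dovecot-ldap.conf.ext part is an assumption: the thread never shows that file, so the host, bind DN, base, filter and attribute names below are placeholders, and only "auth_bind = no" is taken from Timo's note.

```conf
# --- director dovecot.conf (added example, not from the thread) ---
# passdbs are tried in order. The static passdb supplies the proxy,
# master, pass and destuser fields; "pass = yes" tells Dovecot not to
# finish authentication here but to continue to the next passdb, so the
# user's own password is still verified against LDAP on the director
# before the connection is proxied as user*masteruser. nopassword=y is
# no longer needed, which is what made the director skip verification.
passdb {
  driver = static
  args = proxy=y master=masteruser pass=master_password destuser=%u*masteruser
  pass = yes
}

# Verifies the login user's password. Timo's caveat: this only works
# when dovecot-ldap.conf.ext has auth_bind = no.
passdb {
  driver = ldap
  args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
}

userdb {
  driver = ldap
  args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
}

# Caveat: master_password above lets the holder log in as any user on
# every back-end. Keep this file readable by root only; Dovecot's config
# process reads it as root, so nothing else needs access to it.

# --- dovecot-ldap.conf.ext (assumed content; values are placeholders) ---
hosts = ldap.example.com
dn = cn=dovecot,ou=services,dc=example,dc=com
dnpass = BIND_PASSWORD_PLACEHOLDER
base = ou=people,dc=example,dc=com

# auth_bind = no: Dovecot reads the password attribute and compares it
# itself instead of binding as the user. The bind DN above must
# therefore be allowed to read userPassword.
auth_bind = no
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
pass_attrs = uid=user,userPassword=password

# Scheme used when the stored value has no {SCHEME} prefix; {SSHA},
# {CRYPT} etc. prefixes in the attribute override this, so both plain
# and hashed passwords can be verified.
default_pass_scheme = SSHA

user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=inetOrgPerson)(uid=%u))
```

To check that the director really verifies the password itself, run "doveadm auth test <user> <password>" on the director: a wrong password must now fail there, which is the observable difference from the nopassword=y setup, where any password was accepted at the director and only rejected by the back-end.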