Hello,

Dovecot 2.2.25 on CentOS 7

I set up LDAP (FreeIPA) to have a user for dovecot that can (read, search,
compare) all attributes that I need for dovecot.

I must also have mailAlternateAddress.

When I make an ldapsearch with this user, I find all I need to configure
dovecot.

But for me it is not possible to configure this correctly?

I can run for the user
doveadm auth test office
and
doveadm auth test office@examle.com

with successful authentication,

but when I run
doveadm auth test info@example.co (mailAlternateAddress)

I have a broken authentication.

Can anyone give me a hint what is wrong, or is this not possible?

# Space separated list of LDAP hosts to use. host:port is allowed too.
#hosts = 192.168.100.204 192.168.100.214
#hosts = 192.168.100.204
hosts = ipa.example.com

# LDAP URIs to use. You can use this instead of hosts list. Note that this
# setting isn't supported by all LDAP libraries.
#uris = ldap://ipa.example.com ldap://ipa1.example.com

# Distinguished Name - the username used to login to the LDAP server.
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com

# Password for LDAP server, if dn is specified.
dnpass = 'XXXXXXXXXXXXXX'

# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
# and auth_bind=yes don't work together.
sasl_bind = yes
# SASL mechanism name to use.
sasl_mech = gssapi
# SASL realm to use.
sasl_realm = EXAMPLE.COM
# SASL authorization ID, ie. the dnpass is for this "master user", but the
# dn is still the logged in user. Normally you want to keep this empty.
sasl_authz_id = imap/mx01.example.com@EXAMPLE.COM

# Use TLS to connect to the LDAP server.
#tls = yes
# TLS options, currently supported only with OpenLDAP:
tls_ca_cert_file = /etc/ipa/ca.crt
#tls_ca_cert_dir
#tls_cipher_suite
# TLS cert/key is used only if LDAP server requires a client certificate.
#tls_cert_file
#tls_key_file
# Valid values: never, hard, demand, allow, try
tls_require_cert = demand

# Use the given ldaprc path.
#ldaprc_path

# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
# to get enough output.
#debug_level = 0

# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes

# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
#
# If you use this setting, it's a good idea to use a different
# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
# the filename is different in userdb's args). That way one connection is used
# only for LDAP binds and another connection is used for user lookups.
# Otherwise the binding is changed to the default DN before each user lookup.
#
# For example:
# auth_bind_userdn = cn=%u,ou=people,o=org
#
auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com

# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3

# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
base = cn=users,cn=accounts,dc=example,dc=com

# Dereference: never, searching, finding, always
#deref = never

# Search scope: base, onelevel, subtree
scope = subtree
#scope = onelevel

# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
#   uid - System UID
#   gid - System GID
#   home - Home directory
#   mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_attrs = uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000

# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if user there's no domain
user_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))

# Password checking attributes:
#   user: Virtual user name (user@domain), if you wish to change the
#         user-given username to something else
#   password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
pass_attrs = uid=user,userPassword=password,mailAlternateAddress=user

# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
# string. For example:
#pass_attrs = uid=user,userPassword=password,\
#  homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

# Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
pass_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))

# Attributes and filter to get a list of all users
iterate_attrs = uid=user, mailAlternateAddress=user
iterate_filter = (objectClass=posixAccount)

# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
#default_pass_scheme = CRYPT

-- 
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer
On Tue, 25 Oct 2016, Günther J. Niederwimmer wrote:

> I set up LDAP (FreeIPA) to have a user for dovecot that can (read, search,
> compare) all attributes that I need for dovecot.
>
> I must also have mailAlternateAddress.
>
> When I make an ldapsearch with this user, I find all I need to configure
> dovecot.
>
> doveadm auth test office
> and
> doveadm auth test office@examle.com
>
> with successful authentication,
>
> but when I run
> doveadm auth test info@example.co (mailAlternateAddress)

I guess the missing 'm' in .co is a typo?

Do you find
doveadm user -u office
doveadm user -u office@examle.com
doveadm user -u info@example.co

> I have a broken authentication.
>
> Can anyone give me a hint what is wrong, or is this not possible?

Show us your LDAP record of this user.

> # Distinguished Name - the username used to login to the LDAP server.
> # Leave it commented out to bind anonymously (useful with auth_bind=yes).
> dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
>
> # Password for LDAP server, if dn is specified.
> dnpass = 'XXXXXXXXXXXXXX'
>
> # Use SASL binding instead of the simple binding. Note that this changes
> # ldap_version automatically to be 3 if it's lower. Also note that SASL binds
> # and auth_bind=yes don't work together.
> sasl_bind = yes
> # SASL mechanism name to use.
> sasl_mech = gssapi
> # SASL realm to use.
> sasl_realm = EXAMPLE.COM
> # SASL authorization ID, ie. the dnpass is for this "master user", but the
> # dn is still the logged in user. Normally you want to keep this empty.
> sasl_authz_id = imap/mx01.example.com@EXAMPLE.COM

Dunno with SASL and Co.

> # Use authentication binding for verifying password's validity. This works by
> # logging into LDAP server using the username and password given by client.
> # The pass_filter is used to find the DN for the user. Note that the pass_attrs
> # is still used, only the password field is ignored in it. Before doing any
> # search, the binding is switched back to the default DN.
> auth_bind = yes
>
> # If authentication binding is used, you can save one LDAP request per login
> # if users' DN can be specified with a common template. The template can use
> # the standard %variables (see user_filter). Note that you can't
> # use any pass_attrs if you use this setting.
> #
> # If you use this setting, it's a good idea to use a different
> # dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
> # the filename is different in userdb's args). That way one connection is used
> # only for LDAP binds and another connection is used for user lookups.
> # Otherwise the binding is changed to the default DN before each user lookup.
> #
> # For example:
> # auth_bind_userdn = cn=%u,ou=people,o=org
> #
> auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com

That one looks strange, you really have an account (uid=office@examle.com)?

> # Search scope: base, onelevel, subtree
> scope = subtree
> #scope = onelevel
>
> # User attributes are given in LDAP-name=dovecot-internal-name list. The
> # internal names are:
> #   uid - System UID
> #   gid - System GID
> #   home - Home directory
> #   mail - Mail location
> #
> # There are also other special fields which can be returned, see
> # http://wiki2.dovecot.org/UserDatabase/ExtraFields
> #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
> user_attrs = uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000
>
> # Filter for user lookup. Some variables can be used (see
> # http://wiki2.dovecot.org/Variables for full list):
> #   %u - username
> #   %n - user part in user@domain, same as %u if there's no domain
> #   %d - domain part in user@domain, empty if user there's no domain
> user_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))

If doveadm user -u info@example.co
returns your entry, this filter is OK.

> # Password checking attributes:
> #   user: Virtual user name (user@domain), if you wish to change the
> #         user-given username to something else
> #   password: Password, may optionally start with {type}, eg. {crypt}
> # There are also other special fields which can be returned, see
> # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
> pass_attrs = uid=user,userPassword=password,mailAlternateAddress=user

you cannot return two values for user, I guess you like to have "uid", so

pass_attrs = uid=user,userPassword=password

> # Filter for password lookups
> #pass_filter = (&(objectClass=posixAccount)(uid=%u))
> pass_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))

Looks good, if doveadm user -u info@example.co returns something sensible,
because the user filter is the same.

> # Attributes and filter to get a list of all users
> iterate_attrs = uid=user, mailAlternateAddress=user

same as pass_attr.

> iterate_filter = (objectClass=posixAccount)

Looks strange, should be

iterate_filter = (objectClass=mailrecipient)

> # Default password scheme. "{scheme}" before password overrides this.
> # List of supported schemes is in: http://wiki2.dovecot.org/Authentication
> #default_pass_scheme = CRYPT
>
>

-- 
Steffen Kaiser
Hello Steffen and List,

Thanks for the answer and help. I think I found the biggest problem, it is
"auth_bind_userdn =", please read the rest ;-)

On Tuesday, 25 October 2016, 12:19:08 Steffen Kaiser wrote:
> On Tue, 25 Oct 2016, Günther J. Niederwimmer wrote:
> > I set up LDAP (FreeIPA) to have a user for dovecot that can (read, search,
> > compare) all attributes that I need for dovecot.
> >
> > I must also have mailAlternateAddress.
> >
> > When I make an ldapsearch with this user, I find all I need to configure
> > dovecot.
> >
> > doveadm auth test office
> > and
> > doveadm auth test office@examle.com
> >
> > with successful authentication,
> >
> > but when I run
> > doveadm auth test info@example.co (mailAlternateAddress)
>
> I guess the missing 'm' in .co is a typo?

;-) Yes

> Do you find
> doveadm user -u office
> doveadm user -u office@examle.com
> doveadm user -u info@example.com

Yes, this is working with all users?

doveadm user -u office
userdb: office
  user      : office
  home      : /srv/vmail/office
  uid       : 10000
  gid       : 10000

doveadm user -u info@example.com
userdb: info@example.com
  user      : office
  home      : /srv/vmail/office
  uid       : 10000
  gid       : 10000

> > I have a broken authentication.
> >
> > Can anyone give me a hint what is wrong, or is this not possible?
>
> Show us your LDAP record of this user.

This is a result from ldapsearch with dovecot's special user, from the
dovecot system!

ldapsearch -w 'XXXXXXXXXXX' -h ipa.example.com -D 'uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com' -s sub -b 'dc=example,dc=com' 'mail=office@example.com'

I can also search for 'mailAlternateAddress=info@example.com' with the same
result.

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: mail=office@example.com
# requesting: ALL
#

# office, users, accounts, example.com
dn: uid=office,cn=users,cn=accounts,dc=example,dc=com
st: AUSTRIA
l: Salzburg
postalCode: 5020
krbPasswordExpiration: 20380101000000Z
krbLastPwdChange: 20160929133721Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com
mailAlternateAddress: info@example.com
displayName:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
uid: office
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: mailrecipient
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/bash
initials: GN
gecos:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
sn: Niederwimmer
homeDirectory: /home/office
mail: office@example.com
krbPrincipalName: office@example.COM
givenName:: R8O8bnRoZXIgSi4
cn:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
ipaUniqueID: 3a6e2256-8648-11e6-b45d-5254002cd3fc
uidNumber: 1507800005
gidNumber: 1507800005

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

> > # Distinguished Name - the username used to login to the LDAP server.
> > # Leave it commented out to bind anonymously (useful with auth_bind=yes).
> > dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> >
> > # Password for LDAP server, if dn is specified.
> > dnpass = 'XXXXXXXXXXXXXX'
> >
> > # Use SASL binding instead of the simple binding. Note that this changes
> > # ldap_version automatically to be 3 if it's lower. Also note that SASL binds
> > # and auth_bind=yes don't work together.
> > sasl_bind = yes
> > # SASL mechanism name to use.
> > sasl_mech = gssapi
> > # SASL realm to use.
> > sasl_realm = EXAMPLE.COM
> > # SASL authorization ID, ie. the dnpass is for this "master user", but the
> > # dn is still the logged in user. Normally you want to keep this empty.
> > sasl_authz_id = imap/mx01.example.com@EXAMPLE.COM
>
> Dunno with SASL and Co.

OK, OK, this was a test and I am reverting this ;-). Now I have

#sasl_bind = yes

This is my next problem, to find out if this is working correctly on my
system ;-).

> > # Use authentication binding for verifying password's validity. This works by
> > # logging into LDAP server using the username and password given by client.
> > # The pass_filter is used to find the DN for the user. Note that the pass_attrs
> > # is still used, only the password field is ignored in it. Before doing any
> > # search, the binding is switched back to the default DN.
> > auth_bind = yes
> >
> > # If authentication binding is used, you can save one LDAP request per login
> > # if users' DN can be specified with a common template. The template can use
> > # the standard %variables (see user_filter). Note that you can't
> > # use any pass_attrs if you use this setting.
> > #
> > # If you use this setting, it's a good idea to use a different
> > # dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
> > # the filename is different in userdb's args). That way one connection is used
> > # only for LDAP binds and another connection is used for user lookups.
> > # Otherwise the binding is changed to the default DN before each user lookup.
> > #
> > # For example:
> > # auth_bind_userdn = cn=%u,ou=people,o=org
> > #
> > auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com
>
> That one looks strange, you really have an account (uid=office@examle.com)?

I mean I don't understand this at the moment (?), but I can comment this out?

I am now also running tests with "#auth_bind_userdn = uid=%n...." commented
out, and now the tests are WORKING !!!

Now I have to find out the correct syntax for auth_bind_userdn !!! If it is
possible?

> > # Search scope: base, onelevel, subtree
> > scope = subtree
> > #scope = onelevel
> >
> > # User attributes are given in LDAP-name=dovecot-internal-name list. The
> > # internal names are:
> > #   uid - System UID
> > #   gid - System GID
> > #   home - Home directory
> > #   mail - Mail location
> > #
> > # There are also other special fields which can be returned, see
> > # http://wiki2.dovecot.org/UserDatabase/ExtraFields
> > #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
> > user_attrs = uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000
> >
> > # Filter for user lookup. Some variables can be used (see
> > # http://wiki2.dovecot.org/Variables for full list):
> > #   %u - username
> > #   %n - user part in user@domain, same as %u if there's no domain
> > #   %d - domain part in user@domain, empty if user there's no domain
> > user_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))
>
> If doveadm user -u info@example.co
> returns your entry, this filter is OK.

Yes, this filter is OK ;-)

> > # Password checking attributes:
> > #   user: Virtual user name (user@domain), if you wish to change the
> > #         user-given username to something else
> > #   password: Password, may optionally start with {type}, eg. {crypt}
> > # There are also other special fields which can be returned, see
> > # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
> > pass_attrs = uid=user,userPassword=password,mailAlternateAddress=user
>
> you cannot return two values for user, I guess you like to have "uid", so
>
> pass_attrs = uid=user,userPassword=password

OK, I changed it back; these were only tests to find the correct setup for
dovecot.

> > # Filter for password lookups
> > #pass_filter = (&(objectClass=posixAccount)(uid=%u))
> > pass_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))
>
> Looks good, if doveadm user -u info@example.co returns something sensible,
> because the user filter is the same.

:-)

> > # Attributes and filter to get a list of all users
> > iterate_attrs = uid=user, mailAlternateAddress=user
>
> same as pass_attr.
>
> > iterate_filter = (objectClass=posixAccount)
>
> Looks strange, should be
>
> iterate_filter = (objectClass=mailrecipient)

Changed to your parameters.

> > # Default password scheme. "{scheme}" before password overrides this.
> > # List of supported schemes is in: http://wiki2.dovecot.org/Authentication
> > #default_pass_scheme = CRYPT

As I said before, with "auth_bind_userdn" commented out the authentication is
also working now with "mailAlternateAddress=xxxxxxxxx".

Many thanks for the hint ;-)

-- 
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer
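The thread ends with auth_bind_userdn commented out but never spells out why the alias login failed. The following Python model is an added example, not code from the thread or from Dovecot: it re-creates the posted entry as a constructed in-memory directory and applies the thread's own pass_filter and auth_bind_userdn template, showing that %n of info@example.com yields the non-existent DN uid=info,..., whereas the search-based path resolves the alias to uid=office,... (the directory contents, the escaping helpers and all function names are assumptions of this example).

```python
import re

BASE = "cn=users,cn=accounts,dc=example,dc=com"
# Template and filter exactly as posted in the thread.
AUTH_BIND_USERDN = "uid=%n," + BASE
PASS_FILTER = ("(&(objectClass=mailrecipient)"
               "(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))")

# Constructed in-memory stand-in for the LDIF entry shown in the thread
# (only the attributes the filters touch), keyed by DN.
DIRECTORY = {
    "uid=office," + BASE: {"objectClass": {"mailrecipient", "posixaccount"},
                           "uid": {"office"},
                           "mail": {"office@example.com"},
                           "mailAlternateAddress": {"info@example.com"}},
}

def filter_escape(value):
    # RFC 4515: a login name must not be able to alter the filter structure.
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def dn_escape(value):
    # RFC 4514 special characters inside an RDN value (leading/trailing
    # space and a leading '#' are left out for brevity).
    return re.sub(r'([,+"\\<>;])', r'\\\1', value)

def expand(template, login, escape=filter_escape):
    """Expand Dovecot-style %u, %n, %d (with optional L = lowercase modifier),
    escaping each substituted value for the context it lands in."""
    name, _, domain = login.partition("@")
    values = {"u": login, "n": name, "d": domain}

    def repl(m):
        val = values[m.group(2)]
        return escape(val.lower() if m.group(1) == "L" else val)
    return re.sub(r"%(L?)([und])", repl, template)

def search(login):
    """Evaluate the thread's pass_filter: objectClass mailrecipient and a
    match on uid (%Ln), mail (%Lu) or mailAlternateAddress (%Lu)."""
    lu, ln = login.lower(), login.partition("@")[0].lower()
    return [dn for dn, e in DIRECTORY.items()
            if "mailrecipient" in e["objectClass"]
            and (ln in e["uid"] or lu in e["mail"]
                 or lu in e["mailAlternateAddress"])]

def bind_dn(login, use_template):
    """DN the auth bind is attempted with: built from auth_bind_userdn when
    the template is set, otherwise taken from the entry pass_filter found."""
    if use_template:
        return expand(AUTH_BIND_USERDN, login, dn_escape)
    hits = search(login)
    return hits[0] if len(hits) == 1 else None

def auth_bind_finds_entry(login, use_template):
    """True when the DN the bind would use actually exists in the directory."""
    dn = bind_dn(login, use_template)
    return dn is not None and dn in DIRECTORY
```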