dovecot - Oct 2016 - Problem to configure dovecot-ldap.conf.ext

Hello,

Dovecot 2.2.25
CentOS 7

I setup ldap (FreeIPA) to have a user for dovecot that can (read search 
compare) all attributes that I need for dovecot.

I must also have  mailAlternateAddress 

When I make a ldapsearch with this user, I found all I need to configure 
dovecot.

But for me it is not possible to configure this correct ?

I can make for user

doveadm auth test office 
and
doveadm auth test office at examle.com

with success authentication

but when I make a
doveadm auth test info at example.co (mailAlternateAddress)

I have a broken authentication

Can any give me a hint what is wrong, or is this not possible ?

# Space separated list of LDAP hosts to use. host:port is allowed too.
#hosts = 192.168.100.204 192.168.100.214
#hosts = 192.168.100.204
hosts = ipa.example.com

# LDAP URIs to use. You can use this instead of hosts list. Note that this
# setting isn't supported by all LDAP libraries.
#uris = ldap://ipa.example.com ldap://ipa1.example.com

# Distinguished Name - the username used to login to the LDAP server.
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com

# Password for LDAP server, if dn is specified.
dnpass = 'XXXXXXXXXXXXXX'

# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower. Also note that SASL
binds
# and auth_bind=yes don't work together.
sasl_bind = yes
# SASL mechanism name to use.
sasl_mech = gssapi
# SASL realm to use.
sasl_realm = EXAMPLE.COM
# SASL authorization ID, ie. the dnpass is for this "master user", but
the
# dn is still the logged in user. Normally you want to keep this empty.
sasl_authz_id = imap/mx01.example.com at EXAMPLE.COM

# Use TLS to connect to the LDAP server.
#tls = yes
# TLS options, currently supported only with OpenLDAP:
tls_ca_cert_file = /etc/ipa/ca.crt
#tls_ca_cert_dir #tls_cipher_suite # TLS cert/key is used only if LDAP server
requires a client certificate.
#tls_cert_file #tls_key_file # Valid values: never, hard, demand, allow, try
tls_require_cert = demand

# Use the given ldaprc path.
#ldaprc_path 
# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
# to get enough output.
#debug_level = 0

# Use authentication binding for verifying password's validity. This works
by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes

# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
#
# If you use this setting, it's a good idea to use a different
# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
# the filename is different in userdb's args). That way one connection is
used
# only for LDAP binds and another connection is used for user lookups.
# Otherwise the binding is changed to the default DN before each user lookup.
#
# For example:
#   auth_bind_userdn = cn=%u,ou=people,o=org
#
auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com


# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3

# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
base = cn=users,cn=accounts,dc=example,dc=com

# Dereference: never, searching, finding, always
#deref = never

# Search scope: base, onelevel, subtree
scope = subtree
#scope = onelevel

# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
#   uid - System UID
#   gid - System GID
#   home - Home directory
#   mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_attrs = uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000

# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
#   %u - username
#   %n - user part in user at domain, same as %u if there's no domain
#   %d - domain part in user at domain, empty if user there's no domain
user_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)
(mailAlternateAddress=%Lu)))

# Password checking attributes:
#  user: Virtual user name (user at domain), if you wish to change the
#        user-given username to something else
#  password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
pass_attrs = uid=user,userPassword=password,mailAlternateAddress=user

# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case
you'll
# also have to include user_attrs in pass_attrs field prefixed with
"userdb_"
# string. For example:
#pass_attrs = uid=user,userPassword=password,\
#  homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

# Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
pass_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)
(mailAlternateAddress=%Lu)))

# Attributes and filter to get a list of all users
iterate_attrs = uid=user, mailAlternateAddress=user
iterate_filter = (objectClass=posixAccount)

# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
#default_pass_scheme = CRYPT
	

-- 
mit freundlichen Gr??en / best regards,

  G?nther J. Niederwimmer

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 25 Oct 2016, G?nther J. Niederwimmer wrote:
> I setup ldap (FreeIPA) to have a user for dovecot that can (read search
> compare) all attributes that I need for dovecot.
>
> I must also have  mailAlternateAddress
>
> When I make a ldapsearch with this user, I found all I need to configure
> dovecot.
>
> doveadm auth test office
> and
> doveadm auth test office at examle.com
>
> with success authentication
>
> but when I make a
> doveadm auth test info at example.co (mailAlternateAddress)
I guess the missing 'm' in .co is a typo?

Do you find
doveadm user -u office
doveadm user -u office at examle.com
doveadm user -u info at example.co
> I have a broken authentication
> Can any give me a hint what is wrong, or is this not possible ?
Show us your LDAP record of this user.
> # Distinguished Name - the username used to login to the LDAP server.
> # Leave it commented out to bind anonymously (useful with auth_bind=yes).
> dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
>
> # Password for LDAP server, if dn is specified.
> dnpass = 'XXXXXXXXXXXXXX'
>
> # Use SASL binding instead of the simple binding. Note that this changes
> # ldap_version automatically to be 3 if it's lower. Also note that SASL
binds
> # and auth_bind=yes don't work together.
> sasl_bind = yes
> # SASL mechanism name to use.
> sasl_mech = gssapi
> # SASL realm to use.
> sasl_realm = EXAMPLE.COM
> # SASL authorization ID, ie. the dnpass is for this "master
user", but the
> # dn is still the logged in user. Normally you want to keep this empty.
> sasl_authz_id = imap/mx01.example.com at EXAMPLE.COM
Dunno with SASL and Co.
> # Use authentication binding for verifying password's validity. This
works by
> # logging into LDAP server using the username and password given by client.
> # The pass_filter is used to find the DN for the user. Note that the
pass_attrs
> # is still used, only the password field is ignored in it. Before doing any
> # search, the binding is switched back to the default DN.
> auth_bind = yes
>
> # If authentication binding is used, you can save one LDAP request per
login
> # if users' DN can be specified with a common template. The template
can use
> # the standard %variables (see user_filter). Note that you can't
> # use any pass_attrs if you use this setting.
> #
> # If you use this setting, it's a good idea to use a different
> # dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long
as
> # the filename is different in userdb's args). That way one connection
is used
> # only for LDAP binds and another connection is used for user lookups.
> # Otherwise the binding is changed to the default DN before each user
lookup.
> #
> # For example:
> #   auth_bind_userdn = cn=%u,ou=people,o=org
> #
> auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com
That one looks strange, you really have an account (uid=office at examle.com) 
?
> # Search scope: base, onelevel, subtree
> scope = subtree
> #scope = onelevel
>
> # User attributes are given in LDAP-name=dovecot-internal-name list. The
> # internal names are:
> #   uid - System UID
> #   gid - System GID
> #   home - Home directory
> #   mail - Mail location
> #
> # There are also other special fields which can be returned, see
> # http://wiki2.dovecot.org/UserDatabase/ExtraFields
> #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
> user_attrs = uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000
>
> # Filter for user lookup. Some variables can be used (see
> # http://wiki2.dovecot.org/Variables for full list):
> #   %u - username
> #   %n - user part in user at domain, same as %u if there's no domain
> #   %d - domain part in user at domain, empty if user there's no domain
> user_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)
> (mailAlternateAddress=%Lu)))
If doveadm user -u info at example.co
returns your entry, this filter is OK.
> # Password checking attributes:
> #  user: Virtual user name (user at domain), if you wish to change the
> #        user-given username to something else
> #  password: Password, may optionally start with {type}, eg. {crypt}
> # There are also other special fields which can be returned, see
> # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
> pass_attrs = uid=user,userPassword=password,mailAlternateAddress=user
you cannot return two values for user, I guess you like to have "uid",
so

pass_attrs = uid=user,userPassword=password
> # Filter for password lookups
> #pass_filter = (&(objectClass=posixAccount)(uid=%u))
> pass_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)
> (mailAlternateAddress=%Lu)))
Looks good, if doveadm user -u info at example.co returns something sensible, 
beause the user filter is the same.
> # Attributes and filter to get a list of all users
> iterate_attrs = uid=user, mailAlternateAddress=user
same as pass_attr.
> iterate_filter = (objectClass=posixAccount)
Looks strange, should be

iterate_filter = (objectClass=mailrecipient)
> # Default password scheme. "{scheme}" before password overrides
this.
> # List of supported schemes is in: http://wiki2.dovecot.org/Authentication
> #default_pass_scheme = CRYPT
>
>
>
- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEVAwUBWA8xnHz1H7kL/d9rAQKjlQf/VyK1ipVnt3B+NGwWlIc29MERp7Zy1DFI
8x7GKRFSwJ9pKRalreVL/D+3hI/mKzoqQOiaWG6QSNlX+zj1uu6FkpsiJrAmuJP2
uOObVjyS9DSw8zmU9wNJmqxUvWNTb857udnwAazsMbKge+ApKa4w8GmLUIyZXBZt
oBziQZjbASlReaIGv8q+R8z5B0wUx9FRfqFuEY4N2mSudZMdf6kBsUXnFPTxWlEY
kpIFpOFhfCi0dFRYduVQXhP9qR8BMOBwjm1NizZGTFgGSHgY2sgr4ouOKtoXHePh
28EvYzRY/FHvSKGDv3R8KVqnf6BJ03SkJ5+L0Smbr9XUg+1UuaQqkg==0e2c
-----END PGP SIGNATURE-----

Hello Steffen and List,

Thanks for the answer and help,

I mean I found the biggest problem it is "auth_bind_userdn = "

please read the rest ;-)

Am Dienstag, 25. Oktober 2016, 12:19:08 schrieb Steffen
Kaiser:
> On Tue, 25 Oct 2016, G?nther J. Niederwimmer wrote:
> > I setup ldap (FreeIPA) to have a user for dovecot that can (read
search
> > compare) all attributes that I need for dovecot.
> > 
> > I must also have  mailAlternateAddress
> > 
> > When I make a ldapsearch with this user, I found all I need to
configure
> > dovecot.
> > 
> > doveadm auth test office
> > and
> > doveadm auth test office at examle.com
> > 
> > with success authentication
> > 
> > but when I make a
> > doveadm auth test info at example.co (mailAlternateAddress)
> 
> I guess the missing 'm' in .co is a typo?
;-) Yes 
> Do you find
> doveadm user -u office
> doveadm user -u office at examle.com
> doveadm user -u info at example.com
yes this is working with all user ?

doveadm user -u office
userdb: office
  user      : office
  home      : /srv/vmail/office
  uid       : 10000
  gid       : 10000

doveadm user -u info at example.com
userdb: info at example.com
  user      : office
  home      : /srv/vmail/office
  uid       : 10000
  gid       : 10000

 
> > I have a broken authentication
> > 
> > Can any give me a hint what is wrong, or is this not possible ?
> 
> Show us your LDAP record of this user.
this is a result from ldapsearch with dovecots special user, from the dovecot 
system!

ldapsearch -w 'XXXXXXXXXXX' -h ipa.example.com -D 
'uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com' -s sub -b 
'dc=example,dc=com' 'mail=office at example.com'

I can also search for 'mailAlternateAddress=info at example.com' with
the same
result.

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: mail=office at example.com
# requesting: ALL
#

# office, users, accounts, example.com
dn: uid=office,cn=users,cn=accounts,dc=example,dc=com
st: AUSTRIA
l: Salzburg
postalCode: 5020
krbPasswordExpiration: 20380101000000Z
krbLastPwdChange: 20160929133721Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com
mailAlternateAddress: info at example.com
displayName:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
uid: office
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: mailrecipient
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/bash
initials: GN
gecos:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
sn: Niederwimmer
homeDirectory: /home/office
mail: office at example.com
krbPrincipalName: office at example.COM
givenName:: R8O8bnRoZXIgSi4cn:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
ipaUniqueID: 3a6e2256-8648-11e6-b45d-5254002cd3fc
uidNumber: 1507800005
gidNumber: 1507800005

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


 
> > # Distinguished Name - the username used to login to the LDAP server.
> > # Leave it commented out to bind anonymously (useful with
auth_bind=yes).
> > dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> > 
> > # Password for LDAP server, if dn is specified.
> > dnpass = 'XXXXXXXXXXXXXX'
> > 
> > # Use SASL binding instead of the simple binding. Note that this
changes
> > # ldap_version automatically to be 3 if it's lower. Also note that
SASL
> > binds # and auth_bind=yes don't work together.
> > sasl_bind = yes
> > # SASL mechanism name to use.
> > sasl_mech = gssapi
> > # SASL realm to use.
> > sasl_realm = EXAMPLE.COM
> > # SASL authorization ID, ie. the dnpass is for this "master
user", but the
> > # dn is still the logged in user. Normally you want to keep this
empty.
> > sasl_authz_id = imap/mx01.example.com at EXAMPLE.COM
> 
> Dunno with SASL and Co.
OK, OK this was a Test and I reverting this ;-).
Now I have 
#sals_bind = yes

This is my next Problem, to find out is this correct working on my system ;-).
> > # Use authentication binding for verifying password's validity.
This works
> > by # logging into LDAP server using the username and password given by
> > client. # The pass_filter is used to find the DN for the user. Note
that
> > the pass_attrs # is still used, only the password field is ignored in
it.
> > Before doing any # search, the binding is switched back to the default
> > DN.
> > auth_bind = yes
> > 
> > # If authentication binding is used, you can save one LDAP request per
> > login # if users' DN can be specified with a common template. The
> > template can use # the standard %variables (see user_filter). Note
that
> > you can't
> > # use any pass_attrs if you use this setting.
> > #
> > # If you use this setting, it's a good idea to use a different
> > # dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as
long
> > as # the filename is different in userdb's args). That way one
connection
> > is used # only for LDAP binds and another connection is used for user
> > lookups. # Otherwise the binding is changed to the default DN before
each
> > user lookup. #
> > # For example:
> > #   auth_bind_userdn = cn=%u,ou=people,o=org
> > #
> > auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=example,dc=com
> 
> That one looks strange, you really have an account (uid=office at
examle.com)
> ?
I mean I don't understand this in the Moment (?), but I can comment out this
?

I make now also Tests with commented out "#auth_bind_userdn =
uid=%n...."

now the tests are WORKING !!!

now I have to find out the correct syntax for auth_bind_userdn !!! when it is 
possible ?
> > # Search scope: base, onelevel, subtree
> > scope = subtree
> > #scope = onelevel
> > 
> > # User attributes are given in LDAP-name=dovecot-internal-name list.
The
> > # internal names are:
> > #   uid - System UID
> > #   gid - System GID
> > #   home - Home directory
> > #   mail - Mail location
> > #
> > # There are also other special fields which can be returned, see
> > # http://wiki2.dovecot.org/UserDatabase/ExtraFields
> > #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
> > user_attrs = uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000
> > 
> > # Filter for user lookup. Some variables can be used (see
> > # http://wiki2.dovecot.org/Variables for full list):
> > #   %u - username
> > #   %n - user part in user at domain, same as %u if there's no
domain
> > #   %d - domain part in user at domain, empty if user there's no
domain
> > user_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)
> > (mailAlternateAddress=%Lu)))
> 
> If doveadm user -u info at example.co
> returns your entry, this filter is OK.
Yes, this filter is OK ;-) 
> > # Password checking attributes:
> > #  user: Virtual user name (user at domain), if you wish to change the
> > #        user-given username to something else
> > #  password: Password, may optionally start with {type}, eg. {crypt}
> > # There are also other special fields which can be returned, see
> > # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
> > pass_attrs = uid=user,userPassword=password,mailAlternateAddress=user
> 
> you cannot return two values for user, I guess you like to have
"uid", so
> 
> pass_attrs = uid=user,userPassword=password
OK, I change it back, this are only tests to found the correct setup for 
dovecot 
 
> > # Filter for password lookups
> > #pass_filter = (&(objectClass=posixAccount)(uid=%u))
> > pass_filter = (&(objectClass=mailrecipient)(|(uid=%Ln)(mail=%Lu)
> > (mailAlternateAddress=%Lu)))
> 
> Looks good, if doveadm user -u info at example.co returns something
sensible,
> beause the user filter is the same.
:-)
 
> > # Attributes and filter to get a list of all users
> > iterate_attrs = uid=user, mailAlternateAddress=user
> 
> same as pass_attr.
> 
> > iterate_filter = (objectClass=posixAccount)
> 
> Looks strange, should be
> 
> iterate_filter = (objectClass=mailrecipient)
Is changed to your Parameters
 
> > # Default password scheme. "{scheme}" before password
overrides this.
> > # List of supported schemes is in:
http://wiki2.dovecot.org/Authentication
> > #default_pass_scheme = CRYPT
I say it before with commented out "auth_bind_userdn" the
authentication is
also working now with "mailAlternateAddress= xxxxxxxxx"

Many thanks to hint me ;-)

-- 
mit freundlichen Gr??en / best regards,

  G?nther J. Niederwimmer