I'm trying to use auth bind to avoid having a plain text password in a config file. With %u instead of %n, the @domain part of the login ends up in the uid field of the search filter. As I said, my OUs have overlapping users, so I have configured things such that the users are logging in with user@domain, and need to get the domain component into the search base, as you cannot filter on an Organizational Unit in an LDAP filter. If I have a single search base, it will return multiple users for those %ns that overlap. If I use %u, it will return no users for any account, because the uids do not have the @domain in them. I tried both ways.

Luke

On Mon, Aug 31, 2020 at 09:45:17PM +0200, Marc Roos wrote:
> You have two ways of authenticating against ldap. I decided to use the method where a single account has access to the user credentials. (Advantage of this method, you can limit ldap lookups eg do not have to do 2nd for the userdb)
>
> debug_level = 1
> uris = ldaps://ldap.local:8443
> dn = cn=aaaa,cn=bbbbb,ou=ccccc,dc=dddd,dc=eeee,dc=local
> dnpass = xxxx
> base = ou=asdfadsfa,ou=hhhh,ou=ggg,dc=fffff,dc=eeee,dc=local
> scope = subtree
>
> user_filter = (&(objectClass=posixAccount)(uid=%u))
> pass_attrs = uid=user,userPassword=password,host=host,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
>
> However I did not have any issues authenticating against ldap with yours also. But using the %u
>
> -----Original Message-----
> From: Luke Schierer [mailto:luke-dovecot at schierer.org]
> Sent: Monday, 31 August 2020 21:32
> To: dovecot at dovecot.org
> Subject: using %d as a variable in the ldap search base
>
> Hi,
>
> I'm trying to configure dovecot to use LDAP authentication directly, and I'm having a bit of trouble. I have a somewhat unusual setup, in that I have an LDAP directory that has 3 OUs, each of which has its own set of users, some of which overlap. As I was trying to figure things out, I was setting the search base in my /etc/dovecot/dovecot-ldap.conf.ext file, which is referenced by the /etc/dovecot/conf.d/auth-ldap.conf.ext file, to
>
> base = ou=%d,dc=thecrazyguys,dc=net
>
> however, the resulting searches against the directory end up just dropping the %d, resulting in
>
> ou=,dc=thecrazyguys,dc=net
>
> which is invalid. On a whim, I tried a search base of
>
> base = dc=%d,dc=thecrazyguys,dc=net
>
> and found that it did correctly substitute in the variable, which would be correct, except that my ldap tree is set up with OUs and not an extra DC segment.
>
> For whatever reason, it will do variable substitution for dc=%d, but not for ou=%d. This is certainly not documented, and seems like wrong behavior, since having an ou in a search base is valid.
>
> I'm including configuration information below. Please let me know if I've missed including information that is required.
>
> Thanks!
> Luke
>
>
> luke at schierer@littera001:/etc/dovecot$ lsb_release -rd
> Description:    Ubuntu 18.04.5 LTS
> Release:        18.04
> luke at schierer@littera001:/etc/dovecot$
>
> luke at schierer@littera001:/etc/dovecot$ dpkg -l | grep -i dovecot
> ii  dovecot-core   1:2.2.33.2-1ubuntu4.6  amd64
> ii  dovecot-imapd  1:2.2.33.2-1ubuntu4.6  amd64
> ii  dovecot-ldap   1:2.2.33.2-1ubuntu4.6  amd64
> ii  dovecot-pop3d  1:2.2.33.2-1ubuntu4.6  amd64
> luke at schierer@littera001:/etc/dovecot$
>
> root at littera001:/etc/dovecot# dovecot -n
> # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.21 (92477967)
> # OS: Linux 4.15.0-112-generic x86_64 Ubuntu 18.04.5 LTS
> auth_verbose = yes
> first_valid_uid = 1001
> imap_hibernate_timeout = 100 secs
> lock_method = dotlock
> mail_cache_min_mail_count = 15
> mail_fsync = always
> mail_location = maildir:~/Maildir:LAYOUT=fs:INDEX=MEMORY
> mail_nfs_index = yes
> mail_nfs_storage = yes
> mail_privileged_group = mail
> mailbox_list_index = yes
> maildir_broken_filename_sizes = yes
> maildir_very_dirty_syncs = yes
> mbox_min_index_size = 10 B
> mmap_disable = yes
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
>   separator = /
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> protocols = " imap pop3"
> ssl_cert = </etc/dovecot/dovecot.pem
> ssl_key =  # hidden, use -P to show it
> userdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> protocol imap {
>   mail_max_userip_connections = 20
> }
> root at littera001:/etc/dovecot#
>
> root at littera001:/etc/dovecot# cat /etc/dovecot/dovecot-ldap.conf.ext | grep -v ^# | uniq | more
>
> hosts = censor001.plerumque.thecrazyguys.net
>
> tls = yes
> tls_require_cert = allow
>
> debug_level = 4
>
> auth_bind = yes
>
> base = ou=%d,dc=thecrazyguys,dc=net
>
> scope = subtree
>
> user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
>
> user_filter = (&(objectClass=posixAccount)(uid=%n))
>
> blocking = no
> root at littera001:/etc/dovecot#
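The %n/%d/%u expansion this thread is about, as an added example that is not Dovecot's own code: it rebuilds the search base and filter from the templates quoted in the thread with RFC 4514 DN escaping and RFC 4515 filter escaping, so the DN and filter the directory should receive can be compared with the search that debug_level = 4 writes to the log. The templates and the user@domain login format are the assumptions; it also refuses a login with no domain part, which is what would otherwise produce the invalid ou=,dc=... base reported above.

```python
import re

# Constructed templates copied from the thread's dovecot-ldap.conf.ext; the
# expansion below is an added re-implementation, not Dovecot's own code.
BASE_TEMPLATE = "ou=%d,dc=thecrazyguys,dc=net"
FILTER_TEMPLATE = "(&(objectClass=posixAccount)(uid=%n))"


def escape_dn_value(value):
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape one assertion value for use inside a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\" or ord(ch) < 0x20 else ch
                   for ch in value)


def split_login(login):
    """Return (%n, %d): user part and domain part; %d is '' without an '@'."""
    user, sep, domain = login.partition("@")
    return user, (domain if sep else "")


def expand(template, login, escape):
    """Substitute %n, %d and %u into a template, escaping each value."""
    user, domain = split_login(login)
    values = {"n": user, "d": domain, "u": login}
    return re.sub(r"%([ndu])", lambda m: escape(values[m.group(1)]), template)


def build_search(login):
    """Return (base, filter) for a login as the thread's config intends.

    A login without a domain is refused: substituting an empty %d would give
    the invalid base 'ou=,dc=thecrazyguys,dc=net' quoted in the first report.
    """
    user, domain = split_login(login)
    if not user or not domain:
        raise ValueError("login must be user@domain when the base uses ou=%d")
    return (expand(BASE_TEMPLATE, login, escape_dn_value),
            expand(FILTER_TEMPLATE, login, escape_filter_value))
```

Running expand() on the base template with a bare username reproduces the empty-ou DN from the report, which is why build_search() rejects it before any query is sent.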
If you already tested %d in the ou of the auth user bind and it is not working, I guess you are just left with options like

1. 3 different vm's
2. auth bind = no base, scope subtree that is parent of those 3 ou's and then apply filters something like
   pass_filter = (&(objectClass=posixAccount)(uid=%n)(ou:dn:=%d))
3. investigate if nslcd(/ssss?) has an option to use multiple queries for passwd and have dovecot authenticate against the system.

-----Original Message-----
Cc: dovecot; luke-dovecot
Subject: Re: using %d as a variable in the ldap search base

I'm trying to use auth bind to avoid having a plain text password in a config file. With %u instead of %n, the @domain part of the login ends up in the uid field of the search filter. As I said, my OUs have overlapping users, so I have configured things such that the users are logging in with user@domain, and need to get the domain component into the search base, as you cannot filter on an Organizational Unit in an LDAP filter. If I have a single search base, it will return multiple users for those %ns that overlap. If I use %u, it will return no users for any account, because the uids do not have the @domain in them. I tried both ways.

Luke

On Mon, Aug 31, 2020 at 09:45:17PM +0200, Marc Roos wrote:
> You have two ways of authenticating against ldap. I decided to use the method where a single account has access to the user credentials. (Advantage of this method, you can limit ldap lookups eg do not have to do 2nd for the userdb)
>
> debug_level = 1
> uris = ldaps://ldap.local:8443
> dn = cn=aaaa,cn=bbbbb,ou=ccccc,dc=dddd,dc=eeee,dc=local
> dnpass = xxxx
> base = ou=asdfadsfa,ou=hhhh,ou=ggg,dc=fffff,dc=eeee,dc=local
> scope = subtree
>
> user_filter = (&(objectClass=posixAccount)(uid=%u))
> pass_attrs = uid=user,userPassword=password,host=host,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
>
> However I did not have any issues authenticating against ldap with yours also.
On Tue, Sep 01, 2020 at 03:03:34PM +0200, Marc Roos wrote:
>
> If you already tested %d in the ou of the auth user bind and it is not working, I guess you are just left with options like
>
> 1. 3 different vm's
> 2. auth bind = no base, scope subtree that is parent of those 3 ou's and then apply filters something like
>    pass_filter = (&(objectClass=posixAccount)(uid=%n)(ou:dn:=%d))

It seems that at least some (perhaps most?) LDAP server implementations do not allow this. Filtering on an OU is not allowed in an LDAP query by either Active Directory or Fedora's 389-ds. I'm not sure about OpenLDAP. I'm currently using Fedora's 389-ds.

> 3. investigate if nslcd(/ssss?) has an option to use multiple queries for passwd and have dovecot authenticate against the system.

This is what I'm doing as a workaround while I pursue figuring out why binding to LDAP directly doesn't work. SSSD is having no problem with the domain substitution, but every once in a while the SSSD/PAM integration acts up and I hate debugging PAM. I can of course continue this route, but I shouldn't have to. Dovecot's documentation says it should be able to do this. Is there any debugging information I can provide to help drive this towards a resolution instead of being resigned to broken software?

Thanks!
Luke

> -----Original Message-----
> Cc: dovecot; luke-dovecot
> Subject: Re: using %d as a variable in the ldap search base
>
> I'm trying to use auth bind to avoid having a plain text password in a config file. With %u instead of %n, the @domain part of the login ends up in the uid field of the search filter. As I said, my OUs have overlapping users, so I have configured things such that the users are logging in with user@domain, and need to get the domain component into the search base, as you cannot filter on an Organizational Unit in an LDAP filter. If I have a single search base, it will return multiple users for those %ns that overlap.