The Howto at http://directory.fedora.redhat.com/wiki/Howto:Dovecot is really very skimpy (two lines that refer you offsite, to a Howto based on OpenLDAP).

I spent most of yesterday banging my head, making dovecot authenticate against FDS. The mail server on which dovecot is installed has the nss_ldap and pam_ldap packages installed, and /etc/dovecot.conf has the following two lines:

auth_userdb = ldap /etc/dovecot-ldap.conf
auth_passdb = pam

In other words, dovecot should use LDAP to access the user database, but PAM for authentication. This part is working, since users authenticate and get their mails through dovecot.

/etc/dovecot-ldap.conf contains the following:

hosts = 192.168.0.2
ldap_version = 3
base = ou=People, dc=duraflex, dc=com, dc=sv
deref = never
scope = subtree
user_attrs = uid,homeDirectory,,,uidNumber,gidNumber
user_filter = (&(objectClass=posixAccount)(uid=%u))

I haven't specified a dn or dnpass, since all I need is that dovecot perform an anonymous query for the uid, homeDirectory, uidNumber and gidNumber fields of its users, which are publicly viewable. However, my FDS server's access log has entries like these:

conn=3266227 fd=138 slot=138 connection from 192.168.0.100 to 192.168.0.2
conn=3266227 op=0 BIND dn="" method=128 version=3
conn=3266227 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
conn=3266227 op=1 SRCH base="ou=People,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixAccount)(uid=dovecot))" attrs=ALL
conn=3266227 op=1 RESULT err=0 tag=101 nentries=0 etime=0
conn=3266227 op=2 SRCH base="ou=Groups,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixGroup)(memberUid=dovecot))" attrs="gidNumber"
conn=3266227 op=2 RESULT err=0 tag=101 nentries=0 etime=0
conn=3266227 op=-1 fd=138 closed - B1

Dovecot tries binding with an empty dn, fails, then queries FDS for a user or group called dovecot (which don't exist on the DS), and fails.

Is there a way to tell dovecot to query anonymously?

-- 
Oscar A. Valdez
Oscar A. Valdez wrote:
> The Howto at http://directory.fedora.redhat.com/wiki/Howto:Dovecot is
> really very skimpy (two lines that refer you offsite, to a Howto based
> on OpenLDAP).
>
> I spent most of yesterday banging my head, making dovecot authenticate
> against FDS. The mail server on which dovecot is installed has the
> nss_ldap and pam_ldap packages installed, and /etc/dovecot.conf has the
> following two lines:
>
> auth_userdb = ldap /etc/dovecot-ldap.conf
> auth_passdb = pam
>
> In other words, dovecot should use LDAP to access the user database, but
> PAM for authentication. This part is working, since users authenticate
> and get their mails through dovecot.
>
> /etc/dovecot-ldap.conf contains the following:
>
> hosts = 192.168.0.2
> ldap_version = 3
> base = ou=People, dc=duraflex, dc=com, dc=sv
> deref = never
> scope = subtree
> user_attrs = uid,homeDirectory,,,uidNumber,gidNumber
> user_filter = (&(objectClass=posixAccount)(uid=%u))
>
> I haven't specified a dn or dnpass, since all I need is that dovecot
> perform an anonymous query for the uid, homeDirectory, uidNumber and
> gidNumber fields of its users, which are publicly viewable. However,
> my FDS server's access log has entries like these:
>
> conn=3266227 fd=138 slot=138 connection from 192.168.0.100 to
> 192.168.0.2
> conn=3266227 op=0 BIND dn="" method=128 version=3
> conn=3266227 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> conn=3266227 op=1 SRCH base="ou=People,dc=duraflex,dc=com,dc=sv" scope=1
> filter="(&(objectClass=posixAccount)(uid=dovecot))" attrs=ALL
> conn=3266227 op=1 RESULT err=0 tag=101 nentries=0 etime=0
> conn=3266227 op=2 SRCH base="ou=Groups,dc=duraflex,dc=com,dc=sv" scope=1
> filter="(&(objectClass=posixGroup)(memberUid=dovecot))"
> attrs="gidNumber"
> conn=3266227 op=2 RESULT err=0 tag=101 nentries=0 etime=0
> conn=3266227 op=-1 fd=138 closed - B1
>
> Dovecot tries binding with an empty dn, fails,

It doesn't fail, according to the log - the result of the BIND request is err=0 i.e. success.

In LDAP, dn="" is an anonymous BIND. So, two possible problems:

1) Did you try that same search from the command line using ldapsearch? Same results?

2) Did you set up your ACIs to allow anonymous read/search/compare access to those entries and attributes?

> then queries FDS for a
> user or group called dovecot (which don't exist on the DS), and fails.
>
> Is there a way to tell dovecot to query anonymously?
>
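An added example, not part of the thread: a small Python script that parses the FDS access-log lines quoted above, flags the pattern Richard describes (an anonymous bind that returns err=0, followed by searches that return nentries=0), builds the equivalent anonymous ldapsearch command to repeat the query by hand (his first check), and generates an FDS ACI granting anonymous read/search/compare on only the four posixAccount attributes that dovecot-ldap.conf asks for (his second check). The server address, the ACI name and placing the ACI on the ou=People entry are assumptions; the sample log is the thread's own lines with the usual timestamp prefix omitted.

```python
import re
from collections import defaultdict
# Constructed sample: the access-log lines quoted in the thread (FDS timestamp prefix omitted).
SAMPLE_LOG = """\
conn=3266227 fd=138 slot=138 connection from 192.168.0.100 to 192.168.0.2
conn=3266227 op=0 BIND dn="" method=128 version=3
conn=3266227 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
conn=3266227 op=1 SRCH base="ou=People,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixAccount)(uid=dovecot))" attrs=ALL
conn=3266227 op=1 RESULT err=0 tag=101 nentries=0 etime=0
conn=3266227 op=2 SRCH base="ou=Groups,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixGroup)(memberUid=dovecot))" attrs="gidNumber"
conn=3266227 op=2 RESULT err=0 tag=101 nentries=0 etime=0
conn=3266227 op=-1 fd=138 closed - B1
"""
OP_RE = re.compile(r'^(?:\[[^\]]*\]\s+)?conn=(\d+)\s+op=(-?\d+)\s+(.*)$')  # optional "[time]" prefix
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SCOPES = {'0': 'base', '1': 'one', '2': 'sub'}  # numeric scope in the log -> ldapsearch -s value
def parse_fields(text):
    """'a=b c="d e"' -> {'a': 'b', 'c': 'd e'} (quotes stripped)."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV_RE.findall(text)}
def parse_access_log(log):
    """Group each connection's operations by op number, merging request and RESULT lines."""
    conns = defaultdict(dict)
    for m in filter(None, (OP_RE.match(ln.strip()) for ln in log.splitlines())):  # skips connection-open lines
        conn, op, rest = m.groups()
        kind, _, tail = rest.partition(' ')
        if kind == 'RESULT':
            conns[conn].setdefault(op, {})['res'] = parse_fields(tail)
        elif kind.isalpha():  # BIND, SRCH, UNBIND ...; "fd=138 closed" lines carry no request
            conns[conn].setdefault(op, {}).update(type=kind, req=parse_fields(tail))
    return conns
def triage(conns):
    """Flag searches that succeeded (err=0) yet matched nothing, noting whether the bind was anonymous."""
    findings = []
    for conn, ops in conns.items():
        anon = any(o.get('type') == 'BIND' and o['req'].get('dn') == '' and
                   o.get('res', {}).get('err') == '0' for o in ops.values())
        for op, o in ops.items():
            if o.get('type') == 'SRCH' and o.get('res', {}).get('err') == '0' and o['res'].get('nentries') == '0':
                findings.append({'conn': conn, 'op': op, 'anonymous': anon, 'base': o['req']['base'],
                                 'scope': SCOPES.get(o['req']['scope'], 'sub'), 'filter': o['req']['filter']})
    return findings
def ldapsearch_cmd(host, f):
    """Repeat a flagged search anonymously from the shell (-x with no -D binds as dn="")."""
    return f"ldapsearch -x -H ldap://{host} -b '{f['base']}' -s {f['scope']} '{f['filter']}'"
def anon_read_aci(attrs=('uid', 'homeDirectory', 'uidNumber', 'gidNumber')):
    """Assumed FDS ACI for the ou=People entry: anyone may read/search/compare only these attributes."""
    return ('aci: (targetattr="%s")(version 3.0; acl "anonymous posix read"; '
            'allow (read,search,compare) userdn="ldap:///anyone";)' % ' || '.join(attrs))
```

Note that the logged searches use scope=1 (one level) while dovecot-ldap.conf sets scope = subtree, which is worth comparing when working out which client on 192.168.0.100 issued them.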
On Fri, 07-04-2006 at 10:08 -0600, Richard Megginson wrote:
> Oscar A. Valdez wrote:
> >
> > my FDS server's access log has entries like these:
> >
> > conn=3266227 fd=138 slot=138 connection from 192.168.0.100 to
> > 192.168.0.2
> > conn=3266227 op=0 BIND dn="" method=128 version=3
> > conn=3266227 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> > conn=3266227 op=1 SRCH base="ou=People,dc=duraflex,dc=com,dc=sv" scope=1
> > filter="(&(objectClass=posixAccount)(uid=dovecot))" attrs=ALL
> > conn=3266227 op=1 RESULT err=0 tag=101 nentries=0 etime=0
> > conn=3266227 op=2 SRCH base="ou=Groups,dc=duraflex,dc=com,dc=sv" scope=1
> > filter="(&(objectClass=posixGroup)(memberUid=dovecot))"
> > attrs="gidNumber"
> > conn=3266227 op=2 RESULT err=0 tag=101 nentries=0 etime=0
> > conn=3266227 op=-1 fd=138 closed - B1
> >
> > Dovecot tries binding with an empty dn, fails,
> It doesn't fail, according to the log - the result of the BIND request
> is err=0 i.e. success.
> In LDAP, dn="" is an anonymous BIND. So, two possible problems:
> 1) Did you try that same search from the command line using ldapsearch?
> Same results?
> 2) Did you set up your ACIs to allow anonymous read/search/compare
> access to those entries and attributes?

Thanks for the answer.

Why the search for a dovecot user and group?

-- 
Oscar A. Valdez