[Dovecot] dovecot-ldap : can't find user in OU subtree // solved
Achim Gottinger
achim at ag-web.biz
Thu Oct 31 13:28:07 EET 2013
On 31.10.2013 01:11, me at electronico.nc wrote:
> On 31/10/2013 10:42, Achim Gottinger wrote:
>> On 30.10.2013 21:17, me at electronico.nc wrote:
>>> Hello and thanks for your answer.
>>>
>>> On 30/10/2013 19:32, Steffen Kaiser wrote:
>>>>
>>>> On Wed, 30 Oct 2013, me at electronico.nc wrote:
>>>>
>>>>>> passdb {
>>>>>> args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
>>>>>> driver = ldap
>>>>>> }
>>>>>
>>>>> /etc/dovecot/dovecot-ldap-passdb.conf.ext:
>>>>>> hosts = localhost
>>>>>> auth_bind = yes
>>>>>> auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan
>>>>
>>>> You define your bind DN as cn=%u,OU=users,dc=domain,dc=lan
>>>>
>>>>>> ldap_version = 3
>>>>>> base = ou=users,dc=domain,dc=lan
>>>>>> scope = subtree
>>>>>> pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
>>>
>> You should use
>>
>> /etc/dovecot/dovecot-ldap-passdb.conf.ext
>>
>> hosts = localhost
>> dn = cn=ldap,cn=Users,DC=domain,DC=lan
>> dnpass = My_secret_pass
>> auth_bind = yes
>> ldap_version = 3
>> base = OU=users,DC=domain,DC=lan
>> scope = subtree
>> pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
>>
>> That way pass_filter should match
>> cn=%u,OU=administrative,OU=Users,DC=domain,DC=lan as well. Take an
>> look at http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds DN
>> lookup vs. DN template.
>>
>>
> Hello Achim,
> Thanks for your answer :-)
> Sure it works OK, as soon as I specify dn & dnpass (that I omitted in
> passdb... :-[ )
> Many thanks again !
> Nicolas
The problem was auth_bind_userdn which only matched users in OU=users.
If you use that type of password check, pass_filter is not used. Now
dovecot binds as user dn first, does a lookup of the user's dn via
pass_filter and uses the result as the dn for the password verification
via a second bind to ldap. If you use the LDAP server from an Active
Directory I'd recommend you use
pass_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*)).
Because if you use Windows Remote Admin Tools to create users the user's
dn is usually something like dn=cn=[Full Name],ou=Users,dc=domain,dc=lan
and cn=[Full Name]. sAMAccountName however holds the user's login name.
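To make the difference concrete, here is an added Python model of the two auth_bind modes Achim describes (a DN template versus a dn/dnpass bind followed by a pass_filter search). It is not code from the thread or from Dovecot; the directory entries, user names and passwords are constructed, while the DNs, base, scope and filters mirror the configuration quoted above.

```python
import hmac
import re
# Constructed in-memory directory (lower-cased DNs as keys, attribute maps as values).
DIRECTORY = {
    "cn=ldap,cn=users,dc=domain,dc=lan":
        {"objectClass": "person", "cn": "ldap", "userPassword": "svc-pass"},
    "cn=nicolas dupont,ou=users,dc=domain,dc=lan":
        {"objectClass": "person", "cn": "Nicolas Dupont", "sAMAccountName": "nicolas",
         "mail": "nicolas@domain.lan", "userPassword": "pw1"},
    "cn=anne admin,ou=administrative,ou=users,dc=domain,dc=lan":
        {"objectClass": "person", "cn": "Anne Admin", "sAMAccountName": "anne",
         "mail": "anne@domain.lan", "userPassword": "pw2"},
}
SERVICE_DN, SERVICE_PASS = "cn=ldap,cn=Users,DC=domain,DC=lan", "svc-pass"  # dn / dnpass
BASE = "OU=users,DC=domain,DC=lan"
CN_FILTER = "(&(objectClass=person)(cn=%u)(mail=*))"
SAM_FILTER = "(&(objectClass=person)(sAMAccountName=%u)(mail=*))"

def ldap_bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and hmac.compare_digest(entry["userPassword"], password)

def match_filter(entry, ldap_filter):
    """Evaluate an AND-only filter of equality/presence terms, e.g. (&(a=1)(b=*))."""
    for attr, value in re.findall(r"\(([^=()]+)=([^()]*)\)", ldap_filter):
        actual = entry.get(attr)
        if actual is None or (value != "*" and actual.lower() != value.lower()):
            return False
    return True

def in_scope(dn, base, scope):
    """scope=subtree accepts any entry below base; onelevel only direct children."""
    if not dn.endswith("," + base.lower()):
        return False
    relative = dn[: -len(base) - 1]
    return scope == "subtree" or "," not in relative

def auth_bind_template(user, password, template="cn=%u,OU=users,dc=domain,dc=lan"):
    """auth_bind_userdn mode: %u is pasted into a fixed template, no search at all."""
    return ldap_bind(template.replace("%u", user), password)

def auth_bind_lookup(user, password, pass_filter, scope="subtree"):
    """DN-lookup mode: bind as dn/dnpass, search with pass_filter, bind as the hit."""
    if not ldap_bind(SERVICE_DN, SERVICE_PASS):
        return False
    ldap_filter = pass_filter.replace("%u", user)
    hits = [d for d, e in DIRECTORY.items()
            if in_scope(d, BASE, scope) and match_filter(e, ldap_filter)]
    return len(hits) == 1 and ldap_bind(hits[0], password)
```

The template mode only ever reaches entries directly under OU=users, while the lookup mode finds the nested administrative user and, with the sAMAccountName filter, also accepts the short login name.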