[Dovecot] Director and forwarding LDAP user as Master user

Alexandr Sabitov alexandr.sabitov at netregistry.com.au
Tue Jan 8 07:26:12 EET 2013


Hi Timo,

Unfortunately adding pass=yes to dovecot director did not work for me but I found another way to enable what I need. Can you please confirm if it is alright.
This is working for me:

Task: Get LDAP users to authenticate at the Director with an encrypted password mechanism such as CRAM-MD5 and pass them to the back-end Dovecot mail server as a Master user.

Dovecot Director: 192.168.100.95
Dovecot: 192.168.100.96

Dovecot: 2.1.10 

dovecot-proxy.conf (NO NEED FOR STATIC PASSDB):
...
passdb {
  driver = ldap
  args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = ldap
  args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
}
service pop3-login {
  executable = pop3-login director
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
...

dovecot.conf:
...
auth_master_user_separator = *
passdb {
  driver = passwd-file
  args = /usr/local/dovecot/etc/dovecot/passwd.masterusers
  master = yes
  pass = yes
}
passdb {
  driver = static
}
userdb {
  driver = ldap
  args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
}
...

dovecot-ldap.conf.ext:
...
user_attrs = homeDirectory=home, uidNumber=uid, gidNumber=gid
user_filter = (&(objectClass=nrPOPAccount)(uid=%u))
pass_attrs = uid=user, userPassword=password, =proxy=y, =destuser=%u*masteruser, =pass=mastpass
pass_filter = (&(objectClass=nrPOPAccount)(uid=%u))
...

Then telnet to the director with a normal username/password and see where the user stops:
dovecot-shared-1:/usr/local/dovecot/etc/dovecot#  /usr/local/dovecot/bin/doveadm who -a /var/run/dovecot-proxy/anvil 
username # proto (pids) (ips) 
HE DIDN'T STOP ON DIRECTOR
dovecot-shared-1:/usr/local/dovecot/etc/dovecot#  /usr/local/dovecot/bin/doveadm who -a /var/run/dovecot/anvil 
username                     # proto (pids)  (ips)                                             
migration.test at network.id.au 1 pop3  (16226) (192.168.100.96)
HE WENT THROUGH DIRECTOR AND NOW IS AT MAILSERVER

Double-check:
dovecot-shared-1:/usr/local/dovecot/etc/dovecot#  /usr/local/dovecot/bin/doveadm director status -a /var/run/dovecot-proxy/director-admin 
mail server ip vhosts                                                    users
192.168.100.96    100                                                        1

Double-check in logs:
Jan 08 04:35:11 auth: Debug: client in: AUTH    1       PLAIN   service=pop3    session=xTmneL/SGwAKAQeo        lip=192.168.100.95      rip=10.1.7.168  lport=110       rport=39451     resp=<hidden>
Jan 08 04:35:11 auth: Debug: ldap(migration.test at network.id.au,10.1.7.168,<xTmneL/SGwAKAQeo>): pass search: base=ou=email, dc=netregistry, dc=net scope=subtree filter=(&(objectClass=nrPOPAccount)(uid=migration.test at network.id.au)) fields=uid,userPassword
Jan 08 04:35:11 auth: Debug: ldap(migration.test at network.id.au,10.1.7.168,<xTmneL/SGwAKAQeo>): result: uid=migration.test at network.id.au userPassword=<hidden>
Jan 08 04:35:11 auth: Debug: client passdb out: OK      1       user=migration.test at network.id.au       proxy   destuser=migration.test at network.id.au*masteruser        pass=<hidden>
Jan 08 04:35:11 pop3-login: Info: proxy(migration.test at network.id.au): started proxying to 192.168.100.96:110/migration.test at network.id.au*masteruser: user=<migration.test at network.id.au>, method=PLAIN, rip=10.1.7.168, lip=192.168.100.95, session=<xTmneL/SGwAKAQeo>

Thunderbird setup with encrypted password works well.

Looks like all is working well and I do not have auth_bind=yes.

Timo, please confirm if it is an OK setup.

Best Regards,
Alexandr Sabitov
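The director-side setup above hinges on three static fields in pass_attrs (proxy, destuser with the master separator, and pass) plus the absence of auth_bind=yes, which Timo says breaks this forwarding. The following script is an added example, not code from the thread or from the Dovecot project: it parses a constructed copy of the dovecot-ldap.conf.ext settings, splits pass_attrs into its LDAP-attribute and static-value mappings, and reports which of those preconditions for master-user forwarding are missing. The `*` separator defaults to the one used on the back-end in this thread; the check functions and their messages are my own.

```python
"""Check a Dovecot director's LDAP passdb mapping for master-user forwarding.

Added example (not from the mailing-list thread or Dovecot itself). It parses the
director's dovecot-ldap.conf.ext and verifies the fields the thread relies on:
proxy=y, destuser containing the master separator, a pass value, a password
attribute, and auth_bind not set to yes.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the director config in the thread.
LDAP_CONF_EXT = """
auth_bind = no
user_attrs = homeDirectory=home, uidNumber=uid, gidNumber=gid
user_filter = (&(objectClass=nrPOPAccount)(uid=%u))
pass_attrs = uid=user, userPassword=password, =proxy=y, =destuser=%u*masteruser, =pass=mastpass
pass_filter = (&(objectClass=nrPOPAccount)(uid=%u))
"""


def parse_settings(text: str) -> dict:
    """Parse 'key = value' lines into a dict, skipping blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        settings[key.strip()] = value.strip()
    return settings


@dataclass
class AttrMapping:
    ldap_attr: Optional[str]    # None for static '=field=value' entries
    field: str                  # Dovecot passdb field name
    static_value: Optional[str]  # value for static entries, else None


def parse_pass_attrs(spec: str) -> List[AttrMapping]:
    """Split a pass_attrs list into mappings.

    'attr=field'    copies an LDAP attribute into a passdb field
    '=field=value'  assigns a static (variable-expanded) value to a field
    """
    mappings = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        ldap_attr, _, rest = item.partition("=")
        if ldap_attr == "":
            field, _, value = rest.partition("=")
            mappings.append(AttrMapping(None, field, value))
        else:
            mappings.append(AttrMapping(ldap_attr, rest, None))
    return mappings


def check_master_forwarding(ldap_settings: dict, master_separator: str = "*") -> List[str]:
    """Return problems with the proxy-to-master-user mapping; empty list if consistent."""
    problems = []
    if ldap_settings.get("auth_bind", "no").lower() == "yes":
        problems.append("auth_bind=yes: master-user forwarding does not work with bind authentication")
    fields = {m.field: m for m in parse_pass_attrs(ldap_settings.get("pass_attrs", ""))}
    if "password" not in fields:
        problems.append("no password attribute mapped: the director cannot verify the user")
    proxy = fields.get("proxy")
    if proxy is None or (proxy.static_value or "").lower() not in ("y", "yes"):
        problems.append("proxy=y is missing: the session would be served on the director")
    dest = fields.get("destuser")
    if dest is None or not dest.static_value:
        problems.append("destuser is not set: the back-end would see the plain username")
    elif master_separator not in dest.static_value:
        problems.append(f"destuser {dest.static_value!r} lacks the master separator {master_separator!r}")
    pw = fields.get("pass")
    if pw is None or not pw.static_value:
        problems.append("pass (the master password sent to the back-end) is not set")
    return problems


if __name__ == "__main__":
    for problem in check_master_forwarding(parse_settings(LDAP_CONF_EXT)) or ["OK: mapping is consistent"]:
        print(problem)
```

Run it against the real dovecot-ldap.conf.ext by replacing the constructed `LDAP_CONF_EXT` string with the file's contents; a non-empty list tells you which of the forwarding preconditions the mapping lacks.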
________________________________________
From: Timo Sirainen [tss at iki.fi]
Sent: Friday, January 04, 2013 2:53 PM
To: Alexandr Sabitov
Cc: dovecot at dovecot.org
Subject: Re: [Dovecot] Director and forwarding LDAP user as Master user

On 20.12.2012, at 4.11, Alexandr Sabitov <alexandr.sabitov at netregistry.com.au> wrote:

> Hello guys,
>
> Would you be able to help me with this little issue. I bet someone has the same config, so if you can copy-paste it I will very much appreciate it.
> So the main idea is to enable Dovecot director to authenticate an LDAP user with a plain or encrypted password and send the user to the back-end Dovecot server after the authentication.
> According to Wiki it is only possible if we use the master user to communicate to the back-end server.

If you use auth_bind=yes this doesn't work. If you don't, this should work:

> On the back-end Dovecot server it is working fine, I can log in as normal user/user_password or as user*masteruser/master_password. The back-end config is:
>
> auth_master_user_separator = *
> passdb {
>  driver = passwd-file
>  args = /usr/local/dovecot/etc/dovecot/passwd.masterusers
>  master = yes
>  pass = yes
> }
>
> passdb {
>  driver = ldap
>  args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
> }
>
> userdb {
>  driver = ldap
>  args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
> }

The above looks ok. "pass = yes" is the important part, so simply adding this should work:

> Now  front-end:  how to get director forward the user to the back-end after authentication on the director? With my director config the user stays on the director all the time:
>
> passdb {
>  driver = static
>  args = proxy=y master=masteruser pass=master_password destuser=%u*masteruser

  pass = yes

> }
>
> passdb {
>  driver = ldap
>  args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
> }
>
> userdb {
>  driver = ldap
>  args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
> }
>
> The only way to forward the user is to setup nopassword=y in args of static passdb but in that case the user will be authenticated on the backend but not on the director...
> What am I missing? Please help me
>
> Best Regards,
> Alexandr Sabitov


