List:       dovecot
Subject:    Re: [Dovecot] dovecot-ldap : can't find user in OU subtree // solved
From:       Achim Gottinger <achim () ag-web ! biz>
Date:       2013-10-31 11:28:07
Message-ID: 52723EC7.8070807 () ag-web ! biz

On 31.10.2013 01:11, me@electronico.nc wrote:
> On 31/10/2013 10:42, Achim Gottinger wrote:
>> On 30.10.2013 21:17, me@electronico.nc wrote:
>>> Hello and thanks for your answer.
>>>
>>> On 30/10/2013 19:32, Steffen Kaiser wrote:
>>>>
>>>> On Wed, 30 Oct 2013, me@electronico.nc wrote:
>>>>
>>>>>> passdb {
>>>>>>   args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
>>>>>>   driver = ldap
>>>>>> }
>>>>>
>>>>> /etc/dovecot/dovecot-ldap-passdb.conf.ext:
>>>>>> hosts = localhost
>>>>>> auth_bind = yes
>>>>>> auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan
>>>>
>>>> You define your bind DN as cn=%u,OU=users,dc=domain,dc=lan
>>>>
>>>>>> ldap_version = 3
>>>>>> base = ou=users,dc=domain,dc=lan
>>>>>> scope = subtree
>>>>>> pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
>>>
>> You should use
>>
>> /etc/dovecot/dovecot-ldap-passdb.conf.ext
>>
>> hosts = localhost
>> dn = cn=ldap,cn=Users,DC=domain,DC=lan
>> dnpass = My_secret_pass
>> auth_bind = yes
>> ldap_version = 3
>> base = OU=users,DC=domain,DC=lan
>> scope = subtree
>> pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
>>
>> That way pass_filter should match
>> cn=%u,OU=administrative,OU=Users,DC=domain,DC=lan as well. Take an
>> look at http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds DN
>> lookup vs. DN template.
>>
>>
> Hello Achim,
> Thanks for your answer :-)
> Sure it works OK, as soon as I specify dn & dnpass (that I omitted in
> passdb... :-[ )
> Many thanks again !
> Nicolas
The problem was auth_bind_userdn, which only matched users in OU=users. 
If you use that type of password check, pass_filter is not used. Now 
dovecot binds as user dn first, does a lookup of the user's dn via 
pass_filter and uses the result as the dn for the password verification 
via a second bind to ldap. If you use the LDAP server from an Active 
Directory I'd recommend you use
pass_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*)). 
Because if you use the Windows Remote Admin Tools to create users, the user's 
dn is usually something like dn=cn=[Full Name],ou=Users,dc=domain,dc=lan 
and cn=[Full Name]. sAMAccountName however holds the user's login name.
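
The two passdb strategies discussed in this thread (the auth_bind_userdn template from the original config, and the dn/dnpass lookup followed by a user bind that Achim recommends), as an added example that is not part of the thread and not Dovecot's own code. It is an in-memory model of a directory rather than a real LDAP client, so it runs offline; the entries, DNs, passwords and the service account name are constructed for illustration. It reproduces the three points raised above: a DN template never finds a user in a sub-OU, a subtree lookup does, and on AD a cn=%u filter misses users whose cn is their full name while sAMAccountName=%u finds them. It also escapes the username per RFC 4515 before it is substituted into the filter, which is what keeps a crafted login name from widening the search.

```python
"""Added example, not from the thread or from Dovecot: an in-memory model of
the two passdb strategies (auth_bind_userdn template vs. dn/dnpass lookup
followed by a user bind). All entries, DNs and passwords are constructed."""

from typing import Callable, Dict, List, Optional, Tuple

Entry = Dict[str, object]

# Constructed directory. Keys are lower-cased DNs; DN matching is
# case-insensitive in AD and this model mimics that.
DIRECTORY: Dict[str, Entry] = {
    "cn=alice,ou=users,dc=domain,dc=lan": {
        "objectClass": ["person"], "cn": "alice", "sAMAccountName": "alice",
        "mail": "alice@domain.lan", "userPassword": "alice-secret"},
    # User in a sub-OU: a DN template anchored at OU=users never reaches it.
    "cn=bob,ou=administrative,ou=users,dc=domain,dc=lan": {
        "objectClass": ["person"], "cn": "bob", "sAMAccountName": "bob",
        "mail": "bob@domain.lan", "userPassword": "bob-secret"},
    # AD-style entry created with the Windows admin tools: cn is the full
    # name, the login name lives in sAMAccountName.
    "cn=carol example,ou=users,dc=domain,dc=lan": {
        "objectClass": ["person"], "cn": "Carol Example",
        "sAMAccountName": "carol", "mail": "carol@domain.lan",
        "userPassword": "carol-secret"},
    # Service account used for the lookup bind (dn= / dnpass= in the config).
    "cn=ldap,cn=users,dc=domain,dc=lan": {
        "objectClass": ["person"], "cn": "ldap", "sAMAccountName": "ldap",
        "userPassword": "My_secret_pass"},
}

BASE = "ou=users,dc=domain,dc=lan"          # base = ... in the config
SERVICE_DN = "cn=ldap,cn=Users,DC=domain,DC=lan"  # dn = ... (assumed name)
SERVICE_PASS = "My_secret_pass"             # dnpass = ... (constructed)


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter
    (Dovecot escapes %u the same way). Keeps a login name such as
    '*)(cn=*' from turning into extra filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch
                   for ch in value)


def build_pass_filter(attr: str, username: str) -> str:
    """The pass_filter string that would go on the wire for this login."""
    return "(&(objectClass=person)(%s=%s)(mail=*))" % (attr, ldap_escape(username))


def simple_bind(dn: str, password: str) -> bool:
    """Model of an LDAP simple bind: the DN must exist and the password must
    match. An empty password is refused; on a real server it would turn the
    request into an anonymous bind that 'succeeds' without authenticating."""
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and bool(password) and entry.get("userPassword") == password


def search_subtree(base: str, matches: Callable[[Entry], bool]) -> List[str]:
    """scope = subtree: the base entry and everything beneath it."""
    base = base.lower()
    return [dn for dn, e in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base)) and matches(e)]


def template_bind(username: str, password: str) -> Tuple[bool, str]:
    """auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan: no search at all,
    so pass_filter and scope play no part and users in sub-OUs never match."""
    dn = "cn=%s,OU=users,dc=domain,dc=lan" % username
    return simple_bind(dn, password), dn


def lookup_bind(username: str, password: str,
                attr: str = "cn") -> Tuple[bool, Optional[str]]:
    """dn/dnpass + auth_bind = yes: bind as the service account, locate the
    user's DN with pass_filter, then bind again as that DN with the user's
    password. Refuses when the filter matches nothing or more than one entry."""
    if not simple_bind(SERVICE_DN, SERVICE_PASS):
        return False, None
    # Structured evaluation of (&(objectClass=person)(attr=%u)(mail=*)):
    # exact comparison, so a wildcard in the username cannot match anything.
    def matches(e: Entry) -> bool:
        return ("person" in e.get("objectClass", [])
                and str(e.get(attr, "")).lower() == username.lower()
                and bool(e.get("mail")))
    found = search_subtree(BASE, matches)
    if len(found) != 1:
        return False, None
    user_dn = found[0]
    return simple_bind(user_dn, password), user_dn
```

Run `lookup_bind("bob", "bob-secret")` to see the sub-OU user found via the subtree search, and compare `lookup_bind("carol", "carol-secret")` (cn filter, fails) with `lookup_bind("carol", "carol-secret", attr="sAMAccountName")` (succeeds). The ambiguity check in `lookup_bind` matters on real directories: if the filter returns two DNs, binding as the first one would authenticate the login against an account the user did not name.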
