Are these all errors? (LDAP)

Günther J. Niederwimmer gjn at gjn.priv.at
Fri Nov 4 16:57:21 CET 2016


Hello,

Version 2.2.25

I've been struggling with this problem for some time now :-(.

Even after rereading the book and searching the Internet, the whole thing 
still doesn't seem clean to me?

It does seem to work more or less now, though.........

But the LDAP queries seem "massive" to me, so I would like to ask you to 
take a look at the logs.

doveadm user '*' 

now also works on "mailAlternateAddress"; whether they really belong in 
there is still not clear to me?

In any case, I get this error message when starting Dovecot?

mx01 dovecot: auth-worker(8460): Debug: ldap(*): result: uid=office 
mailAlternateAddress=info at example.com; userPassword missing.

With 
doveadm auth test info at example.com

doveadm reports success?

What dovecot doesn't like about the user office (log.txt) is a mystery to me; 
there is another user who almost never appears in the logs?

Now one more request: could you take a look at my dovecot-ldap.conf.ext 
to see whether you can find any more errors in it?

Thanks


-- 
kind regards / best regards,

  Günther J. Niederwimmer
-------------- next part --------------
Nov  4 16:34:28 mx01 dovecot: auth: Debug: master in: PASS#0111#011office at example.com#011service=doveadm#011lip=192.168.100.203#011lport=10993#011rip=192.168.100.213#011rport=33582
Nov  4 16:34:28 mx01 dovecot: auth: Debug: ldap(office at example.com,192.168.100.213): cache hit: <hidden>#011user=office#011userdb_home=/srv/vmail/office#011userdb_uid=10000#011userdb_gid=10000
Nov  4 16:34:28 mx01 dovecot: auth: Debug: ldap(office at example.com,192.168.100.213): username changed office at example.com -> office
Nov  4 16:34:28 mx01 dovecot: auth: Debug: passdb out: PASS#0111#011user=office
Nov  4 16:34:28 mx01 dovecot: auth: Debug: master in: USER#0112#011office at example.com#011service=doveadm#011lip=192.168.100.203#011lport=10993#011rip=192.168.100.213#011rport=33582
Nov  4 16:34:28 mx01 dovecot: auth: Debug: prefetch(office at example.com,192.168.100.213): passdb didn't return userdb entries, trying the next userdb
Nov  4 16:34:28 mx01 dovecot: auth: Debug: ldap(office at example.com,192.168.100.213): userdb cache hit: home=/srv/vmail/office#011uid=10000#011gid=10000#011user=office
Nov  4 16:34:28 mx01 dovecot: auth: Debug: ldap(office at example.com,192.168.100.213): username changed office at example.com -> office
Nov  4 16:34:28 mx01 dovecot: auth: Debug: userdb out: USER#0112#011office#011home=/srv/vmail/office#011uid=10000#011gid=10000
Nov  4 16:34:28 mx01 dovecot: auth: Debug: master in: PASS#0111#011office at example.com#011service=doveadm#011lip=192.168.100.203#011lport=10993#011rip=192.168.100.213#011rport=33584
Nov  4 16:34:28 mx01 dovecot: auth: Debug: ldap(office at example.com,192.168.100.213): cache hit: <hidden>#011user=office#011userdb_home=/srv/vmail/office#011userdb_uid=10000#011userdb_gid=10000
Nov  4 16:34:28 mx01 dovecot: auth: Debug: ldap(office at example.com,192.168.100.213): username changed office at example.com -> office
Nov  4 16:34:28 mx01 dovecot: auth: Debug: passdb out: PASS#0111#011user=office
Nov  4 16:34:28 mx01 dovecot: auth: Debug: master in: USER#0112#011office at example.com#011service=doveadm#011lip=192.168.100.203#011lport=10993#011rip=192.168.100.213#011rport=33584
Nov  4 16:34:28 mx01 dovecot: auth: Debug: prefetch(office at example.com,192.168.100.213): passdb didn't return userdb entries, trying the next userdb
Nov  4 16:34:28 mx01 dovecot: auth: Debug: ldap(office at example.com,192.168.100.213): userdb cache hit: home=/srv/vmail/office#011uid=10000#011gid=10000#011user=office
Nov  4 16:34:28 mx01 dovecot: auth: Debug: ldap(office at example.com,192.168.100.213): username changed office at example.com -> office
Nov  4 16:34:28 mx01 dovecot: auth: Debug: userdb out: USER#0112#011office#011home=/srv/vmail/office#011uid=10000#011gid=10000
No
-------------- next part --------------
# This file is commonly accessed via passdb {} or userdb {} section in
# conf.d/auth-ldap.conf.ext

# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki2.dovecot.org/AuthDatabase/LDAP
#
# NOTE: If you're not using authentication binds, you'll need to give
# dovecot-auth read access to userPassword field in the LDAP server.
# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
# already be something like this:

# access to attribute=userPassword
#        by dn="<dovecot's dn>" read # add this
#        by anonymous auth
#        by self write
#        by * none

# Space separated list of LDAP hosts to use. host:port is allowed too.
hosts = 192.168.100.204 192.168.100.214
#hosts = 192.168.100.204
#hosts = ipa.example.com

# LDAP URIs to use. You can use this instead of hosts list. Note that this
# setting isn't supported by all LDAP libraries.
#uris = ldap://ipa.example.com ldap://ipa1.example.com

# Distinguished Name - the username used to login to the LDAP server.
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
dn = uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com

# Password for LDAP server, if dn is specified.
dnpass = 'XXXXXXXXXXXXXX'

# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
# and auth_bind=yes don't work together.
#sasl_bind = yes
# SASL mechanism name to use.
sasl_mech = gssapi
# SASL realm to use.
sasl_realm = example.COM
# SASL authorization ID, ie. the dnpass is for this "master user", but the
# dn is still the logged in user. Normally you want to keep this empty.
sasl_authz_id = imap/mx01.example.com at EXAMPLE.COM

# Use TLS to connect to the LDAP server.
#tls = yes
# TLS options, currently supported only with OpenLDAP:
tls_ca_cert_file = /etc/ipa/ca.crt
#tls_ca_cert_dir =
#tls_cipher_suite =
# TLS cert/key is used only if LDAP server requires a client certificate.
#tls_cert_file =
#tls_key_file =
# Valid values: never, hard, demand, allow, try
tls_require_cert = demand

# Use the given ldaprc path.
#ldaprc_path =

# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
# to get enough output.
#debug_level = 0

# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes

# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
#
# If you use this setting, it's a good idea to use a different
# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
# the filename is different in userdb's args). That way one connection is used
# only for LDAP binds and another connection is used for user lookups.
# Otherwise the binding is changed to the default DN before each user lookup.
#
# For example:
#   auth_bind_userdn = cn=%u,ou=people,o=org
#
#auth_bind_userdn = uid=%u,cn=users,cn=accounts,dc=example,dc=com


# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3

# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
base = cn=users,cn=accounts,dc=example,dc=com
#base = dc=example,dc=com

# Dereference: never, searching, finding, always
#deref = never

# Search scope: base, onelevel, subtree
scope = subtree
#scope = onelevel

# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
#   uid - System UID
#   gid - System GID
#   home - Home directory
#   mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_attrs = uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000
#user_attrs = mail=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000

# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
#   %u - username
#   %n - user part in user at domain, same as %u if there's no domain
#   %d - domain part in user at domain, empty if user there's no domain
#user_filter = (&(objectClass=mailrecipient)(memberof=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))
#user_filter = (&(objectClass=mailrecipient)(memberof=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com)(|(mail=%Lu)(mailAlternateAddress=%Lu)))
user_filter = (&(objectClass=posixaccount)(memberof=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com)(|(mail=%Lu)(mailAlternateAddress=%Lu)))

# Password checking attributes:
#  user: Virtual user name (user at domain), if you wish to change the
#        user-given username to something else
#  password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
pass_attrs = uid=user,userPassword=password,uid=userdb_home=/srv/vmail/%$,=userdb_uid=10000,=userdb_gid=10000 

# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
# string. For example:
#pass_attrs = uid=user,userPassword=password,\
#  homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

# Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
pass_filter = (&(objectClass=mailrecipient)(memberof=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com)(|(uid=%Ln)(mail=%Lu)(mailAlternateAddress=%Lu)))
#pass_filter = (&(objectClass=mailrecipient)(memberof=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com)(|(mail=%Lu)(mailAlternateAddress=%Lu)))
#pass_filter = (&(objectClass=posixaccount)(memberof=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com)(|(mail=%Lu)(mailAlternateAddress=%Lu)))

# Attributes and filter to get a list of all users
#iterate_attrs = mailAlternateAddress=user,uid=user,userPassword=password
iterate_attrs = uid=user,userPassword=password,mailAlternateAddress=user

#iterate_filter = (&(objectClass=mailrecipient)(memberof=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com)(mailAlternateAddress=%Lu))
iterate_filter = (&(objectClass=posixAccount)(memberof=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com))
#iterate_filter = (&(objectClass=posixaccount)(memberof=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com)(|(mail=%Lu)(mailAlternateAddress=%Lu)))

# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
#default_pass_scheme = CRYPT


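As an added check, not code from the post or from Dovecot: a script that reads auth debug lines in the form the list archive shows them (tab rendered as "#011", "@" as " at "; raw syslog lines with real tabs work too) and counts per user how many requests were answered from the auth cache, how many went to LDAP, and which attributes a returned entry lacked. The sample is constructed from the quoted log plus two assumed lines in the same format; the wording of the "pass search:" line is an assumption about Dovecot 2.2's LDAP debug output.

```python
import re
from collections import defaultdict

# Constructed sample in the form the list archive renders Dovecot 2.2 auth debug
# lines (tab shown as "#011", "@" as " at "). The first five lines follow the
# quoted log; the last two are assumed lines in the same format.
SAMPLE_LOG = """\
Nov  4 16:34:28 mx01 dovecot: auth: Debug: master in: PASS#0111#011office at example.com#011service=doveadm#011lip=192.168.100.203
Nov  4 16:34:28 mx01 dovecot: auth: Debug: ldap(office at example.com,192.168.100.213): cache hit: <hidden>#011user=office#011userdb_home=/srv/vmail/office
Nov  4 16:34:28 mx01 dovecot: auth: Debug: master in: USER#0112#011office at example.com#011service=doveadm#011lip=192.168.100.203
Nov  4 16:34:28 mx01 dovecot: auth: Debug: prefetch(office at example.com,192.168.100.213): passdb didn't return userdb entries, trying the next userdb
Nov  4 16:34:28 mx01 dovecot: auth: Debug: ldap(office at example.com,192.168.100.213): userdb cache hit: home=/srv/vmail/office#011uid=10000#011gid=10000#011user=office
Nov  4 16:34:29 mx01 dovecot: auth-worker(8460): Debug: ldap(info at example.com,192.168.100.213): pass search: base=cn=users,cn=accounts,dc=example,dc=com scope=subtree filter=(&(objectClass=mailrecipient)(mail=info at example.com)) fields=uid,userPassword
Nov  4 16:34:29 mx01 dovecot: auth-worker(8460): Debug: ldap(*): result: uid=office mailAlternateAddress=info at example.com; userPassword missing
"""

DEBUG = re.compile(r"Debug: (.*)$")
# "ldap(user,ip): message", or "ldap(*): message" while iterating all users
LDAP_CTX = re.compile(r"^ldap\(([^,)]*)(?:,[^)]*)?\): (.*)$")
# request from the master process: "master in: PASS<tab>id<tab>user<tab>..."
MASTER_IN = re.compile(r"^master in: (?:PASS|USER)(?:#011|\t)\d+(?:#011|\t)([^#\t]*)")
SEARCH = re.compile(r"^(?:pass|user|iterate) search:")

def summarize(log_text):
    """Per user: requests, LDAP cache hits, real LDAP searches, missing attrs."""
    stats = defaultdict(lambda: {"requests": 0, "cache_hits": 0,
                                 "searches": 0, "missing": []})
    for line in log_text.splitlines():
        m = DEBUG.search(line)
        if not m:
            continue
        msg = m.group(1)
        mi = MASTER_IN.match(msg)
        if mi:
            stats[mi.group(1)]["requests"] += 1
            continue
        lc = LDAP_CTX.match(msg)
        if not lc:
            continue                      # prefetch, passdb out, ... are not LDAP
        user, rest = lc.groups()
        if "cache hit:" in rest:          # passdb and userdb cache hits alike
            stats[user]["cache_hits"] += 1
        elif SEARCH.match(rest):          # a query actually sent to the server
            stats[user]["searches"] += 1
        elif rest.startswith("result:"):  # "...; userPassword missing"
            stats[user]["missing"] += re.findall(r"(\w+) missing", rest)
    return dict(stats)
```

Run summarize() over a pasted archive excerpt or a raw /var/log/maillog section; a user whose searches count stays at zero while cache_hits grows is being served from the auth cache, not from LDAP.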
More information about the Dovecot mailing list