Wieder mal ein LDAP Probleme :-(.

Günther J. Niederwimmer gjn at gjn.priv.at
Di Okt 11 14:09:05 CEST 2016 

Hallo,

kann mich von Euch wer auf den richtigen Weg Bringen :-(.

Ich möchte eigentlich nur die LDAP Abfrage dazu bringen auch 
mailAlternateAddress einzulesen / abzufragen ?

aber anscheinend sehe ich den Wald vor lauter Bäumen nicht ?

bei einem ldapsearch ist alles da was man braucht nur wie bringe ich es 
dovecor bei, das auch zu nutzen ?

# extended LDIF
#
# LDAPv3
# base <dc=4xxx,dc=com> (default) with scope subtree
# filter: (&(objectClass=posixaccount)(objectClass=inetorgperson))
# requesting: ALL
#
# office, users, accounts, 4xxx.com
dn: uid=office,cn=users,cn=accounts,dc=4xxx,dc=com
krbLastSuccessfulAuth: 20161006102345Z
st: AUSTRIA
l: Salzburg
postalCode: 5020
krbPasswordExpiration: 20380101000000Z
krbExtraData:: AAIRGe1Xa2FkbWluZEA0R0pOLkNPTQA=
krbLoginFailedCount: 0
krbTicketFlags: 128
krbLastPwdChange: 20160929133721Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=4xxx,dc=com
memberOf: cn=mailusers,cn=groups,cn=accounts,dc=4xxx,dc=com
mailAlternateAddress: info at 4xxx.com
mepManagedEntry: cn=office,cn=groups,cn=accounts,dc=4xxx,dc=com
displayName:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
uid: office
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: mailrecipient
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/bash
initials: GN
gecos:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
sn: Niederwimmer
homeDirectory: /home/office
mail: office at 4xxx.com
krbPrincipalName: office at 4XXX.COM
givenName:: R8O8bnRoZXIgSi4=
cn:: R8O8bnRoZXIgSi4gTmllZGVyd2ltbWVy
ipaUniqueID: 3a6e2256-8648-11e6-b45d-5254002cd3fc
uidNumber: 1507800005
gidNumber: 1507800005
krbPwdPolicyReference: cn=mailusers,cn=4XXX.COM,cn=kerberos,dc=4xxx,dc=com

Dovecot müsste in diesem Beispiel also uid, mail, mailAternateAddress finden 
und das richtige Passwort dazu auslesen

Nur die richtigen Einstellungen dazu finde ich nicht ?
Außerdem sollten die AlternatAdress im gleichen Postfach landen?


[root at mx01 dovecot]# cat dovecot-ldap.conf.ext 
# This file is commonly accessed via passdb {} or userdb {} section in
# conf.d/auth-ldap.conf.ext


# access to attribute=userPassword
#        by dn="<dovecot's dn>" read # add this
#        by anonymous auth
#        by self write
#        by * none

# Space separated list of LDAP hosts to use. host:port is allowed too.
hosts = ipa.4xxx.com ipa1.4xxx.com

# LDAP URIs to use. You can use this instead of hosts list. Note that this
# setting isn't supported by all LDAP libraries.
#uris = 

# Distinguished Name - the username used to login to the LDAP server.
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
dn = uid=ldapbind,cn=users,cn=accounts,dc=4xxx,dc=com

# Password for LDAP server, if dn is specified.                                                                           
dnpass = 'XXXXXXXXXXXXXXX'                                                                                                 
                                                                                                                          
# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
# and auth_bind=yes don't work together.
#sasl_bind = no
# SASL mechanism name to use.
sasl_mech = gssapi
# SASL realm to use.
#sasl_realm =
# SASL authorization ID, ie. the dnpass is for this "master user", but the
# dn is still the logged in user. Normally you want to keep this empty.
#sasl_authz_id =

# Use TLS to connect to the LDAP server.
#tls = no
# TLS options, currently supported only with OpenLDAP:
#tls_ca_cert_file =
#tls_ca_cert_dir =
#tls_cipher_suite =
# TLS cert/key is used only if LDAP server requires a client certificate.
#tls_cert_file =
#tls_key_file =
# Valid values: never, hard, demand, allow, try
#tls_require_cert =

# Use the given ldaprc path.
#ldaprc_path =

# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
# to get enough output.
#debug_level = 0

# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes

# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
#
# If you use this setting, it's a good idea to use a different
# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
# the filename is different in userdb's args). That way one connection is used
# only for LDAP binds and another connection is used for user lookups.
# Otherwise the binding is changed to the default DN before each user lookup.
#
# For example:
#   auth_bind_userdn = cn=%u,ou=people,o=org
#
auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=4xxx,dc=com

# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3

# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
base = cn=users,cn=accounts,dc=4xxx,dc=com

# Dereference: never, searching, finding, always
deref = never

# Search scope: base, onelevel, subtree
scope = subtree

# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
#   uid - System UID
#   gid - System GID
#   home - Home directory
#   mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

user_attrs = uid=user,uid=home=/srv/vmail/%$,=uid=10000,=gid=10000

#user_attrs = =home=/srv/vmail/%Ld/%Ln,=uid=10000,=gid=10000

# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
#   %u - username
#   %n - user part in user at domain, same as %u if there's no domain
#   %d - domain part in user at domain, empty if user there's no domain
#user_filter = (&(objectClass=posixAccount)(uid=%u))
###user_filter = (&(objectClass=posixaccount)(objectClass=inetorgperson)
(memberof=cn=mailusers,cn=groups,cn=accounts,dc=4xxx,dc=com)(mail=%u))

user_filter = (&(objectClass=posixaccount)(objectClass=inetorgperson)
(memberof=cn=mailusers,cn=groups,cn=accounts,dc=4xxx,dc=com)(|(mail=%Lu)
(maiAlternateAddress=%Lu)))

#user_filter = (&(objectClass=posixaccount)(objectClass=inetorgperson)
(objectClass=mailRecipient)
(memberof=cn=mailusers,cn=groups,cn=accounts,dc=4xxx,dc=com)(|(mail=%u)
(mailAlternateAddress=%u)))
##user_filter = (&(objectClass=inetorgperson)(objectClass=mailRecipient)
(memberof=cn=mailusers,cn=groups,cn=accounts,dc=4xxx,dc=com)(|(mail=%u)
(mailAlternateAddress=%u)))

# Password checking attributes:
#  user: Virtual user name (user at domain), if you wish to change the
#        user-given username to something else
#  password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields

pass_attrs = 
uid=user,userPassword=password,uid=userdb_home=/srv/vmail/%$,=userdb_uid=10000,=userdb_gid=10000 

# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
# string. For example:
#pass_attrs = uid=user,userPassword=password,\
#  homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

# Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
###pass_filter = (&(objectClass=posixaccount)(objectClass=inetorgperson)
(memberOf=cn=mailusers,cn=groups,cn=accounts,dc=4xxx,dc=com)(uid=%Ln))

pass_filter = (&(objectClass=posixaccount)(objectClass=inetorgperson)
(memberOf=cn=mailusers,cn=groups,cn=accounts,dc=4xxx,dc=com)(|(mail=%Lu)
(mailAlternateAdress=%Lu)))

##pass_filter = (&(objectClass=inetorgperson)(objectClass=mailRecipient)
(memberOf=cn=mailusers,cn=groups,cn=accounts,dc=4xxx,dc=com)(uid=%Ln))
#pass_filter = (&(objectClass=inetorgperson)(objectClass=mailRecipient)
(memberOf=cn=mailusers,cn=groups,cn=accounts,dc=4xxx,dc=com)((uid=%Ln)
(mailAlternateAddress=%Ln)))

# Attributes and filter to get a list of all users
iterate_attrs = uid=user
#iterate_filter = (objectClass=posixAccount)
iterate_filter = (&(objectClass=posixaccount)(objectClass=inetorgperson)
(memberof=cn=mailusers,cn=groups,cn=accounts,dc=4xxx,dc=com))

# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
#default_pass_scheme = CRYPT


Irgendwie habe ich da einen Wirbel mit xxxx_attrs = xxxx und den Variablen 
drin :-(.

Danke für jede Hilfe,
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer

Mehr Informationen über die Mailingliste Dovecot