OpenLDAP/Services/Dovecot

Материал из ALT Linux Wiki
Freesource-logo.png Blue Glass Arrow.svg MediaWiki logo.png
Эта страница была перемещена с freesource.info.
Эта страница наверняка требует чистки и улучшения — смело правьте разметку и ссылки.
Просьба по окончанию убрать этот шаблон со страницы.


OpenLDAP и Dovecot

Сервисы на LDAP


Описание ситуации

  • ldap.my.lan — LDAP сервер.
  • mail.my.lan — данный mail сервер. Не исключено, что mail серверов в данной сети будет несколько (свой каждому подразделению).
  • dn=dc=lan — корень достаточно развесистого LDAP дерева.
  • Без TLS/SSL (включение описано здесь: Open LDAP? и TLS/SSL)

Настройка Dovecot

За взаимодействие с LDAP сервером обычно отвечает файл /etc/dovecot/dovecot-ldap.conf (сделан на базе dovecot-ldap-example.conf, присутствующего в поставке):

# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki.dovecot.org/AuthDatabase/LDAP
#
# NOTE: If you're not using authentication binds, you'll need to give
# dovecot-auth read access to userPassword field in the LDAP server.
# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
# already be something like this:

# access to attribute=userPassword
#        by dn="<dovecot's dn>" read # add this
#        by anonymous auth
#        by self write
#        by * none

# Space separated list of LDAP hosts to use. host:port is allowed too.
hosts = ldap.my.lan

# LDAP URIs to use. You can use this instead of hosts list. Note that this
# setting isn't supported by all LDAP libraries.
#uris = 

# Distinguished Name - the username used to login to the LDAP server
dn = ou=dovecot_ldap,cn=rantalmail.my.lan,ou=Hosts,dc=my,dc=lan

# Password for LDAP server
dnpass = secret 

# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
# and auth_bind=yes don't work together.
#sasl_bind = no
# SASL mechanism name to use.
#sasl_mech =
# SASL realm to use.
#sasl_realm =
# SASL authorization ID, ie. the dnpass is for this "master user", but the
# dn is still the logged in user. Normally you want to keep this empty.
#sasl_authz_id =

# Use TLS to connect to the LDAP server.
#tls = no

# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes

# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
#
# If you use this setting, it's a good idea to use a different
# dovecot-ldap.conf for userdb (it can even be a symlink, just as long as the
# filename is different in userdb's args). That way one connection is used only
# for LDAP binds and another connection is used for user lookups. Otherwise
# the binding is changed to the default DN before each user lookup.
#
# For example:
#   auth_bind_userdn = cn=%u,ou=people,o=org
#
#auth_bind_userdn =

# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3

# LDAP base. %variables can be used here.
base = dc=lan

# Dereference: never, searching, finding, always
#deref = never

# Search scope: base, onelevel, subtree
scope = subtree

# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
#   uid - System UID
#   gid - System GID
#   home - Home directory
#   mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki.dovecot.org/UserDatabase/ExtraFields
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
# Filter for user lookup. Some variables can be used (see
# http://wiki.dovecot.org/Variables for full list):
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if user there's no domain
#user_filter = (&(objectClass=posixAccount)(uid=%u))
# Ограничиваемся только теми пользователями, чей ящик на данном сервере:
user_filter = (&(objectClass=posixAccount)(objectClass=inetLocalMailRecipient)(mailHost=mail.my.lan)(uid=%u))
# где mail.my.lan -- сервер обслуживающий ящик пользователя.

# Password checking attributes:
#  user: Virtual user name (user@domain), if you wish to change the
#        user-given username to something else
#  password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki.dovecot.org/PasswordDatabase/ExtraFields
pass_attrs = uid=user,userPassword=password

# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
# string. For example:
#pass_attrs = uid=user,userPassword=password,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

# Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
# Аналогично user_filter:
pass_filter = (&(objectClass=posixAccount)(objectClass=inetLocalMailRecipient)(mailHost=mail.my.lan)(uid=%u))

# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki.dovecot.org/Authentication
default_pass_scheme = CRYPT

# You can use same UID and GID for all user accounts if you really want to.
# If the UID/GID is still found from LDAP reply, it overrides these values.
user_global_uid = dovecot 
user_global_gid = mail

Теперь подключаем данный файл в /etc/dovecot/dovecot.conf (привожу избранные моменты):

...

##
## Mailbox locations and namespaces
##

mail_location = maildir:/var/spool/mail/dovecot/%u
# Каталог /var/spool/mail/dovecot надо будт создать руками.

...

##
## Authentication processes
##

...

auth default {
  # Space separated list of wanted authentication mechanisms:
  #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi
  # NOTE: See also disable_plaintext_auth setting.
  #mechanisms = plain cram-md5 digest-md5
  mechanisms = plain
  # Механизмы cram-md5 digest-md5 у меня не заработали.

  ...

  # LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
  passdb ldap {
    # Path for LDAP configuration file, see doc/dovecot-ldap-example.conf
    args = /etc/dovecot/dovecot-ldap.conf 
  }

  ...

  # LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
  userdb ldap {
    # Path for LDAP configuration file, see doc/dovecot-ldap-example.conf
    args = /etc/dovecot/dovecot-ldap.conf 
  }

  ...

}

...

Ссылки