This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.

Passdb LDAP with authentication binds

Advantages over password lookups:

  • LDAP server verifies the password, so Dovecot doesn't need to know what format the password is stored in.
  • A bit more secure, as a security hole in Dovecot doesn't give an attacker access to all the users' password hashes. (And Dovecot admins in general don't have direct access to them.) A compromised Dovecot still sees each password as it is presented at login time, so this limits the damage of a mass read of the directory rather than removing password exposure altogether.

You can enable authentication binds by setting auth_bind = yes. Next, Dovecot needs to know what DN to use in the bind. There are two ways to configure this: lookup or template.

DN lookup

The DN is looked up by sending a pass_filter LDAP request and getting the DN from the reply. This is very similar to doing a password lookup. The only difference is that the userPassword attribute isn't returned. Just as with password lookups, pass_attrs may contain special extra fields.

Example:

auth_bind = yes
pass_attrs = uid=user
pass_filter = (&(objectClass=posixAccount)(uid=%u))

DN template

The main reason to use DN template is to avoid doing the DN lookup, so that the authentication consists only of one LDAP request. With IMAP and POP3 logins the same optimization can be done by using prefetch userdb and returning userdb info in the DN lookup (a total of two LDAP requests per login in both cases). If you're also using Dovecot for SMTP AUTH, it doesn't do a userdb lookup so the prefetch optimization doesn't help.

If you're using a DN template, the pass_attrs and pass_filter settings are completely ignored. That means you can't make passdb return any extra fields. You should also set auth_username_format = %Lu in dovecot.conf to normalize the username by lowercasing it: the LDAP server typically matches the DN case-insensitively, so both "User" and "user" would bind successfully, but without normalization Dovecot would treat them as two different users.

Example:

auth_bind = yes
auth_bind_userdn = cn=%u,ou=people,o=org
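The two strategies above, DN lookup and DN template, as an added example that is not Dovecot's own code: a Python script that substitutes a login name into the page's pass_filter and auth_bind_userdn strings with RFC 4515 (filter) and RFC 4514 (DN) escaping, lowercases it as auth_username_format = %Lu does, and runs both flows against a constructed in-memory stand-in for the LDAP server, so the number of requests each strategy makes and the effect of escaping on a hostile login name are visible offline. The Directory class, its toy password hash, the sample entries and the request log are all assumptions of this example.

```python
"""Added example, not Dovecot's own code: the DN lookup and DN template
strategies run against a constructed in-memory stand-in for an LDAP server."""
import hashlib
import re

# RFC 4515: characters that must be escaped inside a search filter value.
_FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')
# Settings from this page.
PASS_FILTER = "(&(objectClass=posixAccount)(uid=%u))"
USERDN_TEMPLATE = "cn=%u,ou=people,o=org"


def escape_filter(value):
    """Escape a login name before it replaces %u in pass_filter."""
    return "".join(_FILTER_ESC.get(ch, ch) for ch in value)


def escape_dn(value):
    """Escape a login name before it replaces %u in auth_bind_userdn."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def normalize(username):
    """What auth_username_format = %Lu does: lowercase the login name."""
    return username.lower()


def _h(password):
    """Toy password hash for the constructed directory (assumption of this example)."""
    return hashlib.sha256(password.encode()).hexdigest()


_COMPONENT = re.compile(r"\((\w+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class Directory:
    """Constructed stand-in for the LDAP server: it understands only
    (&(attr=value)...) equality filters and simple binds, and logs each request."""

    def __init__(self, entries):
        self.entries = entries      # dn -> attributes, including the toy "pwhash"
        self.requests = []          # ("search", filter) or ("bind", dn)

    def search(self, filter_str):
        self.requests.append(("search", filter_str))
        if not (filter_str.startswith("(&") and filter_str.endswith(")")):
            raise ValueError("unsupported filter: " + filter_str)
        inner = filter_str[2:-1]
        comps = _COMPONENT.findall(inner)
        if "".join("(%s=%s)" % c for c in comps) != inner:
            raise ValueError("malformed filter: " + filter_str)
        wanted = {attr: _unescape(val) for attr, val in comps}
        return [dn for dn, e in self.entries.items()
                if all(e.get(attr) == val for attr, val in wanted.items())]

    def bind(self, dn, password):
        self.requests.append(("bind", dn))
        entry = self.entries.get(dn)
        return entry is not None and entry["pwhash"] == _h(password)


def auth_bind_lookup(directory, username, password):
    """DN lookup: a pass_filter search, then a bind as the user (two requests)."""
    user = normalize(username)
    dns = directory.search(PASS_FILTER.replace("%u", escape_filter(user)))
    if len(dns) != 1:
        return None                 # unknown, or ambiguous, login name
    return dns[0] if directory.bind(dns[0], password) else None


def auth_bind_template(directory, username, password):
    """DN template: no search, the DN comes from the template (one request)."""
    user = normalize(username)
    dn = USERDN_TEMPLATE.replace("%u", escape_dn(user))
    return dn if directory.bind(dn, password) else None


def sample_directory():
    """Constructed entries; the server keeps the hash, the client never sees it."""
    return Directory({
        "cn=alice,ou=people,o=org": {"objectClass": "posixAccount", "uid": "alice", "pwhash": _h("s3cret")},
        "cn=bob,ou=people,o=org": {"objectClass": "posixAccount", "uid": "bob", "pwhash": _h("hunter2")},
    })


if __name__ == "__main__":
    d = sample_directory()
    print(auth_bind_lookup(d, "Alice", "s3cret"), d.requests)      # search + bind
    d = sample_directory()
    print(auth_bind_template(d, "Alice", "s3cret"), d.requests)    # bind only
    # Filter metacharacters in the login name are escaped, so they stay data:
    d = sample_directory()
    print(auth_bind_lookup(d, "alice)(uid=bob", "hunter2"), d.requests[0])
```

The request log is the point: the lookup flow issues a search and then a bind, the template flow only a bind, which is the one-request saving the page describes. The escaping helpers show why a login name such as "alice)(uid=bob" cannot change the shape of the filter; it is compared as a single literal value and matches nothing.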

Connection optimization

When using

  • auth binds and
  • userdb ldap lookups,

the userdb lookups should use a separate connection to the LDAP server. That way Dovecot can send the LDAP requests to the server asynchronously, which improves performance. This can be done by specifying different filenames in the LDAP passdb and userdb args. The second file could be a symlink to the first one. For example:

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
}

And create the symlink:

ln -s /etc/dovecot/dovecot-ldap.conf.ext /etc/dovecot/dovecot-ldap-userdb.conf.ext

AuthDatabase/LDAP/AuthBinds (last edited 2015-06-04 16:48:04 by TimoSirainen)