This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.

Passdb LDAP with password lookups

Advantages over authentication binds:

LDAP server permissions

Normally the LDAP server doesn't give anyone read access to users' passwords, so you'll need to create an account for Dovecot that has read access to the userPassword attribute. Be aware that this account's credentials (the dn and dnpass settings in dovecot-ldap.conf) can then read every user's password hash, so keep that file readable only by root and don't reuse the account for anything else. With OpenLDAP this can be done by modifying /etc/ldap/slapd.conf (or the equivalent olcAccess value under cn=config). ACL clauses are evaluated in order and the first matching "by" clause wins, so add the new line before "by * none":

# there should already be something like this in the file:
access to attribute=userPassword
        by dn="<dovecot's dn>" read  # just add this line
        by anonymous auth
        by self write
        by * none

Replace <dovecot's dn> with the DN you specified in dovecot-ldap.conf's dn setting.

Dovecot configuration

The two important settings in password lookups are:

pass_filter: the LDAP search filter used to find the user's entry (the %u variable expands to the username the client sent).
pass_attrs: the LDAP attributes to return from that entry and how they map to Dovecot's fields.

Usually the LDAP attribute names aren't the same as the field names that Dovecot uses internally. You must create a mapping between them to get the wanted results. This is done by listing the fields as <ldap attribute>=<dovecot field>. For example:

pass_attrs = uid=user, userPassword=password

This maps the LDAP "uid" attribute to Dovecot's "user" field and LDAP's "userPassword" attribute to Dovecot's "password" field. These two fields should always be returned, but it's also possible to return other special extra fields.

Password

Most importantly, pass_attrs must return a "password" field, which contains the user's password (usually a hash). The next thing Dovecot needs to know is what format the password is in. If all the passwords are in the same format, you can use the default_pass_scheme setting in dovecot-ldap.conf to specify it. Otherwise each password needs to be prefixed with "{password-scheme}", for example "{plain}plaintext-password". Values stored in the usual LDAP form, such as "{SSHA}base64-data", already carry such a prefix and override default_pass_scheme. If the prefix is missing and default_pass_scheme names a different scheme than the one the value was created with, every login for that user simply fails. See Authentication/PasswordSchemes for a list of supported password schemes.

Username

LDAP attribute lookups are usually case-insensitive (uid, for example, uses the caseIgnoreMatch matching rule). Unless you somehow normalize the username, it's possible that a user logging in as "user", "User" and "uSer" is treated differently, for example getting three separate mailboxes. The easiest way to handle this is to tell Dovecot to change the username to the same case as it's in the LDAP database. You can do this by returning the "user" field in pass_attrs, as shown in the above example.

If you can't normalize the username in LDAP, you can alternatively lowercase the username in dovecot.conf:

auth_username_format = %Lu
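The following is an added example, not Dovecot's own code, that shows what the password lookup described in the Password and Username sections amounts to: the login name is escaped into the pass_filter template, the matching entry's userPassword is read, a missing "{scheme}" prefix is filled in from default_pass_scheme, the hash is verified, and the username is replaced by the directory's own spelling of uid. The LDAP server is replaced by a constructed in-memory directory with made-up entries and salts so the block runs offline; only the PLAIN and salted-SHA schemes are implemented, not the MD5 crypt scheme used in the sample configuration below.

```python
"""Added example (not Dovecot code): what a passdb LDAP password lookup does.

The real passdb searches the LDAP server with pass_filter, reads the
attributes listed in pass_attrs and verifies the client's password itself.
Here a constructed in-memory directory stands in for the LDAP server.
"""
import base64
import hashlib
import hmac

SALTED = {"SSHA": "sha1", "SSHA256": "sha256", "SSHA512": "sha512"}


def make_salted(password, salt, scheme="SSHA"):
    """Encode a password the way LDAP stores {SSHA}-style values: base64(digest || salt)."""
    digest = hashlib.new(SALTED[scheme], password.encode() + salt).digest()
    return base64.b64encode(digest + salt).decode()


# Constructed directory standing in for the LDAP server (made-up data).
# uid uses the caseIgnoreMatch rule, so the search matches it case-insensitively.
DIRECTORY = [
    {"dn": "uid=Alice,ou=people,dc=example,dc=com",
     "objectClass": ["posixAccount"], "uid": "Alice",
     # scheme prefix present: default_pass_scheme is ignored for this value
     "userPassword": "{SSHA}" + make_salted("correct horse", b"salt1234")},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "objectClass": ["posixAccount"], "uid": "bob",
     # no prefix: only default_pass_scheme says how to read this value
     "userPassword": make_salted("battery staple", b"salt5678", "SSHA256")},
]


def ldap_filter_escape(value):
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_pass_filter(template, username):
    """Expand %u / %Lu in a pass_filter template with the username escaped."""
    return (template.replace("%Lu", ldap_filter_escape(username.lower()))
                    .replace("%u", ldap_filter_escape(username)))


def find_entry(username):
    """Stand-in for the search (&(objectClass=posixAccount)(uid=%u))."""
    for entry in DIRECTORY:
        if ("posixAccount" in entry["objectClass"]
                and entry["uid"].lower() == username.lower()):
            return entry
    return None


def pass_lookup(login, default_pass_scheme="SSHA"):
    """pass_attrs = uid=user, userPassword=password, plus default_pass_scheme."""
    entry = find_entry(login)
    if entry is None:
        return None
    stored = entry["userPassword"]
    if not stored.startswith("{"):
        stored = "{%s}%s" % (default_pass_scheme, stored)
    # uid=user: the login name is replaced by the directory's spelling of it
    return entry["uid"], stored


def verify_password(candidate, stored):
    """Check candidate against a "{SCHEME}data" value; scheme names are case-insensitive."""
    scheme, _, data = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "PLAIN":
        return hmac.compare_digest(candidate.encode(), data.encode())
    if scheme in SALTED:
        raw = base64.b64decode(data)
        dlen = hashlib.new(SALTED[scheme]).digest_size
        digest, salt = raw[:dlen], raw[dlen:]
        expected = hashlib.new(SALTED[scheme], candidate.encode() + salt).digest()
        return hmac.compare_digest(expected, digest)
    raise ValueError("unsupported password scheme: " + scheme)


def authenticate(login, candidate, default_pass_scheme="SSHA"):
    """Return the normalized username on success, None on failure."""
    found = pass_lookup(login, default_pass_scheme)
    if found is None:
        return None
    user, stored = found
    return user if verify_password(candidate, stored) else None


if __name__ == "__main__":
    print(authenticate("ALICE", "correct horse"))            # Alice
    print(authenticate("bob", "battery staple", "SSHA256"))  # bob
    print(authenticate("bob", "battery staple", "SSHA"))     # None: wrong default scheme
    print(build_pass_filter("(&(objectClass=posixAccount)(uid=%u))", "a*b)"))
```

The bob entry shows the failure mode of a wrong default_pass_scheme: the value decodes fine, but the recomputed digest never matches, so the login is refused rather than erroring out. The filter escaping is there because the login name comes straight from the client; Dovecot escapes LDAP special characters in its variables, and anything you build yourself around the same data must do the same.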

Example

A typical configuration would look like:

auth_bind = no
pass_attrs = uid=user, userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = MD5

Here default_pass_scheme = MD5 means Dovecot's MD5-CRYPT scheme (the "$1$" crypt format). It is weak by today's standards, so if you control how passwords are stored in the directory, use a stronger scheme such as SHA512-CRYPT or a salted SHA scheme instead, or store the values with an explicit "{scheme}" prefix so the setting is not needed at all.

AuthDatabase/LDAP/PasswordLookups (last edited 2010-11-26 19:12:07 by TimoSirainen)