Passdb LDAP with authentication binds ===================================== Advantages over [AuthDatabase.LDAP.PasswordLookups.txt]: * LDAP server verifies the password, so Dovecot doesn't need to know what format the password is stored in. * A bit more secure, as a security hole in Dovecot doesn't give attacker access to all the users' password hashes. (And Dovecot admins in general don't have direct access to them.) You can enable authentication binds by setting 'auth_bind=yes'. Next Dovecot needs to know what DN to use in the binding. There are two ways to configure this: lookup or template. DN lookup --------- DN is looked up by sending a 'pass_filter' LDAP request and getting the DN from the reply. This is very similar to doing a [AuthDatabase.LDAP.PasswordLookups.txt]. The only difference is that userPassword attribute isn't returned. Just as with password lookups, the 'pass_attrs' may contain special [PasswordDatabase.ExtraFields.txt]. Example: ---%<------------------------------------------------------------------------- auth_bind = yes pass_attrs = uid=user pass_filter = (&(objectClass=posixAccount)(uid=%u)) ---%<------------------------------------------------------------------------- DN template ----------- The main reason to use DN template is to avoid doing the DN lookup, so that the authentication consists only of one LDAP request. With IMAP and POP3 logins the same optimization can be done by using [UserDatabase.Prefetch.txt] and returning userdb info in the DN lookup (a total of two LDAP requests per login in both cases). If you're also using Dovecot for SMTP AUTH, it doesn't do a userdb lookup so the prefetch optimization doesn't help. If you're using DN template, 'pass_attrs' and 'pass_filter' settings are completely ignored. That means you can't make passdb return any [PasswordDatabase.ExtraFields.txt]. You should also set 'auth_username_format = %Lu' in 'dovecot.conf' to normalize the username by lowercasing it. Example: ---%<------------------------------------------------------------------------- auth_bind = yes auth_bind_userdn = cn=%u,ou=people,o=org ---%<------------------------------------------------------------------------- Connection optimization ----------------------- When using * auth binds and * userdb ldap lookups, the userdb lookups should use a separate connection to the LDAP server. That way it can send LDAP requests asynchronously to the server, which improves the performance. This can be done by specifying different filenames in the LDAP passdb and userdb args. The second file could be a symlink to the first one. For example: ---%<------------------------------------------------------------------------- passdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext } userdb { driver = ldap args = /etc/dovecot/dovecot-ldap-userdb.conf.ext } ---%<------------------------------------------------------------------------- And create the symlink: ---%<------------------------------------------------------------------------- ln -s /etc/dovecot/dovecot-ldap.conf.ext /etc/dovecot/dovecot-ldap-userdb.conf.ext ---%<------------------------------------------------------------------------- (This file was created from the wiki on 2017-10-10 04:42)