Dovecot with LDAP
Intro
The Dovecot wiki does a really good job of explaining how to have Dovecot and OpenLDAP work together, but in this post I will describe the steps I took to configure Dovecot to work with OpenLDAP on a Linux host.
LDAP authentication
As described in the wiki, Dovecot offers two ways to perform LDAP authentication; I chose LDAP password lookups, which is recommended over authentication binds.
10-auth.conf
Normally the line !include auth-system.conf.ext is enabled; comment it out and uncomment !include auth-ldap.conf.ext instead.
auth-ldap.conf.ext
passdb {
driver = ldap
}
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
default_fields = home=/home/vmail/%d/%u
}
Here we're simply telling Dovecot to use LDAP instead of PAM or MySQL, respectively. For default_fields I'm using a domain/user directory structure, built from the %d and %u variables that Dovecot substitutes. After this came configuring the relevant options in dovecot-ldap.conf.ext.
dovecot-ldap.conf.ext
hosts = ldap.domain.net ldap.domain2.net ldap.domain3.net
auth_bind = no
dn = uid=dovecot,ou=System,dc=domain,dc=net
dnpass = MyP@sswd
ldap_version = 3
base = ou=Mail,dc=domain,dc=net
deref = never
scope = subtree
default_pass_scheme = SSHA
# user filter
user_attrs = mailHomeDirectory=home,mailStorageDirectory=mail,mailUidNumber=uid,mailGidNumber=gid,mailQuota=quota_rule=*:bytes=%$
user_filter = (&(objectClass=inetOrgPerson)(uid=%n)(mailEnabled=TRUE))
# password filter
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))
iterate_attrs = mail=user
iterate_filter = (objectClass=inetOrgPerson)
Because I am using specific LDAP attributes, shown in both user_attrs and user_filter, I needed to load postfix-book.schema into OpenLDAP.
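With auth_bind = no, Dovecot reads each user's userPassword through the dovecot bind DN and verifies the hash itself, which is why default_pass_scheme has to match what the directory stores and why the %n value in pass_filter is escaped before it reaches the LDAP server. The following Python is an added example (not Dovecot's code and not from the original post) that reproduces both steps on a constructed {SSHA} value; ssha_hash, ssha_verify, ldap_escape and expand_filter are names I chose for the illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed helpers: they mimic what Dovecot does with a password it has read
# from LDAP in password-lookup mode (auth_bind = no); they are not Dovecot code.


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per password, as an LDAP server would use
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Verify a plaintext password against a {SSHA} value, as a password lookup must."""
    if not stored.startswith("{SSHA}"):
        return False  # other scheme prefix, or a bare hash that would need default_pass_scheme
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; whatever follows is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter (Dovecot escapes %vars too)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


# The pass_filter from dovecot-ldap.conf.ext above; %n is the user part of the login name.
PASS_FILTER = "(&(objectClass=inetOrgPerson)(uid=%n))"


def expand_filter(template: str, login: str) -> str:
    """Substitute %n / %d / %u into a filter template with every value escaped."""
    user, _, domain = login.partition("@")
    return (template.replace("%n", ldap_escape(user))
                    .replace("%d", ldap_escape(domain))
                    .replace("%u", ldap_escape(login)))


if __name__ == "__main__":
    # Constructed directory entry: what the dovecot bind DN would read back as userPassword.
    stored = ssha_hash("correct horse battery staple")
    print(expand_filter(PASS_FILTER, "alice@domain.net"))
    print(ssha_verify("correct horse battery staple", stored))  # True
    print(ssha_verify("wrong password", stored))                 # False
```

A login name containing filter metacharacters comes out escaped rather than altering the query, which is the behaviour to expect from the real lookup as well.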
Quota
While I use a global quota, I also like the option of setting user-specific quotas. Since I'm using postfix-book.schema in OpenLDAP, mailQuota=quota_rule=*:bytes=%$ works just fine, so the mailQuota attribute can be added to mail user records.
dovecot.conf
PAM
One last thing I needed to do was tell PAM that Dovecot should use LDAP for authentication. This involved editing /etc/pam.d/dovecot with the following:
auth required pam_ldap.so nullok
account required pam_ldap.so
Final
Once everything has been verified, the last step is to restart Dovecot; with systemd that is systemctl restart dovecot. It's also a good idea to verify that no errors appear in the mail log, using tail -f /path/to/mail.log.