根据 LDAP 进行身份验证时 dovecot 有效 uid

根据 LDAP 进行身份验证时 dovecot 有效 uid

设置一个使用 openldap 作为用户帐户后端的 dovecot 实例(在 Ubuntu Bionic 下)。用户邮箱是这样的

# find /home/virtual_mail/emont/ -type d -ls
  2228468      4 drwxrwx---   8 exim     mail         4096 Jun  5 15:48 /home/virtual_mail/emont/
  2228741      4 drwxrwx---   5 exim     mail         4096 Jun  4 12:08 /home/virtual_mail/emont/.foo1
  2228744      4 drwxrwx---   2 exim     mail         4096 Jun  4 12:08 /home/virtual_mail/emont/.foo1/cur
  2228746      4 drwxrwx---   2 exim     mail         4096 Jun  4 12:08 /home/virtual_mail/emont/.foo1/tmp
  2228745      4 drwxrwx---   2 exim     mail         4096 Jun  4 12:08 /home/virtual_mail/emont/.foo1/new
  2228471     20 drwxrwx---   2 exim     mail        20480 Jun  4 12:09 /home/virtual_mail/emont/cur
  2228473      4 drwxrwx---   2 exim     mail         4096 Jun  3 15:49 /home/virtual_mail/emont/tmp

请注意,exim uid 为 1000 amd mail gid 为 8。

现在我希望 dovecot 以最小的权限访问这些内容,但我无法这样做:

# doveadm -D mailbox list -u emont 
[..]
doveadm(emont): Debug: Effective uid=0, gid=0, home=/home/emont

即使我有这个(在 dovecot-ldap.conf.ext 中,另见下文):

user_attrs = homeDirectory=home,1000=uid,8=gid

也就是说,我期待看到这样的东西:

# doveadm -D mailbox list -u emont 
[..]
doveadm(emont): Debug: Effective uid=1000, gid=8, home=/home/emont

请注意,我使用密码查找作为 ldap 身份验证后端(https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups)并且该部分工作正常(我得到用户/组并且身份验证成功)。

这是配置转储:

# doveconf -n
# 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.21 (92477967)
# OS: Linux 4.15.0-101-generic x86_64 Ubuntu 18.04.4 LTS ext4
auth_debug = yes
auth_verbose = yes
mail_location = maildir:/home/virtual_mail/%u
namespace inbox {
  hidden = no
  inbox = yes
  list = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = " imap pop3"
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_key =  # hidden, use -P to show it
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

对于 ldap 来说还有这个:

# grep -v ^# dovecot-ldap.conf.ext | sort | uniq

base = dc=example,dc=de
blocking = yes
dn = uid=queryimap,cn=users,dc=example,dc=com
dnpass = xxxxxxx
hosts = myldap.example.com:7389
ldap_version = 3
scope = subtree
tls = yes
tls_ca_cert_file = /etc/myssl/mysslcert.pem
tls_require_cert = hard
user_attrs = homeDirectory=home,1000=uid,8=gid

对我做错了什么有什么建议吗?提前致谢。

答案1

我相信我已经找到了解决方案:事实证明我必须将这些添加到/etc/dovecot/conf.d/10-mail.conf

first_valid_uid = 1000
last_valid_uid = 1000
[...]
first_valid_gid = 8
last_valid_gid = 8

现在我得到了预期的结果,即:

# doveadm -D mailbox list -u emont 
[...]
doveadm(emont): Debug: Effective uid=1000, gid=8, home=/home/emont

尽管如此,我还是欢迎任何对此的反馈。干杯

相关内容