我想通过 LDAP(基于 Samba 4 的 AD)对 dovecot 进行身份验证。文件存储在 /var/mail/vmail/ 中,其所有者为 vmail:vmail 。一个用户正在工作,因为它使用 vmail 作为 uid 和 gid:
$ sudo doveadm user du
field value
uid vmail
gid vmail
home
mail maildir:/var/mail/vmail//du
所有其他用户都无法更改目录(因此不存储任何邮件),它们看起来像这样:
$ sudo doveadm user sh
field value
uid 2035
gid 5074
home
mail maildir:/var/mail/vmail//sh
我不知道为什么该用户不使用 vmail 作为虚拟用户来更改 maildir。
相关配置如下:
disable_plaintext_auth = no
auth_mechanisms = plain login
mail_uid = vmail
mail_gid = vmail
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key
login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"
mail_plugins = quota
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
log_timestamp = "%Y-%m-%d %H:%M:%S "
protocols = imap
listen = *
mail_location = maildir:/var/mail/vmail/%d/%n
userdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
service auth {
unix_listener /var/spool/postfix/private/auth_dovecot {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-userdb {
mode = 0600
user = vmail
}
user = root
}
service dict {
unix_listener dict {
mode = 0660
user = vmail
group = vmail
}
}
namespace inbox {
inbox = yes
location =
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
}
protocol imap {
mail_plugins = quota imap_quota
}
plugin {
quota = maildir:User quota
}
还有 Dovecot LDAP:
uris = ldaps://ucs01.domain.tld
dn = cn=ldap-read,ou=Users,ou=domain,dc=domain,dc=tld
dnpass = ***********
tls_ca_cert_dir = /etc/ssl/certs/
tls_require_cert = never
auth_bind = yes
ldap_version = 3
base = ou=domain,dc=domain,dc=tld
scope = subtree
user_filter = (sAMAccountName=%Ln)
pass_filter = (sAMAccountName=%Ln)
iterate_attrs = uid=user
iterate_filter = (objectClass=person)
default_pass_scheme = CRYPT
答案1
home从 LDAP 目录中获取 dovecot 虚拟用户和的数值 uid 和数值 gid 似乎很常见maildir。也就是说,由于您没有预取设置,因此应该结合user_filter和user_attrs从中获取用户/组信息dovecot-ldap.conf.ext。
我只能推测,但我在你的文件中找不到,user_attrs而且由于 dovecot 的示例配置文件通常包含默认设置,所以我查看了pass_attrsdovecot-ldap.conf.extdovecot-ldap.conf.扩展名来自官方 github repo。结果发现,它包含一个数字 uid 和 gid 映射。以下是代码片段的最后一行。
# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
# uid - System UID
# gid - System GID
# home - Home directory
# mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
现在开始讨论最有趣的部分:您是否碰巧在 LDAP 实体上查询了属性(通常是某些属性uidNumber或objectClass )?如果是这样,请检查您在 dovecot 的 vmail 文件夹中观察到的 uid/gid 值是否与存储在 LDAP 中的值相对应。gidNumberpersonaccount