= Introduction =

This guide will help you configure the [[Dovecot]] IMAP/POP3 server program to use LDAP for user authentication.

= Prerequisites =

It's probably a good idea to install and configure Dovecot first without using LDAP; that way you'll be sure to have a working installation to go back to. To install and configure Dovecot to use the Linux system users, follow the [[Dovecot]] guide.

The next thing you'll need is a working LDAP server. This guide is written using OpenLDAP, but Dovecot can be configured to use other LDAP servers. For instructions on installing and configuring OpenLDAP see the [[OpenLDAPServer]] page.

= Configuration =

== Ubuntu 10.04 and newer ==

Install the dovecot-ldap package:
{{{
sudo apt-get install dovecot-ldap
}}}

To configure Dovecot to use LDAP, first edit '''/etc/dovecot/dovecot-ldap.conf.ext'''; this file contains the details of your LDAP server.

The first setting you'll need to set is '''hosts'''; this is the hostname or IP address of the machine running your LDAP server:
{{{
hosts = ldap.example.org
}}}

The next settings needed are '''dn''' and '''dnpass'''; these are the DN and password of the account Dovecot uses to connect to and search through the LDAP directory.
{{{
dn = cn=Manager,dc=example,dc=org
dnpass = secret
}}}

If you've configured your LDAP server to use TLS, set the '''tls''' setting to yes:
{{{
tls = yes
}}}
This will encrypt traffic between Dovecot and your LDAP server. This option is highly recommended if your Dovecot server is on a different machine than your LDAP server.

To verify the user's password, set the '''auth_bind''' setting. Dovecot will bind to the LDAP directory using the mail client user's credentials.
{{{
auth_bind = yes
}}}

If your users are all set up under one area in your LDAP directory, set the '''auth_bind_userdn''' setting. This will save an LDAP request per login, but isn't strictly necessary.
{{{
auth_bind_userdn = cn=%u,ou=People,dc=example,dc=org
}}}
In this example all user objects are under the People OU in the directory.

Depending on how you've configured your LDAP server, you'll need to set the '''ldap_version''' setting appropriately:
{{{
ldap_version = 3
}}}
LDAP version 3 is the latest version of the protocol, but if you have legacy applications you may be using LDAP version 2 as well.

Next set the LDAP search '''base'''. This setting configures where to start searching through your LDAP directory; it could be the same container you used in the ''auth_bind_userdn'' setting. Also related to searching the directory is the '''scope''' setting. Set this if you want to search through sub-objects of your directory. For example, if you have an OU named Executives inside the People OU, you'd set the scope setting to ''subtree'':
{{{
base = ou=People, dc=example, dc=org
scope = subtree
}}}

You need to tell Dovecot which LDAP attributes map to the Dovecot settings uid, gid, home, and mail. This is done with the '''user_attrs''' setting:
{{{
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
}}}

The '''user_filter''' setting will be used when Dovecot searches LDAP for user accounts:
{{{
user_filter = (&(objectClass=posixAccount)(uid=%u))
}}}
The '''%u''' will be replaced by the username the user entered into their mail client.

Dovecot also needs to know which LDAP attributes are associated with the user's password. Similar to the ''user_attrs'' setting, this is done with the '''pass_attrs''' setting:
{{{
pass_attrs = uid=user,userPassword=password
}}}

Like the ''user_filter'', you need to set the '''pass_filter''' setting:
{{{
pass_filter = (&(objectClass=posixAccount)(uid=%u))
}}}
Just as with the user_filter, the ''%u'' is replaced with the username.

Now that you have configured the LDAP settings, you need to enable LDAP authentication itself.
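Before switching Dovecot over, it is worth checking the file you just wrote. The Python script below is an added example, not code from this guide or from Dovecot: it parses the `key = value` settings described above, shows how `%u` is expanded into '''user_filter'''/'''pass_filter''' with the RFC 4515 escaping that keeps a username from being read as filter syntax (Dovecot escapes the variable itself when it expands the filter; this is a stand-alone illustration of why that matters), and flags settings that weaken the deployment, such as a remote '''hosts''' with '''tls''' left off. `SAMPLE_CONF`, the `lint()` checks and their wording are constructed for the example and are not part of Dovecot.

```python
"""Added example: a small checker for a dovecot-ldap.conf(.ext) file.

Not code from the Ubuntu wiki guide or from Dovecot. SAMPLE_CONF is a
constructed sample mirroring the guide's values, with tls deliberately
left off so that the checker has something to report.
"""

SAMPLE_CONF = """\
# constructed sample, mirrors the guide's values
hosts = ldap.example.org
dn = cn=Manager,dc=example,dc=org
dnpass = secret
tls = no
auth_bind = yes
auth_bind_userdn = cn=%u,ou=People,dc=example,dc=org
ldap_version = 3
base = ou=People, dc=example, dc=org
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
"""

LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_conf(text):
    """Return {setting: value}; blank lines and '#' comments are ignored.

    Only the first '=' separates key from value, so DNs and filters that
    themselves contain '=' survive intact.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def escape_filter_value(value):
    """Escape a value so it can only ever match literally inside an LDAP filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, username):
    """Substitute %u in a user_filter/pass_filter template with the escaped username."""
    return template.replace("%u", escape_filter_value(username))


def parse_attr_map(value):
    """'ldapAttr=dovecotField,...' -> {dovecotField: ldapAttr}."""
    mapping = {}
    for item in value.split(","):
        ldap_attr, _, field = item.strip().partition("=")
        mapping[field or ldap_attr] = ldap_attr
    return mapping


def lint(conf):
    """Findings a reviewer would raise before pointing Dovecot at this file."""
    findings = []
    host = conf.get("hosts") or conf.get("host", "")
    if conf.get("tls", "no").lower() != "yes" and host not in LOCAL_HOSTS:
        findings.append("tls: not enabled for remote host %s; binds send passwords in clear" % host)
    if conf.get("auth_bind", "no").lower() != "yes":
        findings.append("auth_bind: off, so the dn account must be able to read userPassword")
    if conf.get("ldap_version", "3") != "3":
        findings.append("ldap_version: StartTLS is an LDAPv3 operation; version 2 cannot use tls")
    if "dnpass" in conf:
        findings.append("dnpass: stored in clear; keep this file from being world-readable")
    attrs = parse_attr_map(conf.get("user_attrs", ""))
    for field in ("home", "uid", "gid"):
        if field not in attrs:
            findings.append("user_attrs: no LDAP attribute mapped to %s" % field)
    return findings


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print(expand_filter(conf["user_filter"], "alice"))
    for finding in lint(conf):
        print("WARN", finding)
```

Run it against your own file by replacing `SAMPLE_CONF` with the file's contents; a clean run prints only the expanded filter. The escaping step is the part to keep in mind when you write your own filters: a username containing `*`, `(`, `)` or `\` must reach the directory as a literal value, never as filter syntax.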
Edit '''/etc/dovecot/conf.d/10-auth.conf''' and uncomment this line (remove the leading # so it reads {{{!include auth-ldap.conf.ext}}}):
{{{
#!include auth-ldap.conf.ext
}}}

== Ubuntu 9.10 and older ==

=== /etc/dovecot/dovecot-ldap.conf ===

To configure Dovecot to use LDAP, first edit '''/etc/dovecot/dovecot-ldap.conf'''; this file contains the details of your LDAP server.

The first setting you'll need to set is '''host'''; this is the hostname or IP address of the machine running your LDAP server:
{{{
host = ldap.example.org
}}}

The next settings needed are '''dn''' and '''dnpass'''; these are the DN and password of the account used to connect to and search through the LDAP directory.
{{{
dn = cn=Manager,dc=example,dc=org
dnpass = secret
}}}

If you've configured your LDAP server to use TLS, set the '''tls''' setting to yes:
{{{
tls = yes
}}}
This will encrypt traffic between Dovecot and your LDAP server. This option is highly recommended if your Dovecot server is on a different machine than your LDAP server.

'''Note''': This option is not available with the version of Dovecot shipped with Ubuntu 6.06 (Dapper), Ubuntu 6.10 (Edgy), or Ubuntu 7.04 (Feisty).

To verify the user's password, set the '''auth_bind''' setting. Dovecot will bind to the LDAP directory using the mail client user's credentials.
{{{
auth_bind = yes
}}}

If your users are all set up under one area in your LDAP directory, set the '''auth_bind_userdn''' setting. This will save an LDAP request per login, but isn't strictly necessary.
{{{
auth_bind_userdn = cn=%u,ou=People,dc=example,dc=org
}}}
In this example all user objects are under the People OU in the directory.

Depending on how you've configured your LDAP server, you'll need to set the '''ldap_version''' setting appropriately:
{{{
ldap_version = 3
}}}
LDAP version 3 is the latest version of the protocol, but if you have legacy applications you may be using LDAP version 2 as well.

Next set the LDAP search '''base'''. This setting configures where to start searching through your LDAP directory.
It could be the same container you used in the ''auth_bind_userdn'' setting. Also related to searching the directory is the '''scope''' setting. Set this if you want to search through sub-objects of your directory. For example, if you have an OU named Executives inside the People OU, you'd set the scope setting to ''subtree'':
{{{
base = ou=People, dc=example, dc=org
scope = subtree
}}}

You need to tell Dovecot which LDAP attributes map to the Dovecot settings uid, gid, home, and mail. This is done with the '''user_attrs''' setting:
{{{
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
}}}

The '''user_filter''' setting will be used when Dovecot searches LDAP for user accounts:
{{{
user_filter = (&(objectClass=posixAccount)(uid=%u))
}}}
The '''%u''' will be replaced by the username the user entered into their mail client.

Dovecot also needs to know which LDAP attributes are associated with the user's password. Similar to the ''user_attrs'' setting, this is done with the '''pass_attrs''' setting:
{{{
pass_attrs = uid=user,userPassword=password
}}}

Like the ''user_filter'', you need to set the '''pass_filter''' setting:
{{{
pass_filter = (&(objectClass=posixAccount)(uid=%u))
}}}
Just as with the user_filter, the ''%u'' is replaced with the username.

=== /etc/dovecot/dovecot.conf ===

Now that Dovecot knows the details of your LDAP server, you need to configure Dovecot to use it. This is done by editing the '''/etc/dovecot/dovecot.conf''' file. The first setting to change is the '''passdb ldap''' block under the ''auth default'' section:
{{{
# LDAP database
passdb ldap {
  # Path for LDAP configuration file, see doc/dovecot-ldap.conf for example
  args = /etc/dovecot/dovecot-ldap.conf
}
}}}
This setting tells Dovecot to use LDAP to look up passwords.
Next the '''userdb ldap''' block, which tells Dovecot to use LDAP to find users, needs to be configured:
{{{
# LDAP database
userdb ldap {
  # Path for LDAP configuration file, see doc/dovecot-ldap.conf for example
  args = /etc/dovecot/dovecot-ldap.conf
}
}}}

= Testing =

Now that Dovecot is configured to use LDAP, it'll need to be restarted to pick up the new settings:
{{{
/etc/init.d/dovecot restart
}}}

To test that Dovecot is indeed using LDAP for user authentication, simply configure a mail client to connect to the server using either IMAP or POP3 (whichever you've configured Dovecot to serve). If all goes well you should be able to log in and get email.

Another way to test is to start '''slapd''' in a console session with debug output:
{{{
/etc/init.d/slapd stop    # stops slapd in case it's already running
slapd -f /etc/ldap/slapd.conf -d -1
}}}
Whenever a user connects to Dovecot you should see the LDAP debug output in the console window. This is also a great way to make sure you've configured Dovecot to use LDAP correctly.

'''Note''': This guide has been tested on Ubuntu 6.06 (Dapper), Ubuntu 7.04 (Feisty), and Ubuntu (Gutsy).

----
CategoryEmail