Introduction

This guide will help you configure the Dovecot IMAP/POP3 server program to use LDAP for user authentication.

Prerequisites

It's probably a good idea to install and configure Dovecot first without LDAP; that way you'll have a known-working installation to fall back on. To install and configure Dovecot to use the Linux system users, follow the Dovecot guide.

The next thing you'll need is a working LDAP server. This guide is written for OpenLDAP, but Dovecot can be configured to use other LDAP servers. For instructions on installing and configuring OpenLDAP, see the OpenLDAPServer page.

Configuration

Ubuntu 10.04 and newer

Install the dovecot-ldap package:

sudo apt-get install dovecot-ldap

To configure Dovecot to use LDAP, first edit /etc/dovecot/dovecot-ldap.conf.ext; this file contains the details about your LDAP server.

The first setting you'll need to set is hosts: the hostname or IP address of the machine running your LDAP server:

hosts = ldap.example.org

The next settings needed are dn and dnpass: the DN, and its password, of the account Dovecot uses to connect to and search the LDAP directory.

dn = cn=Manager,dc=example,dc=org
dnpass = secret

If you've configured your LDAP server to use TLS, set the tls setting to yes:

tls = yes

This will encrypt traffic between Dovecot and your LDAP server. This option is highly recommended if your Dovecot server is on a different machine from your LDAP server, since otherwise the dnpass and your users' passwords cross the network unencrypted.

To verify the user's password, set the auth_bind setting. Dovecot will then bind to the LDAP directory using the credentials supplied by the mail client.

auth_bind = yes

If all your users are under one area of your LDAP directory, set the auth_bind_userdn setting. This saves one LDAP search per login but isn't strictly necessary.

auth_bind_userdn = cn=%u,ou=People,dc=example,dc=org

In this example all user objects are under the People OU in the directory.

Depending on how you've configured your LDAP server, set the ldap_version setting appropriately:

ldap_version = 3

LDAP version 3 is the latest version of the protocol, but if you have legacy applications you may be using LDAP version 2 as well.

Next, set the LDAP search base. This setting configures where to start searching through your LDAP directory; it could be the same container you used in the auth_bind_userdn setting. Also related to searching the directory is the scope setting. Set this if you want to search through sub-objects of your directory: for example, if you have an OU named Executives inside the People OU, set scope to subtree.

base = ou=People, dc=example, dc=org
scope = subtree

You need to tell Dovecot which LDAP attributes map to the Dovecot user fields uid, gid, home and mail. This is done with the user_attrs setting:

user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

The user_filter setting is used when Dovecot searches LDAP for user accounts:

user_filter = (&(objectClass=posixAccount)(uid=%u))

The %u is replaced by the username the user entered into their mail client.

Dovecot also needs to know which LDAP attributes hold the user's password. Similar to the user_attrs setting, this is done with the pass_attrs setting:

pass_attrs = uid=user,userPassword=password

Like the user_filter, you need to set the pass_filter setting:

pass_filter = (&(objectClass=posixAccount)(uid=%u))

Just as with the user_filter, the %u is replaced with the username.
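As an added illustration (not part of the original guide and not Dovecot's own code), the following Python parses a constructed copy of the settings above, shows what auth_bind_userdn and the two filters become for a given username once %u is substituted with the escaping the LDAP RFCs call for, and flags the tls setting the guide recommends; the same layout applies to the pre-9.10 dovecot-ldap.conf further down. The escaping functions are illustrative and make no claim about how Dovecot itself expands %u.

```python
# Constructed sample of /etc/dovecot/dovecot-ldap.conf.ext using the guide's settings
SAMPLE_CONF = """\
hosts = ldap.example.org
dn = cn=Manager,dc=example,dc=org
dnpass = secret
tls = no
auth_bind = yes
auth_bind_userdn = cn=%u,ou=People,dc=example,dc=org
ldap_version = 3
base = ou=People, dc=example, dc=org
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
"""

def parse_conf(text):
    """Parse Dovecot's 'key = value' file; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def escape_filter(value):
    """RFC 4515 escaping: a username must not change the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def escape_dn(value):
    """RFC 4514 escaping for a value substituted into auth_bind_userdn."""
    return "".join("\\" + c if c in '\\,+"<>;=' else c for c in value)

def render_login(conf, username):
    """Expand %u as the guide describes, with escaping applied."""
    return {
        "bind_dn": conf["auth_bind_userdn"].replace("%u", escape_dn(username)),
        "user_filter": conf["user_filter"].replace("%u", escape_filter(username)),
        "pass_filter": conf["pass_filter"].replace("%u", escape_filter(username)),
    }

def check_conf(conf):
    """Warn about the settings the guide says matter for security."""
    warnings = []
    if conf.get("hosts") not in ("localhost", "127.0.0.1", "::1") and conf.get("tls") != "yes":
        warnings.append("tls is not 'yes' for a remote LDAP server: passwords cross the network in clear")
    if conf.get("ldap_version") != "3":
        warnings.append("ldap_version is not 3: LDAPv2 has no StartTLS extended operation")
    return warnings
```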

Now that the LDAP configuration is in place, you need to enable LDAP authentication itself. Edit /etc/dovecot/conf.d/10-auth.conf and uncomment this line:

Ubuntu 9.10 and older

/etc/dovecot/dovecot-ldap.conf

To configure Dovecot to use LDAP, first edit /etc/dovecot/dovecot-ldap.conf; this file contains the details about your LDAP server.

The first setting you'll need to set is host: the hostname or IP address of the machine running your LDAP server:

host = ldap.example.org

The next settings needed are dn and dnpass: the DN, and its password, of the account Dovecot uses to connect to and search the LDAP directory.

dn = cn=Manager,dc=example,dc=org
dnpass = secret

If you've configured your LDAP server to use TLS, set the tls setting to yes:

tls = yes

This will encrypt traffic between Dovecot and your LDAP server. This option is highly recommended if your Dovecot server is on a different machine from your LDAP server, since otherwise the dnpass and your users' passwords cross the network unencrypted.

  • Note: This option is not available with the version of Dovecot shipped with Ubuntu 6.06 (Dapper), Ubuntu 6.10 (Edgy), or Ubuntu 7.04 (Feisty).

To verify the user's password, set the auth_bind setting. Dovecot will then bind to the LDAP directory using the credentials supplied by the mail client.

auth_bind = yes

If all your users are under one area of your LDAP directory, set the auth_bind_userdn setting. This saves one LDAP search per login but isn't strictly necessary.

auth_bind_userdn = cn=%u,ou=People,dc=example,dc=org

In this example all user objects are under the People OU in the directory.

Depending on how you've configured your LDAP server, set the ldap_version setting appropriately:

ldap_version = 3

LDAP version 3 is the latest version of the protocol, but if you have legacy applications you may be using LDAP version 2 as well.

Next, set the LDAP search base. This setting configures where to start searching through your LDAP directory; it could be the same container you used in the auth_bind_userdn setting. Also related to searching the directory is the scope setting. Set this if you want to search through sub-objects of your directory: for example, if you have an OU named Executives inside the People OU, set scope to subtree.

base = ou=People, dc=example, dc=org
scope = subtree

You need to tell Dovecot which LDAP attributes map to the Dovecot user fields uid, gid, home and mail. This is done with the user_attrs setting:

user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

The user_filter setting is used when Dovecot searches LDAP for user accounts:

user_filter = (&(objectClass=posixAccount)(uid=%u))

The %u is replaced by the username the user entered into their mail client.

Dovecot also needs to know which LDAP attributes hold the user's password. Similar to the user_attrs setting, this is done with the pass_attrs setting:

pass_attrs = uid=user,userPassword=password

Like the user_filter, you need to set the pass_filter setting:

pass_filter = (&(objectClass=posixAccount)(uid=%u))

Just as with the user_filter, the %u is replaced with the username.

/etc/dovecot/dovecot.conf

Now that Dovecot knows the details of your LDAP server, you need to configure Dovecot to use it. This is done by editing the /etc/dovecot/dovecot.conf file.

The first setting to change is the passdb ldap block inside the auth default section:

  # LDAP database
  passdb ldap {
    # Path for LDAP configuration file, see doc/dovecot-ldap.conf for example
    args = /etc/dovecot/dovecot-ldap.conf
  }

This setting tells Dovecot to use LDAP to look up passwords.

Next, the userdb ldap block, which tells Dovecot to use LDAP to find users, needs to be configured:

  # LDAP database
  userdb ldap {
    # Path for LDAP configuration file, see doc/dovecot-ldap.conf for example
    args = /etc/dovecot/dovecot-ldap.conf
  }

Testing

Now that Dovecot is configured to use LDAP, it needs to be restarted to pick up the new settings:

/etc/init.d/dovecot restart

To test that Dovecot is indeed using LDAP for user authentication, configure a mail client to connect to the server using either IMAP or POP3 (whichever you've configured Dovecot to serve). If all goes well you should be able to log in and get email.

Another way to test is to start slapd in a console session with debug output (the first command stops slapd in case it's already running):

/etc/init.d/slapd stop
slapd -f /etc/ldap/slapd.conf -d -1

Whenever a user connects to Dovecot, you should see the LDAP debug output in the console window.

  • This is also a great way to make sure you've configured Dovecot to use LDAP correctly.

Note: This guide has been tested on Ubuntu 6.06 (Dapper), Ubuntu 7.04 (Feisty), and Ubuntu (Gutsy).



DovecotLDAP (last edited 2012-05-17 12:58:09 by 180)