2022-03-08 19:42:28 +01:00
|
|
|
# SEE /usr/share/doc/dovecot/example-config/dovecot-ldap.conf.ext
|
|
|
|
# This file is commonly accessed via passdb {} or userdb {} section in
|
|
|
|
# conf.d/auth-ldap.conf.ext
|
|
|
|
|
|
|
|
# This file is opened as root, so it should be owned by root and mode 0600.
|
|
|
|
#
|
|
|
|
# http://wiki2.dovecot.org/AuthDatabase/LDAP
|
|
|
|
#
|
|
|
|
# NOTE: If you're not using authentication binds, you'll need to give
|
|
|
|
# dovecot-auth read access to userPassword field in the LDAP server.
|
|
|
|
# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
|
|
|
|
# already be something like this:
|
|
|
|
|
|
|
|
# access to attribute=userPassword
|
|
|
|
# by dn="<dovecot's dn>" read # add this
|
|
|
|
# by anonymous auth
|
|
|
|
# by self write
|
|
|
|
# by * none
|
|
|
|
|
|
|
|
# Space separated list of LDAP hosts to use. host:port is allowed too.
|
|
|
|
#hosts =
|
|
|
|
|
|
|
|
# LDAP URIs to use. You can use this instead of hosts list. Note that this
|
|
|
|
# setting isn't supported by all LDAP libraries.
|
|
|
|
#uris =
|
|
|
|
#>GNUNUX
|
|
|
|
uris = ldaps://%%ldap_server_address
|
|
|
|
#<GNUNUX
|
|
|
|
|
|
|
|
# Distinguished Name - the username used to login to the LDAP server.
|
|
|
|
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
|
|
|
|
#dn =
|
|
|
|
|
|
|
|
# Password for LDAP server, if dn is specified.
|
|
|
|
#dnpass =
|
|
|
|
#>GNUNUX
|
2022-06-24 19:00:16 +02:00
|
|
|
dn = %%ldapclient_user
|
|
|
|
dnpass = %%ldapclient_user_password
|
2022-03-08 19:42:28 +01:00
|
|
|
#<GNUNUX
|
|
|
|
|
|
|
|
# Use SASL binding instead of the simple binding. Note that this changes
|
|
|
|
# ldap_version automatically to be 3 if it's lower.
|
|
|
|
#sasl_bind = no
|
|
|
|
# SASL mechanism name to use.
|
|
|
|
#sasl_mech =
|
|
|
|
# SASL realm to use.
|
|
|
|
#sasl_realm =
|
|
|
|
# SASL authorization ID, ie. the dnpass is for this "master user", but the
|
|
|
|
# dn is still the logged in user. Normally you want to keep this empty.
|
|
|
|
#sasl_authz_id =
|
|
|
|
|
|
|
|
# Use TLS to connect to the LDAP server.
|
|
|
|
#tls = no
|
|
|
|
# TLS options, currently supported only with OpenLDAP:
|
|
|
|
#tls_ca_cert_file =
|
|
|
|
#tls_ca_cert_dir =
|
|
|
|
#tls_cipher_suite =
|
|
|
|
# TLS cert/key is used only if LDAP server requires a client certificate.
|
|
|
|
#tls_cert_file =
|
|
|
|
#tls_key_file =
|
|
|
|
# Valid values: never, hard, demand, allow, try
|
|
|
|
#tls_require_cert =
|
|
|
|
#>GNUNUX
|
|
|
|
tls_cert_file = %%ldap_cert_file
|
|
|
|
tls_key_file = %%ldap_key_file
|
|
|
|
tls_ca_cert_file = %%ldap_ca_file
|
|
|
|
tls_require_cert = hard
|
|
|
|
#>GNUNUX
|
|
|
|
|
|
|
|
# Use the given ldaprc path.
|
|
|
|
#ldaprc_path =
|
|
|
|
|
|
|
|
# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
|
|
|
|
# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
|
|
|
|
# to get enough output.
|
|
|
|
#debug_level = 0
|
|
|
|
|
|
|
|
# Use authentication binding for verifying password's validity. This works by
|
|
|
|
# logging into LDAP server using the username and password given by client.
|
|
|
|
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
|
|
|
|
# is still used, only the password field is ignored in it. Before doing any
|
|
|
|
# search, the binding is switched back to the default DN.
|
|
|
|
#auth_bind = no
|
2022-05-23 08:55:14 +02:00
|
|
|
#>GNUNUX
|
|
|
|
auth_bind = yes
|
|
|
|
#<GNUNUX
|
2022-03-08 19:42:28 +01:00
|
|
|
|
|
|
|
# If authentication binding is used, you can save one LDAP request per login
|
|
|
|
# if users' DN can be specified with a common template. The template can use
|
|
|
|
# the standard %variables (see user_filter). Note that you can't
|
|
|
|
# use any pass_attrs if you use this setting.
|
|
|
|
#
|
|
|
|
# If you use this setting, it's a good idea to use a different
|
|
|
|
# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
|
|
|
|
# the filename is different in userdb's args). That way one connection is used
|
|
|
|
# only for LDAP binds and another connection is used for user lookups.
|
|
|
|
# Otherwise the binding is changed to the default DN before each user lookup.
|
|
|
|
#
|
|
|
|
# For example:
|
|
|
|
# auth_bind_userdn = cn=%u,ou=people,o=org
|
|
|
|
#
|
|
|
|
#auth_bind_userdn =
|
|
|
|
|
|
|
|
# LDAP protocol version to use. Likely 2 or 3.
|
|
|
|
#ldap_version = 3
|
|
|
|
|
|
|
|
# LDAP base. %variables can be used here.
|
|
|
|
# For example: dc=mail, dc=example, dc=org
|
|
|
|
# GNUNUX base =
|
2022-08-18 10:19:43 +02:00
|
|
|
base = %%ldapclient_search_dn
|
2022-03-08 19:42:28 +01:00
|
|
|
|
|
|
|
# Dereference: never, searching, finding, always
|
|
|
|
#deref = never
|
|
|
|
|
|
|
|
# Search scope: base, onelevel, subtree
|
|
|
|
#scope = subtree
|
|
|
|
|
|
|
|
# User attributes are given in LDAP-name=dovecot-internal-name list. The
|
|
|
|
# internal names are:
|
|
|
|
# uid - System UID
|
|
|
|
# gid - System GID
|
|
|
|
# home - Home directory
|
|
|
|
# mail - Mail location
|
|
|
|
#
|
|
|
|
# There are also other special fields which can be returned, see
|
|
|
|
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
|
|
|
|
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
|
2022-05-04 10:29:03 +02:00
|
|
|
#>GNUNUX
|
|
|
|
user_attrs = homeDirectory=home
|
|
|
|
#<GNUNUX
|
2022-03-08 19:42:28 +01:00
|
|
|
|
|
|
|
# Filter for user lookup. Some variables can be used (see
|
|
|
|
# http://wiki2.dovecot.org/Variables for full list):
|
|
|
|
# %u - username
|
|
|
|
# %n - user part in user@domain, same as %u if there's no domain
|
|
|
|
# %d - domain part in user@domain, empty if user there's no domain
|
|
|
|
#user_filter = (&(objectClass=posixAccount)(uid=%u))
|
|
|
|
#>GNUNUX
|
2022-05-23 08:55:14 +02:00
|
|
|
user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
|
2022-03-08 19:42:28 +01:00
|
|
|
#<GNUNUX
|
|
|
|
|
|
|
|
# Password checking attributes:
|
|
|
|
# user: Virtual user name (user@domain), if you wish to change the
|
|
|
|
# user-given username to something else
|
|
|
|
# password: Password, may optionally start with {type}, eg. {crypt}
|
|
|
|
# There are also other special fields which can be returned, see
|
|
|
|
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
|
|
|
|
#pass_attrs = uid=user,userPassword=password
|
|
|
|
|
|
|
|
# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
|
|
|
|
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
|
|
|
|
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
|
|
|
|
# string. For example:
|
|
|
|
#pass_attrs = uid=user,userPassword=password,\
|
|
|
|
# homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
|
|
|
|
|
|
|
|
# Filter for password lookups
|
|
|
|
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
|
|
|
|
#>GNUNUX
|
|
|
|
pass_attrs = cn=user
|
|
|
|
pass_filter = (&(objectClass=inetOrgPerson)(cn=%u))
|
|
|
|
#<GNUNUX
|
|
|
|
|
|
|
|
# Attributes and filter to get a list of all users
|
|
|
|
#iterate_attrs = uid=user
|
|
|
|
#iterate_filter = (objectClass=posixAccount)
|
|
|
|
#>GNUNUX
|
|
|
|
iterate_attrs = cn=user
|
|
|
|
iterate_filter = (&(objectClass=inetOrgPerson)(cn=%u))
|
|
|
|
#<GNUNUX
|
|
|
|
|
|
|
|
# Default password scheme. "{scheme}" before password overrides this.
|
|
|
|
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
|
|
|
|
#default_pass_scheme = CRYPT
|
|
|
|
|
|
|
|
# By default all LDAP lookups are performed by the auth master process.
|
|
|
|
# If blocking=yes, auth worker processes are used to perform the lookups.
|
|
|
|
# Each auth worker process creates its own LDAP connection so this can
|
|
|
|
# increase parallelism. With blocking=no the auth master process can
|
|
|
|
# keep 8 requests pipelined for the LDAP connection, while with blocking=yes
|
|
|
|
# each connection has a maximum of 1 request running. For small systems the
|
|
|
|
# blocking=no is sufficient and uses less resources.
|
|
|
|
#blocking = no
|