“UbuntuHelp:DovecotLDAP”的版本间的差异
来自Ubuntu中文
小 (新页面: {{From|https://help.ubuntu.com/community/DovecotLDAP}} {{Languages|UbuntuHelp:DovecotLDAP}} == Introduction == This guide will help you configure the UbuntuHelp:Dovecot IMAP/POP3 s...) |
小 |
||
| 第1行: | 第1行: | ||
{{From|https://help.ubuntu.com/community/DovecotLDAP}} | {{From|https://help.ubuntu.com/community/DovecotLDAP}} | ||
{{Languages|UbuntuHelp:DovecotLDAP}} | {{Languages|UbuntuHelp:DovecotLDAP}} | ||
| − | |||
| − | |||
== Introduction == | == Introduction == | ||
| − | |||
This guide will help you configure the [[UbuntuHelp:Dovecot]] IMAP/POP3 server program to use LDAP for user authentication. | This guide will help you configure the [[UbuntuHelp:Dovecot]] IMAP/POP3 server program to use LDAP for user authentication. | ||
| − | |||
== Prerequisites == | == Prerequisites == | ||
| − | |||
It's probably a good idea to install and configure Dovecot first without using LDAP that way you'll be sure to have a working installation to go back to. To install and configure Dovecot to use the Linux system users follow the [[UbuntuHelp:Dovecot]] guide. | It's probably a good idea to install and configure Dovecot first without using LDAP that way you'll be sure to have a working installation to go back to. To install and configure Dovecot to use the Linux system users follow the [[UbuntuHelp:Dovecot]] guide. | ||
| − | |||
The next thing you'll need is a working LDAP server. This guide is written using OpenLDAP, but Dovecot can be configured to use other LDAP servers. For instructions on installing and configuring OpenLDAP see the [[UbuntuHelp:OpenLDAPServer]] page. | The next thing you'll need is a working LDAP server. This guide is written using OpenLDAP, but Dovecot can be configured to use other LDAP servers. For instructions on installing and configuring OpenLDAP see the [[UbuntuHelp:OpenLDAPServer]] page. | ||
| − | |||
== Configuration == | == Configuration == | ||
| − | |||
=== /etc/dovecot/dovecot-ldap.conf === | === /etc/dovecot/dovecot-ldap.conf === | ||
To configure Dovecot to use LDAP first edit '''/etc/dovecot/dovecot-ldap.conf''' this file contains details about your LDAP server. | To configure Dovecot to use LDAP first edit '''/etc/dovecot/dovecot-ldap.conf''' this file contains details about your LDAP server. | ||
| − | |||
The first setting you'll need to set is '''host''' this is the hostname or IP Address of the machine running your LDAP server: | The first setting you'll need to set is '''host''' this is the hostname or IP Address of the machine running your LDAP server: | ||
<pre><nowiki> | <pre><nowiki> | ||
host = ldap.example.org | host = ldap.example.org | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
The next setting needed is '''dn''' and '''dnpass''' this is the DN of the user used to connect to and search through the LDAP directory. | The next setting needed is '''dn''' and '''dnpass''' this is the DN of the user used to connect to and search through the LDAP directory. | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第28行: | 第18行: | ||
dnpass = secret | dnpass = secret | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
If you've configured you're LDAP server to use TLS set the '''tls''' setting to yes: | If you've configured you're LDAP server to use TLS set the '''tls''' setting to yes: | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第34行: | 第23行: | ||
</nowiki></pre> | </nowiki></pre> | ||
This will encrypt traffic between Dovecot and your LDAP server. This option is highly recommended if your Dovecot server is on a different machine than your LDAP server. | This will encrypt traffic between Dovecot and your LDAP server. This option is highly recommended if your Dovecot server is on a different machine than your LDAP server. | ||
| − | |||
'''Note''': This option is not available with the version of Dovecot shipped with Ubuntu 6.06 (Dapper), Ubuntu 6.10 (Edgy), or Ubuntu 7.04 (Feisty). | '''Note''': This option is not available with the version of Dovecot shipped with Ubuntu 6.06 (Dapper), Ubuntu 6.10 (Edgy), or Ubuntu 7.04 (Feisty). | ||
| − | |||
To verify the user's password set the '''auth_bind''' setting. Dovecot will bind to the LDAP directory using the mail client user's credentials. | To verify the user's password set the '''auth_bind''' setting. Dovecot will bind to the LDAP directory using the mail client user's credentials. | ||
<pre><nowiki> | <pre><nowiki> | ||
auth_bind = yes | auth_bind = yes | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
If your users are set up under one area in your LDAP directory set the '''auth_bind_userdn''' setting. This will save a LDAP request per login, but isn't strictly necessary. | If your users are set up under one area in your LDAP directory set the '''auth_bind_userdn''' setting. This will save a LDAP request per login, but isn't strictly necessary. | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第47行: | 第33行: | ||
</nowiki></pre> | </nowiki></pre> | ||
In this example all user objects are under the People OU in the directory. | In this example all user objects are under the People OU in the directory. | ||
| − | |||
Depending on how you've configured your LDAP server you'll need to set the '''ldap_version''' setting appropriately: | Depending on how you've configured your LDAP server you'll need to set the '''ldap_version''' setting appropriately: | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第53行: | 第38行: | ||
</nowiki></pre> | </nowiki></pre> | ||
LDAP version 3 is the latest version of the protocol, but depending on if you have legacy applications you may be using LDAP version 2 as well. | LDAP version 3 is the latest version of the protocol, but depending on if you have legacy applications you may be using LDAP version 2 as well. | ||
| − | |||
Next set the LDAP search base. This setting configures where to start searching through your LDAP directory. This could be the same as the ''auth_bind'' setting. Also related to searching the directory is the '''scope''' setting. Set this if you want to search through sub objects of your directory. For example if you have an OU named Executives inside the People OU you'd set scope setting to ''subtree'' | Next set the LDAP search base. This setting configures where to start searching through your LDAP directory. This could be the same as the ''auth_bind'' setting. Also related to searching the directory is the '''scope''' setting. Set this if you want to search through sub objects of your directory. For example if you have an OU named Executives inside the People OU you'd set scope setting to ''subtree'' | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第59行: | 第43行: | ||
scope = subtree | scope = subtree | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
You need to tell Dovecot wich LDAP attributes map to Dovecot settings uid, gid, home, and mail. This is done with the '''user_attrs''' setting: | You need to tell Dovecot wich LDAP attributes map to Dovecot settings uid, gid, home, and mail. This is done with the '''user_attrs''' setting: | ||
<pre><nowiki> | <pre><nowiki> | ||
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid | user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
The '''user_filter''' setting will be used when Dovecot searches LDAP for user accounts: | The '''user_filter''' setting will be used when Dovecot searches LDAP for user accounts: | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第70行: | 第52行: | ||
</nowiki></pre> | </nowiki></pre> | ||
The '''%u''' will be replaced by the user's username entered into their mail client. | The '''%u''' will be replaced by the user's username entered into their mail client. | ||
| − | |||
Dovecot also needs to know which LDAP attributes are associated with the user's password. Similar to the ''user_attrs'' setting this is done with the '''pass_attrs''' setting: | Dovecot also needs to know which LDAP attributes are associated with the user's password. Similar to the ''user_attrs'' setting this is done with the '''pass_attrs''' setting: | ||
<pre><nowiki> | <pre><nowiki> | ||
pass_attrs = uid=user,userPassword=password | pass_attrs = uid=user,userPassword=password | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Like the ''user_filter'' you need to set the '''pass_filter''' setting: | Like the ''user_filter'' you need to set the '''pass_filter''' setting: | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第81行: | 第61行: | ||
</nowiki></pre> | </nowiki></pre> | ||
Just as with the user_filter the ''%u'' is replaced with the username. | Just as with the user_filter the ''%u'' is replaced with the username. | ||
| − | |||
| − | |||
=== /etc/dovecot/dovecot.conf === | === /etc/dovecot/dovecot.conf === | ||
| − | |||
Now that Dovecot knows the details of your LDAP server you need to configure Dovecot to use it. This is done by editing the '''/etc/dovecot/dovecot.conf''' file. | Now that Dovecot knows the details of your LDAP server you need to configure Dovecot to use it. This is done by editing the '''/etc/dovecot/dovecot.conf''' file. | ||
| − | |||
The first setting to change is under the ''auth_default'' section '''passwd ldap''': | The first setting to change is under the ''auth_default'' section '''passwd ldap''': | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第96行: | 第72行: | ||
</nowiki></pre> | </nowiki></pre> | ||
This setting tells Dovecot to use LDAP to lookup passwords. | This setting tells Dovecot to use LDAP to lookup passwords. | ||
| − | |||
Next the '''user ldap''' setting, which tells Dovecot to use LDAP to find users, needs to be configured: | Next the '''user ldap''' setting, which tells Dovecot to use LDAP to find users, needs to be configured: | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第105行: | 第80行: | ||
} | } | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
| − | |||
== Testing == | == Testing == | ||
| − | |||
Now that Dovecot is configured to use LDAP it'll need to be restarted to use the new settings: | Now that Dovecot is configured to use LDAP it'll need to be restarted to use the new settings: | ||
<pre><nowiki> | <pre><nowiki> | ||
/etc/init.d/dovecot restart | /etc/init.d/dovecot restart | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
To test that Dovecot is indeed using LDAP for user authentication simply configure a mail client to connect to the server using either IMAP or POP3 (whichever you've configured Dovecot to serve). If all goes well you should be able to login and get email. | To test that Dovecot is indeed using LDAP for user authentication simply configure a mail client to connect to the server using either IMAP or POP3 (whichever you've configured Dovecot to serve). If all goes well you should be able to login and get email. | ||
| − | |||
Another way to test is to start '''slapd''' in a console session with debug output: | Another way to test is to start '''slapd''' in a console session with debug output: | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第123行: | 第93行: | ||
Whenever a user connects to Dovecot you should see the LDAP debug output in the console window. | Whenever a user connects to Dovecot you should see the LDAP debug output in the console window. | ||
* This is also a great way to make sure you've configured Dovecot to use LDAP correctly. | * This is also a great way to make sure you've configured Dovecot to use LDAP correctly. | ||
| − | |||
| − | |||
'''Note''': This guide has been tested on Ubuntu 6.06 (Dapper), Ubuntu 7.04 (Feitsy), and Ubuntu (Gutsy). | '''Note''': This guide has been tested on Ubuntu 6.06 (Dapper), Ubuntu 7.04 (Feitsy), and Ubuntu (Gutsy). | ||
---- | ---- | ||
2007年11月30日 (五) 16:50的版本
 |
点击翻译: |
English |
请不要直接编辑翻译本页,本页将定期与来源同步。 |
目录
Introduction
This guide will help you configure the UbuntuHelp:Dovecot IMAP/POP3 server program to use LDAP for user authentication.
Prerequisites
It's probably a good idea to install and configure Dovecot first without using LDAP that way you'll be sure to have a working installation to go back to. To install and configure Dovecot to use the Linux system users follow the UbuntuHelp:Dovecot guide. The next thing you'll need is a working LDAP server. This guide is written using OpenLDAP, but Dovecot can be configured to use other LDAP servers. For instructions on installing and configuring OpenLDAP see the UbuntuHelp:OpenLDAPServer page.
Configuration
/etc/dovecot/dovecot-ldap.conf
To configure Dovecot to use LDAP first edit /etc/dovecot/dovecot-ldap.conf this file contains details about your LDAP server. The first setting you'll need to set is host this is the hostname or IP Address of the machine running your LDAP server:
host = ldap.example.org
The next setting needed is dn and dnpass this is the DN of the user used to connect to and search through the LDAP directory.
dn = cn=Manager,dc=example,dc=org dnpass = secret
If you've configured you're LDAP server to use TLS set the tls setting to yes:
tls = yes
This will encrypt traffic between Dovecot and your LDAP server. This option is highly recommended if your Dovecot server is on a different machine than your LDAP server. Note: This option is not available with the version of Dovecot shipped with Ubuntu 6.06 (Dapper), Ubuntu 6.10 (Edgy), or Ubuntu 7.04 (Feisty). To verify the user's password set the auth_bind setting. Dovecot will bind to the LDAP directory using the mail client user's credentials.
auth_bind = yes
If your users are set up under one area in your LDAP directory set the auth_bind_userdn setting. This will save a LDAP request per login, but isn't strictly necessary.
auth_bind_userdn = cn=%u,ou=People,dc=example,dc=org
In this example all user objects are under the People OU in the directory. Depending on how you've configured your LDAP server you'll need to set the ldap_version setting appropriately:
ldap_version = 3
LDAP version 3 is the latest version of the protocol, but depending on if you have legacy applications you may be using LDAP version 2 as well. Next set the LDAP search base. This setting configures where to start searching through your LDAP directory. This could be the same as the auth_bind setting. Also related to searching the directory is the scope setting. Set this if you want to search through sub objects of your directory. For example if you have an OU named Executives inside the People OU you'd set scope setting to subtree
base = ou=People, dc=example, dc=org scope = subtree
You need to tell Dovecot wich LDAP attributes map to Dovecot settings uid, gid, home, and mail. This is done with the user_attrs setting:
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
The user_filter setting will be used when Dovecot searches LDAP for user accounts:
user_filter = (&(objectClass=posixAccount)(uid=%u))
The %u will be replaced by the user's username entered into their mail client. Dovecot also needs to know which LDAP attributes are associated with the user's password. Similar to the user_attrs setting this is done with the pass_attrs setting:
pass_attrs = uid=user,userPassword=password
Like the user_filter you need to set the pass_filter setting:
pass_filter = (&(objectClass=posixAccount)(uid=%u))
Just as with the user_filter the %u is replaced with the username.
/etc/dovecot/dovecot.conf
Now that Dovecot knows the details of your LDAP server you need to configure Dovecot to use it. This is done by editing the /etc/dovecot/dovecot.conf file. The first setting to change is under the auth_default section passwd ldap:
# LDAP database
passdb ldap {
# Path for LDAP configuration file, see doc/dovecot-ldap.conf for example
args = /etc/dovecot/dovecot-ldap.conf
}
This setting tells Dovecot to use LDAP to lookup passwords. Next the user ldap setting, which tells Dovecot to use LDAP to find users, needs to be configured:
# LDAP database
userdb ldap {
# Path for LDAP configuration file, see doc/dovecot-ldap.conf for example
args = /etc/dovecot/dovecot-ldap.conf
}
Testing
Now that Dovecot is configured to use LDAP it'll need to be restarted to use the new settings:
/etc/init.d/dovecot restart
To test that Dovecot is indeed using LDAP for user authentication simply configure a mail client to connect to the server using either IMAP or POP3 (whichever you've configured Dovecot to serve). If all goes well you should be able to login and get email. Another way to test is to start slapd in a console session with debug output:
/etc/init.d/slapd stop (this will stop slapd in case it's already running) slapd -f /etc/ldap/slapd.conf -d -1
Whenever a user connects to Dovecot you should see the LDAP debug output in the console window.
- This is also a great way to make sure you've configured Dovecot to use LDAP correctly.
Note: This guide has been tested on Ubuntu 6.06 (Dapper), Ubuntu 7.04 (Feitsy), and Ubuntu (Gutsy).
