ansible-role-dovecot/templates/dovecot-ldap.conf.ext.j2
Julian Rother 5267a3d716 Use DN lookup instead of DN template for LDAP auth
In our setup users require a specific LDAP group to login. We enforce this
with an LDAP filter (user_filter). With DN template, authentication always
succeeds for these users, as Dovecot only performs an LDAP BIND request.
Successful auth followed by failed userdb lookup seems to trigger a bug in
Dovecot that causes the handler processes to stay around indefinitely and fill
up the process_limit. Using DN lookup with the LDAP filter set for both
user_filter and pass_filter should cause the authentication to fail for these
users and work around the bug.
2022-07-18 00:36:18 +02:00

50 lines | 1.3 KiB | Django/Jinja

{% if dovecot.ldap.enable %}
## Debug everything
# debug_level = -1
uris = {{ dovecot.ldap.uris }}
# Use TLS to connect to the LDAP server.
# Set to no because we use LDAPS (ldaps:// URIs): "tls = yes" means STARTTLS on a
# plain connection, and Dovecot refuses to combine it with ldaps://.
tls = no
dn = {{ dovecot.ldap.bind_dn }}
dnpass = {{ dovecot.ldap.bind_pw }}
# TLS options, currently supported only with OpenLDAP:
tls_ca_cert_file = {{ dovecot.ldap.tls.ca }}
#tls_ca_cert_dir =
#tls_cipher_suite =
# TLS cert/key. This must be set only if LDAP server requires a client certificate.
# If you set it in other cases, the LDAP connection will fail.
# tls_cert_file =
# tls_key_file =
# Valid values: never, hard, demand, allow, try
tls_require_cert = hard
auth_bind = yes
pass_filter = {{ dovecot.ldap.filter }}
ldap_version = 3
base = {{ dovecot.ldap.base }}
deref = never
scope = subtree
{# Collect the attribute mappings first so the rendered "user_attrs" line does
   not depend on Jinja's trim_blocks/newline handling. A leading "=" makes
   Dovecot treat the value as a template, e.g. =home=/var/mail/%{ldap:uid} #}
{% set attr_list = [] %}
{% for attr in dovecot.ldap.user_attrs %}
{% set _ = attr_list.append('=' ~ attr.attr ~ '=' ~ attr.value) %}
{% endfor %}
user_attrs = {{ attr_list | join(', ') }}
user_filter = {{ dovecot.ldap.filter }}
default_pass_scheme = {{ dovecot.ldap.default_pass_scheme }}
# iterate_attrs = mail=user # Needed mainly by "doveadm" to find users
# iterate_filter = (objectClass=person)
{% else %}
# LDAP is not configured for this instance.
{% endif %}
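An added lint, not part of the role, that parses a rendered dovecot-ldap.conf.ext (handling `\` line continuations) and flags the two ways the group filter in the commit message stops being enforced: a DN template (`auth_bind_userdn`) set alongside `auth_bind = yes`, which makes Dovecot skip `pass_filter`, or `pass_filter` and `user_filter` diverging. The sample configs are constructed for the example.

```python
"""Check a rendered dovecot-ldap.conf.ext for the property the commit relies on:
with auth_bind = yes and no DN template, the LDAP group clause in pass_filter
is evaluated before the bind, and user_filter repeats it for the userdb lookup."""

# Constructed sample of a rendered config (not the role's real output).
SAMPLE_OK = """
uris = ldaps://ldap.example.test
auth_bind = yes
pass_filter = (&(objectClass=person)(uid=%u)(memberOf=cn=mail,ou=groups,dc=example,dc=test))
user_attrs = \\
=home=/var/mail/%{ldap:uid}, \\
=uid=vmail
user_filter = (&(objectClass=person)(uid=%u)(memberOf=cn=mail,ou=groups,dc=example,dc=test))
"""
# Same config with a DN template added: Dovecot then binds directly and never runs pass_filter.
SAMPLE_DN_TEMPLATE = SAMPLE_OK + "auth_bind_userdn = uid=%u,ou=people,dc=example,dc=test\n"


def parse_dovecot_conf(text):
    """Parse 'key = value' lines; join lines ending in a backslash, skip blanks and # comments."""
    settings, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1]   # continuation: keep collecting
            continue
        key, _, value = (pending + line).partition("=")
        pending = ""
        settings[key.strip()] = value.strip()
    return settings


def group_filter_findings(text):
    """Return findings; an empty list means the group filter applies to both lookups."""
    cfg = parse_dovecot_conf(text)
    findings = []
    if cfg.get("auth_bind") != "yes":
        findings.append("auth_bind is not yes: this setup expects LDAP bind authentication")
    if "auth_bind_userdn" in cfg:
        findings.append("auth_bind_userdn (DN template) is set: pass_filter is not used before the bind")
    if cfg.get("pass_filter") != cfg.get("user_filter"):
        findings.append("pass_filter and user_filter differ: group restriction applied inconsistently")
    return findings
```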