dovecot-ldap.conf.ext.erb 6.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142
  1. # Generated by Chef
  2. # This file is opened as root, so it should be owned by root and mode 0600.
  3. #
  4. # http://wiki2.dovecot.org/AuthDatabase/LDAP
  5. #
  6. # NOTE: If you're not using authentication binds, you'll need to give
  7. # dovecot-auth read access to userPassword field in the LDAP server.
  8. # With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
  9. # already be something like this:
  10. # access to attribute=userPassword
  11. # by dn="<dovecot's dn>" read # add this
  12. # by anonymous auth
  13. # by self write
  14. # by * none
  15. # Space separated list of LDAP hosts to use. host:port is allowed too.
  16. <%= Dovecot::Conf.attribute(@conf['ldap'], 'hosts') %>
  17. # LDAP URIs to use. You can use this instead of hosts list. Note that this
  18. # setting isn't supported by all LDAP libraries.
  19. <%= Dovecot::Conf.attribute(@conf['ldap'], 'uris') %>
  20. # Distinguished Name - the username used to login to the LDAP server.
  21. # Leave it commented out to bind anonymously (useful with auth_bind=yes).
  22. <%= Dovecot::Conf.attribute(@conf['ldap'], 'dn') %>
  23. # Password for LDAP server, if dn is specified.
  24. <%= Dovecot::Conf.attribute(@conf['ldap'], 'dnpass') %>
  25. # Use SASL binding instead of the simple binding. Note that this changes
  26. # ldap_version automatically to be 3 if it's lower. Also note that SASL binds
  27. # and auth_bind=yes don't work together.
  28. <%= Dovecot::Conf.attribute(@conf['ldap'], 'sasl_bind', false) %>
  29. # SASL mechanism name to use.
  30. <%= Dovecot::Conf.attribute(@conf['ldap'], 'sasl_mech') %>
  31. # SASL realm to use.
  32. <%= Dovecot::Conf.attribute(@conf['ldap'], 'sasl_realm') %>
  33. # SASL authorization ID, ie. the dnpass is for this "master user", but the
  34. # dn is still the logged in user. Normally you want to keep this empty.
  35. <%= Dovecot::Conf.attribute(@conf['ldap'], 'sasl_authz_id') %>
  36. # Use TLS to connect to the LDAP server.
  37. <%= Dovecot::Conf.attribute(@conf['ldap'], 'tls', false) %>
  38. # TLS options, currently supported only with OpenLDAP:
  39. <%= Dovecot::Conf.attribute(@conf['ldap'], 'tls_ca_cert_file') %>
  40. <%= Dovecot::Conf.attribute(@conf['ldap'], 'tls_ca_cert_file') %>
  41. <%= Dovecot::Conf.attribute(@conf['ldap'], 'tls_ca_cert_dir') %>
  42. <%= Dovecot::Conf.attribute(@conf['ldap'], 'tls_cipher_suite') %>
  43. # TLS cert/key is used only if LDAP server requires a client certificate.
  44. <%= Dovecot::Conf.attribute(@conf['ldap'], 'tls_cert_file') %>
  45. <%= Dovecot::Conf.attribute(@conf['ldap'], 'tls_key_file') %>
  46. # Valid values: never, hard, demand, allow, try
  47. <%= Dovecot::Conf.attribute(@conf['ldap'], 'tls_require_cert') %>
  48. # Use the given ldaprc path.
  49. <%= Dovecot::Conf.attribute(@conf['ldap'], 'ldaprc_path') %>
  50. # LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
  51. # -1 = everything. You may need to recompile OpenLDAP with debugging enabled
  52. # to get enough output.
  53. <%= Dovecot::Conf.attribute(@conf['ldap'], 'debug_level', 0) %>
  54. # Use authentication binding for verifying password's validity. This works by
  55. # logging into LDAP server using the username and password given by client.
  56. # The pass_filter is used to find the DN for the user. Note that the pass_attrs
  57. # is still used, only the password field is ignored in it. Before doing any
  58. # search, the binding is switched back to the default DN.
  59. <%= Dovecot::Conf.attribute(@conf['ldap'], 'auth_bind', false) %>
  60. # If authentication binding is used, you can save one LDAP request per login
  61. # if users' DN can be specified with a common template. The template can use
  62. # the standard %variables (see user_filter). Note that you can't
  63. # use any pass_attrs if you use this setting.
  64. #
  65. # If you use this setting, it's a good idea to use a different
  66. # dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
  67. # the filename is different in userdb's args). That way one connection is used
  68. # only for LDAP binds and another connection is used for user lookups.
  69. # Otherwise the binding is changed to the default DN before each user lookup.
  70. #
  71. # For example:
  72. # auth_bind_userdn = cn=%u,ou=people,o=org
  73. #
  74. <%= Dovecot::Conf.attribute(@conf['ldap'], 'auth_bind_userdn') %>
  75. # LDAP protocol version to use. Likely 2 or 3.
  76. <%= Dovecot::Conf.attribute(@conf['ldap'], 'ldap_version', 3) %>
  77. # LDAP base. %variables can be used here.
  78. # For example: dc=mail, dc=example, dc=org
  79. <%= Dovecot::Conf.attribute(@conf['ldap'], 'base') %>
  80. # Dereference: never, searching, finding, always
  81. <%= Dovecot::Conf.attribute(@conf['ldap'], 'deref', 'never') %>
  82. # Search scope: base, onelevel, subtree
  83. <%= Dovecot::Conf.attribute(@conf['ldap'], 'scope', 'subtree') %>
  84. # User attributes are given in LDAP-name=dovecot-internal-name list. The
  85. # internal names are:
  86. # uid - System UID
  87. # gid - System GID
  88. # home - Home directory
  89. # mail - Mail location
  90. #
  91. # There are also other special fields which can be returned, see
  92. # http://wiki2.dovecot.org/UserDatabase/ExtraFields
  93. <%= Dovecot::Conf.attribute(@conf['ldap'], 'user_attrs', 'homeDirectory=home,uidNumber=uid,gidNumber=gid') %>
  94. # Filter for user lookup. Some variables can be used (see
  95. # http://wiki2.dovecot.org/Variables for full list):
  96. # %u - username
  97. # %n - user part in user@domain, same as %u if there's no domain
  98. # %d - domain part in user@domain, empty if user there's no domain
  99. <%= Dovecot::Conf.attribute(@conf['ldap'], 'user_filter', '(&(objectClass=posixAccount)(uid=%u))') %>
  100. # Password checking attributes:
  101. # user: Virtual user name (user@domain), if you wish to change the
  102. # user-given username to something else
  103. # password: Password, may optionally start with {type}, eg. {crypt}
  104. # There are also other special fields which can be returned, see
  105. # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
  106. <%= Dovecot::Conf.attribute(@conf['ldap'], 'pass_attrs', 'uid=user,userPassword=password') %>
  107. # If you wish to avoid two LDAP lookups (passdb + userdb), you can use
  108. # userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
  109. # also have to include user_attrs in pass_attrs field prefixed with "userdb_"
  110. # string. For example:
  111. <%= Dovecot::Conf.attribute(@conf['ldap'], 'pass_attrs', 'uid=user,userPassword=password,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid') %>
  112. # Filter for password lookups
  113. <%= Dovecot::Conf.attribute(@conf['ldap'], 'pass_filter', '(&(objectClass=posixAccount)(uid=%u))') %>
  114. # Attributes and filter to get a list of all users
  115. <%= Dovecot::Conf.attribute(@conf['ldap'], 'iterate_attrs', 'uid=user') %>
  116. <%= Dovecot::Conf.attribute(@conf['ldap'], 'iterate_filter', '(objectClass=posixAccount)') %>
  117. # Default password scheme. "{scheme}" before password overrides this.
  118. # List of supported schemes is in: http://wiki2.dovecot.org/Authentication
  119. <%= Dovecot::Conf.attribute(@conf['ldap'], 'default_pass_scheme', 'CRYPT') %>