Home Explore Help
Sign In
cookbooks
/
dovecot
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
dovecot
/
templates
/
default
/
dovecot-ldap.conf.ext.erb

dovecot-ldap.conf.ext.erb 6.5 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142 
  1. # Generated by Chef
    2. 

  2. 

  3. # This file is opened as root, so it should be owned by root and mode 0600.
    4. 

  4. #
    5. 

  5. # http://wiki2.dovecot.org/AuthDatabase/LDAP
    6. 

  6. #
    7. 

  7. # NOTE: If you're not using authentication binds, you'll need to give
    8. 

  8. # dovecot-auth read access to userPassword field in the LDAP server.
    9. 

  9. # With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
    10. 

  10. # already be something like this:
    11. 

  11. 

  12. # access to attribute=userPassword
    13. 

  13. #        by dn="<dovecot's dn>" read # add this
    14. 

  14. #        by anonymous auth
    15. 

  15. #        by self write
    16. 

  16. #        by * none
    17. 

  17. 

  18. # Space separated list of LDAP hosts to use. host:port is allowed too.
    19. 

  19. <%= Dovecot::Conf.attribute(@conf['ldap'], 'hosts') %>
    20. 

  20. 

  21. # LDAP URIs to use. You can use this instead of hosts list. Note that this
    22. 

  22. # setting isn't supported by all LDAP libraries.
    23. 

  23. <%= Dovecot::Conf.attribute(@conf['ldap'], 'uris') %>
    24. 

  24. 

  25. # Distinguished Name - the username used to login to the LDAP server.
    26. 

  26. # Leave it commented out to bind anonymously (useful with auth_bind=yes).
    27. 

  27. <%= Dovecot::Conf.attribute(@conf['ldap'], 'dn') %>
    28. 

  28. 

  29. # Password for LDAP server, if dn is specified.
    30. 

  30. <%= Dovecot::Conf.attribute(@conf['ldap'], 'dnpass') %>
    31. 

  31. 

  32. # Use SASL binding instead of the simple binding. Note that this changes
    33. 

  33. # ldap_version automatically to be 3 if it's lower. Also note that SASL binds
    34. 

  34. # and auth_bind=yes don't work together.
    35. 

  35. <%= Dovecot::Conf.attribute(@conf['ldap'], 'sasl_bind', false) %>
    36. 

  36. # SASL mechanism name to use.
    37. 

  37. <%= Dovecot::Conf.attribute(@conf['ldap'], 'sasl_mech') %>
    38. 

  38. # SASL realm to use.
    39. 

  39. <%= Dovecot::Conf.attribute(@conf['ldap'], 'sasl_realm') %>
    40. 

  40. # SASL authorization ID, ie. the dnpass is for this "master user", but the
    41. 

  41. # dn is still the logged in user. Normally you want to keep this empty.
    42. 

  42. <%= Dovecot::Conf.attribute(@conf['ldap'], 'sasl_authz_id') %>
    43. 

  43. 

  44. # Use TLS to connect to the LDAP server.
    45. 

  45. <%= Dovecot::Conf.attribute(@conf['ldap'], 'tls', false) %>
    46. 

  46. # TLS options, currently supported only with OpenLDAP:
    47. 

  47. <%= Dovecot::Conf.attribute(@conf['ldap'], 'tls_ca_cert_file') %>
    48. 

  48. <%= Dovecot::Conf.attribute(@conf['ldap'], 'tls_ca_cert_file') %>
    49. 

  49. <%= Dovecot::Conf.attribute(@conf['ldap'], 'tls_ca_cert_dir') %>
    50. 

  50. <%= Dovecot::Conf.attribute(@conf['ldap'], 'tls_cipher_suite') %>
    51. 

  51. # TLS cert/key is used only if LDAP server requires a client certificate.
    52. 

  52. <%= Dovecot::Conf.attribute(@conf['ldap'], 'tls_cert_file') %>
    53. 

  53. <%= Dovecot::Conf.attribute(@conf['ldap'], 'tls_key_file') %>
    54. 

  54. # Valid values: never, hard, demand, allow, try
    55. 

  55. <%= Dovecot::Conf.attribute(@conf['ldap'], 'tls_require_cert') %>
    56. 

  56. 

  57. # Use the given ldaprc path.
    58. 

  58. <%= Dovecot::Conf.attribute(@conf['ldap'], 'ldaprc_path') %>
    59. 

  59. 

  60. # LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
    61. 

  61. # -1 = everything. You may need to recompile OpenLDAP with debugging enabled
    62. 

  62. # to get enough output.
    63. 

  63. <%= Dovecot::Conf.attribute(@conf['ldap'], 'debug_level', 0) %>
    64. 

  64. 

  65. # Use authentication binding for verifying password's validity. This works by
    66. 

  66. # logging into LDAP server using the username and password given by client.
    67. 

  67. # The pass_filter is used to find the DN for the user. Note that the pass_attrs
    68. 

  68. # is still used, only the password field is ignored in it. Before doing any
    69. 

  69. # search, the binding is switched back to the default DN.
    70. 

  70. <%= Dovecot::Conf.attribute(@conf['ldap'], 'auth_bind', false) %>
    71. 

  71. 

  72. # If authentication binding is used, you can save one LDAP request per login
    73. 

  73. # if users' DN can be specified with a common template. The template can use
    74. 

  74. # the standard %variables (see user_filter). Note that you can't
    75. 

  75. # use any pass_attrs if you use this setting.
    76. 

  76. #
    77. 

  77. # If you use this setting, it's a good idea to use a different
    78. 

  78. # dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
    79. 

  79. # the filename is different in userdb's args). That way one connection is used
    80. 

  80. # only for LDAP binds and another connection is used for user lookups.
    81. 

  81. # Otherwise the binding is changed to the default DN before each user lookup.
    82. 

  82. #
    83. 

  83. # For example:
    84. 

  84. #   auth_bind_userdn = cn=%u,ou=people,o=org
    85. 

  85. #
    86. 

  86. <%= Dovecot::Conf.attribute(@conf['ldap'], 'auth_bind_userdn') %>
    87. 

  87. 

  88. # LDAP protocol version to use. Likely 2 or 3.
    89. 

  89. <%= Dovecot::Conf.attribute(@conf['ldap'], 'ldap_version', 3) %>
    90. 

  90. 

  91. # LDAP base. %variables can be used here.
    92. 

  92. # For example: dc=mail, dc=example, dc=org
    93. 

  93. <%= Dovecot::Conf.attribute(@conf['ldap'], 'base') %>
    94. 

  94. 

  95. # Dereference: never, searching, finding, always
    96. 

  96. <%= Dovecot::Conf.attribute(@conf['ldap'], 'deref', 'never') %>
    97. 

  97. 

  98. # Search scope: base, onelevel, subtree
    99. 

  99. <%= Dovecot::Conf.attribute(@conf['ldap'], 'scope', 'subtree') %>
    100. 

  100. 

  101. # User attributes are given in LDAP-name=dovecot-internal-name list. The
    102. 

  102. # internal names are:
    103. 

  103. #   uid - System UID
    104. 

  104. #   gid - System GID
    105. 

  105. #   home - Home directory
    106. 

  106. #   mail - Mail location
    107. 

  107. #
    108. 

  108. # There are also other special fields which can be returned, see
    109. 

  109. # http://wiki2.dovecot.org/UserDatabase/ExtraFields
    110. 

  110. <%= Dovecot::Conf.attribute(@conf['ldap'], 'user_attrs', 'homeDirectory=home,uidNumber=uid,gidNumber=gid') %>
    111. 

  111. 

  112. # Filter for user lookup. Some variables can be used (see
    113. 

  113. # http://wiki2.dovecot.org/Variables for full list):
    114. 

  114. #   %u - username
    115. 

  115. #   %n - user part in user@domain, same as %u if there's no domain
    116. 

  116. #   %d - domain part in user@domain, empty if user there's no domain
    117. 

  117. <%= Dovecot::Conf.attribute(@conf['ldap'], 'user_filter', '(&(objectClass=posixAccount)(uid=%u))') %>
    118. 

  118. 

  119. # Password checking attributes:
    120. 

  120. #  user: Virtual user name (user@domain), if you wish to change the
    121. 

  121. #        user-given username to something else
    122. 

  122. #  password: Password, may optionally start with {type}, eg. {crypt}
    123. 

  123. # There are also other special fields which can be returned, see
    124. 

  124. # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
    125. 

  125. <%= Dovecot::Conf.attribute(@conf['ldap'], 'pass_attrs', 'uid=user,userPassword=password') %>
    126. 

  126. 

  127. # If you wish to avoid two LDAP lookups (passdb + userdb), you can use
    128. 

  128. # userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
    129. 

  129. # also have to include user_attrs in pass_attrs field prefixed with "userdb_"
    130. 

  130. # string. For example:
    131. 

  131. #pass_attrs = uid=user,userPassword=password,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
    132. 

  132. 

  133. # Filter for password lookups
    134. 

  134. <%= Dovecot::Conf.attribute(@conf['ldap'], 'pass_filter', '(&(objectClass=posixAccount)(uid=%u))') %>
    135. 

  135. 

  136. # Attributes and filter to get a list of all users
    137. 

  137. <%= Dovecot::Conf.attribute(@conf['ldap'], 'iterate_attrs', 'uid=user') %>
    138. 

  138. <%= Dovecot::Conf.attribute(@conf['ldap'], 'iterate_filter', '(objectClass=posixAccount)') %>
    139. 

  139. 

  140. # Default password scheme. "{scheme}" before password overrides this.
    141. 

  141. # List of supported schemes is in: http://wiki2.dovecot.org/Authentication
    142. 

  142. <%= Dovecot::Conf.attribute(@conf['ldap'], 'default_pass_scheme', 'CRYPT') %>
    143.