Centos

Postfix/Dovecot multiple authentication against Active Directory

  • June 28, 2017

So I have a working mail server that authenticates against Active Directory. Everything works fine until I try to add a secondary authentication backend..

Server info:

Server OS: CentOS 7.1.1503
Postfix version: 2.10.1
Dovecot version: 2.2.10

Currently my configuration looks like this:

Postfix configuration files:

/etc/postfix/main.cf

virtual_mailbox_base = /homes/vmail/homes 
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users-primary.cf 
virtual_alias_maps = ldap:/etc/postfix/ldap-groups-primary.cf
virtual_uid_maps = static:989 
virtual_gid_maps = static:987

ldap-users-primary.cf

server_host = 192.168.250.200
search_base = cn=Users, dc=domain, dc=local
version = 3
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = samaccountname
result_format = %s/
bind = yes
bind_dn = user@domain.local
bind_pw = password

ldap-groups-primary.cf

server_host = 192.168.250.200
search_base = ou=Email_Groups, dc=domain,dc=local
version = 3
query_filter = (&(objectclass=group)(mail=%s))
leaf_result_attribute = mail
special_result_attribute = member
bind = yes
bind_dn = user@domain.local
bind_pw = password
start_tls = no

Dovecot configuration files:

/etc/dovecot/conf.d/10-auth.conf

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-primary.conf
}

userdb {
  driver = static
  args = uid=989 gid=987 home=/homes/vmail/homes/%u
}

dovecot-ldap-primary.conf

hosts = 192.168.250.200
base = cn=Users, dc=domain, dc=local
ldap_version = 3
auth_bind = yes
auth_bind_userdn = domain\%u

All of the settings above work fine and don't cause any problems. Until I try to add a secondary domain controller..

To do this, I created new configuration files: ldap-users-secondary.cf, ldap-groups-secondary.cf, dovecot-ldap-secondary.conf.

The only thing different in these files is the server IP address (it just points to the secondary domain controller). If I use these files on their own, everything works. But if I modify /etc/postfix/main.cf like this:

virtual_mailbox_base = /homes/vmail/homes 
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users-primary.cf, ldap:/etc/postfix/ldap-users-secondary.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-groups-primary.cf, ldap:/etc/postfix/ldap-groups-secondary.cf
virtual_uid_maps = static:989 
virtual_gid_maps = static:987

and /etc/dovecot/conf.d/10-auth.conf

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-primary.conf
}

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-secondary.conf
}

userdb {
  driver = static
  args = uid=989 gid=987 home=/homes/vmail/homes/%u
}

it just stops working and starts throwing these errors:

NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 451 4.3.0 <user@domain.local>: Temporary lookup failure;

Can anyone help me?

The solution was very simple.. As @sam_pan_mariusz suggested, instead of IP addresses I entered DNS names. Ran some tests and everything works.

It turns out that both Postfix and Dovecot allow multiple LDAP hosts in the ldap configuration for failover. As far as I can tell, though, the configuration on all the LDAP servers has to be the same. At least for Postfix.

On Postfix, this does not work reliably:

virtual_mailbox_maps = ldap:/etc/postfix/ad-users-dc-1.cf, ldap:/etc/postfix/ad-users-dc-2.cf

This does work. In main.cf:

virtual_mailbox_maps = ldap:/etc/postfix/ad-users.cf

…and in the ad-users.cf file:

server_host     = 192.168.44.75,192.168.44.76
server_port     = 389
version         = ...
bind            = ...
start_tls       = ...
bind_dn         = CN=...
bind_pw         = ...
... etc

In Dovecot, this works. In your ldap target configuration file:

hosts   = 192.168.44.75:389, 192.168.44.76:389
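The answers above hinge on two things: one LDAP config file listing several hosts gives failover, while two files chained in a map list do not, and the per-DC files must be identical apart from the host list. The script below is an added example (not from the original thread or from Postfix/Dovecot) that checks two per-DC files for any difference other than server_host/hosts and, if they match, emits the single merged failover file. The host-list separators (", " for Postfix server_host, " " for Dovecot hosts) and the sample file contents are assumptions.

```python
import re
# The only keys allowed to differ between the two files: Postfix ldap tables
# list servers in server_host (comma/space separated), Dovecot in hosts (space
# separated). Both separators are assumptions from each project's docs.
HOST_KEYS = {"server_host": ", ", "hosts": " "}

def parse_kv(text):
    """Parse 'key = value' lines, skipping blank lines and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")  # split on the FIRST '=' only
            if sep:
                conf[key.strip()] = value.strip()
    return conf

def find_conflicts(a, b):
    """Every non-host key whose value differs or is missing on one side."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if k not in HOST_KEYS and a.get(k) != b.get(k)}

def merge_failover(primary, secondary):
    """Build one failover config from two per-DC files, keeping the primary's
    key order. Raises ValueError if anything but the host list differs."""
    a, b = parse_kv(primary), parse_kv(secondary)
    conflicts = find_conflicts(a, b)
    if conflicts:
        raise ValueError(f"files differ beyond the host list: {conflicts}")
    lines = []
    for key, value in a.items():
        if key in HOST_KEYS:
            hosts = []
            for h in re.split(r"[,\s]+", value + " " + b.get(key, "")):
                if h and h not in hosts:  # de-duplicate, primary's hosts first
                    hosts.append(h)
            value = HOST_KEYS[key].join(hosts)
        lines.append(f"{key} = {value}")
    return "\n".join(lines) + "\n"

# Constructed sample: a cut-down copy of the question's primary Postfix table
# and a secondary that differs only in the domain controller's IP.
POSTFIX_PRIMARY = """\
server_host = 192.168.250.200
search_base = cn=Users, dc=domain, dc=local
query_filter = (&(objectclass=person)(mail=%s))
bind_dn = user@domain.local
"""
POSTFIX_SECONDARY = POSTFIX_PRIMARY.replace("192.168.250.200", "192.168.250.201")
```

Calling merge_failover(POSTFIX_PRIMARY, POSTFIX_SECONDARY) yields a file whose first line is `server_host = 192.168.250.200, 192.168.250.201`, ready to be referenced once from virtual_mailbox_maps.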

Quoted from: https://serverfault.com/questions/736745