path: root/doc/wiki/AuthDatabase.LDAP.txt
Diffstat (limited to 'doc/wiki/AuthDatabase.LDAP.txt')
-rw-r--r--doc/wiki/AuthDatabase.LDAP.txt79
1 files changed, 79 insertions, 0 deletions
diff --git a/doc/wiki/AuthDatabase.LDAP.txt b/doc/wiki/AuthDatabase.LDAP.txt
new file mode 100644
index 0000000..3ad2348
--- /dev/null
+++ b/doc/wiki/AuthDatabase.LDAP.txt
@@ -0,0 +1,79 @@
+LDAP
+====
+
+There are two ways to do LDAP authentication:
+
+ * <Password lookups> [AuthDatabase.LDAP.PasswordLookups.txt]
+ * <Authentication binds> [AuthDatabase.LDAP.AuthBinds.txt]
+
+Both of these have their own advantages and disadvantages.
+
+ * <LDAP as userdb> [AuthDatabase.LDAP.Userdb.txt] and other common LDAP query
+ settings.
+
+Configuration common to LDAP passdb and userdb
+----------------------------------------------
+
+Connecting
+----------
+
+There are two alternative ways to specify what LDAP server(s) to connect to:
+
+ * 'hosts': A space separated list of LDAP hosts to connect to. You can also
+ use host:port syntax to use different ports.
+ * 'uris': A space separated list of LDAP URIs to connect to. This isn't
+ supported by all LDAP libraries. The URIs are in syntax
+ 'protocol://host:port'. For example 'ldap://localhost' or
+ 'ldaps://secure.domain.org'
+
+If multiple LDAP servers are specified, it's decided by the LDAP library how
+the server connections are handled. Typically the first working server is used,
+and it's never disconnected from. So there is no load balancing or automatic
+reconnecting to the "primary" server.
+
+SSL/TLS
+-------
+
+You can enable TLS in two alternative ways:
+
+ * Connect to ldaps port (636) by using "ldaps" protocol, e.g. 'uris =
+ ldaps://secure.domain.org'
+ * Connect to ldap port (389) and use STARTTLS command. Use 'tls=yes' to enable
+ this.
+
+See the tls_* settings in 'dovecot-ldap-example.conf' for how to configure TLS.
+(I think they apply to ldaps too?)
+
+Getting Dovecot to talk to a LDAPS signed against a custom certificate of
+authority
+-----------------------------------------------------------------------------------
+
+If you need to connect to ldaps secured against a custom certificate of
+authority (CA), you will need to install the custom CA on your system.On Red
+Hat Enterprise Linux 6, Dovecot uses the OpenLDAP library. By default, the CA
+must be installed under the directory specified in the TLS_CACERTDIR option
+found under /etc/openldap/ldap.conf (default value is /etc/openldap/certs).
+After copying the CA, you'll need to run "c_rehash ." inside the directory,
+this will create a symlink pointing to the CA.
+
+You can test the CA installation with this: openssl s_client -connect
+yourldap.example.org:636 -CApath /etc/openldap/certs -showcerts
+
+This should report "Verify return code: 0 (ok)".
+
+SASL binds
+----------
+
+It's possible to use SASL binds instead of the regular plaintext binds if your
+LDAP library supports them. See the sasl_* settings in
+'dovecot-ldap-example.conf'. Note that SASL binds are currently incompatible
+with authentication binds.
+
+Active Directory
+----------------
+
+When connecting to AD, you may need to use port 3268. Then again, not all LDAP
+fields are available in port 3268. Use whatever
+works.http://technet.microsoft.com/en-us/library/cc978012.aspx
+
+(This file was created from the wiki on 2019-06-19 12:42)
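Review bot: the SSL/TLS section ships an unresolved question, "(I think they apply to ldaps too?)", into the published documentation; before this lands, either confirm whether the tls_* settings in 'dovecot-ldap-example.conf' also govern 'ldaps://' connections and state it plainly, or drop the parenthetical, since an administrator reading this page needs to know which settings control certificate handling for each connection mode. In the custom CA section, "certificate of authority" (heading and first sentence) should read "certificate authority", "system.On Red Hat" is missing a space, and the two-line heading's underline is much longer than the heading text. The 'openssl s_client ... -CApath /etc/openldap/certs -showcerts' check is useful; it would help to say explicitly that the 'c_rehash' step is what makes '-CApath' (and TLS_CACERTDIR) able to find the CA by hash symlink, which the text only implies. In the Active Directory section, "works.http://technet.microsoft.com/..." needs a space or line break between the sentence and the URL so the link is not swallowed into the word, and "Use whatever works" would read better as a concrete instruction, e.g. "Try port 3268 first and fall back to the standard port if the fields you need are missing."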