Dovecot with UCS LDAP


I am trying to use an external dovecot server to authenticate against UCS LDAP and I am trying to follow this regarding the auth method

the initial auth works if I use the Administrator account but I would like to use a separate/dfiferent UCS account which has readonly access to the user’s userPassword ldap attrib.

Is there a way to create such a UCS account via udm/UCM? I would like to avoid creating custom ACL in UCS if possible …


Does this help?


unfortunately not, I have verified via ldapsearch that such account (which I already created before for other resons) can’t read the ldap attrib userPassword … is there a way to (minimally) modify that account to allow that?


well, this is written in the link you posted:

# there should already be something like this in the file:
access to attribute=userPassword
        by dn="<dovecot's dn>" read  # just add this line
        by anonymous auth
        by self write
        by * none

But be aware such local LDAP-ACLs can be overwritten is written in the default configuration files. Usually, UCS has some sort of *local* files where you can configure such customized options. Just check, I haven’t done currently.


well, yes, I have seen that but I had hoped to have a different way (maybe via some UCS / UMC frontend tool) which does not involve editing ACL manually directly …

Anyway, here is what I did

# cat /etc/univention/templates/files/etc/ldap/slapd.conf.d/69univention-custom-ldap-acls
# . /usr/share/univention-lib/ 
# ucs_registerLDAPExtension --packagename=myacl --packageversion=1 --acl 69univention-custom-ldap-acls 
Waiting for activation of the extension object 69univention-custom-ldap-acls: .........OK

where the custom ACL file looks like this (ignore first ACL used for other stuff here …):

access to attrs=gecos,secretary
    by self write                          
    by * none

access to attrs=userPassword
    by dn="uid=queryimap,cn=users,dc=my,dc=company,dc=com" read
    by anonymous auth
    by self write
    by * none break

would you say that it is correct? I am in referring in particular to the fact that in slapd.conf there are already ACLs concerning that attribute (userPassword) and my worry is that my ACL would interfere/break the default / already existing one as distributed in UCS.


knowing this is a long time since the last post, but did that work?