--- /dev/null
+#%PAM-1.0
+
+# We have a common auth and account section, since we don't need to check the
+# "host" attribute, but the "mailHost" attribute. It would be sufficient to
+# use a custom account section, but pam_ldap only loads its config once, so we
+# can't use a different config for just the accoun section.
+
+# These are just taken from common-{auth,account}, but with the config=
+# parameter added.
+auth required pam_ldap.so config=/etc/pam_ldap_dovecot.conf
+
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account required pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+# We point the module to an alternative configuration file.
+account [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+ pam_ldap.so config=/etc/pam_ldap_dovecot.conf
+
+@include common-session
--- /dev/null
+#
+# See /usr/share/libpam-ldap/ldap.conf for example configuration and more
+# options.
+#
+#
+# Dovecot-specific version of pam_ldap.conf that checks the mailHost attribute
+# instead of the "host" attribute, so people without SSH access can still use
+# IMAP, and only people whose mail is delivered on this host can use IMAP.
+
+# The distinguished name of the search base.
+base dc=drsnuggles,dc=stderr,dc=nl
+
+# The LDAP server. ldaps:// is secure, ldapi:// is local socket
+uri ldap://ldap.drsnuggles.stderr.nl
+
+# The LDAP version to use
+ldap_version 3
+
+# Only allow people to login to dovecot when their email is delivered here.
+# Too bad this uses a hardcoded hostname, though...
+pam_filter mailHost=mail.drsnuggles.stderr.nl
projects / matthijs / servers / drsnuggles.git / commitdiff