Background:
I'm using Dovecot on Debian 10 and switching the userdb/passdb backend from NIS to LDAP, mainly because I want to learn about LDAP.
For NIS I had this in dovecot.conf:

    userdb {
      driver = passwd
    }
    passdb {
      driver = pam
      args = dovecot
    }
    # mail_uid and mail_gid are NOT set
    #mail_uid = dovecot
    #mail_gid = mail

and this (extract) in nsswitch.conf:

    passwd: files nis
    group:  files nis
    shadow: files nis

When I switched to LDAP I have this (extract) in dovecot.conf:

    userdb {
      driver = ldap
      args = /etc/dovecot/dovecot-ldap.conf
    }
    passdb {
      driver = ldap
      args = /etc/dovecot/dovecot-ldap.conf
    }
    # mail_uid and mail_gid are still NOT set
    #mail_uid = dovecot
    #mail_gid = mail

and this (and only this) in dovecot-ldap.conf:

    base = ou=Users,dc=pasta,dc=net
    uris = ldap://192.168.1.21/
    auth_bind = yes
    auth_bind_userdn = uid=%u,ou=Users,dc=pasta,dc=net

Both the NIS and the LDAP version work, meaning I can start mutt and read my (alexis's) mail.
However, I want Dovecot to look up other attributes from LDAP, e.g. mail quota or home directory - but don't get fixated on those specific attributes: I'm trying to learn how to transfer attributes from LDAP to Dovecot and I'm just going to use the home directory as an example in the config below.
The problem:
So I tell Dovecot in which LDAP attribute the home directory is stored by adding this to dovecot-ldap.conf:

    user_attrs = homeDirectory=home

However, as soon as I do this then dovecot starts complaining:

    dovecot: imap(alexis)<26179><hHrHde6XHLjAqAEQ>: Error: Couldn't drop privileges: User is missing UID (see mail_uid setting)

What I tried:
Now, I think that the mail_uid text is misleading: I didn't need it with NIS, so why do I suddenly need it with LDAP?
And indeed, if I add to dovecot.conf this:

    mail_uid = dovecot
    mail_gid = mail

then the complaint just changes to:

    dovecot: imap(alexis): Error: Mail access for users with UID 111 not permitted (see first_valid_uid in config file, uid from mail_uid setting).

But the dovecot UID is just the Debian 10 default: I don't think I should be messing with that. And, anyway, I'm not trying to read dovecot's mail, I'm trying to read my own (alexis's), so I really think this error message is misleading.
I tried just putting a high numeric UID of a non-existent user in mail_uid, with predictable results:

    dovecot: imap(alexis)<28748><7lb3y+6XmLjAqAEQ>: Error: stat(/var/mail/maildir/alexis/tmp) failed: Permission denied (euid=5000(<unknown>) egid=5000(<unknown>) missing +x perm: /var/mail/maildir/alexis, dir owned by 1000:1000 mode=0700)

I could change the ownership of everything in /var/mail to suit, but this really feels like the wrong thing to do.
So I commented out mail_uid and mail_gid again.
I wondered if somehow Dovecot thought it needed to switch from anonymous LDAP access (for retrieving user attributes, not for reading mail) to authenticated LDAP access, but adding a dovecot user to LDAP and setting dn and dnpass in dovecot-ldap.conf made no difference, the error remained:

    dovecot: imap(alexis)<26179><hHrHde6XHLjAqAEQ>: Error: Couldn't drop privileges: User is missing UID (see mail_uid setting)

But it should be able to read the attributes without authenticating:

    ziti# ldapsearch -Y EXTERNAL -H ldapi:/// -W -b 'cn=config' -LLL "(objectClass=olcDatabaseConfig)"
    ...
    dn: olcDatabase={1}mdb,cn=config
    ...
    olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
    olcAccess: {1}to attrs=shadowLastChange by self write by * read
    olcAccess: {2}to * by * read
    ...
    ziti#

I've seen Couldn't drop privileges: User is missing UID (see mail_uid setting) but I really want to learn what's going on here and why it's not working rather than switching to another userdb/passdb driver.
I've done a lot of googling and found many similar problems (with solutions) but none that matched my situation (though that didn't stop me from trying half of them anyway).
Can anybody advise please? Thanks!
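For comparison with the dovecot-ldap.conf extract in the question, here is an added example (not the asker's file and not from the Dovecot project) of the same userdb/passdb configuration with the numeric ids mapped alongside the home directory. The point it shows: once user_attrs is set, the ldap userdb hands Dovecot only the attributes listed there, so the uid and gid that the passwd userdb used to supply from the NIS account must now be fetched from LDAP as well, which is why the lookup succeeds but "User is missing UID" follows. It assumes the user entries are standard posixAccount objects (uidNumber, gidNumber, homeDirectory) and that anonymous read of those attributes is allowed, as the olcAccess rules above permit.

```ini
# /etc/dovecot/dovecot-ldap.conf (added example; assumes posixAccount entries)
uris = ldap://192.168.1.21/
base = ou=Users,dc=pasta,dc=net

# No dn/dnpass: the olcAccess rule "{2}to * by * read" lets the userdb
# lookup read uidNumber/gidNumber/homeDirectory anonymously.

# passdb: authenticate by binding as the user, as in the question
auth_bind = yes
auth_bind_userdn = uid=%u,ou=Users,dc=pasta,dc=net

# userdb: every field Dovecot needs must be named here once user_attrs
# exists. home alone gives the first error; uid and gid are what the
# passwd userdb returned implicitly under NIS. mail_uid/mail_gid stay unset
# so each user's mail is read as their own numeric uid, as before.
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
```

After reloading Dovecot, `doveadm user alexis` prints the fields the userdb returned, so you can confirm that uid, gid and home are all present before testing with mutt.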