[Dovecot] Dovecot 1.2.x masteruser proxy problem

Tom Mihalicek tomislav.mihalicek at gmail.com
Mon Nov 30 17:28:39 EET 2009


The problem was auth_bind=yes in dovecot-ldap.conf; I didn't read thoroughly
the
http://wiki.dovecot.org/Authentication/MasterUsers?action=show&redirect=MasterPassword

You should also add the pass=yes setting to the master passdb if possible.
It means that Dovecot verifies that the login user really exists before
allowing the master user to log in. Without the setting if a non-existing
login username is given, depending on the configuration, it could either
return an internal login error (the userdb lookup failed) or create a whole
new user (with eg. static userdb). pass=yes doesn't work with PAM or LDAP
with auth_bind=yes, because both of them require knowing the user's
password. 


Tom Mihalicek wrote:
> 
> Greetings to all
> 
> I need a masteruser/proxy account for some applications to be implemented
> and I am having some problems. Normal users are proxied through
> LDAP queries to the remote machine and this is working like it is supposed to,
> but I can't make the master user work. Below are both the dovecot.conf
> and dovecot-ldap.conf and verbose logs on the proxy machine.
> 
> If I log directly on the remote machine that should be proxied, everything
> is working normally ...
> 
> ### dovecot.conf
> 
> protocols =  pop3 imap managesieve
> 
> mail_uid = 10021
> mail_gid = 10021
> mail_privileged_group = vmail
> mail_access_groups = vmail
> 
> log_path =
> info_log_path =
> log_timestamp = "%b %d %H:%M:%S "
> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
> login_log_format = %$: %s
> mail_log_prefix = "%Us(%u): "
> 
> disable_plaintext_auth = no
> login_process_per_connection=yes
> auth_default_realm = example.com
> login_processes_count = 8
> login_max_processes_count = 128
> login_max_connections = 256
> verbose_proctitle = yes
> max_mail_processes = 512
> 
> mail_debug = yes
> auth_verbose = yes
> auth_debug = yes
> auth_debug_passwords = yes
> 
> auth_master_user_separator = *
> login_chroot = yes
> 
> ssl = no
> protocol imap {
> 	imap_client_workarounds = delay-newmail outlook-idle netscape-eoh
> tb-extra-mailbox-sep
> 	listen = xx.xx.xx.xx:143
> 	imap_max_line_length = 65536
> 	imap_logout_format = bytes=%i/%o
> 	mail_max_userip_connections = 10
> }
> 
> protocol pop3 {
> 	pop3_uidl_format = %08Xu%08Xv
> 	pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
> 	pop3_enable_last = yes
> 	pop3_uidl_format = %08Xu%08Xv
> 	listen = xx.xx.xx.xx:110
> 	mail_max_userip_connections = 10
> }
> 
> protocol managesieve {
>         listen = xx.xx.xx.xx:2000
>         login_executable =
> /usr/local/dovecot/libexec/dovecot/managesieve-login
>         mail_executable = /usr/local/dovecot/libexec/dovecot/managesieve
>         managesieve_max_line_length = 65536
>         managesieve_implementation_string = dovecot
>         managesieve_logout_format = bytes ( in=%i : out=%o )
> }
> 
> auth default {
> mechanisms = plain login
> user = vmail
> 
> passdb passwd-file {
>         args = /etc/dovecot/passwd.masterusers
>         master = yes
>         pass = yes
> }
> 
> passdb ldap {
> 	args = /etc/dovecot/dovecot-ldap.conf
> }
> 
> userdb ldap {
>         args = /etc/dovecot/dovecot-ldap.conf
> }
> 
> socket listen {
> 	master { 
> 		path = /var/run/dovecot/auth-master
> 		mode = 0600
> 		user = vmail
> 		group = vmail
> 		}
> 	client {
> 		path = /var/spool/postfix/dovecot-auth
> 		mode = 0660
> 		user = postfix
> 		group = postfix
> 		}
>     }
> }
> 
> ### dovecot-ldap.conf
> 
> hosts           = ldap.example.com
> ldap_version    = 3
> auth_bind       = yes
> dn              = cn=vmail,dc=example,dc=com
> dnpass          = secret_pass
> base            = ou=Users,domainName=%d,o=domains,dc=example,dc=com
> scope           = subtree
> deref           = never
> user_filter     =
> (&(mail=%u)(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls))
> user_attrs      =
> storageBaseDirectory=home,mailHost=host,=proxy=yes,=nologin=yes,=nodelay=yes
> pass_filter     =
> (&(mail=%u)(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls))
> pass_attrs      =
> userPassword=password,mailHost=host,=proxy=yes,=nologin=yes,=nodelay=yes
> default_pass_scheme = CRYPT
> 
> ### /var/log/mail/dovecot.info
> 
> Nov 30 14:26:59 dougie dovecot: auth(default): new auth connection:
> pid=5873
> Nov 30 14:27:28 dougie dovecot: auth(default): client in: AUTH	1	PLAIN
> service=pop3	lip=xx.xx.xx.xx	rip=192.168.22.222	
> lport=110	rport=36639
> resp=AHRtaWhhbGljZWtAeG5ldC5sYW4qbWlncmF0aW9uQHhuZXQuaHIAbTFncjR0MTBu
> Nov 30 14:27:28 dougie dovecot: auth(default):
> passwd-file(migration at example.com,192.168.22.222,master): lookup:
> user=master_user at example.com 
> file=/etc/dovecot/passwd.masterusers
> Nov 30 14:27:28 dougie dovecot: auth(default):
> passdb(master_user at example.com,192.168.22.222,master): Master user logging
> in as some_user at example.com
> Nov 30 14:27:28 dougie dovecot: auth(default):
> ldap(some_user at example.com,192.168.22.222): bind search: 
> base=ou=Users,domainName=example.com,o=domains,dc=example,dc=com
> filter=(&(mail=some_user at example.com)(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=pop3))
> Nov 30 14:27:28 dougie dovecot: auth(default):
> ldap(some_user at example.com,192.168.22.222): result:
> mailHost(host)=xx.xx.xx.xx
> Nov 30 14:27:28 dougie dovecot: auth(default):
> ldap(some_user at example.com,192.168.22.222): invalid credentials (given
> password: master_password)
> Nov 30 14:27:28 dougie dovecot: auth(default): client out: FAIL	1
> user=some_user at example.com	authz	nodelay	host=xx.xx.xx.xx	
> proxynologin	pass=master_password	master=master_user at example.com
> Nov 30 14:27:28 dougie dovecot: pop3-login: Ignoring unknown passdb extra
> field: authz
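Added example, not Dovecot code or anything from the thread: a simplified Python model of the passdb chain the reply above describes (a master passdb with pass=yes followed by the LDAP passdb), using the `*` separator from the quoted dovecot.conf. It shows why an LDAP passdb with auth_bind=yes ends in "invalid credentials" when only the master password is available, why a lookup-style passdb only needs the login user to exist, and what is lost without pass=yes; all account names and password values are constructed placeholders.

```python
import base64
from dataclasses import dataclass

SEPARATOR = "*"  # auth_master_user_separator from the quoted dovecot.conf

# Constructed sample accounts (placeholder values, not real credentials).
LOGIN_USERS = {"some_user@example.com": "user_secret"}
MASTER_USERS = {"master_user@example.com": "master_password"}


@dataclass
class LdapPassdb:
    """Model of the second passdb. With auth_bind=True it binds as the login
    user and can only succeed with that user's own password; with
    auth_bind=False it fetches the entry, so when the password check is
    skipped it only has to confirm that the user exists."""
    auth_bind: bool

    def check(self, user, password, skip_password_check):
        if user not in LOGIN_USERS:
            return "user unknown"
        if self.auth_bind:
            return "ok" if LOGIN_USERS[user] == password else "invalid credentials"
        if skip_password_check or LOGIN_USERS[user] == password:
            return "ok"
        return "invalid credentials"


def plain(authcid, password):
    """Build a SASL PLAIN response '\\0authcid\\0password' (constructed input)."""
    return base64.b64encode(f"\0{authcid}\0{password}".encode()).decode()


def parse_plain(resp_b64):
    """Decode a PLAIN response and split 'login*master' on the separator."""
    _, authcid, password = base64.b64decode(resp_b64).decode().split("\0")
    login_user, sep, master_user = authcid.partition(SEPARATOR)
    return login_user, (master_user if sep else None), password


def authenticate(resp_b64, passdb, master_pass_setting=True):
    """master_pass_setting models pass=yes on the master passdb."""
    login_user, master_user, password = parse_plain(resp_b64)
    if master_user is None:  # ordinary login, no master involved
        return passdb.check(login_user, password, skip_password_check=False)
    if MASTER_USERS.get(master_user) != password:
        return "master auth failed"
    if not master_pass_setting:  # login user is never looked up
        return "ok (login user never verified)"
    # pass=yes: continue to the next passdb for the login user, but the only
    # password available is the master's, as the quoted log line shows.
    return passdb.check(login_user, password, skip_password_check=True)
```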