[Dovecot] [BUG?] LDAP authentication with aliases issues

Paweł Lęcznar maillistpld at gmail.com
Sun Jul 31 23:48:16 EEST 2011


Hello,

I am trying to configure Dovecot with LDAP authentication. My LDAP tree 
structure is as follows:
     dc=root,dc=pl
      \_ ou=Users
         \_ uid=test
      \_ ou=Mail
         \_ ou=domain.pl
            \_ uid=alias_to_test

I cannot authenticate using 
'uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl'. If I try to 
authenticate using 
'uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl', the following entry 
appears in Dovecot's log file:

#v+
auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured lip=127.0.0.1   rip=127.0.0.1   lport=993       rport=59818     resp=YWxpYXMxQGFsaWFzeS5wbABhbGlhczFAYWxpYXN5LnBsAGFzZHF3ZWFzZA==
auth: Debug: ldap(alias_to_test@domain.pl,127.0.0.1): pass search: base=uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl scope=base filter=(&(objectClass=posixAccount)) fields=uid,userPassword
auth: Debug: auth(alias_to_test@domain.pl,127.0.0.1): username changed alias_to_test@domain.pl -> test
auth: Debug: ldap(test,127.0.0.1): result: uid(user)=test userPassword(password)={CRYPT}ACnZvF4.K46UI
auth: Debug: client out: OK     1       user=test
auth: Debug: ldap(test,127.0.0.1): user search: base=uid=test,ou=,ou=Mail,dc=root,dc=pl scope=base filter=(&(objectClass=posixAccount)(uid=test)) fields=homeDirectory,uidNumber,gidNumber
auth: Debug: master out: FAIL   2551840769
#v-


In the LDAP server log file, the following entries appear during an 
authentication attempt:

#v+
ldap slapd[11729]: conn=1125 op=0 BIND dn="cn=Manager,dc=root,dc=pl" method=128
ldap slapd[11729]: conn=1125 op=0 BIND dn="cn=Manager,dc=root,dc=pl" mech=SIMPLE ssf=0
ldap slapd[11729]: conn=1125 op=0 RESULT tag=97 err=0 text=
ldap slapd[11729]: conn=1125 op=1 SRCH base="uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl" scope=0 deref=3 filter="(&(objectClass=posixAccount))"
ldap slapd[11729]: conn=1125 op=1 SRCH attr=uid userPassword
ldap slapd[11729]: conn=1125 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
ldap slapd[11729]: conn=1125 op=2 do_search: invalid dn: "uid=test,ou=,ou=Mail,dc=root,dc=pl"
ldap slapd[11729]: conn=1125 op=2 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
#v-

It seems that LDAP AuthDatabase doesn't change the context when looking 
up the target object to which the alias points. Furthermore, the 
filter for the target object '(&(objectClass=posixAccount)(uid=test))' 
was not defined by me anywhere in the configuration file 'dovecot-ldap.ext'.
I have tried both authentication ways, 'password lookups' and 
'authentication binding', with the same result. However, there is no 
problem authenticating as 'uid=test,ou=Users,dc=root,dc=pl' (of course 
after modifying the configuration file listed at the end).

I suppose that it can be a bug in LDAP AuthDatabase, so I am writing 
this post as a potential bug report.


Below are my configuration data:
***************
# dovecot -n
# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.38.8-1 x86_64
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_verbose = yes
auth_verbose_passwords = plain
listen = *
mail_debug = yes
mail_gid = 2000
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
passdb {
   args = /etc/dovecot/dovecot-ldap.conf.ext
   driver = ldap
}
plugin {
   sieve = ~/.dovecot.sieve
   sieve_dir = ~/sieve
}
postmaster_address = postmaster@domain.pl
protocols = imap pop3 sieve
service auth {
   unix_listener /var/spool/postfix/private/auth {
     mode = 0666
   }
   unix_listener auth-userdb {
     group = vmail
     mode = 0600
     user = vmail
   }
}
service imap-login {
   inet_listener imap {
     port = 143
   }
   inet_listener imaps {
     port = 993
     ssl = yes
   }
}
service pop3-login {
   inet_listener pop3 {
     port = 110
   }
   inet_listener pop3s {
     port = 995
     ssl = yes
   }
}
ssl = required
ssl_cert = </etc/openssl/certs/vmail.pem
ssl_key = </etc/openssl/private/vmail.key
userdb {
   args = /etc/dovecot/dovecot-ldap.conf.ext
   driver = ldap
}
verbose_ssl = yes

***************
# cat /etc/dovecot/dovecot-ldap.ext
uris = ldap://X.Y.Z.V/
dn = cn=Manager,dc=root,dc=pl
dnpass = password
auth_bind = no
ldap_version = 3
base = uid=%n,ou=%d,ou=Mail,dc=root,dc=pl
deref = always
scope = base
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount))
default_pass_scheme = CRYPT

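The log above shows the second lookup being built from the username the passdb returned ("test", with no domain), so `%d` in the `base` template expands to nothing and the DN contains an empty `ou=` RDN. The following is an added Python example (not from the post and not Dovecot's code) that reproduces that expansion for the `base` template used here and flags any DN with an empty RDN value before it would be sent to the server. It assumes simplified Dovecot variable semantics (`%u` = full login, `%n` = local part, `%d` = domain) and ignores multi-valued RDNs.

```python
import re
from typing import Dict, List, Tuple

# Simplified Dovecot-style expansion: %u = full login, %n = local part,
# %d = domain. Real Dovecot supports many more variables and modifiers.
def expand_template(template: str, user: str) -> str:
    local, _, domain = user.partition("@")
    subst = {"%u": user, "%n": local, "%d": domain}
    return re.sub(r"%[und]", lambda m: subst[m.group(0)], template)


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs.

    Only the '\\,' escape is handled; multi-valued RDNs joined with '+'
    are out of scope for this check.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % part)
        rdns.append((attr.strip(), value.strip()))
    return rdns


def dn_problems(dn: str) -> List[str]:
    """Return the reasons slapd would reject this DN (empty list = OK)."""
    try:
        rdns = split_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for attr, value in rdns:
        if not attr:
            problems.append("empty attribute type before '=%s'" % value)
        if not value:
            problems.append("empty value for attribute '%s'" % attr)
    return problems


# The base template from the dovecot-ldap configuration in the post.
BASE_TEMPLATE = "uid=%n,ou=%d,ou=Mail,dc=root,dc=pl"


def check_lookup(user: str, template: str = BASE_TEMPLATE) -> Dict[str, object]:
    """Expand the template for one lookup and report DN problems."""
    dn = expand_template(template, user)
    return {"user": user, "dn": dn, "problems": dn_problems(dn)}


if __name__ == "__main__":
    # The passdb search uses the login name; the userdb search uses the
    # username the passdb returned via uid=user, which has no domain.
    for login in ("alias_to_test@domain.pl", "test"):
        result = check_lookup(login)
        print(result["dn"], "->", result["problems"] or "OK")
```

Running the check over every username a passdb can hand back (here the bare `uid` value) shows in advance which `base` templates will produce an invalid DN for the userdb lookup.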
