Raw backtrace multiple passwords not allowed

Leon Kyneur leon at f-m.fm
Sun Jul 10 10:32:56 UTC 2016 

This turned into quite a large problem for me but think I have resolved it.

After toying this a few settings I ended up (out of sheer desperation)
setting "blocking = yes" in my LDAP configuration.

Is this a logical thing to do? I couldn't find much on it other than i'm 
guessing queries are no long async.

I don't really see the downside given the upside is auth is not crashing 
and causing password prompts for all my customers...

On 09/07/16 15:26, Leon Kyneur wrote:
> Hi
>
> Recently enabled support for encrypted passwords on my proxies - 
> CRAM-MD5, DIGEST-MD5, NTLM and APOP to support some new users. Most 
> users are working perfectly though every so often I see this happening 
> in the logs:
>
> Jul 09 06:32:51 auth: Error: 
> ldap(user at domain.com,192.168.10.90,<mOWiFi431eDKOsBS>): Multiple 
> password values not supported
> Jul 09 06:32:51 auth: Panic: file passdb-ldap.c: line 99 
> (ldap_lookup_finish): assertion failed: (password == NULL || scheme != 
> NULL)
> Jul 09 06:32:51 auth: Error: Raw backtrace: 
> /usr/lib64/dovecot/libdovecot.so.0(+0x86aae) [0x7ff4db08faae] -> 
> /usr/lib64/dovecot/libdovecot.so.0(+0x86b8e) [0x7ff4db08fb8e] -> 
> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7ff4db033b5d] -> 
> /usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x720b) [0x7ff4d967a20b] -> 
> /usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x5e2f) [0x7ff4d9678e2f] -> 
> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x4c) 
> [0x7ff4db0a338c] -> 
> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xff) 
> [0x7ff4db0a47ef] -> 
> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) 
> [0x7ff4db0a3415] -> 
> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7ff4db0a35c8] 
> -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) 
> [0x7ff4db03a033] -> dovecot/auth [13 wait, 1 passdb, 0 
> userdb](main+0x39c) [0x7ff4db5454ac] -> 
> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7ff4da61fb15] -> 
> dovecot/auth [13 wait, 1 passdb, 0 userdb](+0xf6a1) [0x7ff4db5456a1]
> Jul 09 06:32:51 imap-login: Warning: Auth connection closed with 1 
> pending requests (max 0 secs, pid=8759, EOF)
> Jul 09 06:32:51 imap-login: Warning: Auth connection closed with 1 
> pending requests (max 1 secs, pid=8764, EOF)
>
> Password debug shows:
> Jul 09 06:38:25 auth: Debug: 
> ldap(user at domain.com,192.168.10.90,<xSSOKi438ODKOsBS>): Credentials: 
> 4b616e6761733138
> Jul 09 06:38:27 auth: Debug: client passdb out: FAIL    2541 
> user=user at domain.com    pass=NotPassword    original_user=user
> Jul 09 06:38:37 auth: Debug: 
> passwd-file(tassiedevil,192.168.10.90,<weQKKy438eDKOsBS>): username 
> changed user -> user at domain.com
> Jul 09 06:38:37 auth: Debug: 
> passwd-file(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): 
> Allowing any password
> Jul 09 06:38:37 auth: Debug: 
> ldap(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): pass search: 
> base=o=domains,dc=mail,dc=com scope=subtree 
> filter=(&(objectClass=mail)(status=active)(|(|(mail=user at domain.com)(&(uid=user at domain.com)))(&(enabledService=shadowaddress)(shadowAddress 
> user at domain.com)))) 
> fields=mail,userPlaintextPassword,userPlaintextPassword,mailstoreHost
> Jul 09 06:38:37 auth: Debug: 
> ldap(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): result: 
> mail=user at domain.com userPlaintextPassword=NotPassword; 
> mail,userPlaintextPassword unused
> Jul 09 06:38:37 auth: Debug: 
> ldap(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): result: 
> mail=user at domain.com userPlaintextPassword=NotPassword; mailstoreHost 
> missing
> Jul 09 06:38:37 auth: Debug: 
> ldap(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): PLAIN( Jenni) 
> != 'NotPassword'
> Jul 09 06:38:39 auth: Debug: client passdb out: FAIL    2826 
> user=user at domain.com        original_user=user
>
>
> This particular user has a space in their password.. some other users 
> do not when seeing this error.
>
> I run multiple passdb and config is:
> passdb {
>   args = /etc/dovecot/dovecot-ldap-proxy-alias.conf.ext
>   default_fields = nopassword=y password=
>   driver = ldap
>   result_failure = continue-fail
>   result_internalfail = continue-fail
>   result_success = continue-ok
> }
> passdb {
>   args = scheme=plain username_format=%l@%d /etc/dovecot/passwd.domains
>   default_fields = nopassword=y password=
>   driver = passwd-file
>   result_success = continue-fail
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap-proxy.conf.ext
>   driver = ldap
> }
>
>  LDAP passdb specifies 'PLAIN' as default_pass_scheme.
>
> [root at S605 dovecot]# dovecot --version
> 2.2.24 (a82c823)
>
> Any ideas what's going on here?

More information about the dovecot mailing list