Dovecot-LMTP and LDAP: passdb doesn't support credential lookups

Niols niols at niols.fr
Wed Mar 30 19:45:24 UTC 2016


Hello,

Sorry, this might be a newbish question, but I really can't get the
answer by myself.

I'm trying to setup a mail server using LDAP to authenticate users, and
I keep receiving the errors:

    passdb doesn't support credential lookups
    passdb doesn't support lookups, can't verify user's existence

when I send test mails to (existing) users.

I'm already using the LDAP server for other purposes, and it's working
fine. I can't (or I don't want to) give read access to the userPassword
attribute, so I want to use an authentication bind:

    http://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds

I've already managed to have postfix working with this LDAP server, the
users (and their aliases) are correctly recognized. Postfix then sends
the mails to Dovecot (2.2.13, Debian Jessie's version) with dovecot-lmtp.

Here is my /etc/dovecot/conf.d/auth-ldap.conf.ext. I use the static
driver for userdb, and the LDAP driver for passdb.

    passdb {
      driver = ldap
      args = /etc/dovecot/dovecot-ldap.conf.ext
    }

    userdb {
      driver = static
      args = uid=mail gid=mail home=/var/mail/%u
    }

Here is my /etc/dovecot/dovecot-ldap.conf.ext file.

    hosts = localhost
    ldap_version = 3
    dn = cn=dovecot,ou=services,dc=niols,dc=fr
    dnpass = a-random-password

    auth_bind = yes
    base = ou=people,dc=niols,dc=fr

    pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))

I haven't set the user_filter and user_attrs values, since I thought
these would only be useful for userdb. I haven't set the pass_attrs
value, since I don't see why it would be needed (I just need to be able
to bind my user, right?). I can't use auth_bind_userdn since the e-mail
addresses aren't necessarily related in any way to the user dn. I assumed
%u was going to be replaced by the user's full e-mail address.

I tried to play a bit with these values to find a working configuration,
without success. I tried to search myself on the LDAP server, using the
provided dn and dnpass, and I succeeded. I tried to activate debug logs,
but that didn't give me much more information (full debug log at the end
of this e-mail).

I think the problem is that passdb cannot find the user on the LDAP
server, but I don't know why. I believe the problem is lying in my
non-comprehension of what userdb and passdb actually do. I tried to find
out by myself, and I'm here because I didn't manage to do so.

I'm sorry if this post looks stupid. Any help and any comments of any
kind would be greatly appreciated.

Regards,
Niols

PS: Here is the full debug log that I get after sending a test message
to test@niols.net (.net vs. .fr: this is not a mistake, I use my .net
domain for testing purposes while I use my .fr domain for everyday life)
with swaks:

    lmtp(3208): Connect from local
    auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
    auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
    auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
    auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
    auth: Debug: LDAP initialization took 0 msecs
    auth: Debug: master in: USER        1        test@niols.net        service=lmtp
    auth: Debug: ldap(test@niols.net): passdb doesn't support credential lookups
    auth: Error: static(test@niols.net): passdb doesn't support lookups, can't verify user's existence
    auth: Debug: userdb out: FAIL        1
    lmtp(3208): Error: user test@niols.net: Auth USER lookup failed
    lmtp(3208): Disconnect from local: Successful quit
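As an added example (not from the post and not Dovecot's own code), a small Python check that parses the two configuration fragments quoted above and flags the pairing the poster is running: an LDAP passdb in auth-bind mode with no pass_attrs next to a static userdb without allow_all_users=yes. The rule it encodes is an assumption taken from Dovecot's documented static-userdb behaviour: the static userdb confirms that a user exists by asking the passdb, and a bind-only LDAP passdb cannot answer that lookup, which is what the "passdb doesn't support lookups" error in the log reports.

```python
import re

# Constructed inline from the two files quoted in the post above.
AUTH_LDAP_CONF = """
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = static
  args = uid=mail gid=mail home=/var/mail/%u
}
"""
DOVECOT_LDAP_CONF = """
dn = cn=dovecot,ou=services,dc=niols,dc=fr
auth_bind = yes
base = ou=people,dc=niols,dc=fr
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
"""

def parse_kv(text):
    """Parse 'key = value' lines into a dict, splitting on the first '=' only."""
    out = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def parse_sections(text):
    """Parse 'name { ... }' blocks (passdb, userdb) into {name: {key: value}}."""
    return {name: parse_kv(body)
            for name, body in re.findall(r"(\w+)\s*\{([^}]*)\}", text)}

def find_issues(auth_conf, ldap_conf):
    """Return a list of problems with this passdb/userdb pairing (empty if none)."""
    sections, ldap = parse_sections(auth_conf), parse_kv(ldap_conf)
    passdb, userdb = sections.get("passdb", {}), sections.get("userdb", {})
    # Assumption (Dovecot's documented behaviour): with auth_bind=yes and no
    # pass_attrs the LDAP passdb can only verify a password by binding; it
    # cannot answer the "does this user exist?" lookup that LMTP performs.
    bind_only = (passdb.get("driver") == "ldap" and "pass_attrs" not in ldap
                 and ldap.get("auth_bind", "no").lower() == "yes")
    # A static userdb delegates that existence check to the passdb unless
    # allow_all_users=yes is present in its args.
    allow_all = "allow_all_users=yes" in userdb.get("args", "").split()
    if userdb.get("driver") == "static" and not allow_all and bind_only:
        return ["static userdb needs passdb lookups, which a bind-only LDAP "
                "passdb cannot do: add allow_all_users=yes or use driver=ldap"]
    return []
```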

