Dovecot-LMTP and LDAP: passdb doesn't support credential lookups
Niols
niols at niols.fr
Wed Mar 30 19:45:24 UTC 2016
Hello,
Sorry, this might be a newbish question, but I really can't get the
answer by myself.
I'm trying to set up a mail server using LDAP to authenticate users, and
I keep receiving the errors:
passdb doesn't support credential lookups
passdb doesn't support lookups, can't verify user's existence
when I send test mails to (existing) users.
I'm already using the LDAP server for other purposes, and it's working
fine. I can't (or I don't want to) give read access to the userPassword
attribute, so I want to use an authentication bind:
http://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds
I've already managed to have postfix working with this LDAP server, the
users (and their aliases) are correctly recognized. Postfix then sends
the mails to Dovecot (2.2.13, Debian Jessie's version) with dovecot-lmtp.
Here is my /etc/dovecot/conf.d/auth-ldap.conf.ext. I use the static
driver for userdb, and the LDAP driver for passdb.
passdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
driver = static
args = uid=mail gid=mail home=/var/mail/%u
}
Here is my /etc/dovecot/dovecot-ldap.conf.ext file.
hosts = localhost
ldap_version = 3
dn = cn=dovecot,ou=services,dc=niols,dc=fr
dnpass = a-random-password
auth_bind = yes
base = ou=people,dc=niols,dc=fr
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
I haven't set the user_filter and user_attrs values, since I thought
these would only be useful for userdb. I haven't set the pass_attrs
value, since I don't see why it would be needed (I just need to be able
to bind my user, right?). I can't use auth_bind_userdn since the e-mail
addresses aren't necessarily related in any way to the user dn. I assumed
%u was going to be replaced by the user's full e-mail address.
I tried to play a bit with these values to find a working configuration,
without success. I tried to search myself on the LDAP server, using the
provided dn and dnpass, and I succeeded. I tried to activate debug logs,
but that didn't give me much more information (full debug log at the end
of this e-mail).
I think the problem is that passdb cannot find the user on the LDAP
server, but I don't know why. I believe the problem is lying in my
non-comprehension of what userdb and passdb actually do. I tried to find
out by myself, and I'm here because I didn't manage to do so.
I'm sorry if this post looks stupid. Any help and any comments of any
kind would be greatly appreciated.
Regards,
Niols
PS: Here is the full debug log that I get after sending a test message
to test at niols.net (.net vs. .fr: this is not a mistake, I use my .net
domain for testing purposes while I use my .fr domain for everyday life)
with swaks:
lmtp(3208): Connect from local
auth: Debug: Loading modules from directory:
/usr/lib/dovecot/modules/auth
auth: Debug: Loading modules from directory:
/usr/lib/dovecot/modules/auth
auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libauthdb_ldap.so
auth: Debug: Read auth token secret from
/var/run/dovecot/auth-token-secret.dat
auth: Debug: LDAP initialization took 0 msecs
auth: Debug: master in: USER 1 test at niols.net
service=lmtp
auth: Debug: ldap(test at niols.net): passdb doesn't support credential
lookups
auth: Error: static(test at niols.net): passdb doesn't support lookups,
can't verify user's existence
auth: Debug: userdb out: FAIL 1
lmtp(3208): Error: user test at niols.net: Auth USER lookup failed
lmtp(3208): Disconnect from local: Successful quit
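The following configuration is an added illustration and is not part of the original post. It shows how the two error lines in the log relate to the static userdb: Dovecot's static userdb verifies that a user exists by asking the passdb, and an LDAP passdb with auth_bind = yes can only verify a password by binding, so it cannot answer the password-less lookup that an LMTP "USER" request triggers. allow_all_users is a documented static-userdb parameter; the user_filter and user_attrs values in the second variant are assumptions chosen to match the poster's pass_filter, not settings taken from the post.

```conf
# Added illustration, not the original poster's configuration.
# /etc/dovecot/conf.d/auth-ldap.conf.ext

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# Variant A: keep the static userdb, but stop it from consulting passdb
# for the existence check. Every address handed to LMTP is then accepted,
# so recipient validation must already happen upstream (in the post,
# Postfix does this with its own LDAP lookups).
userdb {
  driver = static
  args = uid=mail gid=mail home=/var/mail/%u allow_all_users=yes
}

# Variant B (instead of A, not in addition): let Dovecot confirm the user
# in LDAP itself. userdb lookups search with dn/dnpass from
# dovecot-ldap.conf.ext; auth_bind only changes how passdb checks the
# password. user_filter and user_attrs below are assumed values.
#userdb {
#  driver = ldap
#  args = /etc/dovecot/dovecot-ldap.conf.ext
#}
#
# and in /etc/dovecot/dovecot-ldap.conf.ext (assumed values):
#   user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
#   user_attrs = =uid=mail,=gid=mail,=home=/var/mail/%u
```

With variant A the log's "userdb out: FAIL" path is no longer reached because the static userdb never performs the passdb lookup; with variant B the LDAP search must succeed for the address (the same mail=%u match the poster relies on in pass_filter) before the static values are returned.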