Problem with multiple ldap passdb

Martin Wheldon martin.wheldon at greenhills-it.co.uk
Tue Nov 22 16:39:47 UTC 2016


Hi mailing list,

I'm currently running Dovecot 2.2.13 from Debian Jessie, and all is running 
fine. However, I am attempting to merge two LDAP authentication sources.

I would like to authenticate against the first authentication source first; 
if that fails, either because the password is wrong or the user is not found,
then try the next LDAP server.

I've added a passdb and userdb entry for the new LDAP server. As you 
can see from the log below, the user isn't found in the first LDAP query 
but is in the second one. However, the authentication fails:

Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: client in: 
AUTH#0111#011PLAIN#011service=imap#011secured#011session=WTLjLuRB9QBRlIlQ#011lip=51.254.222.112#011rip=81.148.137.80#011lport=143#011rport=56821#011resp=AG1hcnRpbi53aGVsZG9uQGdyXWVuaGlsbHMtaXQuY28udWsAQ3JhY2spbk4wdw== 
(previous base64 data may contain sensitive data)
Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon 
at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): bind search: 
base=dc=greenhills-it,dc=co,dc=uk 
filter=(&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=martin.wheldon 
at greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk)))
Nov 22 13:59:38 he01-imap-01 dovecot: auth: Error: ldap(martin.wheldon 
at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): 
ldap_search(base=dc=greenhills-it,dc=co,dc=uk 
filter=(&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=martin.wheldon 
at greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk)))) 
failed: No such object
Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon 
at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): bind search: 
base=dc=greenhills-it,dc=co,dc=uk filter=(|(uid=martin.wheldon at 
greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk))
Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon 
at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): result: 
uid=00000001; uid unused
Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon 
at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): username 
changed martin.wheldon at greenhills-it.co.uk -> 00000001
Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: 
ldap(00000001,81.148.137.80,<WTLjLuRB9QBRlIlQ>): result: uid=00000001
Nov 22 13:59:40 he01-imap-01 dovecot: auth: Debug: client passdb out: 
FAIL#0111#011user=00000001#011temp#011original_user=martin.wheldon at 
greenhills-it.co.uk


I know that the password was entered correctly because if I disable the 
new LDAP config and log in, I am authenticated properly:


Nov 22 14:00:38 he01-imap-01 dovecot: auth: Debug: auth client connected 
(pid=2626)
Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: client in: 
AUTH#0111#011PLAIN#011service=imap#011secured#011session=ipKBMuRBBQBRlIlQ#011lip=51.254.222.112#011rip=81.148.137.80#011lport=143#011rport=38149#011resp=AG1hcnRpbi53aGVsZG9uQGdyXWVuaGlsbHMtaXQuY28udWsAQ3JhY2spbk4wdw== 
(previous base64 data may contain sensitive data)
Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon 
at greenhills-it.co.uk,81.148.137.80,<ipKBMuRBBQBRlIlQ>): bind search: 
base=dc=greenhills-it,dc=co,dc=uk filter=(|(uid=martin.wheldon at 
greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk))
Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon 
at greenhills-it.co.uk,81.148.137.80,<ipKBMuRBBQBRlIlQ>): result: 
uid=00000001; uid unused
Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon 
at greenhills-it.co.uk,81.148.137.80,<ipKBMuRBBQBRlIlQ>): username 
changed martin.wheldon at greenhills-it.co.uk -> 00000001
Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: 
ldap(00000001,81.148.137.80,<ipKBMuRBBQBRlIlQ>): result: uid=00000001
Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: client passdb out: 
OK#0111#011user=00000001#011original_user=martin.wheldon at 
greenhills-it.co.uk


I've done a lot of searching and I believe that this is possible, so I 
must either have misread the documentation or be triggering a bug.
I have not been able to confirm either.

Any help would be much appreciated.

My broken configuration is below:

# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
# NOTE(review): auth_debug_passwords makes the auth log carry the raw AUTH
# PLAIN response (the base64 "resp=" values in the excerpts above, which
# Dovecot itself flags as possibly sensitive). Keep it on only while
# troubleshooting, and treat any credential that appeared in a posted log
# as exposed.
auth_debug = yes
auth_debug_passwords = yes
# Both mechanisms send the password itself; ssl = required (below) keeps
# that inside TLS.
auth_mechanisms = plain login
default_vsz_limit = 512 M
lmtp_rcpt_check_quota = yes
lmtp_save_to_detail_mailbox = yes
mail_location = maildir:~/Maildir
mail_plugins = " quota"
managesieve_notify_capability = mailto
# Wrapped by the mailer; a single line in the real file.
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date ihave
# Single default namespace with the standard special-use folders.
namespace inbox {
   inbox = yes
   location =
   mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix =
}
# Passdbs are tried in the order listed: the new directory first, then the
# original one. "skip = authenticated" only skips the second lookup when an
# earlier passdb already returned OK; the failing log above shows the second
# search still runs after the first passdb's error.
# NOTE(review): in that log the first lookup ends in an ldap_search error
# ("No such object") and the final reply is "FAIL ... temp", i.e. a
# temporary/internal failure rather than a rejected password — the first
# passdb's search error, not the second passdb's answer, is the likely place
# to look.
passdb {
   args = /etc/dovecot/dovecot-ldap-new.conf.ext
   driver = ldap
}
passdb {
   args = /etc/dovecot/dovecot-ldap.conf.ext
   driver = ldap
   skip = authenticated
}
# Plugin settings: antispam retraining via sendmail, maildir quota, sieve.
plugin {
   # Retraining pipes the message to sendmail with the authenticated user
   # as envelope sender/return path (%{auth_user} is expanded by Dovecot).
   antispam_backend = pipe
   antispam_pipe_program = /usr/sbin/sendmail
   antispam_pipe_program_args = -f;%{auth_user};-r;%{auth_user}
   antispam_pipe_program_notspam_arg = retrain-as-ham at greenhills-it.co.uk
   antispam_pipe_program_spam_arg = retrain-as-spam at greenhills-it.co.uk
   antispam_spam = Spam
   antispam_trash = Trash
   # 1G default; Trash and Spam do not count. The LDAP user_attrs maps below
   # can override quota_rule per user.
   quota = maildir:User quota
   quota_rule = *:storage=1G
   quota_rule2 = Trash:ignore
   quota_rule3 = Spam:ignore
   # sieve_before runs the site script before the user's own script.
   sieve = ~/.dovecot.sieve
   sieve_before = /var/lib/dovecot/sieve/move-spam.sieve
   sieve_dir = ~/sieve
}
protocols = " imap lmtp sieve pop3"
# service_count = 1: each imap-login process serves one connection and exits,
# so a compromised login process cannot see other sessions.
service imap-login {
   process_min_avail = 20
   service_count = 1
}
service imap {
   process_min_avail = 20
}
# LMTP listens on the host's public name as well as loopback. LMTP delivery
# is not authenticated, so port 2003 should be reachable only from the MTA.
service lmtp {
   inet_listener lmtp {
     address = he01-imap-01.greenhills-it.co.uk 127.0.0.1
     port = 2003
   }
}
service pop3 {
   process_min_avail = 20
}
# TLS policy: TLS is mandatory for clients, SSLv2/SSLv3 are disabled, and
# the cipher list excludes export, NULL, anonymous, RC4, DES/3DES and MD5
# suites. ssl_key must stay readable only by root/Dovecot.
ssl = required
ssl_cert = </etc/ssl/certs/combined_2015_greenhills-it.co.uk.cert
# Wrapped by the mailer; a single line in the real file.
ssl_cipher_list = 
ALL:HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT:!PSK:!DES:!3DES:!MD5:!DES+MD5:!RC4:!SEED+SHA:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!eNULL:!aNULL:@STRENGTH
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/stripped.2015.greenhills-it.co.uk.pem
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
# userdbs mirror the passdb order: new directory first, then the original.
# A user found by the second passdb is still looked up here in the first
# userdb first — worth checking which one supplied the home/uid/gid in the
# failing case.
userdb {
   args = /etc/dovecot/dovecot-ldap-new.conf.ext
   driver = ldap
}
userdb {
   args = /etc/dovecot/dovecot-ldap.conf.ext
   driver = ldap
}
protocol lmtp {
   mail_plugins = " quota sieve"
}
protocol imap {
   mail_plugins = " quota imap_quota"
}


# Working LDAP configuration
# /etc/dovecot/dovecot-ldap.conf.ext
# NOTE(review): plain ldap:// with no "tls = yes" line. With auth_bind = yes
# the user's password travels in the bind request, so this link should be
# TLS (as in the new file) or otherwise protected.
uris = ldap://he01-auth-01.greenhills-it.co.uk
# Search account used to find the user's DN before the auth bind.
dn = uid=dovecot,ou=people,ou=SRV_Accounts,dc=greenhills-it,dc=co,dc=uk
# Presumably a placeholder for the real bind password; this file should be
# readable only by the Dovecot config reader.
dnpass = VerySecret
sasl_bind = no
# Password verified by binding as the user's DN, not by comparing a hash.
auth_bind = yes
ldap_version = 3
base = dc=greenhills-it,dc=co,dc=uk
scope = subtree
# userdb attribute map (wrapped by the mailer; one line in the real file).
# gosaMailQuota overrides the default quota_rule from dovecot.conf.
user_attrs = 
homeDirectory=home,uidNumber=uid,gidNumber=gid,gosaMailQuota=quota_rule=*:storage=%$M
user_filter = (|(uid=%u)(mail=%u)(gosaMailAlternateAddress=%u))
# uid becomes the login name (the log shows "username changed ... -> 00000001").
pass_attrs = uid=user,userPassword=password
pass_filter = (|(uid=%u)(mail=%u))
# Scheme for userPassword values; with auth_bind = yes it is presumably only
# relevant if the returned password attribute is used directly — TODO confirm.
default_pass_scheme = CRYPT


# Non working LDAP configuration
# /etc/dovecot/dovecot-ldap-new.conf.ext
uris = ldap://dir.greenhills-it.co.uk
# dn is wrapped by the mailer here; it is one quoted value in the real file.
dn = "cn=dovecot,ou=search 
accounts,ou=services,dc=greenhills-it,dc=co,dc=uk"
dnpass = VerySecret
sasl_bind = no
# STARTTLS on the plain port, with the server certificate required to
# validate against the named CA file.
tls = yes
tls_ca_cert_file = /etc/ssl/certs/GreenhillsCACert.pem
tls_require_cert = demand
# -1 = all libldap debug output; it can include DNs and filters, so reset
# it once the lookup problem is solved.
debug_level = -1
auth_bind = yes
ldap_version = 3
# NOTE(review): the failing log line above ran this file's pass_filter with
# base=dc=greenhills-it,dc=co,dc=uk, not the ou=customers base set here, and
# got "No such object" (the base entry does not exist on the server queried).
# Worth confirming which file Dovecot actually loaded for the first passdb.
base = ou=customers,dc=greenhills-it,dc=co,dc=uk
scope = subtree
# userdb attribute map (wrapped by the mailer; one line in the real file).
user_attrs = 
homeDirectory=home,uidNumber=uid,gidNumber=gid,ukFirmGhITAccMailQuota=quota_rule=*:storage=%$M
# Only accounts with the Email service enabled and not locked match; a
# locked user therefore looks like "user not found" rather than a distinct
# failure.
user_filter = 
(&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=%u)(mail=%u)(ukFirmGhITAccMailAlias=%u)))
# No password attribute is returned: verification is by auth bind, and
# uidNumber becomes the login name.
pass_attrs = uidNumber=user
pass_filter = 
(&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=%u)(mail=%u)))
# Only relevant if a password attribute were returned; pass_attrs has none.
default_pass_scheme = SSHA


Best Regards
-- 
Martin Wheldon
Greenhills IT Ltd.
Telephone: 01904 238 454
Website: www.greenhills-it.co.uk

Greenhills IT Ltd. is a limited company registered in England and Wales.
Company Registration No: 06387214
Registered Offices: 2 Greenhills, Claxton, YORK, North Yorkshire, YO60 
7SA

