On Wed, Aug 13, 2003 at 05:42:09PM +0300, Timo Sirainen wrote:
On Wednesday, Aug 13, 2003, at 10:03 Europe/Helsinki, Bob Hall wrote:
There should be another error message before that line?
No. The complete log entries related to my last attempt to log in are
Aug 12 21:46:31 kongemord imap-login: Internal login failure: bob [192.168.0.2]
Aug 12 21:46:31 kongemord dovecot: child 14690 (auth) killed with signal 11
OK, so the problem is that dovecot-auth process crashes. Maybe it's because you didn't give homeDirectory? It's not really needed, but there was a bug when it wasn't given. Here's a patch to fix it: http://dovecot.procontrol.fi/patches/auth-no-homedir.patch
I've never done a patch before, and I looked at the FBSD documentation on it, and couldn't figure out how it was done. So I modified my test entry in the LDAP directory and added posixAccount with homeDirectory and uidNumber and gidNumber. Restart OpenLDAP, retest, and same error message.
LOGIN dovecot secret
All IMAP commands start with a "tag", which can be pretty much any text. Add "x" or whatever before the LOGIN command.
x login dovecot secret
x NO Authentication failed.
The dovecot Unix account and the dovecot LDAP entry have been assigned the same password.
I'd guess it's because localhost resolves to IPv6 localhost ::1, and Dovecot doesn't listen on IPv6 interfaces with *BSD for now, since it requires two sockets.
No, localhost resolves to 127.0.0.1. However, compiling Dovecot with the --disable-ipv6 flag fixed that problem. Now I can connect via localhost, but I can't LOGIN. Error is identical to above.
Well, that's a bit strange..
something to do with user ids. What uids have you given to users in LDAP? Are they smaller than 500, which is the default minimum accepted uid? You could change first_valid_uid in config file.
I'm confused. In the documentation and schemas that come with OpenLDAP, a uid is a login. E.g. my account uid is 'bob'. Unix uses numeric uids, but if I'm using LDAP, I'm not accessing anything with numeric uids. posixAccount uses uidNumber, but I'm not using that class.
Dovecot still needs to map usernames to system UID numbers. If you want to use only one system UID, you can set user_global_uid and user_global_gid in dovecot-ldap.conf. Otherwise you'll need to set uidNumber and gidNumber for all users.
OK. I've added uidNumber and gidNumber for my LDAP test entry, and
user_global_uid = 2000
user_global_gid = 6
6 is the mail group. 2000 is no one in particular. I added dovecot to the mail group, but since Dovecot runs as root, I don't think that's necessary.
login_user = dovecot
auth_user = dovecot
It's better not to use the same user for auth and login. Maybe I should add a check to disallow this entirely..
I don't know enough about it to know why that's a bad idea, but I got it from a sample config file online. I've changed auth_user to dovecot-auth and I'm still getting the same error.
It's mostly just that the login process is designed to be "safe" even if it contains some security holes. If other processes are running with the same userid, the login process may be able to do some evil things to them.
OK. Dovecot (the app) runs under root. dovecot-auth (the process) runs under dovecot-auth (the user), imap-login runs under dovecot (the user), and nor the twain shall meet. Does that seem right?
Sorry if I seem slow, but I'm really unfamiliar with mail servers and authentication. It takes me hours to think through your replies and apply them to what I've done.
Bob Hall
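The tagged LOGIN exchange Timo describes above (every command carries a client-chosen tag, and the server's completion line echoes that tag back), as an added example that is not part of the thread and not Dovecot's own code. The client sends a tagged LOGIN, skips untagged "*" lines, and accepts only the completion line bearing its own tag; it also quotes arguments per RFC 3501 so a password containing spaces, quotes or a CR/LF cannot be split into extra arguments or a second command. The fake server replies are constructed for this example (only the "NO Authentication failed." text is taken from the thread); `TaggedImapClient`, `FakeDovecotTransport`, `SocketTransport` and `quote_astring` are names chosen here, not Dovecot's.

```python
"""Tagged IMAP LOGIN exchange (added example, not from the thread or Dovecot)."""
import re
import socket

_ATOM_SAFE = re.compile(rb"^[A-Za-z0-9_.\-]+$")


class ProtocolError(Exception):
    pass


def quote_astring(value: str) -> bytes:
    """Encode one IMAP command argument (an RFC 3501 astring).

    Plain atoms go as-is; anything with spaces or quotes becomes a quoted
    string with backslash and double-quote escaped.  CR, LF and 8-bit bytes
    cannot appear in a quoted string and would need a literal; this example
    refuses them outright, so a hostile value can never smuggle a second
    command onto the line (e.g. "secret\\r\\na002 LOGOUT").
    """
    raw = value.encode("utf-8")
    if _ATOM_SAFE.match(raw):
        return raw
    if b"\r" in raw or b"\n" in raw or any(b >= 0x80 for b in raw):
        raise ValueError("argument would need an IMAP literal; refusing to send inline")
    return b'"' + raw.replace(b"\\", b"\\\\").replace(b'"', b'\\"') + b'"'


class TaggedImapClient:
    """Minimal client over any transport with sendall(bytes) and readline() -> bytes."""

    def __init__(self, transport):
        self.t = transport
        self.counter = 0
        greeting = self.t.readline().rstrip(b"\r\n")
        if not greeting.startswith(b"* OK"):
            raise ProtocolError("unexpected greeting: %r" % greeting)

    def _next_tag(self) -> bytes:
        self.counter += 1
        return b"a%03d" % self.counter          # a001, a002, ...

    def command(self, name: str, *args: str):
        tag = self._next_tag()
        line = b" ".join([tag, name.encode("ascii")] + [quote_astring(a) for a in args])
        self.t.sendall(line + b"\r\n")
        untagged = []
        while True:
            resp = self.t.readline()
            if not resp:
                raise ProtocolError("connection closed before tagged response")
            resp = resp.rstrip(b"\r\n")
            if resp.startswith(b"* "):           # untagged data (CAPABILITY, BYE, ...)
                untagged.append(resp[2:].decode("utf-8", "replace"))
                continue
            if resp.startswith(tag + b" "):      # completion line for *our* tag
                status, _, text = resp[len(tag) + 1:].partition(b" ")
                return status.decode("ascii"), text.decode("utf-8", "replace"), untagged
            raise ProtocolError("response does not carry our tag %r: %r" % (tag, resp))

    def login(self, user: str, password: str):
        # Note: LOGIN sends the password in the clear unless the socket is TLS.
        return self.command("LOGIN", user, password)


class SocketTransport:
    """Real TCP transport, e.g. SocketTransport(socket.create_connection(("localhost", 143)))."""

    def __init__(self, sock: socket.socket):
        self.sock = sock
        self.rfile = sock.makefile("rb")

    def sendall(self, data: bytes) -> None:
        self.sock.sendall(data)

    def readline(self) -> bytes:
        return self.rfile.readline()


def _split_args(line: bytes):
    """Tokenize a command line, honouring quoted strings (used by the fake server)."""
    out, i = [], 0
    while i < len(line):
        if line[i:i + 1] == b" ":
            i += 1
        elif line[i:i + 1] == b'"':
            buf, j = bytearray(), i + 1
            while j < len(line) and line[j:j + 1] != b'"':
                if line[j:j + 1] == b"\\":
                    j += 1
                buf += line[j:j + 1]
                j += 1
            out.append(bytes(buf))
            i = j + 1
        else:
            j = line.find(b" ", i)
            j = len(line) if j == -1 else j
            out.append(line[i:j])
            i = j
    return out


class FakeDovecotTransport:
    """Constructed stand-in for the server socket; reply texts are made up here
    except "NO Authentication failed.", which is what Bob saw in the thread."""

    def __init__(self, valid_user="dovecot", valid_password="secret"):
        self.valid = (valid_user.encode(), valid_password.encode())
        self.pending = [b"* OK Dovecot ready.\r\n"]   # greeting (constructed)
        self.sent = []

    def sendall(self, data: bytes) -> None:
        self.sent.append(data)
        words = _split_args(data.rstrip(b"\r\n"))
        if len(words) < 2:
            self.pending.append(b"* BAD Missing tag or command.\r\n")
            return
        tag, cmd, args = words[0], words[1].upper(), words[2:]   # first word is always the tag
        if cmd == b"LOGIN" and len(args) == 2:
            ok = (args[0], args[1]) == self.valid
            self.pending.append(tag + (b" OK Logged in.\r\n" if ok else b" NO Authentication failed.\r\n"))
        else:
            self.pending.append(tag + b" BAD Unknown command.\r\n")

    def readline(self) -> bytes:
        return self.pending.pop(0) if self.pending else b""


def untagged_login_demo() -> bytes:
    """What happens with Bob's first attempt: no tag, so "LOGIN" becomes the tag."""
    t = FakeDovecotTransport()
    t.readline()                                  # discard the greeting
    t.sendall(b"LOGIN dovecot secret\r\n")
    return t.readline().rstrip(b"\r\n")           # b"LOGIN BAD Unknown command."


if __name__ == "__main__":
    client = TaggedImapClient(FakeDovecotTransport())
    print(client.login("dovecot", "secret"))      # ('OK', 'Logged in.', [])
    print(client.login("dovecot", "wrong"))       # ('NO', 'Authentication failed.', [])
    print(untagged_login_demo())
```

Against a real server, replace `FakeDovecotTransport()` with `SocketTransport(socket.create_connection((host, 143)))`; the client logic is unchanged, which is the point of the tag: the completion line is matched by the tag the client chose, not by position.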