On Thu, Sep 08, 2011 at 04:03:58PM +0300, Timo Sirainen wrote:
It shouldn't be behaving like that.. Are you saying that all "unknown user" failures are logged as those errors?
Seems so yes.
I get without auth_bind_userdn:
Sep 08 15:56:08 auth: Info: ldap(foo,127.0.0.1): unknown user
With auth_bind_userdn:
Sep 08 16:00:12 auth: Info: ldap(foo,127.0.0.1): invalid credentials
So the "No such object" isn't expected.. Maybe different LDAP servers work in different ways?..
We're using centos directory server - aka - red hat directory server - aka - 389ds. With:

auth_verbose = yes
auth_verbose_passwords = sha1 (which doesn't work)
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

hosts = ldapm1.example.net:389 ldapm2.example.net:389
auth_bind = yes
auth_bind_userdn = uid=%n,ou=people,o=%d,o=ISP,o=example,c=NO
base = ou=people,o=%d,o=ISP,o=example,c=NO
deref = never
scope = onelevel
user_attrs = mailMessageStore=home, mailLocation=mail, mailQuota=mailQuota=quota_rule=*:storage=%$
user_filter = (&(objectClass=examplePerson)(uid=%n))

Could maybe also be the user_filter or auth_bind_userdn that's turning it into an error?
Yours appears to give out the difference between "user doesn't exist" and "wrong password"? Does the attached patch change these to "unknown user" messages?
diff -r 8de8752b2e94 src/auth/passdb-ldap.c --- a/src/auth/passdb-ldap.c Thu Sep 08 13:41:20 2011 +0300 +++ b/src/auth/passdb-ldap.c Thu Sep 08 16:03:21 2011 +0300 @@ -157,6 +157,10 @@ } auth_request_log_info(auth_request, "ldap", "%s", str); passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH; + } else if (ret == LDAP_NO_SUCH_OBJECT) { + passdb_result = PASSDB_RESULT_USER_UNKNOWN; + auth_request_log_info(auth_request, "ldap", + "unknown user"); } else { auth_request_log_error(auth_request, "ldap", "ldap_bind() failed: %s",
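Review bot: the new LDAP_NO_SUCH_OBJECT branch assigns passdb_result before calling auth_request_log_info(), while the LDAP_INVALID_CREDENTIALS branch just above it logs first and then sets passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH; keep the two branches in the same order so the function reads consistently. Also note that only this single result code is mapped to PASSDB_RESULT_USER_UNKNOWN: any other code a directory returns when the bind DN built from auth_bind_userdn does not exist still falls through to the final else and is logged at error level as "ldap_bind() failed", so the reporter's test against 389ds should confirm that LDAP_NO_SUCH_OBJECT is the code it actually returns for a missing uid, otherwise the "No such object" errors will keep appearing unchanged.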
I've done a bit too many unscheduled changes today... will see if I can sneak this in tomorrow :-) -jf