Hello,
I just want to report a slightly confusing log entry at the auth-debug level that I encountered while setting up Kerberos auth. Users are stored in LDAP, Kerberos makes use of the same LDAP as its backend, and the goal was to enable users to use their principals in addition to simple login with the mailAddress/userPassword combination.
Sample entry relevant attrs:
mailAddress: sn.gn@example.com
mailDeliveryAddress: 123456@example.com
uid: u123456
krbPrincipalName: u123456@REALM
krbPrincipalName: user123456@REALM
krbPrincipalName: alias@REALM

with

pass_attrs = =user=%{ldap:mailDeliveryAddress},=password=%{ldap:userPassword},=k5principals=%{ldap:krbPrincipalName}

I can see an incorrectly logged LDAP search result for the krbPrincipalName attr, as it is written 3 times with the same value -- the number is correct, the values should differ. Everything is working OK as expected, but it was a bit confusing while tuning /etc/krb5.conf on a non-working remote client whilst the local client had no issues (mutt). Anyway, to eventually save someone's time, this seems to be easy enough to fix.
Thanks for this great software,
Tomas

dovecot[13337]: auth: Debug: ldap(sn.gn@example.com,10.0.9.14,<6xHsI62sJoWT+2C4>): result: mailDeliveryAddress=123456@example.com krbPrincipalName=u123456@REALM,u123456@REALM,u123456@REALM; krbPrincipalName,mailDeliveryAddress unused
dovecot[13337]: auth: Debug: ldap(sn.gn@example.com,10.0.9.14,<6xHsI62sJoWT+2C4>): username changed sn.gn@example.com -> 123456@example.com
dovecot[13337]: auth: Warning: ldap(123456@example.com,10.0.9.14,<6xHsI62sJoWT+2C4>): Multiple values found for 'krbPrincipalName', using value 'u123456@REALM'
dovecot[13337]: auth: Debug: ldap(123456@example.com,10.0.9.14,<6xHsI62sJoWT+2C4>): Finished passdb lookup
dovecot[13337]: auth: Debug: gssapi(123456@example.com,10.0.9.14,<6xHsI62sJoWT+2C4>): authorized by k5principals field: u123456@REALM
dovecot[13337]: auth: Debug: auth(123456@example.com,10.0.9.14,<6xHsI62sJoWT+2C4>): Auth request finished
dovecot[13337]: auth: Debug: client passdb out: OK 1 user=123456@example.com k5principals=u123456@REALM original_user=u123456@REALM
dovecot[13337]: auth: Debug: master in: REQUEST 3251372033 13340 1 3bbd5f6931fe4e949e7822657da9e33b session_pid=13343 request_auth_token

# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.8 (b7b03ba2)
# OS: Linux 4.18.0-193.14.2.el8_2.x86_64 x86_64 CentOS Linux release 8.2.2004 (Core)
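
Added example, not part of the original message and not Dovecot code: a small Python check that scans auth-debug output for the symptom reported above, a multi-valued LDAP attribute logged as N copies of one value, so those entries can be verified against the directory instead of trusted from the log. It assumes the line format quoted in this message and attribute values without spaces or commas; the function names are illustrative and the last sample line is constructed.

```python
import re

# Sample lines in the format quoted in the report; the third one is constructed.
SAMPLE = """\
dovecot[13337]: auth: Debug: ldap(sn.gn@example.com,10.0.9.14,<6xHsI62sJoWT+2C4>): result: mailDeliveryAddress=123456@example.com krbPrincipalName=u123456@REALM,u123456@REALM,u123456@REALM; krbPrincipalName,mailDeliveryAddress unused
dovecot[13337]: auth: Warning: ldap(123456@example.com,10.0.9.14,<6xHsI62sJoWT+2C4>): Multiple values found for 'krbPrincipalName', using value 'u123456@REALM'
dovecot[13337]: auth: Debug: ldap(a@example.com,10.0.9.14,<abc>): result: mailDeliveryAddress=1@example.com krbPrincipalName=a@REALM,b@REALM; krbPrincipalName unused
"""

RESULT_RE = re.compile(
    r"auth: Debug: ldap\((?P<user>[^,]+),[^)]*\): result: (?P<body>.*)$")
MULTI_RE = re.compile(
    r"auth: Warning: ldap\([^)]*\): Multiple values found for "
    r"'(?P<attr>[^']+)', using value '(?P<val>[^']*)'")


def parse_result(line):
    """Return (user, {attr: [values]}) for an ldap 'result:' line, else None."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    attrs = {}
    # Everything after ';' is the "... unused" trailer, not attribute data.
    for token in m.group("body").split(";", 1)[0].split():
        name, sep, joined = token.partition("=")
        if sep:
            attrs[name] = joined.split(",")  # multi-values are comma-joined
    return m.group("user"), attrs


def suspicious_repeats(log_text):
    """List (user, attr, count, value) where N>1 logged values are identical."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_result(line)
        if parsed is None:
            continue
        user, attrs = parsed
        for name, values in attrs.items():
            if len(values) > 1 and len(set(values)) == 1:
                findings.append((user, name, len(values), values[0]))
    return findings


def multi_value_warnings(log_text):
    """List (attr, value_used) from 'Multiple values found' warnings."""
    return [(m.group("attr"), m.group("val")) for m in MULTI_RE.finditer(log_text)]
```
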