On 23/06/15 13:10, Steffen Kaiser wrote:
On Tue, 23 Jun 2015, lejeczek wrote:
On 23/06/15 09:32, Steffen Kaiser wrote:
On Mon, 22 Jun 2015, lejeczek wrote:
On 22/06/15 09:43, Steffen Kaiser wrote:
On Mon, 22 Jun 2015, lejeczek wrote:
On 22/06/15 09:16, lejeczek wrote:
> to=me@my.domain,orig_to=root@localhost,
> relay=dovecot, delay=39296, delays=39294/2.2/0/0.27,
> dsn=4.3.0, status=deferred (temporary failure)
>
> and dovecot logs no error, despite having debug set to yes in a couple of places,
> it shows:
>
> auth: Debug: master in: USER 1 me@my.domain service=lda
> auth-worker(25343): Debug: passwd(me@my.domain): lookup
> auth-worker(25343): passwd(me@my.domain): unknown user
> auth: Debug: ldap(me@my.domain): user search: base=ou=People,dc=my,dc=domain scope=subtree filter=(&(objectClass=person)(uid=me)) fields=
> auth: Debug: ldap(me@my.domain): result: objectClass=top,top,top,top,
>
> ... here goes the whole lot of ldap attribs, and at the end:
>
> unused.
>
> For passdb & userdb in the configs I only configure ldap backend, nothing else. Ldap works, I can query it without failing.
> I believe it's a very simple setup but I must be wrong somewhere.
>
> pass_filter = (&(objectClass=posixAccount)(uid=%n))
> pass_attrs = uid=user=%n,userPassword=password
Use either uid=user or =user=%n but not uid=user=%n. I would use uid=user, so the user cannot specify the case of the username.
> user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
> user_filter = (&(objectClass=person)(uid=%n))
>
> even stranger, if I use (along with ldap in configs):
Please post:
complete doveconf -n and the complete LDAP config being referenced by the config.
userdb {
  driver = static
  args = uid=vmail gid=mail home=/var/spool/mail/%d/%n mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n sieve_storage=/var/spool/mail/%d/%n/SIEVE sieve=/var/spool/mail/%d/%n/dovecot.sieve
}
dovecot starts to core dump:
auth: Fatal: master: service(auth): child 9188 killed with signal 11 (core dumped)
auth_debug = yes
The first lines should be something like this:
# 2.2.18 (8906101589f9): /usr/local/dovecot-2.2.18/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8 (3df7e50f986d)
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.10
What version are you using?
auth_mechanisms = login
auth_verbose = yes
first_valid_uid = 999
mail_debug = yes
mail_location = maildir:/var/spool/mail/my.domain/%u/Maildir
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
Did you remove or comment out the line:
10-auth.conf:#!include auth-system.conf.ext
?
passdb {
  args = /etc/dovecot/ldap-passdb-my.domain.conf
  driver = ldap
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_storage = SIEVE
}
protocols = imap sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = mail
    mode = 0660
    user = vmail
  }
  unix_listener auth-userdb {
    group = mail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
  }
}
ssl = required
ssl_cert =
#ldap-passdb
hosts = localhost
uris = ldap://localhost:389/
ldap_version = 3
base = ou=People,dc=my,dc=domain
dn = cn=Manager,dc=my,dc=domain
dnpass = my.pass
auth_bind = no
pass_attrs = uid=%n,userPassword=password
uid=%n makes no sense. Please use just:
pass_attrs = userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%n))
#ldap-userdb
hosts = localhost
uris = ldap://localhost:389/
ldap_version = 3
base = ou=People,dc=my,dc=domain
dn = cn=Manager,dc=my,dc=domain
dnpass = my.pass
auth_bind = no
user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
user_filter = (&(objectClass=person)(uid=%n))
default_pass_scheme = SSHA
It cannot be postfix if it relays and Dovecot gets these relays. Can it be?
I have tried your config with above mentioned version, with LDAP as only passdb and userdb and these LDAP-settings:
hosts = localhost
auth_bind = yes
base = <baseDN>
deref = searching
user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
user_filter = (&(objectClass=fhMailAlias)(uid=%n))
pass_attrs = userPassword=password
pass_filter = (&(objectClass=fhMailAlias)(uid=%Ln)(!(deniedService=%Ls)))
iterate_filter = (objectClass=fhMailAlias)
Note the pass_attrs. Then I submitted a new message with:
socat stdin UNIX:/var/run/dovecot2.2/lmtp
LHLO loc
mail from:me@example.com
rcpt to:other@example.com
data
Subject: 1

1
.
successfully. Maildir was created and message spooled to /var/spool/mail/example.com/other/Maildir. Then I logged in via IMAP successfully as well.
I also tried the other order: reload Dovecot to flush any caches, log in via IMAP and submit via LMTP.
You should however note the following:
Both filters treat users "me@example.com" and "me@localhost.localdomain" as the same user, because they match the same LDAP item (uid=%n), however the directories of the users _should_ differ, but they won't as long as the user's information is cached in the auth cache.
That means:
doveadm auth cache flush
doveadm user me@example.net
doveadm user me@example.com
returns the data for me@example.net in both cases and
doveadm auth cache flush
doveadm user me@example.com
doveadm user me@example.net
returns the data for me@example.com in both cases.

It's weird, I know. I do:
# doveadm auth test -x service=smtp -x rip=172.25.12.214 me@my.domain
Password:
passdb: me@my.domain auth succeeded
extra fields:
  user=me@my.domain
and in the logs:
auth-worker(32531): Debug: pam(me@my.domain,172.25.12.214): lookup service=dovecot
auth-worker(32531): Debug: pam(me@my.domain,172.25.12.214): #1/1 style=1 msg=Password:
pam_unix(dovecot:auth): check pass; user unknown
pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=me@my.domain rhost=172.25.12.214
auth-worker(32531): pam(me@my.domain,172.25.12.214): unknown user
auth: Debug: ldap(me@my.domain,172.25.12.214): pass search: base=ou=spotdepression.org,ou=mail,dc=virtual,dc=hosting scope=subtree filter=(&(objectclass=person)(|(uid=info)(mail=me@my.domain))) fields=uid,userPassword
auth: Debug: ldap(me@my.domain,172.25.12.214): result: uid=info userPassword=<hidden>; uid,userPassword unused
auth: Debug: ldap(me@my.domain,172.25.12.214): result: uid=info userPassword=<hidden>
auth: Debug: client passdb out: OK 1 user=me@my.domain
So it seems fine, right? Only when I do a simple test on that dovecot locally:
echo repli_test | mail -s "repl test" my@my.domain
to get:
auth-worker(365): Debug: passwd(me@my.domain): lookup
auth-worker(365): passwd(me@my.domain): unknown user
auth: Debug: password(me@my.domain): passdb doesn't support credential lookups
auth: Debug: ldap(me@my.domain): pass search: base=ou=spotdepression.org,ou=mail,dc=virtual,dc=hosting scope=subtree filter=(&(objectclass=person)(|(uid=info)(mail=me@my.domain))) fields=uid,userPassword
auth: Debug: ldap(me@my.domain): result: uid=info userPassword=<hidden>; uid,userPassword unused
auth: Debug: ldap(me@my.domain): result: uid=info userPassword=<hidden>
auth: Fatal: master: service(auth): child 364 killed with signal 11 (core dumped)
the same error with: doveadm user me@my.domain
So it must be userdb, right?
No, you've authenticated before and some data is now in the auth cache, which is used by the userdb, too.
You do not have any system users, right? Then remove the passwd userdb and pam passdb.
Did you remove the "uid=user=%n" from pass_attrs?
This is freaking weird, and wrong! If I do not configure pam nor passwd and no userdb+static, then! ...ldap works.
I do use, well I'm trying, pam for system users which are not in passwd. PAM gets those system users from LDAP, uid > 1000. I wonder if it's possible to have pam auth+lookup for users constructed this way: systemuser@local.domain ?
There might be fixes since 2.2.10:
changeset:   18538:d3332ee1d26a
user:        Timo Sirainen <tss@iki.fi>
date:        Thu May 07 17:18:44 2015 +0300
files:       src/auth/auth-worker-client.c
description:
auth: Added assert to make sure previous change is correct.

changeset:   18537:8a3da4ef590f
user:        Timo Sirainen <tss@iki.fi>
date:        Thu May 07 11:27:55 2015 +0300
files:       src/auth/auth-worker-client.c
description:
auth: Fixed credentials lookups via auth-workers when no actual password was returned. For example LDAP lookup with auth_bind=yes should still return any extra fields.

changeset:   18536:5dc00179dd60
user:        Timo Sirainen <tss@iki.fi>
date:        Thu May 07 11:21:33 2015 +0300
files:       src/auth/passdb-ldap.c
description:
ldap auth: If password is already verified (e.g. master user login), skip LDAP auth binding. This happens only if auth_bind_userdn isn't set, i.e. it only makes sense if the LDAP DN lookup also returns some extra fields.

changeset:   18402:635f9c7d5991
user:        Timo Sirainen <tss@iki.fi>
date:        Mon Apr 13 20:38:10 2015 +0300
files:       src/auth/auth-request.c
description:
auth: If passdb/userdb changes the username, add the changed username also to the cache.

changeset:   18401:08b2f79e8212
user:        Timo Sirainen <tss@iki.fi>
date:        Mon Apr 13 20:37:48 2015 +0300
files:       src/auth/auth-request.c
description:
auth: Setting userdb fields from cache didn't set handle any special fields. The special fields were relatively rarely used though.

changeset:   18364:3546457ae3fb
user:        Timo Sirainen <tss@iki.fi>
date:        Tue Mar 17 17:30:33 2015 +0200
files:       src/auth/db-ldap.c
description:
auth ldap: Crashfixes for earlier changes. Hopefully works correctly now

changeset:   18363:a4acf88b0c91
user:        Timo Sirainen <tss@iki.fi>
date:        Tue Mar 17 10:49:20 2015 +0200
files:       src/auth/db-ldap.c
description:
auth ldap: Fixed crash when handling invalid SSL option.

changeset:   18362:870cb73e5960
user:        Timo Sirainen <tss@iki.fi>
date:        Tue Mar 17 09:58:03 2015 +0200
files:       src/auth/db-ldap.c src/auth/db-ldap.h
description:
auth ldap: Fixed assert-crash when both passdb ldap and userdb ldap was used

changeset:   18361:0a17875f0ece
user:        Timo Sirainen <tss@iki.fi>
date:        Mon Mar 16 23:25:34 2015 +0200
files:       src/auth/db-ldap.c src/auth/db-ldap.h src/auth/passdb-ldap.c src/auth/userdb-ldap.c
description:
auth ldap: Start LDAP connection only after auth process initialization is finished. This way even if connecting to LDAP takes a while it won't cause the master process to kill the auth process due to it not sending the startup "I'm ok" notification early enough.

changeset:   18360:d9a0d4f4f4b6
user:        Timo Sirainen <tss@iki.fi>
date:        Mon Mar 16 23:21:05 2015 +0200
files:       src/auth/db-ldap.c
description:
auth ldap: Make sure config file path is included in all fatal error messages.

changeset:   18359:ec2e7ae958c5
user:        Timo Sirainen <tss@iki.fi>
date:        Mon Mar 16 23:17:39 2015 +0200
files:       src/auth/db-ldap.c
description:
auth ldap: If any tls_* settings are given when they're not supported, fail with fatal instead of just warning. These may be important for intended security, especially tls_cipher_suite. We shouldn't allow setting them and then somewhat silently just ignore them.
....
-- 
Steffen Kaiser
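The auth debug output quoted throughout this thread shows three recurring symptoms: the passwd/pam lookups answering "unknown user" before LDAP is consulted, LDAP results ending in "uid,userPassword unused" (attributes returned but not mapped by pass_attrs/user_attrs), and the auth process dying with signal 11. The following is an added example script, not code from the thread or from Dovecot, that parses lines in the quoted format and reports those symptoms; the SAMPLE_LOG is constructed from the quoted output, and the regular expressions assume the `auth-worker(N): driver(user): message` layout seen there.

```python
import re
from collections import defaultdict

# Dovecot auth debug lines, e.g. "auth-worker(365): passwd(me@my.domain): unknown user"
EVENT_RE = re.compile(
    r"^(?:auth-worker\(\d+\)|auth): (?:Debug: )?"
    r"(?P<driver>passwd|pam|ldap|password|static)\((?P<user>[^,)]+)[^)]*\): (?P<msg>.*)$"
)
FATAL_RE = re.compile(r"^auth: Fatal: .*killed with signal (?P<sig>\d+)")

def summarize_auth_log(lines):
    """Group auth events per user and flag the three symptoms seen in the thread:
    system passdb/userdb tried first, LDAP attributes left unused, auth crash."""
    users, warnings = defaultdict(list), []
    for line in lines:
        fatal = FATAL_RE.match(line.strip())
        if fatal:
            warnings.append(f"auth process crashed with signal {fatal['sig']}")
            continue
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        driver, user, msg = m["driver"], m["user"], m["msg"]
        users[user].append((driver, msg))
        # passwd/pam answered "unknown user": a system-account db is still configured
        if driver in ("passwd", "pam") and msg.endswith("unknown user"):
            warnings.append(f"{user}: {driver} lookup failed before ldap; drop the "
                            "system passdb/userdb if every user lives in LDAP")
        # "...; a,b unused": attributes came back from LDAP but were not mapped
        # into Dovecot fields, so check the pass_attrs/user_attrs templates
        if driver == "ldap" and msg.endswith(" unused"):
            unused = msg.rsplit(";", 1)[-1][: -len(" unused")].strip()
            warnings.append(f"{user}: LDAP attributes returned but unused: {unused}")
    return {"users": dict(users), "warnings": warnings}

# Constructed sample, modelled on the debug output quoted in the thread.
SAMPLE_LOG = """\
auth-worker(365): Debug: passwd(me@my.domain): lookup
auth-worker(365): passwd(me@my.domain): unknown user
auth: Debug: password(me@my.domain): passdb doesn't support credential lookups
auth: Debug: ldap(me@my.domain): pass search: base=ou=People,dc=my,dc=domain scope=subtree filter=(&(objectClass=posixAccount)(uid=me)) fields=uid,userPassword
auth: Debug: ldap(me@my.domain): result: uid=info userPassword=<hidden>; uid,userPassword unused
auth: Fatal: master: service(auth): child 364 killed with signal 11 (core dumped)
""".splitlines()

if __name__ == "__main__":
    for warning in summarize_auth_log(SAMPLE_LOG)["warnings"]:
        print(warning)
```

Feed it `doveadm log` or `journalctl` output for the auth service with auth_debug = yes to see the same three findings on a live setup.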