On 2005-02-03 23:59, Alan Tam wrote:
Hi dovecot,
I am using the debian dovecot packages on a system running LDAP.
My /etc/pam.d/common-* looks like this, which simply means try /etc/passwd first, and try LDAP using the same password if it is failed.
account [success=1 default=ignore] pam_unix.so account required pam_ldap.so use_first_pass account required pam_permit.so auth [success=1 default=ignore] pam_unix.so auth required pam_ldap.so use_first_pass auth required pam_permit.so session [success=1 default=ignore] pam_unix.so session required pam_ldap.so use_first_pass session required pam_mkhomedir.so skel=/etc/skel umask=0002 session required pam_permit.so
When many LDAP users login, /var/log/auth.log shows many (expected) error like: (note "pam_unix") Feb 3 18:16:15 eta dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1 Feb 3 18:16:19 eta dovecot-auth: (pam_unix) check pass; user unknown
After recent upgrades from probably 0.99.10 to 0.99.13, these lines begin to appear in /var/log/mail.log:
Feb 3 16:31:00 eta dovecot-auth: Login process has too old (123s) requests, killing it. Feb 3 16:31:00 eta dovecot-auth: Login process has too old (124s) requests, killing it.
And some more like this, which shows the problem: Feb 3 16:45:23 eta dovecot-auth: I/O leak: 0x8054940 (13) Feb 3 16:45:23 eta dovecot-auth: I/O leak: 0x8054940 (14) Feb 3 16:45:23 eta dovecot-auth: I/O leak: 0x8054940 (15)
The problem can be solved by changing /etc/pam.d/dovecot to: auth required pam_ldap.so account required pam_ldap.so session required pam_mkhomedir.so skel=/etc/skel umask=0002 session required pam_ldap.so This change means PAM not fail auth for /etc/passwd again.
I think dovecot has some problem dealing with the pam_unix + pam_ldap configuration. Do you have any idea?
I am Cc-ing this message to the corresponding bug in Debian BTS.
Solved by configuring dovecot to directly authenticate from LDAP. I still think it is your bug though.
It is not a good solution anyway, since your LDAP authenticator doesn't support auth-bind. So I've to convert all userPassword into {CRYPT} format for it to work.
-- Regards, Alan
Answer: Because we read from top to bottom, from left to right. Question: Why should we put replies after the original text?