On 2005-02-03 23:59, Alan Tam wrote:
Hi dovecot,

I am using the debian dovecot packages on a system running LDAP.

My /etc/pam.d/common-* looks like this, which simply means try /etc/passwd first, and try LDAP using the same password if it is failed. 

account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so use_first_pass
account required pam_permit.so
auth    [success=1 default=ignore] pam_unix.so
auth    required pam_ldap.so use_first_pass
auth    required pam_permit.so
session [success=1 default=ignore] pam_unix.so
session required pam_ldap.so use_first_pass
session required pam_mkhomedir.so skel=/etc/skel umask=0002
session required pam_permit.so

When many LDAP users login, /var/log/auth.log shows many (expected) error like: (note "pam_unix")
Feb  3 18:16:15 eta dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1
Feb  3 18:16:19 eta dovecot-auth: (pam_unix) check pass; user unknown

After recent upgrades from probably 0.99.10 to 0.99.13, these lines begin to appear in /var/log/mail.log:

Feb  3 16:31:00 eta dovecot-auth: Login process has too old (123s) requests, killing it.
Feb  3 16:31:00 eta dovecot-auth: Login process has too old (124s) requests, killing it.

And some more like this, which shows the problem:
Feb  3 16:45:23 eta dovecot-auth: I/O leak: 0x8054940 (13)
Feb  3 16:45:23 eta dovecot-auth: I/O leak: 0x8054940 (14)
Feb  3 16:45:23 eta dovecot-auth: I/O leak: 0x8054940 (15)

The problem can be solved by changing /etc/pam.d/dovecot to:
auth    required pam_ldap.so
account required pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel umask=0002
session required pam_ldap.so
This change means PAM not fail auth for /etc/passwd again.

I think dovecot has some problem dealing with the pam_unix + pam_ldap configuration. Do you have any idea?

I am Cc-ing this message to the corresponding bug in Debian BTS.
  
Solved by configuring dovecot to directly authenticate from LDAP. I still think it is your bug though.

It is not a good solution anyway, since your LDAP authenticator doesn't support auth-bind. So I've to convert all userPassword into {CRYPT} format for it to work.

-- 
Regards,
Alan

Answer: Because we read from top to bottom, from left to right.
Question: Why should we put replies after the original text?