Hello, i'm test system dovecot (proxy with director) and backend storage, auth LDAP server (user plain passwords)
If i use plain auth, work fine.
If connect DIGEST-MD5 or CRAM-MD5 proxy not redirect connection (Requested DIGEST-MD5 scheme, but we have a NULL password)
### Frontend proxy+director
# dovecot -n # 2.2.19: /usr/local/etc/dovecot/dovecot.conf # OS: FreeBSD 10.2-RELEASE amd64 auth_debug = yes auth_debug_passwords = yes auth_mechanisms = plain login digest-md5 cram-md5 auth_username_format = %Ln auth_verbose = yes base_dir = /var/run/dovecot-proxy/ director_doveadm_port = 12347 director_mail_servers = 192.168.1.3 director_servers = 192.168.1.2 disable_plaintext_auth = no doveadm_port = 12347 first_valid_gid = 0 first_valid_uid = 1000 instance_name = proxy last_valid_gid = 6000 last_valid_uid = 6000 listen = 192.168.1.2 lmtp_proxy = yes mail_location = mbox:~/:INBOX=/var/mail/%u passdb { args = /usr/local/etc/dovecot/dovecot-ldap.conf driver = ldap } passdb { args = scheme=SSHA /etc/dovecot/passwd.masterusers driver = passwd-file master = yes pass = yes } passdb { driver = pam } protocols = imap lmtp service director { fifo_listener login/proxy-notify { mode = 0600 } inet_listener { port = 9090 } unix_listener director-userdb { mode = 0600 } unix_listener login/director { mode = 0666 } } service doveadm { inet_listener { port = 12347 } } service imap-login { executable = imap-login director } service ipc { unix_listener ipc { user = dovecot } } service lmtp { client_limit = 5 executable = lmtp idle_kill = 0 inet_listener lmtp { address = 192.168.1.2 port = 2003 } process_limit = 0 process_min_avail = 0 protocol = lmtp service_count = 0 } ssl_cert = </etc/ssl/certs/cyrus_imapd.pem ssl_key = </etc/ssl/certs/cyrus_imapd.pem userdb { args = /usr/local/etc/dovecot/dovecot-ldap.conf driver = ldap } userdb { driver = passwd } userdb { driver = passwd } verbose_proctitle = yes protocol lmtp { auth_socket_path = director-userdb } protocol doveadm { auth_socket_path = director-userdb } local 192.168.1.2/24 { doveadm_password = # hidden, use -P to show it }
# cat /usr/local/etc/dovecot/dovecot-ldap.conf uris = ldaps://192.168.1.2:636 # allow self-sign sert (not skip connect if sert not valid) tls_ca_cert_dir = /home/user/openldap/ tls_ca_cert_file = /home/user/openldap/ca-slapd-serv.crt tls_require_cert = allow dn = cn=dovecot,ou=accounts,dc=host,dc=ru dnpass = CycsonfeavaidOr ldap_version = 3 #auth_bind = no base = ou=accounts,dc=host,dc=ru deref = never scope = subtree user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid,mailDirectory=mail,description=proxy,ipHostNumber=host,=nopassword=y,=starttls=any-cert user_filter = (&(objectClass=posixAccount)(uid=%u)) pass_attrs = uid=user,=password=,description=proxy,ipHostNumber=host,=nopassword=y,=starttls=any-cert pass_filter = (&(objectClass=posixAccount)(uid=%u)) # need for work chap-MD5 default_pass_scheme = CLEARTEXT
#### Backend
# dovecot -n # 2.2.19: /usr/local/etc/dovecot/dovecot.conf # OS: FreeBSD 9.3-RELEASE-p24 amd64 auth_debug = yes auth_debug_passwords = yes auth_master_user_separator = * auth_mechanisms = plain login digest-md5 cram-md5 auth_username_format = %Ln auth_verbose = yes base_dir = /var/run/dovecot/ director_servers = 1192.168.1.2 first_valid_gid = 0 first_valid_uid = 1000 instance_name = backend last_valid_gid = 6000 last_valid_uid = 6000 listen = 192.168.1.3 mail_location = mbox:~/:INBOX=/var/mail/%u passdb { args = /usr/local/etc/dovecot/dovecot-ldap.conf driver = ldap } passdb { args = scheme=SSHA /etc/dovecot/passwd.masterusers driver = passwd-file master = yes pass = yes } passdb { driver = pam } protocols = imap lmtp service doveadm { inet_listener { port = 12347 } } service lmtp { client_limit = 1 executable = lmtp -L idle_kill = 0 inet_listener lmtp { address = 192.168.1.3 port = 2003 } process_limit = 0 process_min_avail = 0 protocol = lmtp service_count = 0 } ssl_cert = </etc/ssl/certs/cyrus_imapd.pem ssl_key = </etc/ssl/certs/cyrus_imapd.pem userdb { args = /usr/local/etc/dovecot/dovecot-ldap.conf driver = ldap } userdb { driver = passwd } userdb { driver = passwd } valid_chroot_dirs = /var/dovecot verbose_proctitle = yes local 192.168.1.2/24 { doveadm_password = # hidden, use -P to show it }
# cat /usr/local/etc/dovecot/dovecot-ldap.conf uris = ldaps://192.168.1.2:636 # allow self-sign sert (not skip connect if sert not valid) tls_ca_cert_dir = /home/user/openldap/ tls_ca_cert_file = /home/user/openldap/ca-slapd-serv.crt tls_require_cert = allow ldaprc_path = /usr/local/etc/openldap/ldap.conf dn = cn=dovecot,ou=accounts,dc=host,dc=ru dnpass = CycsonfeavaidOr ldap_version = 3 base = ou=accounts,dc=host,dc=ru deref = never scope = subtree user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid,mailDirectory=mail user_filter = (&(objectClass=posixAccount)(uid=%u)) pass_attrs = uid=user,clearPassword=password pass_filter = (&(objectClass=posixAccount)(uid=%u)) default_pass_scheme = CLEARTEXT
###
Oct 27 18:15:40 imtest -v -u usertest -a usertest 192.168.1.2 (success) Oct 27 18:16:30 imtest -m DIGEST-MD5 -v -u usertest -a usertest 192.168.1.2 (fail)
### Logs
Oct 27 18:15:26 fbsd10 dovecot: master: Warning: Killed with signal 15 (by pid=67306 uid=0 code=kill) Oct 27 18:15:27 fbsd10 dovecot: master: Dovecot v2.2.19 starting up for imap, lmtp Oct 27 18:15:40 fbsd10 dovecot: imap-login: proxy(usertest): started proxying to 192.168.1.3:143: user=<usertest>, method=PLAIN, rip=192.168.1.3, lip=192.168.1.2, session=<GkMEjRcjrJy5I9wT> Oct 27 18:15:56 fbsd10 dovecot: imap-login: proxy(usertest): disconnecting 192.168.1.3 (Disconnected by server): user=<usertest>, method=PLAIN, rip=192.168.1.3, lip=192.168.1.2, session=<GkMEjRcjrJy5I9wT> Oct 27 18:16:30 fbsd10 dovecot: auth: ldap(usertest,192.168.1.3,<q+lLjxcjfvG5I9wT>): Requested DIGEST-MD5 scheme, but we have a NULL password Oct 27 18:16:36 fbsd10 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 18 secs): user=<usertest>, method=DIGEST-MD5, rip=192.168.1.3, lip=192.168.1.2, session=<q+lLjxcjfvG5I9wT>
Oct 27 18:15:40 fbsd9 dovecot: imap-login: Login: user=<usertest>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.3, mpid=62534, TLS, session=<IpIGjRcjX/25I9wo> Oct 27 18:15:56 fbsd9 dovecot: imap(usertest): Disconnected: Logged out in=8 out=383