We are using now dovecot 2.0.21 with open-ldap, but this situations has already taken a quite long time. When user changes the password, we have to reload dovecot every time, otherwise the change is ignored and dovecot sees only the old password. Any ideas where the problem might exist?
Conf:
# 2.0.21: /etc/dovecot/dovecot.conf # OS: Linux 2.6.18-308.24.1.el5 i686 CentOS release 5.9 (Final) auth_cache_size = 100 M auth_mechanisms = plain login auth_verbose = yes default_process_limit = 5000 disable_plaintext_auth = no info_log_path = /var/log/dovecot.log mail_location = maildir:~/Maildir:INDEX=/var/spool/indexes/%u managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave mbox_write_locks = fcntl passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { quota = maildir:User Quota sieve = ~/.dovecot.sieve sieve_dir = ~/sieve } postmaster_address = postmaster@artio.net service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 } } service imap-login { service_count = 0 } service imap-postlogin { executable = script-login /usr/local/sbin/dovecot-postscript-imap user = root } service imap { executable = imap imap-postlogin } service pop3-postlogin { executable = script-login /usr/local/sbin/dovecot-postscript-pop3 user = root } service pop3 { executable = pop3 pop3-postlogin } ssl_ca =
Dovecot-ldap.conf:
# NOTE: We don't support "authentication binds", so you'll have to give # dovecot-auth read access to userPassword field in LDAP server. With OpenLDAP # this is done by modifying /etc/ldap/slapd.conf. There should already be # something like this:
# access to attribute=userPassword
# by dn="
# Space separated list of LDAP hosts to use. host:port is allowed too. #hosts = hosts = 123.123.123.123 123.123.123.124
# Distinguished Name - the username used to login to the LDAP server #dn =
# Password for LDAP server #dnpass =
# LDAP protocol version to use. Likely 2 or 3. ldap_version = 3
# LDAP base #base = uid=someone, dc=foo, dc=bar, dc=org base = dc=artio,dc=net
# Dereference: never, searching, finding, always deref = never
# Search scope: base, onelevel, subtree scope = subtree
# User attributes in order: # Virtual user name (user@domain) # Home directory # MAIL environment # System user name (for getting user's groups from /etc/group) # - For virtual users you don't want to use this, so this defaults to none. # System UID # System GID #user_attrs = uid,homeDirectory,,,uidNumber,gidNumber # user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid # user_attrs = cn,homeDirectory,,uid,uidNumber,gidNumber #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid,artioMailQuotaSize=quota_rule=*:storage=%$M
# Filter for user lookup. Some variables can be used: # %u - username # %n - user part in user@domain, same as %u if there's no domain # %d - domain part in user@domain, empty if user there's no domain #user_filter = (&(objectClass=posixAccount)(uid=%u)) user_filter = (&(objectClass=posixAccount)(|(uid=%u)(mail=%u)))
# Password checking attributes in order: # Virtual user name (user@domain) # Password, may optionally start with {type}, eg. {crypt} #pass_attrs = uid,userPassword # pass_attrs = cn,userPassword pass_attrs = uid=user, userPassword=password
# Filter for password lookups #pass_filter = (&(objectClass=posixAccount)(uid=%u)) pass_filter = (&(objectClass=posixAccount)(|(uid=%u)(mail=%u)))
# Default password scheme. "{scheme}" before password overrides this. # Currently supported schemes include PLAIN, PLAIN-MD5, DIGEST-MD5, CRYPT #default_pass_scheme = CRYPT default_pass_scheme = CRYPT
# You can use same UID and GID for all user accounts if you really want to. # If the UID/GID is still found from LDAP reply, it overrides these values. #user_global_uid = #user_global_gid =
Pam: /etc/pam.d/dovecot #%PAM-1.0 auth required pam_nologin.so auth include system-auth account include system-auth session include system-auth