The problem was auth_bind=yes in dovecot-ldap.conf; I had not read thoroughly the http://wiki.dovecot.org/Authentication/MasterUsers?action=show&redirect=MasterPassword
You should also add the pass=yes setting to the master passdb if possible. It means that Dovecot verifies that the login user really exists before allowing the master user to log in. Without the setting, if a non-existent login username is given, depending on the configuration it could either return an internal login error (the userdb lookup failed) or create a whole new user (with e.g. a static userdb). pass=yes doesn't work with PAM or with LDAP using auth_bind=yes, because both of them require knowing the user's password.
Tom Mihalicek wrote:
Greetings to all
I need a master user/proxy account for some applications that are to be implemented, and I am having some problems. Normal users are proxied through LDAP queries to the remote machine and this is working as it is supposed to, but I can't make the master user work. Below are both dovecot.conf and dovecot-ldap.conf and the verbose logs on the proxy machine.
If I log in directly on the remote machine that should be proxied, everything works normally ...
### dovecot.conf
protocols = pop3 imap managesieve
mail_uid = 10021 mail_gid = 10021 mail_privileged_group = vmail mail_access_groups = vmail
log_path = info_log_path = log_timestamp = "%b %d %H:%M:%S " login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c login_log_format = %$: %s mail_log_prefix = "%Us(%u): "
# disable_plaintext_auth = no together with ssl = no (set below) means login
# credentials cross the network unencrypted unless TLS is terminated elsewhere.
disable_plaintext_auth = no login_process_per_connection=yes auth_default_realm = example.com login_processes_count = 8 login_max_processes_count = 128 login_max_connections = 256 verbose_proctitle = yes max_mail_processes = 512
# auth_debug_passwords = yes writes the submitted password into the auth log in
# plaintext (the "given password:" and "pass=" fields in the log excerpt below
# come from this setting); turn it off again once debugging is finished.
mail_debug = yes auth_verbose = yes auth_debug = yes auth_debug_passwords = yes
# "*" separates the login user from the master user in the supplied username.
auth_master_user_separator = * login_chroot = yes
ssl = no protocol imap { imap_client_workarounds = delay-newmail outlook-idle netscape-eoh tb-extra-mailbox-sep listen = xx.xx.xx.xx:143 imap_max_line_length = 65536 imap_logout_format = bytes=%i/%o mail_max_userip_connections = 10 }
protocol pop3 { pop3_uidl_format = %08Xu%08Xv pop3_client_workarounds = outlook-no-nuls oe-ns-eoh pop3_enable_last = yes pop3_uidl_format = %08Xu%08Xv listen = xx.xx.xx.xx:110 mail_max_userip_connections = 10 }
protocol managesieve { listen = xx.xx.xx.xx:2000 login_executable = /usr/local/dovecot/libexec/dovecot/managesieve-login mail_executable = /usr/local/dovecot/libexec/dovecot/managesieve managesieve_max_line_length = 65536 managesieve_implementation_string = dovecot managesieve_logout_format = bytes ( in=%i : out=%o ) }
auth default { mechanisms = plain login user = vmail
# Master users come from passwd.masterusers. pass = yes makes Dovecot also verify
# the login user through the regular passdb; that verification cannot succeed
# here because the LDAP passdb below uses auth_bind = yes, and an LDAP bind needs
# the login user's own password (the log shows the bind attempted with the master
# password and rejected as "invalid credentials").
passdb passwd-file { args = /etc/dovecot/passwd.masterusers master = yes pass = yes }
passdb ldap { args = /etc/dovecot/dovecot-ldap.conf }
userdb ldap { args = /etc/dovecot/dovecot-ldap.conf }
# auth-master is owned by vmail with mode 0600; the client socket is shared with
# postfix (0660, group postfix) for SMTP authentication.
socket listen { master { path = /var/run/dovecot/auth-master mode = 0600 user = vmail group = vmail } client { path = /var/spool/postfix/dovecot-auth mode = 0660 user = postfix group = postfix } } }
### dovecot-ldap.conf
# auth_bind = yes authenticates by binding to LDAP as the login user, so it
# requires that user's own password. A master passdb with pass = yes therefore
# cannot validate the login user against this passdb (it only has the master
# password to offer), which is the cause of the failure in the log below.
# dnpass is a plaintext bind credential: this file should be readable only by
# the user the auth process runs as.
hosts = ldap.example.com ldap_version = 3 auth_bind = yes dn = cn=vmail,dc=example,dc=com dnpass = secret_pass base = ou=Users,domainName=%d,o=domains,dc=example,dc=com scope = subtree deref = never user_filter = (&(mail=%u)(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls)) user_attrs = storageBaseDirectory=home,mailHost=host,=proxy=yes,=nologin=yes,=nodelay=yes pass_filter = (&(mail=%u)(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls)) pass_attrs = userPassword=password,mailHost=host,=proxy=yes,=nologin=yes,=nodelay=yes default_pass_scheme = CRYPT
### /var/log/mail/dovecot.info
Nov 30 14:26:59 dougie dovecot: auth(default): new auth connection: pid=5873 Nov 30 14:27:28 dougie dovecot: auth(default): client in: AUTH 1 PLAIN service=pop3 lip=xx.xx.xx.xx rip=192.168.22.222 lport=110 rport=36639 resp=AHRtaWhhbGljZWtAeG5ldC5sYW4qbWlncmF0aW9uQHhuZXQuaHIAbTFncjR0MTBu Nov 30 14:27:28 dougie dovecot: auth(default): passwd-file(migration@example.com,192.168.22.222,master): lookup: user=master_user@example.com file=/etc/dovecot/passwd.masterusers Nov 30 14:27:28 dougie dovecot: auth(default): passdb(master_user@example.com,192.168.22.222,master): Master user logging in as some_user@example.com Nov 30 14:27:28 dougie dovecot: auth(default): ldap(some_user@example.com,192.168.22.222): bind search: base=ou=Users,domainName=example.com,o=domains,dc=example,dc=com filter=(&(mail=some_user@example.com)(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=pop3)) Nov 30 14:27:28 dougie dovecot: auth(default): ldap(some_user@example.com,192.168.22.222): result: mailHost(host)=xx.xx.xx.xx Nov 30 14:27:28 dougie dovecot: auth(default): ldap(some_user@example.com,192.168.22.222): invalid credentials (given password: master_password) Nov 30 14:27:28 dougie dovecot: auth(default): client out: FAIL 1 user=some_user@example.com authz nodelay host=xx.xx.xx.xx proxynologin pass=master_password master=master_user@example.com Nov 30 14:27:28 dougie dovecot: pop3-login: Ignoring unknown passdb extra field: authz