Hi,
I first posted this problem a day or two ago and have not seen any responses yet.
To clarify my problem, I am authenticating virtual users against Active Directory on Win2k3, where their login id is their email address. I am using an almost identical setup to Suranga's below, however my initial bind user doesn't have access to the userPassword attribute, so I am using:
auth_bind = yes
This is working fine when users enter their correct email address and password, or if the email address is not found. However, if a valid email address is given but the password is incorrect, it seems to kill something in the ldap_auth code, as all further connections get a temporary authentication error at the client, and the following in /var/log/maillog:
Aug 18 13:04:31 gm-ho-lin-06 dovecot: auth(default): client in: AUTH 1 PLAIN service=IMAP secured lip=::ffff:127.0.0.1 rip=::ffff:127.0.0.1 resp=ADA5OTlAc3RvcmVzLmdhbWUuY28udWsAOTk5MA==
Aug 18 13:04:31 gm-ho-lin-06 dovecot: auth(default): ldap(0999@stores.game.co.uk,::ffff:127.0.0.1): bind search: base=OU=Stores,OU=UK,DC=group,DC=game,DC=net filter=(&(objectClass=user)(mail=0999@stores.game.co.uk))
Aug 18 13:04:31 gm-ho-lin-06 dovecot: auth(default): ldap(0999@stores.game.co.uk,::ffff:127.0.0.1): ldap_search() failed: Operations error
Aug 18 13:04:31 gm-ho-lin-06 dovecot: auth(default): client out: FAIL 1 user=0999@stores.game.co.uk temp
Aug 18 13:04:31 gm-ho-lin-06 dovecot: imap-login: Aborted login: user=0999@stores.game.co.uk, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured
Is the auth_ldap code not resetting the ldap connection bind details to the dn/dnpass values for each login?
Your help would be greatly appreciated, as I hope to make this a production server within the next week.
Regards,
Rob Coward
Unix Developer
GAME STORES GROUP LTD
Tel: 01256 784476
Email: Rob.Coward@game.net
-----Original Message-----
From: dovecot-bounces@dovecot.org [mailto:dovecot-bounces@dovecot.org] On Behalf Of suranga de silva
Sent: 18 August 2006 19:14
To: dovecot@dovecot.org
Subject: Re: [Dovecot] dovecot Digest, Vol 40, Issue 65
Dear Tim Schafer,
Take a look at my sample dovecot-ldap.conf
hosts = localhost
dn = cn=root,dc=ceylonlinux,dc=com
dnpass = secret
ldap_version = 3
base = dc=ceylonlinux,dc=com
deref = never
scope = subtree
user_attrs = mail,homeDirectory=mailMessageStore,uidNumber=1003,gidNumber=1003
user_filter = (&(objectClass=user)(mail=%u))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=user)(mail=%u))
default_pass_scheme = CRYPT
user_global_uid = 1003
user_global_gid = 1003
Here I am using my own schema called "user", but in your case change it to inetOrgPerson or the schema name you are using.
I think the most common problem in this process is the ldap filter. Above in my configuration, user_filter and pass_filter are used as ldap filters for querying user name and password. There I am using the mail attribute.
The gid and uid belong to the user vmail.
Maybe this explanation will help you figure out your problem.
You can refer to my article at the following link for further reference:
http://www.ceylonlinux.com/pdf/openldap_backsql_postfir_maildir_cl.pdf
Cheers!!!
Suranga De Silva.
CTO
CEYLON LINUX
This e-mail and any files transmitted with it are confidential and intended solely
for the use of the individual or entity to whom they are addressed. If you have
received this e-mail in error please notify the system manager at:
mailto:postmaster@game.net
The recipient acknowledges that the transmissions made via the Internet
can be corrupted and therefore THE GAME GROUP PLC and any of its subsidiaries
do not give any warranty as to the quality or accuracy of any information
contained in the message or assume any liability for it or for its transmission,
reception or storage.
This footnote also confirms that this e-mail message has been swept by
anti-virus software for the presence of computer viruses.