Hi,

I first posted this problem a day or two ago and have not seen any responses yet.

To clarify my problem, I am authenticating virtual users against Active Directory on Win2k3, where their login id is their email address. I am using an almost identical setup to Suranga's below, however my initial bind user doesn’t have access to the userPassword attribute, so I am using:

auth_bind = yes

This is working fine when users enter their correct email address & password, or if the email address is not found, however if a valid email address is given but the password is incorrect, it seems to kill something in the ldap_auth code as all further connections get a temporary authentication error at the client, and the following in /var/log/maillog:

Aug 18 13:04:31 gm-ho-lin-06 dovecot: auth(default): client in: AUTH    1   PLAIN   service=IMAP secured lip=::ffff:127.0.0.1    rip=::ffff:127.0.0.1    resp=ADA5OTlAc3RvcmVzLmdhbWUuY28udWsAOTk5MA==
Aug 18 13:04:31 gm-ho-lin-06 dovecot: auth(default): ldap(0999@stores.game.co.uk,::ffff:127.0.0.1): bind search: base=OU=Stores,OU=UK,DC=group,DC=game,DC=net filter=(&(objectClass=user)(mail=0999@stores.game.co.uk))
Aug 18 13:04:31 gm-ho-lin-06 dovecot: auth(default): ldap(0999@stores.game.co.uk,::ffff:127.0.0.1): ldap_search() failed: Operations error
Aug 18 13:04:31 gm-ho-lin-06 dovecot: auth(default): client out: FAIL   1       user=0999@stores.game.co.uk     temp
Aug 18 13:04:31 gm-ho-lin-06 dovecot: imap-login: Aborted login: user=<0999@stores.game.co.uk>, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured

Is the auth_ldap code not resetting the ldap connection bind details to the dn/dnpass values for each login?

Your help would be greatly appreciated as I hope to make this a production server within the next week.

Regards,

Rob Coward
Unix Developer
GAME STORES GROUP LTD
Tel: 01256 784476
Email: Rob.Coward@game.net
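An added example, not Dovecot's code and not from either message in this thread, that models the connection behaviour the question above is about: one reused LDAP connection, a directory (AD-like) that leaves a failed bind anonymous and refuses anonymous searches with an operations error, and the difference between never resetting the bind and re-binding as dn/dnpass before each search. The service DN, user DN, addresses and passwords are made up.

```python
class OperationsError(Exception):
    """Mirrors the 'ldap_search() failed: Operations error' seen in maillog."""


class ModelDirectory:
    """Constructed stand-in for an AD-like server; not a real LDAP client."""

    def __init__(self, accounts):
        self.accounts = accounts   # dn -> (mail, password); constructed data
        self.bound_as = None       # identity the connection is currently bound as

    def bind(self, dn, password):
        if dn in self.accounts and self.accounts[dn][1] == password:
            self.bound_as = dn
            return True
        self.bound_as = None       # a failed bind leaves the connection anonymous
        return False

    def search(self, mail):
        if self.bound_as is None:  # AD refuses anonymous searches by default
            raise OperationsError("anonymous search refused")
        return next((dn for dn, (m, _) in self.accounts.items() if m == mail), None)


# Assumed names and values, not taken from the original post.
SERVICE_DN, SERVICE_PW = "cn=dovecot,dc=example,dc=net", "dnpass-value"
ACCOUNTS = {
    SERVICE_DN: (None, SERVICE_PW),
    "cn=rob,ou=Stores,dc=example,dc=net": ("rob@example.net", "correct-pw"),
}


def run_logins(logins, rebind_each_time):
    """Return 'ok', 'fail' or 'temp' for each (mail, password) attempt."""
    conn = ModelDirectory(ACCOUNTS)
    conn.bind(SERVICE_DN, SERVICE_PW)             # initial bind with dn/dnpass
    results = []
    for mail, password in logins:
        if rebind_each_time and conn.bound_as != SERVICE_DN:
            conn.bind(SERVICE_DN, SERVICE_PW)     # reset to dn/dnpass before searching
        try:
            user_dn = conn.search(mail)           # the pass_filter lookup
        except OperationsError:
            results.append("temp")                # what every later client sees
            continue
        if user_dn is None:
            results.append("fail")                # unknown address
            continue
        results.append("ok" if conn.bind(user_dn, password) else "fail")
    return results
```

With rebind_each_time=False, the first wrong password poisons the connection and every later login returns "temp", which is the sequence the log above shows; with the rebind, each attempt is judged on its own.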

-----Original Message-----
From: dovecot-bounces@dovecot.org [mailto:dovecot-bounces@dovecot.org] On Behalf Of suranga de silva
Sent: 18 August 2006 19:14
To: dovecot@dovecot.org
Subject: Re: [Dovecot] dovecot Digest, Vol 40, Issue 65

Dear Tim Schafer,

Take a look at my sample dovecot-ldap.conf

hosts = localhost
dn = cn=root,dc=ceylonlinux,dc=com
dnpass = secret
ldap_version = 3
base = dc=ceylonlinux,dc=com
deref = never
scope = subtree
user_attrs = mail,homeDirectory=mailMessageStore,uidNumber=1003,gidNumber=1003
user_filter = (&(objectClass=user)(mail=%u))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=user)(mail=%u))
default_pass_scheme = CRYPT
user_global_uid = 1003
user_global_gid = 1003

Here I am using my own schema called "user", but in your case change it to inetOrgPerson or the schema name you are using.

I think the most common problem in this process is the ldap filter. Above in my configuration user_filter and pass_filter are used as ldap filters for querying user name and password. There I am using the mail attribute.

gid and uid belong to the user vmail.

Maybe this explanation will help you to figure out your problem.

You can refer to my article at the following link for further reference:

http://www.ceylonlinux.com/pdf/openldap_backsql_postfix_maildir_cl.pdf

Cheers!!!

Suranga De Silva.
CTO
CEYLON LINUX
