Hi. I am trying to set up a Dovecot IMAP server with users in LDAP, but I get "Internal login failure". Can you help please? It is probably something obvious. Thank you. Wojtek
I am using version 1.0.rc17
# /etc/dovecot/dovecot.conf
base_dir: /var/run/dovecot/
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imaps imap
ssl_cert_file: /etc/apache2/ssl/server.pem
ssl_key_file: /etc/apache2/ssl/server.key
disable_plaintext_auth: no
login_dir: /var/run/dovecot//login
login_executable: /usr/lib/dovecot/imap-login
login_greeting_capability: yes
mail_extra_groups: mail
mail_location: maildir:/home/MAIL/%u
imap_client_workarounds: tb-extra-mailbox-sep
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
# /etc/dovecot/dovecot-ldap.conf
hosts = localhost
dn = uid=root,ou=Users,dc=frontline
dnpass = [user root plain text password here]
auth_bind = yes
auth_bind_userdn = uid=%u,ou=Users,dc=frontline
ldap_version = 3
base = ou=Users,dc=frontline
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = MD5
user_global_uid = dovecot
user_global_gid = dovecot
In the logfile I get this when I try to log in:

# /var/log/mail.info
Mar 15 16:13:25 base dovecot: auth(default): client in: AUTH^I1^IPLAIN^Iservice=IMAP^Ilip=192.168.0.202^Irip=192.168.0.200
Mar 15 16:13:25 base dovecot: auth(default): client out: CONT^I1^I
Mar 15 16:13:25 base dovecot: auth(default): client in: CONT^I1^IAHdvanRlawBiZWR6aWUgZG9icnpl
Mar 15 16:13:25 base dovecot: auth(default): ldap(wojtek,192.168.0.200): bind: dn=uid=wojtek,ou=Users,dc=frontline
Mar 15 16:13:25 base dovecot: auth(default): client out: OK^I1^Iuser=wojtek
Mar 15 16:13:25 base dovecot: auth(default): master in: REQUEST^I1^I24908^I1
Mar 15 16:13:25 base dovecot: auth(default): ldap(wojtek,192.168.0.200): user search: base=ou=Users,dc=frontline scope=subtree filter=(&(objectClass=*)(uid=wojtek)) fields=homeDirectory,uidNumber
Mar 15 16:13:25 base dovecot: auth(default): ldap(wojtek,192.168.0.200): Authenticated user not found
Mar 15 16:13:25 base dovecot: auth(default): userdb(wojtek,192.168.0.200): user not found from userdb
Mar 15 16:13:25 base dovecot: auth(default): master out: NOTFOUND^I1
Mar 15 16:13:25 base dovecot: imap-login: Internal login failure: user=<wojtek>, method=PLAIN, rip=192.168.0.200, lip=192.168.0.202
Charles Marcus wrote:
On 3/15/2008, Wojtek Bogusz (Wojtek@FrontLineDefenders.org) wrote:
I am using version 1.0.rc17
upgrade...very old...
Hi. Thanks. I upgraded to version 1.0.13 and it changes nothing in the problem. Let me quote the /var/log/mail.info and config files below. I would be really grateful for help as I am a bit stuck with this problem. Cheers, Wojtek
# /var/log/mail.info:
Mar 17 18:21:08 base dovecot: auth(default): client in: AUTH^I1^IPLAIN^Iservice=IMAP^Ilip=192.168.0.202^Irip=192.168.0.200
Mar 17 18:21:08 base dovecot: auth(default): client out: CONT^I1^I
Mar 17 18:21:09 base dovecot: auth(default): client in: CONT^I1^IAHdvanRlawBiZWR6aWUgZG9icnpl
Mar 17 18:21:09 base dovecot: auth(default): ldap(wojtek,192.168.0.200): bind: dn=uid=wojtek,ou=Users,dc=frontline
Mar 17 18:21:09 base dovecot: auth(default): client out: OK^I1^Iuser=wojtek
Mar 17 18:21:09 base dovecot: auth(default): master in: REQUEST^I2^I19185^I1
Mar 17 18:21:09 base dovecot: auth(default): ldap(wojtek,192.168.0.200): user search: base=ou=Users,dc=frontline scope=subtree filter=(&(objectClass=posixAccount)(uid=wojtek)) fields=homeDirectory,uidNumber
Mar 17 18:21:09 base dovecot: auth(default): ldap(wojtek,192.168.0.200): Authenticated user not found
Mar 17 18:21:09 base dovecot: auth(default): userdb(wojtek,192.168.0.200): user not found from userdb
Mar 17 18:21:09 base dovecot: auth(default): master out: NOTFOUND^I2
Mar 17 18:21:09 base dovecot: imap-login: Internal login failure: user=<wojtek>, method=PLAIN, rip=192.168.0.200, lip=192.168.0.202
# 1.0.13: /usr/local/etc/dovecot.conf
base_dir: /var/run/dovecot/
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imaps imap
ssl_cert_file: /etc/apache2/ssl/server.pem
ssl_key_file: /etc/apache2/ssl/server.key
disable_plaintext_auth: no
login_dir: /var/run/dovecot//login
login_executable: /usr/local/libexec/dovecot/imap-login
login_greeting_capability: yes
mail_privileged_group: mail
mail_location: maildir:/home/MAIL/%u
imap_client_workarounds: tb-extra-mailbox-sep
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
# /etc/dovecot/dovecot-ldap.conf
hosts = localhost
dn = uid=root,ou=Users,dc=frontline
dnpass = [user root plain text password here]
auth_bind = yes
auth_bind_userdn = uid=%u,ou=Users,dc=frontline
ldap_version = 3
base = ou=Users,dc=frontline
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = MD5
user_global_uid = dovecot
user_global_gid = dovecot
On Mon, 17 Mar 2008, Wojtek Bogusz wrote:
bind: dn=uid=wojtek,ou=Users,dc=frontline
Mar 17 18:21:09 base dovecot: auth(default): client out: OK^I1^Iuser=wojtek
Mar 17 18:21:09 base dovecot: auth(default): master in: REQUEST^I2^I19185^I1
Mar 17 18:21:09 base dovecot: auth(default): ldap(wojtek,192.168.0.200): user search: base=ou=Users,dc=frontline scope=subtree filter=(&(objectClass=posixAccount)(uid=wojtek)) fields=homeDirectory,uidNumber
Mar 17 18:21:09 base dovecot: auth(default): ldap(wojtek,192.168.0.200): Authenticated user not found
Dovecot distinguishes between userdb and passdb.
It seems that passdb is working, but userdb is not.
What does your LDAP entry look like? Should the user data be read from LDAP, BTW?
Does the LDAP filter mentioned in the logs return the results for the currently bound user, i.e. does:

ldapsearch -D uid=wojtek,ou=Users,dc=frontline -W \
    -b ou=Users,dc=frontline \
    '(&(objectClass=posixAccount)(uid=wojtek))' homeDirectory uidNumber

display home and uid?
Bye,
Steffen Kaiser
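Steffen's reading of the trace (the auth process answered OK on the passdb side and NOTFOUND on the userdb side) can be automated. The following is an added example written for this thread, not Dovecot code and not anything the participants posted. It parses auth-debug lines of the shape quoted above into a per-login verdict, and it redacts the base64 blob on the `client in: CONT` line: that blob is the SASL PLAIN response, which carries the user's password, and `debug_passwords: yes` logs it verbatim, so it should be stripped before a log is pasted anywhere. The sample lines and the blob are constructed; the `master out: USER` check is an assumption about the reply for a found user, since the thread only shows the NOTFOUND case.

```python
"""Classify a Dovecot 1.x auth-debug trace: did the login fail in passdb or userdb?

Added example for this thread, not Dovecot code. It assumes only the syslog
line shape visible in the thread (auth(default) messages, tabs written as ^I).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: "
    r"(?P<proc>[^:]+): (?P<msg>.*)$"
)
TAB = r"(?:\t|\^I)"   # syslog renders the auth protocol's tab separator as ^I
# The PLAIN continuation is base64("\0user\0password"); with debug_passwords=yes
# Dovecot logs it verbatim, so strip it before a log leaves the machine.
CONT_RE = re.compile(r"(client in: CONT" + TAB + r"\d+" + TAB + r")([A-Za-z0-9+/=]+)")

# Constructed sample mirroring the thread's trace; the blob is a placeholder.
LOG_LINES: List[str] = [
    "Mar 17 18:21:08 base dovecot: auth(default): client in: AUTH^I1^IPLAIN^Iservice=IMAP^Ilip=192.168.0.202^Irip=192.168.0.200",
    "Mar 17 18:21:08 base dovecot: auth(default): client out: CONT^I1^I",
    "Mar 17 18:21:09 base dovecot: auth(default): client in: CONT^I1^IQUJDREVGR0hJSktMTU5PUA==",
    "Mar 17 18:21:09 base dovecot: auth(default): ldap(wojtek,192.168.0.200): bind: dn=uid=wojtek,ou=Users,dc=frontline",
    "Mar 17 18:21:09 base dovecot: auth(default): client out: OK^I1^Iuser=wojtek",
    "Mar 17 18:21:09 base dovecot: auth(default): master in: REQUEST^I2^I19185^I1",
    "Mar 17 18:21:09 base dovecot: auth(default): ldap(wojtek,192.168.0.200): user search: base=ou=Users,dc=frontline scope=subtree filter=(&(objectClass=posixAccount)(uid=wojtek)) fields=homeDirectory,uidNumber",
    "Mar 17 18:21:09 base dovecot: auth(default): ldap(wojtek,192.168.0.200): Authenticated user not found",
    "Mar 17 18:21:09 base dovecot: auth(default): userdb(wojtek,192.168.0.200): user not found from userdb",
    "Mar 17 18:21:09 base dovecot: auth(default): master out: NOTFOUND^I2",
    "Mar 17 18:21:09 base dovecot: imap-login: Internal login failure: user=<wojtek>, method=PLAIN, rip=192.168.0.200, lip=192.168.0.202",
]


@dataclass
class AuthTrace:
    user: Optional[str] = None
    mechanism: Optional[str] = None
    passdb: str = "unknown"      # ok | fail | unknown
    userdb: str = "unknown"      # ok | notfound | unknown
    user_filter: Optional[str] = None
    verdict: str = "undetermined"


def redact(line: str) -> str:
    """Replace the credential blob of a 'client in: CONT' line with a marker."""
    return CONT_RE.sub(r"\1[REDACTED-SASL-PLAIN]", line)


def analyse(lines: Iterable[str]) -> AuthTrace:
    """Walk one login's auth(default) lines and say which stage failed."""
    t = AuthTrace()
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue
        msg = m.group("msg")
        if "client in: AUTH" in msg:          # AUTH<tab>id<tab>mechanism<tab>...
            t.mechanism = re.split(TAB, msg)[2]
        elif "client out: OK" in msg:         # passdb accepted the credentials
            t.passdb = "ok"
            um = re.search(r"user=(\S+)", msg)
            if um:
                t.user = um.group(1)
        elif "client out: FAIL" in msg:       # passdb rejected them
            t.passdb = "fail"
        elif "user search:" in msg:           # the userdb LDAP query actually sent
            fm = re.search(r"filter=\s*(\(.*\))\s+fields=", msg)
            if fm:
                t.user_filter = fm.group(1)
        elif "user not found from userdb" in msg or "master out: NOTFOUND" in msg:
            t.userdb = "notfound"
        elif "master out: USER" in msg:       # assumed reply shape for a found user
            t.userdb = "ok"
    if t.passdb == "fail":
        t.verdict = "passdb: bind/password check failed"
    elif t.passdb == "ok" and t.userdb == "notfound":
        t.verdict = ("userdb: password accepted, but the userdb search "
                     f"{t.user_filter or ''} returned no entry")
    elif t.passdb == "ok" and t.userdb == "ok":
        t.verdict = "login ok"
    return t


if __name__ == "__main__":
    for line in LOG_LINES:
        print(redact(line))
    print(analyse(LOG_LINES).verdict)
```

Run against the constructed trace it prints the redacted lines and a `userdb:` verdict naming the exact filter the auth process sent, which is the string to hand to ldapsearch next.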
Hi Steffen, I had to modify the ldapsearch command you wrote and add the '-x' switch for simple authentication instead of SASL, but otherwise the command displays good results:
# extended LDIF
#
# LDAPv3
# base <ou=Users,dc=frontline> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=wojtek))
# requesting: homeDirectory uidNumber
#

# wojtek, Users, frontline
dn: uid=wojtek,ou=Users,dc=frontline
uidNumber: 30000
homeDirectory: /home/samba/wojtek

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
I am not sure how to show you the structure of the LDAP entry other than by running a search without requesting specific fields. Here is the result:

# wojtek, Users, frontline
dn: uid=wojtek,ou=Users,dc=frontline
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: wojtek
sn: wojtek
givenName: wojtek
uid: wojtek
uidNumber: 30000
gidNumber: 513
homeDirectory: /home/samba/wojtek
loginShell: /bin/false
gecos: Wojtek Bogusz
userPassword:: [password here]
Cheers, Wojtek
Steffen Kaiser wrote:
On Mon, 17 Mar 2008, Wojtek Bogusz wrote:
bind: dn=uid=wojtek,ou=Users,dc=frontline
Mar 17 18:21:09 base dovecot: auth(default): client out: OK^I1^Iuser=wojtek
Mar 17 18:21:09 base dovecot: auth(default): master in: REQUEST^I2^I19185^I1
Mar 17 18:21:09 base dovecot: auth(default): ldap(wojtek,192.168.0.200): user search: base=ou=Users,dc=frontline scope=subtree filter=(&(objectClass=posixAccount)(uid=wojtek)) fields=homeDirectory,uidNumber
Mar 17 18:21:09 base dovecot: auth(default): ldap(wojtek,192.168.0.200): Authenticated user not found
Dovecot distinguishes between userdb and passdb.
It seems that passdb is working, but userdb is not.
What does your LDAP entry look like? Should the user data be read from LDAP, BTW?
Does the LDAP filter mentioned in the logs return the results for the currently bound user, i.e. does:

ldapsearch -D uid=wojtek,ou=Users,dc=frontline -W \
    -b ou=Users,dc=frontline \
    '(&(objectClass=posixAccount)(uid=wojtek))' homeDirectory uidNumber

display home and uid?
Bye,
-- Steffen Kaiser
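The ldapsearch output above shows that the entry satisfies the filter and carries homeDirectory and uidNumber when the search is bound as the user. The following is an added example, not Dovecot's code and not something from the thread, that replays the userdb side of dovecot-ldap.conf offline: it parses LDIF as ldapsearch prints it, evaluates `user_filter` with `%u` substituted, and applies the `user_attrs` mapping, so you can see exactly which fields the auth process expects to get back from that entry. The conf fragment and the LDIF are constructed to mirror the thread, and the userPassword value is a placeholder. One caveat: the check says nothing about which DN Dovecot binds as when it runs the userdb search, nor whether that DN may read the attributes; only a search bound as that DN, or a capture of the LDAP session, answers that.

```python
"""Replay Dovecot 1.x userdb-ldap lookup logic against one LDIF entry.

Added example, not Dovecot's own code. Reads the userdb settings from a
dovecot-ldap.conf fragment, parses LDIF, evaluates user_filter and applies
the user_attrs mapping. Conf fragment and LDIF are constructed to mirror the
thread; the userPassword value is a placeholder.
"""
import base64
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]   # lower-cased attribute name -> values

LDAP_CONF = """
base = ou=Users,dc=frontline
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid
user_filter = (&(objectClass=posixAccount)(uid=%u))
"""

LDIF = """# wojtek, Users, frontline
dn: uid=wojtek,ou=Users,dc=frontline
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: wojtek
uidNumber: 30000
gidNumber: 513
homeDirectory: /home/samba/wojtek
userPassword:: e01ENX1wbGFjZWhvbGRlcg==

# search result
search: 2
result: 0 Success
"""


def parse_conf(text: str) -> Dict[str, str]:
    """key = value lines; '#' lines and blanks ignored."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: comments, folded lines, '::' base64 values, blank-line separators."""
    lines: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:   # folded continuation line
            lines[-1] += line[1:]
        else:
            lines.append(line)
    entries: List[Entry] = []
    cur: Entry = {}
    for line in lines + [""]:
        if not line.strip():                 # entry separator
            if "dn" in cur:                  # ldapsearch's trailing result block has no dn
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, sep, value = line.partition("::")
            if sep:
                value = base64.b64decode(value.strip()).decode()
            else:
                attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def parse_filter(s: str, i: int = 0) -> Tuple[tuple, int]:
    """Tiny RFC 4515 subset: (&...), (|...), (!...), (attr=value), (attr=*)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1
    if s[i + 1] == "!":
        node, i = parse_filter(s, i + 2)
        return ("!", node), i + 1
    j = s.index(")", i)
    attr, _, value = s[i + 1:j].partition("=")
    return ("=", attr, value), j + 1


def matches(node: tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (attribute names are case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    have = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(have) if value == "*" else value.lower() in have


def userdb_lookup(conf: Dict[str, str], entry: Entry, username: str) -> Optional[Dict[str, str]]:
    """Fields the userdb would return for username from this entry, or None if it doesn't match."""
    node, _ = parse_filter(conf["user_filter"].replace("%u", username))
    if not matches(node, entry):
        return None
    result: Dict[str, str] = {}
    for pair in conf["user_attrs"].split(","):   # ldapAttr=dovecotField, as in 1.x
        ldap_attr, _, field = pair.partition("=")
        values = entry.get(ldap_attr.strip().lower())
        if values:
            result[field.strip()] = values[0]
    return result
```

Calling `userdb_lookup(parse_conf(LDAP_CONF), parse_ldif(LDIF)[0], "wojtek")` yields the home and uid fields; a None result means the filter, not the attribute mapping, is what rejects the entry, and a result missing a key means the attribute was not returned by the search.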
Hi all, I cannot figure out how to solve my problem with the dovecot+ldap configuration. Please help...
I was reading through the emails from the list related to LDAP. I added this debugging line 372: "i_info("LDAP: Received reply %d", msgid);" to src/auth/db-ldap.c. You can see part of my mail.info log file below.
Most interesting is that if you give a wrong password to the email client program, Dovecot reports it back, so it can verify this on LDAP. Also you can see that one of the lines below says "client out: OK^I1^Iuser=wojtek", which looks to me like a successful authentication, and then it cannot find the user! This is strange, as when I execute on the command line "ldapsearch -h localhost -b 'ou=Users,dc=frontline' -D 'uid=wojtek,ou=Users,dc=frontline' -x -W" it works OK (see the result below in the quoted emails).
Steffen wrote that "userdb is not running" - I do not understand this. How do I make it run? I thought that both userdb and passdb are in LDAP. Please see the structure of my LDAP record below in the quoted email.
Apr 12 16:05:27 base dovecot: auth(default): client in: AUTH^I1^IPLAIN^Iservice=IMAP^Ilip=192.168.0.202^Irip=192.168.0.200
Apr 12 16:05:27 base dovecot: auth(default): client out: CONT^I1^I
Apr 12 16:05:27 base dovecot: auth(default): client in: CONT^I1^IAHdvanRlawBiZWR6aWUgZG9icnpl
Apr 12 16:05:27 base dovecot: auth(default): ldap(wojtek,192.168.0.200): bind: dn=uid=wojtek,ou=Users,dc=frontline
Apr 12 16:05:27 base dovecot: auth(default): LDAP: Received reply 2
Apr 12 16:05:27 base dovecot: auth(default): client out: OK^I1^Iuser=wojtek
Apr 12 16:05:27 base dovecot: auth(default): master in: REQUEST^I1^I14825^I1
Apr 12 16:05:27 base dovecot: auth(default): ldap(wojtek,192.168.0.200): user search: base=ou=Users,dc=frontline scope=subtree filter=(&(objectClass=posixAccount)(uid=wojtek)) fields=homeDirectory,uidNumber
Apr 12 16:05:27 base dovecot: auth(default): LDAP: Received reply 3
Apr 12 16:05:27 base dovecot: auth(default): LDAP: Received reply 4
Apr 12 16:05:27 base dovecot: auth(default): ldap(wojtek,192.168.0.200): Authenticated user not found
Apr 12 16:05:27 base dovecot: auth(default): userdb(wojtek,192.168.0.200): user not found from userdb
Apr 12 16:05:27 base dovecot: auth(default): master out: NOTFOUND^I1
Apr 12 16:05:27 base dovecot: imap-login: Internal login failure: user=<wojtek>, method=PLAIN, rip=192.168.0.200, lip=192.168.0.202
See my configuration:
$ sudo dovecot -n
# 1.0.13: /usr/local/etc/dovecot.conf
base_dir: /var/run/dovecot/
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imaps imap
ssl_cert_file: /etc/apache2/ssl/server.pem
ssl_key_file: /etc/apache2/ssl/server.key
disable_plaintext_auth: no
login_dir: /var/run/dovecot//login
login_executable: /usr/local/libexec/dovecot/imap-login
login_greeting_capability: yes
mail_privileged_group: mail
mail_location: maildir:/home/MAIL/%u
imap_client_workarounds: tb-extra-mailbox-sep
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
$ sudo grep -v '^[[:space:]]*#' /etc/dovecot/dovecot-ldap.conf | grep -v '^$'
hosts = localhost
dn = uid=root,ou=Users,dc=frontline
dnpass = ...password...
auth_bind = yes
auth_bind_userdn = uid=%u,ou=Users,dc=frontline
ldap_version = 3
base = ou=Users,dc=frontline
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = MD5
user_global_uid = dovecot
user_global_gid = dovecot
Wojtek Bogusz wrote:
Hi Steffen, I had to modify the ldapsearch command you wrote and add the '-x' switch for simple authentication instead of SASL, but otherwise the command displays good results:
# extended LDIF
#
# LDAPv3
# base <ou=Users,dc=frontline> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=wojtek))
# requesting: homeDirectory uidNumber
#

# wojtek, Users, frontline
dn: uid=wojtek,ou=Users,dc=frontline
uidNumber: 30000
homeDirectory: /home/samba/wojtek

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
I am not sure how to show you the structure of the LDAP entry other than by running a search without requesting specific fields. Here is the result:

# wojtek, Users, frontline
dn: uid=wojtek,ou=Users,dc=frontline
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: wojtek
sn: wojtek
givenName: wojtek
uid: wojtek
uidNumber: 30000
gidNumber: 513
homeDirectory: /home/samba/wojtek
loginShell: /bin/false
gecos: Wojtek Bogusz
userPassword:: [password here]

Cheers, Wojtek
Steffen Kaiser wrote:
On Mon, 17 Mar 2008, Wojtek Bogusz wrote:
bind: dn=uid=wojtek,ou=Users,dc=frontline
Mar 17 18:21:09 base dovecot: auth(default): client out: OK^I1^Iuser=wojtek
Mar 17 18:21:09 base dovecot: auth(default): master in: REQUEST^I2^I19185^I1
Mar 17 18:21:09 base dovecot: auth(default): ldap(wojtek,192.168.0.200): user search: base=ou=Users,dc=frontline scope=subtree filter=(&(objectClass=posixAccount)(uid=wojtek)) fields=homeDirectory,uidNumber
Mar 17 18:21:09 base dovecot: auth(default): ldap(wojtek,192.168.0.200): Authenticated user not found
Dovecot distinguishes between userdb and passdb.
It seems that passdb is working, but userdb is not.
What does your LDAP entry look like? Should the user data be read from LDAP, BTW?
Does the LDAP filter mentioned in the logs return the results for the currently bound user, i.e. does:

ldapsearch -D uid=wojtek,ou=Users,dc=frontline -W \
    -b ou=Users,dc=frontline \
    '(&(objectClass=posixAccount)(uid=wojtek))' homeDirectory uidNumber

display home and uid?
Bye,
-- Steffen Kaiser
On Sat, 12 Apr 2008, Wojtek Bogusz wrote:
$ sudo grep -v '^[[:space:]]*#' /etc/dovecot/dovecot-ldap.conf | grep -v '^$'
hosts = localhost
dn = uid=root,ou=Users,dc=frontline
dnpass = ...password...
auth_bind = yes
auth_bind_userdn = uid=%u,ou=Users,dc=frontline
When you use auth_bind, no dn/dnpass is required.
Did you sniff the LDAP connection already?
Steffen
participants (3)
- Charles Marcus
- Steffen Kaiser
- Wojtek Bogusz