[Dovecot] dovecot-ldap : can't find user in OU subtree
Hi all,
Well, I've compiled and installed dovecot 2.2.6 with the following options:
./configure --prefix=/usr/ --sysconfdir=/etc/ --with-mysql --libexecdir=/usr/lib/ --localstatedir=/var --with-moduledir=/usr/lib/dovecot/modules --disable-rpath --disable-static --with-zlib --with-bzlib --with-solr --with-ldap --with-gssapi --with-nss
doveconf -n:
# 2.2.6: /etc/dovecot/dovecot.conf
# OS: Linux 3.8.0-32-generic x86_64 Ubuntu 12.04.3 LTS ext4
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
first_valid_gid = 20001
first_valid_uid = 20001
log_timestamp = %Y-%m-%d %H:%M:%S
mail_debug = yes
mail_gid = 20001
mail_home = /media/data/email/%n
mail_location = maildir:/media/data/email/%n/mail
mail_plugins = fts fts_solr acl zlib mail_log notify
mail_uid = 20001
managesieve_notify_capability = mailto
managesieve_sieve_capability = comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date spamtest spamtestplus virustest
namespace {
  list = no
  location = maildir:/media/data/email/%%n/mail:INDEX=/media/data/email/%n/mail/shared/%%n
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location = maildir:/media/data/email/%n/mail
  mailbox Sent {
    auto = subscribe
  }
  mailbox Spam {
    auto = subscribe
  }
  mailbox SpamFalse {
    auto = subscribe
  }
  mailbox SpamToLearn {
    auto = subscribe
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
  driver = ldap
}
plugin {
  acl = vfile
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename save mailbox_create
  mail_log_fields = uid box msgid size
  sieve = /media/data/email/%n/dovecot.sieve
  sieve_after = /media/data/email/sieve/global.sieve
  sieve_dir = /media/data/email/%n/sieve
  zlib_save = bz2
  zlib_save_level = 9
}
protocols = imap pop3 sieve lmtp
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0640
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    address = *
    port = 143
  }
  inet_listener imaps {
    address = *
    port = 993
    ssl = yes
  }
  process_limit = 256
}
service lmtp {
  inet_listener lmtp {
    address = *
    port = 24
  }
  user = vmail
}
service managesieve-login {
  inet_listener sieve {
    address = *
    port = 4190
  }
  process_limit = 256
  vsz_limit = 64 M
}
service pop3-login {
  inet_listener pop3 {
    address = *
    port = 110
  }
  inet_listener pop3s {
    address = *
    port = 995
    ssl = yes
  }
}
ssl = required
ssl_ca = </etc/postfix/tls/cacert.pem
ssl_cert = </etc/postfix/tls/radiodjiido-cert.pem
ssl_key = </etc/postfix/tls/radiodjiido-key.pem
ssl_verify_client_cert = yes
userdb {
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  driver = ldap
}
protocol imap {
  imap_client_workarounds = delay-newmail
  imap_max_line_length = 64 k
  mail_max_userip_connections = 20
  mail_plugins = acl imap_acl mail_log notify zlib
}
protocol pop3 {
  mail_plugins = zlib mail_log notify
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}
protocol sieve {
  managesieve_logout_format = bytes ( in=%i : out=%o )
}
protocol lda {
  info_log_path =
  log_path =
  mail_plugins = sieve zlib mail_log notify
  quota_full_tempfail = yes
  syslog_facility = mail
}
protocol lmtp {
  info_log_path =
  log_path =
  mail_plugins = sieve fts zlib mail_log notify
  quota_full_tempfail = yes
}
/etc/dovecot/dovecot-ldap-passdb.conf.ext:
hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan
ldap_version = 3
base = ou=users,dc=domain,dc=lan
scope = subtree
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
/etc/dovecot/dovecot-ldap-userdb.conf.ext:
hosts = localhost
dn = cn=ldap,cn=Users,DC=domain,DC=lan
dnpass = My_secret_pass
ldap_version = 3
base = OU=users,DC=domain,DC=lan
scope = subtree
user_attrs = uid=20001, gid=20001, home=/media/data/email/%n, mail=/media/data/email/%n/mail
user_filter = (&(objectClass=person)(cn=%n)(mail=*))
iterate_attrs = cn=user
iterate_filter = (objectClass=person)
All seems to work as expected up to now, but if I move a user from OU 'users' to a sub-OU 'administrative' on Active Directory:
-> The user can't login anymore to Dovecot.
I have added "scope = subtree" to the userdb and passdb files but it doesn't change anything.
Here is the debug part when user test3 (located in ou=users, ou=administrative) tries to login:
Oct 30 18:49:12 serveur dovecot: auth: Debug: auth client connected (pid=4292)
Oct 30 18:49:12 serveur dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=L6uskfDpKwAKChTQ#011lip=10.10.20.1#011rip=10.10.20.208#011lport=993#011rport=54827
Oct 30 18:49:12 serveur dovecot: auth: Debug: client passdb out: CONT#0111#011
Oct 30 18:49:12 serveur dovecot: auth: Debug: client in: CONT<hidden>
Oct 30 18:49:12 serveur dovecot: auth: ldap(test3,10.10.20.208,<L6uskfDpKwAKChTQ>): invalid credentials
Oct 30 18:49:14 serveur dovecot: auth: Debug: client passdb out: FAIL#0111#011user=test3
As soon as I move user 'test3' back to ou=users, it can login ...
Oct 30 18:53:57 serveur dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Oct 30 18:53:57 serveur dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Oct 30 18:53:57 serveur dovecot: auth: Debug: auth client connected (pid=4303)
Oct 30 18:53:57 serveur dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=h+ypovDpUAAKChTQ#011lip=10.10.20.1#011rip=10.10.20.208#011lport=993#011rport=54864
Oct 30 18:53:57 serveur dovecot: auth: Debug: client passdb out: CONT#0111#011
Oct 30 18:53:57 serveur dovecot: auth: Debug: client in: CONT<hidden>
Oct 30 18:53:57 serveur dovecot: auth: Debug: client passdb out: OK#0111#011user=test3
Thanks in advance for your time and lights.
Nicolas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, 30 Oct 2013, me@electronico.nc wrote:
passdb { args = /etc/dovecot/dovecot-ldap-passdb.conf.ext driver = ldap }
/etc/dovecot/dovecot-ldap-passdb.conf.ext:
hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan
You define your bind DN as cn=%u,OU=users,dc=domain,dc=lan
ldap_version = 3
base = ou=users,dc=domain,dc=lan
scope = subtree
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
user_attrs = uid=20001, gid=20001, home=/media/data/email/%n, mail=/media/data/email/%n/mail
user_filter = (&(objectClass=person)(cn=%n)(mail=*))
pass_filter and user_filter differ in %u vs. %n.
Here is the debug part when user test3 (located in ou=users, ou=administrative) tries to login:
The auth_bind_userdn does not match the ou=administrative location. Drop the auth_bind_userdn, IMHO, so Dovecot actually uses pass_filter to search for the DN of the user.
Oct 30 18:49:12 serveur dovecot: auth: ldap(test3,10.10.20.208,<L6uskfDpKwAKChTQ>): invalid credentials
Oct 30 18:49:14 serveur dovecot: auth: Debug: client passdb out: FAIL#0111#011user=test3
As soon as I move user 'test3' back to ou=users, it can login ...
Oct 30 18:53:57 serveur dovecot: auth: Debug: client passdb out: OK#0111#011user=test3
Steffen Kaiser
Hello and thanks for your answer.
Le 30/10/2013 19:32, Steffen Kaiser a écrit :
On Wed, 30 Oct 2013, me@electronico.nc wrote:
passdb { args = /etc/dovecot/dovecot-ldap-passdb.conf.ext driver = ldap }
/etc/dovecot/dovecot-ldap-passdb.conf.ext:
hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan
You define your bind DN as cn=%u,OU=users,dc=domain,dc=lan
ldap_version = 3
base = ou=users,dc=domain,dc=lan
scope = subtree
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
user_attrs = uid=20001, gid=20001, home=/media/data/email/%n, mail=/media/data/email/%n/mail
user_filter = (&(objectClass=person)(cn=%n)(mail=*))
pass_filter and user_filter differ in %u vs. %n.
It doesn't really matter in this situation, as users are connected to a unique AD domain and their credentials are set up with user/password, so in this case %u and %n are identical.
Here is the debug part when user test3 (located in ou=users, ou=administrative) tries to login:
The auth_bind_userdn does not match the ou=administrative location. Drop the auth_bind_userdn, IMHO, so Dovecot actually uses pass_filter to search for the DN of the user.
I have tried a lot of ways to use DN or OU in pass_filter, like:
pass_filter = (&(objectClass=person)(cn=%u)(ou=users)(mail=*))
pass_filter = (&(objectClass=person)(cn=%u)(ou:dn:=rdk_users)(mail=*))
but it seems Active Directory doesn't support OU or DN in filters :-(
Thanks anyway for your help, this is definitely not a Dovecot issue.
Nicolas
Am 30.10.2013 21:17, schrieb me@electronico.nc:
Hello and thanks for your answer.
Le 30/10/2013 19:32, Steffen Kaiser a écrit :
On Wed, 30 Oct 2013, me@electronico.nc wrote:
passdb { args = /etc/dovecot/dovecot-ldap-passdb.conf.ext driver = ldap }
/etc/dovecot/dovecot-ldap-passdb.conf.ext:
hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan
You define your bind DN as cn=%u,OU=users,dc=domain,dc=lan
ldap_version = 3
base = ou=users,dc=domain,dc=lan
scope = subtree
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
You should use
/etc/dovecot/dovecot-ldap-passdb.conf.ext
hosts = localhost
dn = cn=ldap,cn=Users,DC=domain,DC=lan
dnpass = My_secret_pass
auth_bind = yes
ldap_version = 3
base = OU=users,DC=domain,DC=lan
scope = subtree
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
That way pass_filter should match cn=%u,OU=administrative,OU=Users,DC=domain,DC=lan as well. Take a look at http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds, DN lookup vs. DN template.
Le 31/10/2013 10:42, Achim Gottinger a écrit :
You should use
/etc/dovecot/dovecot-ldap-passdb.conf.ext
hosts = localhost
dn = cn=ldap,cn=Users,DC=domain,DC=lan
dnpass = My_secret_pass
auth_bind = yes
ldap_version = 3
base = OU=users,DC=domain,DC=lan
scope = subtree
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
That way pass_filter should match cn=%u,OU=administrative,OU=Users,DC=domain,DC=lan as well. Take a look at http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds, DN lookup vs. DN template.
Hello Achim,
Thanks for your answer :-)
Sure it works OK, as soon as I specify dn & dnpass (that I omitted in passdb... :-[ )
Many thanks again !
Nicolas
Am 31.10.2013 01:11, schrieb me@electronico.nc:
Hello Achim,
Thanks for your answer :-)
Sure it works OK, as soon as I specify dn & dnpass (that I omitted in passdb... :-[ )
Many thanks again !
Nicolas

The problem was auth_bind_userdn, which only matched users in OU=users. If you use that type of password check, pass_filter is not used. Now dovecot binds as user dn first, does a lookup of the user's dn via pass_filter and uses the result as the dn for the password verification via a second bind to ldap.
If you use the LDAP Server from an Active Directory I'd recommend you use
pass_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))
because if you use Windows Remote Admin Tools to create users, the user's dn is usually something like dn=cn=[Full Name],ou=Users,dc=domain,dc=lan and cn=[Full Name]. sAMAccountName however holds the user's login name.
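The two passdb modes discussed in this thread, the DN template (auth_bind_userdn) versus the DN lookup (dn/dnpass plus pass_filter with scope = subtree), and the cn-versus-sAMAccountName point just above, modelled as an added Python example. It is not part of the thread and not Dovecot's own code: the directory entries, their passwords, the service-account DN and every attribute value are constructed, and the filter parser handles only the (&...), (attr=value) and (attr=*) forms the thread uses.

```python
# Added example, not from the thread or the Dovecot project: an in-memory
# model of the two Dovecot LDAP auth-bind modes, DN template vs. DN lookup.
# All entries, DNs, passwords and attribute values below are constructed.
import re

# Constructed directory. Keys are DNs in lower case so that comparisons are
# case-insensitive, as DN matching is in LDAP.
DIRECTORY = {
    "cn=ldap,cn=users,dc=domain,dc=lan": {                      # service account
        "objectClass": ["user"], "cn": ["ldap"], "userPassword": ["My_secret_pass"]},
    "cn=test1,ou=users,dc=domain,dc=lan": {
        "objectClass": ["person"], "cn": ["test1"], "sAMAccountName": ["test1"],
        "mail": ["test1@domain.lan"], "userPassword": ["pw1"]},
    "cn=test3,ou=administrative,ou=users,dc=domain,dc=lan": {   # moved to a sub-OU
        "objectClass": ["person"], "cn": ["test3"], "sAMAccountName": ["test3"],
        "mail": ["test3@domain.lan"], "userPassword": ["pw3"]},
    "cn=jane doe,ou=users,dc=domain,dc=lan": {                  # cn is the full name
        "objectClass": ["person"], "cn": ["Jane Doe"], "sAMAccountName": ["jdoe"],
        "mail": ["jdoe@domain.lan"], "userPassword": ["pwj"]},
}

CN_FILTER = "(&(objectClass=person)(cn=%u)(mail=*))"
SAM_FILTER = "(&(objectClass=person)(sAMAccountName=%u)(mail=*))"

def ldap_escape(value):
    """RFC 4515 escaping of a value substituted into a filter, so a login name
    such as '*' or 'a)(cn=b' cannot change the filter's meaning. Dovecot escapes
    %u/%n itself; the model does the same."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text, pos=0):
    """Recursive-descent parser for the subset used in the thread:
    (&(...)(...)), (attr=value) and the presence test (attr=*)."""
    if text[pos] != "(":
        raise ValueError("filter must start with '('")
    if text[pos + 1] == "&":
        pos, subs = pos + 2, []
        while text[pos] == "(":
            node, pos = parse_filter(text, pos)
            subs.append(node)
        if text[pos] != ")":
            raise ValueError("unterminated AND filter")
        return ("and", subs), pos + 1
    end = text.index(")", pos)            # escaped values never contain ')'
    attr, _, value = text[pos + 1:end].partition("=")
    return ("eq", attr, value), end + 1

def matches(node, entry):
    if node[0] == "and":
        return all(matches(sub, entry) for sub in node[1])
    _, attr, raw = node
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if raw == "*":                        # presence test, e.g. (mail=*)
        return bool(values)
    wanted = ldap_unescape(raw).lower()   # '\2a' is a literal '*', not a wildcard
    return any(v.lower() == wanted for v in values)

def search(base, scope, filter_text):
    """scope=subtree: the base itself and everything below it, sub-OUs included."""
    node, _ = parse_filter(filter_text)
    base = base.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base)) and matches(node, entry)]

def bind(dn, password):
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and entry.get("userPassword") == [password]

def auth_bind_template(user, password, template="cn=%u,OU=users,dc=domain,dc=lan"):
    """auth_bind_userdn set: the DN is built from the template and bound directly;
    base, scope and pass_filter are never consulted, so a user in a sub-OU
    gets 'invalid credentials'."""
    return bind(template.replace("%u", user), password)

def auth_bind_lookup(user, password, pass_filter=CN_FILTER,
                     base="OU=users,DC=domain,DC=lan",
                     dn="cn=ldap,cn=Users,DC=domain,DC=lan", dnpass="My_secret_pass"):
    """auth_bind_userdn absent: bind with dn/dnpass, search base with
    scope=subtree using pass_filter, then bind as the single DN found."""
    if not bind(dn, dnpass):
        return False                      # service account cannot bind: fail closed
    found = search(base, "subtree", pass_filter.replace("%u", ldap_escape(user)))
    if len(found) != 1:
        return False                      # unknown user, or an ambiguous filter
    return bind(found[0], password)
```

Running auth_bind_template("test3", "pw3") returns False while auth_bind_lookup("test3", "pw3") returns True, which is the thread's failure and fix in miniature; auth_bind_lookup("jdoe", "pwj") fails with CN_FILTER and succeeds with SAM_FILTER, which is the point about accounts created with the Windows admin tools. The lookup mode requires exactly one match and refuses to bind otherwise, and the escaping keeps a login name such as "*" from turning the filter into a wildcard search.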