[Dovecot] prefetch userdb on 1.0.alpha4
Hi all,
I have a problem with the prefetch userdb function on 1.0.alpha4.
I get this:
Error: auth(default): ldap(mylogin,10.3.245.xxx): Multiple password replies
Info: auth(default): ldap(mylogin,10.3.245.xxx): base=dc=boursorama,dc=fr scope=subtree filter=(&(objectClass=boursoramaMailAccount)(mailInternalAllowedProtocol=imap)) fields=uid,userPassword
An ldapsearch with the same filter gives me only one reply ...
Do you have an idea?
Thanks,
Cyril Feraudet
parts of my dovecot.conf :
protocol imap { }
protocol pop3 { pop3_uidl_format = %v.%u }
auth_debug = yes
auth default {
  mechanisms = plain
  passdb ldap { args = /etc/dovecot/dovecot-ldap.conf }
  userdb prefetch { }
  user = root
}
parts of my dovecot-ldap.conf :
user_attrs = uid,,,,,
user_filter = (&(objectClass=boursoramaMailAccount)(uid=%u)(mailInternalAllowedProtocol=imap))
pass_attrs = uid,userPassword
pass_filter = (&(objectClass=boursoramaMailAccount)(mailInternalAllowedProtocol=imap))
default_pass_scheme = CRYPT
Hum sorry ...
I thought that the prefetch function kept all passwords for all users, not only for one ...
but with "user_filter = (&(objectClass=boursoramaMailAccount)(uid=%u)(mailInternalAllowedProtocol=imap))" instead of "user_filter = (&(objectClass=boursoramaMailAccount)(mailInternalAllowedProtocol=imap))"
I got :
==> /var/log/dovecot/dovecot.log <==
dovecot: Dec 08 15:53:21 Error: auth(default): prefetch(mylogin,10.3.245.xxx): passdb didn't return userdb entries
dovecot: Dec 08 15:53:21 Error: auth(default): userdb(mylogin,10.3.245.xxx): user not found from userdb
==> /var/log/dovecot/info.log <==
dovecot: Dec 08 15:53:21 Info: auth(default): client in: AUTH 1 PLAIN service=IMAP secured lip=10.2.xxx.xxx rip=10.3.245.xxx resp=AGNmZXxxxxxlAEZQU2xza2Vy
dovecot: Dec 08 15:53:21 Info: auth(default): ldap(mylogin,10.3.245.xxx): base=dc=boursorama,dc=fr scope=subtree filter=(&(objectClass=boursoramaMailAccount)(uid= mylogin)(mailInternalAllowedProtocol=imap)) fields=uid,userPassword
dovecot: Dec 08 15:53:21 Info: auth(default): ldap(mylogin,10.3.245.xxx): uid(user)= mylogin userPassword(password)={CRYPT}NnSwcxxxxxxxx
dovecot: Dec 08 15:53:21 Info: auth(default): client out: OK 1 user= mylogin
dovecot: Dec 08 15:53:21 Info: auth(default): master in: REQUEST 4 22977 1
dovecot: Dec 08 15:53:21 Info: auth(default): master out: NOTFOUND 4
dovecot: Dec 08 15:53:21 Info: imap-login: Internal login failure: user=< mylogin >, method=PLAIN, rip=10.3.245.xxx, lip=10.2.xxx.xxx, TLS
Any idea?
Thanks,
Cyril Feraudet
On Thu, Dec 08, 2005 at 04:00:00PM +0100, Feraudet Cyril wrote:
> I got :
> ==> /var/log/dovecot/dovecot.log <==
> dovecot: Dec 08 15:53:21 Error: auth(default): prefetch(mylogin,10.3.245.xxx): passdb didn't return userdb entries
> Any idea?
It seems you don't make passdb return user attributes.
Let's suppose your user and pass LDAP attributes are on the same LDAP tree leaf, you'd do it by setting pass_attrs like below in dovecot-ldap.conf:
pass_attrs = uid,userPassword,homeDirectory=userdb_home,,,uidNumber=userdb_uid,gidNumber=userdb_gid
Note :
userdb_xxx are keys in the hash table where your user attributes will be recorded and then passed to imap-login as extra_fields of the auth_request
-- Thomas Hummel | Institut Pasteur hummel@pasteur.fr | Pôle informatique - systèmes et réseau
On 8 Dec 05 at 17:55, Thomas Hummel wrote:
> On Thu, Dec 08, 2005 at 04:00:00PM +0100, Feraudet Cyril wrote:
>> I got :
>> ==> /var/log/dovecot/dovecot.log <==
>> dovecot: Dec 08 15:53:21 Error: auth(default): prefetch(mylogin,10.3.245.xxx): passdb didn't return userdb entries
>> Any idea?
> It seems you don't make passdb return user attributes.
This filter with the ldapsearch command returns my uid and pas crypt password ...
I've used another method: userdb static{} and passdb pam {} and pam with libpam-ldap (ldaps, etc ...)
Thanks Thomas for your help.
Cyril Feraudet
On Thu, Dec 08, 2005 at 06:19:33PM +0100, Feraudet Cyril wrote:
>> It seems you don't make passdb return user attributes.
> This filter with the ldapsearch command returns my uid and pas crypt password ...
Which filter ? I'm not sure we're talking about the same thing.
The prefetch feature is just a means to do 1 (instead of 2) LDAP request in the case you can get the user attributes from the same database (and the same entry ?) as the passwd attributes.
The search filter leads you to the entry.
The pass_attrs=... gives you the attributes you want. In the case of prefetch, it gives you the passwd attributes AND the user attributes. The only thing is to tell dovecot the correct hash key name to store them, which is why we use "uidNumber=userdb_uid", ...instead of just uidNumber, ...
-- Thomas Hummel | Institut Pasteur hummel@pasteur.fr | Pôle informatique - systèmes et réseau
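The two failures reported in this thread, written as a check over dovecot-ldap.conf settings. This is an added example, not part of the original messages and not Dovecot code; the function names are hypothetical, and requiring all three userdb_ keys from the pass_attrs line suggested above is an assumption.

```python
import re

# Keys mapped in the pass_attrs line suggested in the thread (assumed all wanted).
USERDB_KEYS = ("userdb_home", "userdb_uid", "userdb_gid")

def parse_ldap_conf(text):
    """Parse 'key = value' lines of a dovecot-ldap.conf into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # the value itself may contain '='
        conf[key.strip()] = value.strip()
    return conf

def prefetch_findings(conf):
    """Return the reasons this passdb cannot feed 'userdb prefetch'."""
    findings = []
    # Without %u or %n the filter matches every account, which is the
    # configuration behind "Multiple password replies" in the first message.
    if not re.search(r"%[A-Z0-9]*[un]", conf.get("pass_filter", "")):
        findings.append("pass_filter does not select a single user")
    # pass_attrs items are 'ldapAttr' or 'ldapAttr=dovecotKey'; collect the keys.
    mapped = set()
    for item in conf.get("pass_attrs", "").split(","):
        if "=" in item:
            mapped.add(item.split("=", 1)[1].strip())
    missing = [k for k in USERDB_KEYS if k not in mapped]
    if missing:
        # Nothing for prefetch to use: "passdb didn't return userdb entries".
        findings.append("pass_attrs lacks " + ",".join(missing))
    return findings

# Constructed from the settings quoted in the thread.
ORIGINAL = """
pass_attrs = uid,userPassword
pass_filter = (&(objectClass=boursoramaMailAccount)(mailInternalAllowedProtocol=imap))
"""
SUGGESTED = """
pass_attrs = uid,userPassword,homeDirectory=userdb_home,,,uidNumber=userdb_uid,gidNumber=userdb_gid
pass_filter = (&(objectClass=boursoramaMailAccount)(uid=%u)(mailInternalAllowedProtocol=imap))
"""

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, prefetch_findings(parse_ldap_conf(text)) or "ok")
```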
On 8 Dec 05 at 18:38, Thomas Hummel wrote:
> On Thu, Dec 08, 2005 at 06:19:33PM +0100, Feraudet Cyril wrote:
>>> It seems you don't make passdb return user attributes.
>> This filter with the ldapsearch command returns my uid and pas crypt password ...
> Which filter ? I'm not sure we're talking about the same thing.
> The prefetch feature is just a means to do 1 (instead of 2) LDAP request in the case you can get the user attributes from the same database (and the same entry ?) as the passwd attributes.
> The search filter leads you to the entry.
> The pass_attrs=... gives you the attributes you want. In the case of prefetch, it gives you the passwd attributes AND the user attributes. The only thing is to tell dovecot the correct hash key name to store them, which is why we use "uidNumber=userdb_uid", ...instead of just uidNumber, ...
I understand well, I wanted to say that an ldapsearch with the same filter as "pass_filter" in dovecot and the same requested fields as "pass_attrs" returns both uid and password to me.
pass_filter = (&(objectClass=boursoramaMailAccount)(uid=%u)(mailInternalAllowedProtocol=imap)) and pass_attrs = uid,userPassword
would be the same thing as
$ ldapsearch '(&(objectClass=boursoramaMailAccount)(uid=mylogin)(mailInternalAllowedProtocol=imap))' 'uid' 'userPassword'
(in fact only dovecot's login is able to request userpassword in my slapd configuration until dovecot is able to log on as a virtuser to the ldap)
If that's correct, it doesn't work for me, I've got Error: auth(default): prefetch(mylogin,10.3.245.xxx): passdb didn't return userdb entries
Do you agree?
Cyril Feraudet
On Thu, Dec 08, 2005 at 07:01:20PM +0100, Feraudet Cyril wrote:
> I understand well, I wanted to say that an ldapsearch with the same filter as "pass_filter" in dovecot and the same requested fields as "pass_attrs" returns both uid and password to me.
But it should return homeDirectory,uidNumber and gidNumber as well.
-- Thomas Hummel | Institut Pasteur hummel@pasteur.fr | Pôle informatique - systèmes et réseau
On 9 Dec 05 at 11:03, Thomas Hummel wrote:
> On Thu, Dec 08, 2005 at 07:01:20PM +0100, Feraudet Cyril wrote:
>> I understand well, I wanted to say that an ldapsearch with the same filter as "pass_filter" in dovecot and the same requested fields as "pass_attrs" returns both uid and password to me.
> But it should return homeDirectory,uidNumber and gidNumber as well.
Are you sure that's needed?
In the previous configuration (ldap authentication without prefetch userdb enabled) I used "user_attrs = uid,,,,," because homeDirectory, uidNumber and gidNumber are fixed in my implementation.
If it's needed, do you know a workaround in my case?
Thanks,
Cyril Feraudet