Master user without pass=yes error
Hello Timo,
I just tried the master user feature with a very simple setup (Dovecot v2.2.15) :
!include auth-master.conf.ext -> passwd-file passdb !include auth-ldap.conf.ext -> ldap passdb (userdb prefetched) without auth_bind=yes
without pass=yes I get this userdb lookup error :
dovecot: auth: passwd-file(masteruser,157.99.64.42,master,<4Pgesh0OygCdY0Aq>): Master user logging in as normaluser dovecot: auth: Error: prefetch(normaluser,157.99.64.42,<4Pgesh0OygCdY0Aq>): userdb lookup not possible with only userdb prefetch dovecot: imap: Error: Internal auth failure (client-pid=10449 client-id=1) dovecot: imap-login: Internal login failure (pid=10449 id=1) (internal failure, 1 successful auths): user=<normaluser>, method=PLAIN, rip=157.99.64.42, lip=157.99.64.81, mpid=10570, TLS, session=<4Pgesh0OygCdY0Aq>
with pass=yes, it works.
Feb 2 17:51:24 langres dovecot: auth: passwd-file(masteruser,157.99.64.42,master,<YmjAwx0O0gCdY0Aq>): Master user logging in as normaluser Feb 2 17:51:24 langres dovecot: imap-login: Login: user=<normaluser>, method=PLAIN, rip=157.99.64.42, lip=157.99.64.81, mpid=11647, TLS, session=<YmjAwx0O0gCdY0Aq>
I dont quite understand why because the documentation states that 'pass=yes'
"means that Dovecot verifies that the login user really exists before allowing the master user to log in. Without the setting if a nonexistent login username is given,[...]"
Here, 'normaluser' exists in the ldap passdb so, even with pass=no, I'm not supposed to be in the 'nonesxistent login username' case.
Can you help ?
thanks.
-- Thomas Hummel | Institut Pasteur hummel@pasteur.fr | Groupe Exploitation et Infrastructure
On Mon, Feb 02, 2015 at 05:55:26PM +0100, Thomas HUMMEL wrote:
I just tried the master user feature with a very simple setup (Dovecot v2.2.15) :
Also, the documentation states that :
"pass=yes" doesn't work with "LDAP with auth_bind=yes, because both of them require knowing the user's password."
This sound strange to me since I thought "auth_bind=yes" purpose was only to verify the user password. So, although I understand the need to have the user password to bind to LDAP as the user himself, I thought userdb attributes (and thus the existence or not of the user, i.e. the purpose of "pass=yes") weren't retrieved with a username/password LDAP bind, even with auth_bind=yes.
Thanks.
-- Thomas Hummel | Institut Pasteur hummel@pasteur.fr | Groupe Exploitation et Infrastructure
On Mon, Feb 02, 2015 at 05:55:26PM +0100, Thomas HUMMEL wrote:
Hello Timo,
Hello again. I'll try to answer my own question myself ;-)
I think my problem was that "pass=yes" just becomes _mandatory_ when using _only one_ and _prefetched_ userdb because retrieving the normal user userdb attributes then becomes a "side effect" of the "pass=yes" behavior :
My understanding now is that, even with master user :
. a userdb still has to be done for the normal user and . since my (ldap) userdb is (ldap) passdb-prefetched (and the only userdb), it can only be searched if somehow an (ldap) passdb search is performed
-> with pass=no, dovecot does not try to check the existence of the normal user in the normal (ldap) passdb : so the normal user userdb attributes are never retrieved (because of the prefetch nature of this userdb)
-> with pass=yes, dovecot performs an (ldap) passdb lookup to check the existence of the user and prefetches the normal user userdb attributes (side effect), allowing the master user to retrieve the normal user mailbox.
Am I correct ?
Thanks
-- Thomas Hummel | Institut Pasteur hummel@pasteur.fr | Groupe Exploitation et Infrastructure
participants (1)
-
Thomas HUMMEL