[Dovecot] Configuration of dovecot 2.0.19 to authenticate users via LDAP
I am trying to get dovecot 2.0.19 to authenticate users via LDAP (OpenLDAP 2.4.28) and am using Wireshark to debug the process. It looks like the basic configuration of dovecot is fine, but it doesn't manage to send the right request to the LDAP server. First of all, this is how my LDAP entries look:
# ht
dn: dc=ht
objectClass: top
objectClass: dcObject
objectClass: organization
o: ip
dc: ht
# admin, ht
dn: cn=admin,dc=ht
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9cFY1b0ZZVUhack1aRTVvaUg1T3c2cytVWHV4aUNvaHI=
# people, ht
dn: ou=people,dc=ht
objectClass: organizationalUnit
objectClass: top
ou: people
# groups, ht
dn: ou=groups,dc=ht
objectClass: organizationalUnit
objectClass: top
ou: groups
# ipusers, groups, ht
dn: cn=ipusers,ou=groups,dc=ht
gidNumber: 500
cn: ipusers
objectClass: posixGroup
objectClass: top
# Max Mustermann, people, ht
dn: cn=Max Mustermann,ou=people,dc=ht
cn: Max Mustermann
givenName: Max
gidNumber: 500
homeDirectory: /home/users/mmustormann
sn: Mustermann
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: mmustermann
userPassword:: e01ENX1ETUYxdWNEeHRxZ3h3NW5pYVhjbVlRPT0=
loginShell: /bin/bash
mail: mustorm@test.com
Now, I use the following configuration for dovecot (/etc/dovecot/dovecot-ldap.conf.ext)
hosts = 10.1.2.1
dn = cn=admin,dc=ht
dnpass = a
auth_bind = yes
auth_bind_userdn = uid=%u,ou=people,dc=ht
ldap_version = 3
scope = subtree
base = ou=people,dc=ht
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
This is what I see in Wireshark: http://i.stack.imgur.com/ICzDe.png
Dovecot cannot authenticate itself for some reason...
If I change the configuration as follows:
auth_bind = no
#auth_bind_userdn = uid=%u,ou=people,dc=ht
Then I get the following picture: http://i.stack.imgur.com/tb5vo.png
It doesn't pick up the setting base = ou=people,dc=ht. But what is more crucial is that even looking at the whole tree "<ROOT>" wholeSubTree it can't find the required entry.
I am really desperate and don't know how to make it work. Can somebody please give me a clue how to solve this problem?
On Sun, 18 May 2014, Danylo Esterman wrote:
# Max Mustermann, people, ht
dn: cn=Max Mustermann,ou=people,dc=ht
cn: Max Mustermann
givenName: Max
gidNumber: 500
homeDirectory: /home/users/mmustormann
sn: Mustermann
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: mmustermann
userPassword:: e01ENX1ETUYxdWNEeHRxZ3h3NW5pYVhjbVlRPT0=
loginShell: /bin/bash
mail: mustorm@test.com
Now, I use the following configuration for dovecot (/etc/dovecot/dovecot-ldap.conf.ext)
hosts = 10.1.2.1
dn = cn=admin,dc=ht
dnpass = a
auth_bind = yes
auth_bind_userdn = uid=%u,ou=people,dc=ht
ldap_version = 3
scope = subtree
base = ou=people,dc=ht
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
This is what I see in Wireshark: http://i.stack.imgur.com/ICzDe.png
Dovecot cannot authenticate itself for some reason...
The Wireshark trace shows that you've tried to authenticate a user "uid=mmustermann,ou=people,dc=ht", but no such LDAP item exists. It is named "cn=Max Mustermann,ou=people,dc=ht".
If I change the configuration as follows:
auth_bind = no
#auth_bind_userdn = uid=%u,ou=people,dc=ht
Then I get the following picture: http://i.stack.imgur.com/tb5vo.png
Well, why auth_bind = no? If you read the comment for that setting:
# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
#auth_bind = no
auth_bind = yes
I am really desperate and don't know how to make it work. Can somebody please give me a clue how to solve this problem?
Steffen Kaiser
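The DN mismatch Steffen points out, as an added example (my own code, not dovecot's or OpenLDAP's): a toy LDIF loader and filter evaluator that contrasts the two modes. With auth_bind_userdn set, dovecot does no search and binds straight as the expanded template, which names a DN that does not exist in this tree; with only pass_filter, it searches the base subtree as the dn/dnpass account and binds as the entry it finds. It assumes a trimmed copy of the LDIF from the question and only understands filters built from (&...) and equality terms.

```python
import re

# Constructed from the LDIF in the question (trimmed to the relevant entries;
# the base64 userPassword lines are deliberately left out).
LDIF = """\
dn: ou=people,dc=ht
objectClass: organizationalUnit
ou: people

dn: cn=Max Mustermann,ou=people,dc=ht
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Max Mustermann
uid: mmustermann
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/users/mmustormann
"""

def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}} for each blank-line separated entry."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def match_filter(attrs, flt):
    """Evaluate a filter restricted to (&(a=v)(b=v)...) and (a=v) terms."""
    if flt.startswith("(&"):
        return all(match_filter(attrs, p) for p in re.findall(r"\([^()]*\)", flt[2:-1]))
    attr, _, value = flt[1:-1].partition("=")
    return value in attrs.get(attr.lower(), [])

def userdn_from_template(template, user):
    """auth_bind_userdn mode: no search, dovecot binds directly as the expanded template."""
    return template.replace("%u", user)

def dn_from_search(entries, base, flt, user):
    """pass_filter mode: search the base subtree as the dn/dnpass account, bind as the hit."""
    hits = [dn for dn, attrs in entries.items()
            if dn.lower().endswith(base.lower())
            and match_filter(attrs, flt.replace("%u", user))]
    return hits[0] if len(hits) == 1 else None   # no hit or ambiguous hit: nothing to bind as

if __name__ == "__main__":
    tree = parse_ldif(LDIF)
    guessed = userdn_from_template("uid=%u,ou=people,dc=ht", "mmustermann")
    print(guessed, "exists:", guessed in tree)                   # False -> bind fails
    found = dn_from_search(tree, "ou=people,dc=ht",
                           "(&(objectClass=posixAccount)(uid=%u))", "mmustermann")
    print("pass_filter finds:", found)                           # cn=Max Mustermann,...
```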