Re: Dovecot & LDAP Take #2: Authentication failed and logging
This is the user DN:
cn=Klara Fall,ou=People,dc=[domainname],dc=de
According to your Dovecot configuration
auth_bind_userdn = cn=%u,ou=People,dc=[domainname],dc=de
if you log in with "klarafall" it will be expanded into
cn=klarafall,ou=People,dc=[domainname],dc=de
which is not the correct DN for Mrs Klara.
So if you log in with "Klara Fall" it should work, but that will probably mess up things on the Dovecot filesystem.
I am strongly against setting a static DN when dealing with LDAP authentication. LDAP servers are optimized to serve search requests, so let yours do the job. Allow Dovecot to look up the correct DN based on the attribute you supply (uid) and then authenticate.
This should be achieved if you comment out the auth_bind_userdn line.
Paolo Cravero
Ok I played around a bit and activated debugging correctly (Thanks to Steffen)
Now I try to log in with the user johndoe (that is his cn and his uid) and I get the following message in syslog:
Mar 2 11:03:32 mailserver dovecot: auth: Debug: master in: REQUEST#0111283457025#0117428#0111#011d139b5d372d882643bc995003c615c89
Mar 2 11:03:32 mailserver dovecot: auth: Debug: ldap(johndoe,127.0.0.1,<EYmiVEsQSgB/AAAB>): user search: base=ou=People,dc=[domainname],dc=de scope=subtree filter=(&(objectClass=inetOrgPerson)(cn=johndoe)) fields=uidNumber
Mar 2 11:03:32 mailserver slapd[2465]: <= bdb_equality_candidates: (cn) not indexed
Mar 2 11:03:32 mailserver dovecot: auth: Debug: ldap(johndoe,127.0.0.1,<EYmiVEsQSgB/AAAB>): result: uidNumber missing
Mar 2 11:03:32 mailserver dovecot: auth: Debug: master out: USER#0111283457025#011johndoe
Mar 2 11:03:32 mailserver dovecot: imap-login: Login: user=<johndoe>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=7450, secured, session=<EYmiVEsQSgB/AAAB>
Mar 2 11:03:32 mailserver dovecot: imap(johndoe): Error: user johndoe: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Mar 2 11:03:32 mailserver dovecot: imap(johndoe): Error: Internal error occurred. Refer to server log for more information.
I am confused about what the line
Mar 2 11:03:32 mailserver dovecot: imap(johndoe): Error: user johndoe: Couldn't drop privileges: User is missing UID (see mail_uid setting)
is trying to tell me.
doveconf -n:
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.8 ext4
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
default_login_user = vmail
disable_plaintext_auth = no
first_valid_gid = 2222
first_valid_uid = 2222
listen = *
mail_access_groups = vmail
mail_debug = yes
mail_location = maildir:/var/vmail/%n
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
service imap-login {
  process_min_avail = 1
  user = vmail
}
ssl = no
userdb {
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  driver = ldap
}

grep -v '^ *\(#.*\)\?$' dovecot-ldap.conf.ext :
hosts = mailserver.[domainname].de
debug_level = 0
auth_bind = yes
auth_bind_userdn = cn=%u,ou=People,dc=[domainname],dc=de
base = ou=People,dc=[domainname],dc=de
user_attrs = uidNumber=uid
user_filter = (&(objectClass=inetOrgPerson)(cn=%u))
pass_attrs = userPassword=password
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
iterate_attrs = uid=user
iterate_filter = (objectClass=inetOrgPerson)
2015-02-27 16:00 GMT+01:00 Paolo Cravero <paolo.cravero@csi.it>:
This is the user DN:
cn=Klara Fall,ou=People,dc=[domainname],dc=de
According to your Dovecot configuration
auth_bind_userdn = cn=%u,ou=People,dc=[domainname],dc=de
if you log in with "klarafall" it will be expanded into
cn=klarafall,ou=People,dc=[domainname],dc=de
which is not the correct DN for Mrs Klara.
So if you log in with "Klara Fall" it should work, but that will probably mess up things on the Dovecot filesystem.
I am strongly against setting a static DN when dealing with LDAP authentication. LDAP servers are optimized to serve search requests, so let yours do the job. Allow Dovecot to look up the correct DN based on the attribute you supply (uid) and then authenticate.
This should be achieved if you comment out the auth_bind_userdn line.
Paolo Cravero
On Monday 02 March 2015 11:14:03 David Scheele wrote:
Ok I played around a bit and activated debugging correctly (Thanks to Steffen)
Now I try to log in with the user johndoe (that is his cn and his uid) and I get the following message in syslog:
Mar 2 11:03:32 mailserver dovecot: auth: Debug: master in: REQUEST#0111283457025#0117428#0111#011d139b5d372d882643bc995003c615c89
Mar 2 11:03:32 mailserver dovecot: auth: Debug: ldap(johndoe,127.0.0.1,<EYmiVEsQSgB/AAAB>): user search: base=ou=People,dc=[domainname],dc=de scope=subtree filter=(&(objectClass=inetOrgPerson)(cn=johndoe)) fields=uidNumber
Mar 2 11:03:32 mailserver slapd[2465]: <= bdb_equality_candidates: (cn) not indexed
Mar 2 11:03:32 mailserver dovecot: auth: Debug: ldap(johndoe,127.0.0.1,<EYmiVEsQSgB/AAAB>): result: uidNumber missing
There are two strategies: put the uid of each user in LDAP, or use the same uid for all accounts. For the second choice, you need to put something like
mail_uid = 10000
mail_gid = 10000
in 10-mail.conf. This user needs some rights on the Dovecot storage folder.
When using the first choice, you will need a mechanism to generate those uids (this should be implemented in the LDAP management tool).
Mar 2 11:03:32 mailserver dovecot: auth: Debug: master out: USER#0111283457025#011johndoe
Mar 2 11:03:32 mailserver dovecot: imap-login: Login: user=<johndoe>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=7450, secured, session=<EYmiVEsQSgB/AAAB>
Mar 2 11:03:32 mailserver dovecot: imap(johndoe): Error: user johndoe: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Mar 2 11:03:32 mailserver dovecot: imap(johndoe): Error: Internal error occurred. Refer to server log for more information.
I am confused about what the line
Mar 2 11:03:32 mailserver dovecot: imap(johndoe): Error: user johndoe: Couldn't drop privileges: User is missing UID (see mail_uid setting)
is trying to tell me.
doveconf -n:
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.8 ext4
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
default_login_user = vmail
disable_plaintext_auth = no
first_valid_gid = 2222
first_valid_uid = 2222
listen = *
mail_access_groups = vmail
mail_debug = yes
mail_location = maildir:/var/vmail/%n
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
service imap-login {
  process_min_avail = 1
  user = vmail
}
ssl = no
userdb {
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  driver = ldap
}

grep -v '^ *\(#.*\)\?$' dovecot-ldap.conf.ext :
hosts = mailserver.[domainname].de
debug_level = 0
auth_bind = yes
auth_bind_userdn = cn=%u,ou=People,dc=[domainname],dc=de
base = ou=People,dc=[domainname],dc=de
user_attrs = uidNumber=uid
user_filter = (&(objectClass=inetOrgPerson)(cn=%u))
pass_attrs = userPassword=password
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
iterate_attrs = uid=user
iterate_filter = (objectClass=inetOrgPerson)
Mihai Bădici http://mihai.badici.ro
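The following is an added example, not code from the thread or from Dovecot: a small Python model of the two lookups Dovecot's LDAP driver performs (passdb, then userdb), run against a constructed in-memory directory that mirrors the thread (an entry whose cn is "Klara Fall" and whose uid is "klarafall", and a "johndoe" entry with no uidNumber). It shows Paolo's point, that a templated auth_bind_userdn only works when the login name equals the cn and then leaks the display name into the maildir path, and Mihai's point, that an entry without uidNumber fails unless mail_uid supplies a static uid. The first_valid_uid check comes from the posted doveconf output. The domain dc=example,dc=de, the passwords and the uidNumber values are assumptions, the filter evaluator only understands AND-of-equality filters, and the escaping functions are the model's own (RFC 4515 / RFC 4514), included to show why a login name such as "*)(uid=*" must not reach a filter unescaped.

```python
"""Model of Dovecot's LDAP passdb/userdb steps (added example, not Dovecot code)."""
import re

BASE = "ou=People,dc=example,dc=de"   # assumed domain

# Constructed directory: DN -> attributes (single-valued for simplicity).
DIRECTORY = {
    f"cn=Klara Fall,{BASE}": {"objectClass": "inetOrgPerson", "cn": "Klara Fall",
                               "uid": "klarafall", "uidNumber": "2223",
                               "userPassword": "klara-pw"},
    f"cn=johndoe,{BASE}": {"objectClass": "inetOrgPerson", "cn": "johndoe",
                            "uid": "johndoe", "userPassword": "john-pw"},  # no uidNumber
}

# Settings as posted in the thread: templated bind DN, userdb lookup by cn.
THREAD_CFG = {
    "auth_bind_userdn": f"cn=%u,{BASE}",
    "base": BASE,
    "pass_filter": "(&(objectClass=inetOrgPerson)(uid=%u))",
    "user_filter": "(&(objectClass=inetOrgPerson)(cn=%u))",
    "user_attrs": "uidNumber=uid",
    "mail_location": "maildir:/var/vmail/%n",
    "first_valid_uid": 2222,
    "mail_uid": None,
}
# Paolo's and Mihai's suggestions combined: search for the DN instead of
# templating it, look the user up by uid, and give uidNumber-less entries
# a static mail_uid (2222 is an assumed value matching first_valid_uid).
FIXED_CFG = dict(THREAD_CFG, auth_bind_userdn=None, mail_uid=2222,
                 user_filter="(&(objectClass=inetOrgPerson)(uid=%u))")


def filter_escape(value):
    """RFC 4515: hex-escape characters that would alter a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def filter_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def dn_escape(value):
    """RFC 4514: escape characters that would alter an RDN value."""
    out = "".join(f"\\{c}" if c in ',+"\\<>;=' else c for c in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def search(base, filter_str):
    """Evaluate an (&(attr=value)...) or (attr=value) filter under base."""
    conds = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", filter_str)
    if not conds:
        raise ValueError(f"unsupported filter: {filter_str}")
    return [(dn, e) for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and all(e.get(a, "").lower() == filter_unescape(v).lower() for a, v in conds)]


def bind(dn, password):
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def passdb(cfg, user, password):
    """Authenticate: bind to a templated DN, or find the DN via pass_filter first."""
    if cfg["auth_bind_userdn"]:
        dn = cfg["auth_bind_userdn"].replace("%u", dn_escape(user))
        if not bind(dn, password):
            return {"ok": False, "error": f"bind as {dn} failed (no such DN or wrong password)"}
        return {"ok": True, "dn": dn}
    hits = search(cfg["base"], cfg["pass_filter"].replace("%u", filter_escape(user)))
    if len(hits) != 1:
        return {"ok": False, "error": f"pass_filter matched {len(hits)} entries"}
    dn = hits[0][0]
    if not bind(dn, password):
        return {"ok": False, "error": f"wrong password for {dn}"}
    return {"ok": True, "dn": dn}


def userdb(cfg, user):
    """Fetch what the imap process needs to drop privileges: a uid and a mail path."""
    hits = search(cfg["base"], cfg["user_filter"].replace("%u", filter_escape(user)))
    if len(hits) != 1:
        return {"ok": False, "error": f"user_filter matched {len(hits)} entries"}
    entry = hits[0][1]
    fields = {}
    for mapping in cfg["user_attrs"].split(","):
        ldap_attr, dovecot_field = mapping.split("=")
        if ldap_attr in entry:
            fields[dovecot_field] = entry[ldap_attr]
    uid = fields.get("uid") or cfg["mail_uid"]
    if uid is None:   # the condition behind the error in the thread's log
        return {"ok": False, "error": "User is missing UID (see mail_uid setting)"}
    if int(uid) < cfg["first_valid_uid"]:
        return {"ok": False, "error": f"uid {uid} below first_valid_uid"}
    # %n is the login name up to any '@'; with the cn-as-login approach the
    # display name, space included, ends up in the maildir path.
    return {"ok": True, "uid": int(uid),
            "mail": cfg["mail_location"].replace("%n", user.split("@")[0])}


def login(cfg, user, password):
    """Model one IMAP login: passdb first, then userdb."""
    p = passdb(cfg, user, password)
    if not p["ok"]:
        return p
    u = userdb(cfg, user)
    return u if not u["ok"] else {"ok": True, "dn": p["dn"], "uid": u["uid"], "mail": u["mail"]}


if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CFG), ("fixed", FIXED_CFG)):
        for user, pw in (("klarafall", "klara-pw"), ("Klara Fall", "klara-pw"),
                         ("johndoe", "john-pw"), ("*)(uid=*", "x")):
            print(f"{name:6} {user!r:14} -> {login(cfg, user, pw)}")
```

Running the module prints one line per (configuration, login) pair: under the thread's settings "klarafall" fails at the bind, "Klara Fall" succeeds but gets maildir:/var/vmail/Klara Fall, and "johndoe" authenticates and then fails in userdb with the exact "missing UID" message from the log; under the corrected settings all three resolve, johndoe receiving the static mail_uid, and the injection-shaped login name matches nothing because it is escaped before being placed in the filter.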