[Dovecot] Re: LDAP authentication via PAM
Luis Meléndez wrote:
Oscar A. Valdez wrote:
I've configured dovecot to authenticate against a Fedora Directory Server. The mail server on which dovecot is installed has the nss_ldap and pam_ldap packages installed, and /etc/dovecot.conf has the following two lines:
auth_userdb = ldap /etc/dovecot-ldap.conf
auth_passdb = pam
...
Is it possible to access the user database through PAM (auth_userdb = pam)? Since I'm running the nss_ldap and pam_ldap modules, it'd really be an LDAP query for users, and a query in /etc/passwd and /etc/group for dovecot (since it's a local user and group on the mail server).
If you are using nss_ldap and have edited /etc/nsswitch.conf accordingly, you should get it done with:
auth_userdb = passwd
It doesn't mean to use /etc/passwd, but the O.S. nss mechanism.
Before trying Luis' suggestion, I had the following in /var/log/messages:
dovecot(pam_unix)[4691]: check pass; user unknown
dovecot(pam_unix)[4691]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
dovecot-auth[4691]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
I suppose the first two entries are the lookup for the dovecot user in the DS, where it doesn't exist. And since I want anonymous binds to the DS, I haven't created file /etc/ldap.secret. Users were able to authenticate and get their mail.
After changing to auth_userdb = passwd, all the messages went away, but the users weren't able to get their mail: Evolution gave me the following error: "Unable to get a valid greeting" from the mailserver.
I went back to auth_userdb = ldap /etc/dovecot-ldap.conf, and then back to auth_userdb = passwd. Users can get their mail, but the messages are back in the log file.
I'd appreciate help in understanding this behavior.
Oscar A. Valdez
Oscar A. Valdez wrote:
Before trying Luis' suggestion, I had the following in /var/log/messages:
dovecot(pam_unix)[4691]: check pass; user unknown
dovecot(pam_unix)[4691]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
dovecot-auth[4691]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
I believe this is because your PAM configuration checks both local files (pam_unix: /etc/passwd) and pam_ldap: LDAP. The pam_unix module can't find the user in the local database, and complains, then LDAP finds the user information, and allows the login/whatever.
The solution is probably to create a /etc/pam.d/system-auth-ldap-only file that doesn't reference pam_unix, and use that pam configuration for network services such as Dovecot.
Or, possibly, check pam_ldap first with a "sufficient" setting; perhaps this will stop pam_unix being tried at all?
I keep meaning to try this, since I'm seeing those messages from a number of network services, but have never gotten around to it!
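The two PAM layouts Stephen describes, written out as an added example; this is not configuration from either message. The file name, module names and the try_first_pass option are assumptions for a Fedora/Red Hat-style Linux-PAM host of that period. Dovecot's pam passdb uses the PAM service name "dovecot" by default, so the stack it consults is /etc/pam.d/dovecot. The auth_userdb = passwd side is separate: it goes through the C library's getpwnam(), which only reaches nss_ldap if /etc/nsswitch.conf carries "passwd: files ldap".

```text
# /etc/pam.d/dovecot   (assumed file name; Dovecot's default PAM service is "dovecot")
#
# Variant A: LDAP-only stack, as in Stephen's first suggestion.
# pam_unix is never loaded, so the "check pass; user unknown" and
# "authentication failure" lines from pam_unix cannot appear.
# Dovecot's pam passdb runs the auth stack and then the account stack.
auth     required   pam_ldap.so
account  required   pam_ldap.so

# --- Variant B (alternative contents for the same file) ---
# Stephen's second suggestion: ask LDAP first, keep pam_unix as a fallback.
# "sufficient" ends the stack as soon as pam_ldap succeeds, so for a
# directory user pam_unix is never reached and logs nothing.
# On an LDAP failure the stack continues into pam_unix, which will still
# log "user unknown" for names that exist only in the directory, so the
# messages are reduced, not eliminated.
# try_first_pass makes pam_unix re-use the password pam_ldap already
# collected instead of asking the application for it again.
auth     sufficient pam_ldap.so
auth     required   pam_unix.so try_first_pass
account  sufficient pam_ldap.so
account  required   pam_unix.so
```

Two checks before relying on either variant. First, keep the local dovecot account out of the picture: the process user that runs dovecot-auth is resolved by the system's NSS and has nothing to do with which PAM modules authenticate mail users, so Variant A does not break the daemon's own lookup of "dovecot" in /etc/passwd. Second, the "could not open secret file /etc/ldap.secret" line comes from pam_ldap's rootbinddn handling: pam_ldap reads that file only when rootbinddn is set in /etc/ldap.conf and the calling process runs with effective UID 0, which the logged "uid=0 euid=0" shows is the case here. If anonymous binds are intended, confirm that no rootbinddn line is active in /etc/ldap.conf rather than creating the secret file.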
participants (2)
- Oscar A. Valdez
- Stephen Warren