[Dovecot] dovecot-1.0.3 & apacheds ldap
I have a problem with dovecot-1.0.3 and the apacheds ldap server. If I change just the uris in dovecot-ldap.conf to point to the fedora-ds server, everything works O.K. I've tried the apacheds ldap server versions 1.0.2 and 1.5.0; a command line search with parameters taken from the dovecot.debug log gives me all needed attributes. Comments and help welcome. Here is my data:
# /opt/dovecot/sbin/dovecot -n
# 1.0.3: /opt/dovecot/etc/dovecot.conf
log_path: /tmp/dovecot.log
info_log_path: /tmp/dovecot.debug
protocols: pop3 pop3s imap imaps
ssl_cert_file: /etc/ssl/parkheights.cert
ssl_key_file: /etc/ssl/parkheights.key
login_dir: /opt/dovecot/var/run/dovecot/login
login_executable(default): /opt/dovecot/libexec/dovecot/imap-login
login_executable(imap): /opt/dovecot/libexec/dovecot/imap-login
login_executable(pop3): /opt/dovecot/libexec/dovecot/pop3-login
mail_extra_groups: mail
mail_location: maildir:/var/spool/imap/%n/.imap
mail_debug: yes
mail_executable(default): /opt/dovecot/libexec/dovecot/imap
mail_executable(imap): /opt/dovecot/libexec/dovecot/imap
mail_executable(pop3): /opt/dovecot/libexec/dovecot/pop3
mail_plugin_dir(default): /opt/dovecot/lib/dovecot/imap
mail_plugin_dir(imap): /opt/dovecot/lib/dovecot/imap
mail_plugin_dir(pop3): /opt/dovecot/lib/dovecot/pop3
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %08Xu%08Xv
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: ldap
    args: /opt/dovecot/etc/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /opt/dovecot/etc/dovecot-ldap.conf
  userdb:
    driver: prefetch
  socket:
    type: listen
    master:
      path: /opt/dovecot/var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail
# grep -v '#' /opt/dovecot/etc/dovecot-ldap.conf |grep -v '^\s*$'
hosts = 192.168.10.43:389
dn = uid=admin,ou=system
dnpass = Ahma3zoc
sasl_bind = no
auth_bind = no
ldap_version = 3
base = ou=people,dc=parkheights,dc=dyndns,dc=org
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%Ln))
pass_attrs = uid=user,gidNumber=userdb_gid,userPassword=password,homeDirectory=userdb_home,uidNumber=userdb_uid
default_pass_scheme = MD5
# tail -5 /tmp/dovecot.debug
dovecot: Aug 03 08:07:10 Info: auth(default): client in: AUTH 1
PLAIN service=IMAP secured lip=127.0.0.1 rip=127.0.0.1
resp=AHNlc(here_also_skipped_something)3N1Pg==
dovecot: Aug 03 08:07:10 Info: auth(default): ldap(seriv,127.0.0.1):
pass search: base=ou=people,dc=parkheights,dc=dyndns,dc=org
scope=subtree filter=(&(objectClass=posixAccount)(uid=seriv))
fields=uid,gidNumber,userPassword,homeDirectory,uidNumber
dovecot: Aug 03 08:07:10 Info: auth(default): ldap(seriv,127.0.0.1):
result: uid(user)=seriv gidnumber(?unknown?)= userpassword(?unknown?)=
homedirectory(?unknown?)= uidnumber(?unknown?)=
dovecot: Aug 03 08:07:12 Info: auth(default): client out: FAIL 1
user=seriv temp
dovecot: Aug 03 08:10:10 Info: imap-login: Disconnected: Inactivity:
user=<seriv>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
# tail -3 /tmp/dovecot.log
dovecot: Aug 03 08:06:53 Warning: auth(default): Killed with signal 15
dovecot: Aug 03 08:06:53 Warning: Killed with signal 15
dovecot: Aug 03 08:07:10 Error: auth(default): ldap(seriv,127.0.0.1): No
password in reply
--- here is the snippet from apacheds debug log: ---
message Id : 2
Search Request
Base Object : 'ou=people,dc=parkheights,dc=dyndns,dc=org'
Scope : whole subtree
Deref Aliases : never Deref Aliases
Size Limit : no limit
Time Limit : no limit
Types Only : false
Filter : '(&(objectClass=posixAccount)(uid=seriv))'
Attributes : gidNumber, uid, userPassword, homeDirectory, uidNumber
baseDn : 'ou=people,dc=parkheights,dc=dyndns,dc=org'
filter : '(& (objectClass=posixAccount) (uid=seriv) ) '
scope : whole subtree
typesOnly : false
no limit
Time Limit : no limit
Deref Aliases : never Deref Aliases
attributes : 'gidNumber', 'uid', 'userPassword', 'homeDirectory', 'uidNumber'
message Id : 2
Search Result Entry
Object Name : 'uid=seriv,ou=people,dc=parkheights,dc=dyndns,dc=org'
Attributes
Attributes
Attribute id : 'uid', Values : ['seriv']
Attribute id : 'gidnumber', Values : ['1927']
Attribute id : 'userpassword', Values : [0x7B 0x4D ...
(skipped some bytes here) ... 0x3D 0x3D ]
Attribute id : 'homedirectory', Values : ['/var/spool/imap/seriv']
Attribute id : 'uidnumber', Values : ['1001']
On Fri, 2007-08-03 at 08:22 -0400, sergey ivanov wrote:
dovecot: Aug 03 08:07:10 Info: auth(default): ldap(seriv,127.0.0.1): pass search: base=ou=people,dc=parkheights,dc=dyndns,dc=org scope=subtree filter=(&(objectClass=posixAccount)(uid=seriv)) fields=uid,gidNumber,userPassword,homeDirectory,uidNumber
dovecot: Aug 03 08:07:10 Info: auth(default): ldap(seriv,127.0.0.1): result: uid(user)=seriv gidnumber(?unknown?)= userpassword(?unknown?)= homedirectory(?unknown?)= uidnumber(?unknown?)=
Looks like Dovecot found only the "uid" field. Perhaps it would also be helpful if it reported whether there were any extra fields it didn't recognize.
Attribute id : 'gidnumber', Values : ['1927']
Attribute id : 'userpassword', Values : [0x7B 0x4D ...
(skipped some bytes here) ... 0x3D 0x3D ]
Attribute id : 'homedirectory', Values : ['/var/spool/imap/seriv']
Attribute id : 'uidnumber', Values : ['1001']
Could it be that you need to use all lowercase letters, like gidnumber instead of gidNumber? I didn't think LDAP attributes were case-insensitive.
Timo Sirainen wrote:
On Fri, 2007-08-03 at 08:22 -0400, sergey ivanov wrote:
dovecot: Aug 03 08:07:10 Info: auth(default): ldap(seriv,127.0.0.1): pass search: base=ou=people,dc=parkheights,dc=dyndns,dc=org scope=subtree filter=(&(objectClass=posixAccount)(uid=seriv)) fields=uid,gidNumber,userPassword,homeDirectory,uidNumber
dovecot: Aug 03 08:07:10 Info: auth(default): ldap(seriv,127.0.0.1): result: uid(user)=seriv gidnumber(?unknown?)= userpassword(?unknown?)= homedirectory(?unknown?)= uidnumber(?unknown?)=
Looks like Dovecot found only the "uid" field. Perhaps it would also be helpful if it reported whether there were any extra fields it didn't recognize.
Attribute id : 'gidnumber', Values : ['1927']
Attribute id : 'userpassword', Values : [0x7B 0x4D ...
(skipped some bytes here) ... 0x3D 0x3D ]
Attribute id : 'homedirectory', Values : ['/var/spool/imap/seriv']
Attribute id : 'uidnumber', Values : ['1001']
Could it be that you need to use all lowercase letters, like gidnumber instead of gidNumber? I didn't think LDAP attributes were case-insensitive.
You are right. It's very strange, but when I changed gidNumber, uidNumber, userPassword and homeDirectory to all lowercase, dovecot successfully authorizes against the apacheds ldap server. Thanks.
Sergey.
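The attribute-name mismatch resolved above, as an added example that is neither Sergey's configuration nor Dovecot's own code: it models how a passdb that compares names byte-for-byte maps the pass_attrs list onto the attribute ids a server returns, reproducing the "?unknown?" fields and the "No password in reply" error from the debug log. LDAP defines attribute type names as case-insensitive, so the case_sensitive=False branch is the comparison a client should make; the entries and the hash value are constructed.

```python
# Added example (not Dovecot's or Sergey's code): models how the 1.0.3 ldap
# passdb matched pass_attrs names against the attribute ids a server returned,
# reproducing the "?unknown?" fields and "No password in reply" in the thread.

# pass_attrs exactly as in the dovecot-ldap.conf posted in the thread
PASS_ATTRS = ("uid=user,gidNumber=userdb_gid,userPassword=password,"
              "homeDirectory=userdb_home,uidNumber=userdb_uid")
# the all-lowercase variant Sergey switched to
PASS_ATTRS_LOWER = ("uid=user,gidnumber=userdb_gid,userpassword=password,"
                    "homedirectory=userdb_home,uidnumber=userdb_uid")
# Constructed entry shaped like the ApacheDS "Search Result Entry" in the
# thread: attribute ids come back lowercased. The hash is a placeholder.
APACHEDS_ENTRY = {
    "uid": ["seriv"],
    "gidnumber": ["1927"],
    "userpassword": ["{MD5}PLACEHOLDER-HASH=="],
    "homedirectory": ["/var/spool/imap/seriv"],
    "uidnumber": ["1001"],
}
# Constructed entry from a server that echoes ids in the requested case,
# which is why the same config worked unchanged against Fedora DS.
MIXEDCASE_ENTRY = {
    "uid": ["seriv"],
    "gidNumber": ["1927"],
    "userPassword": ["{MD5}PLACEHOLDER-HASH=="],
    "homeDirectory": ["/var/spool/imap/seriv"],
    "uidNumber": ["1001"],
}

def parse_pass_attrs(spec):
    """Split 'ldapAttr=dovecotField,...' into (attr, field) pairs."""
    return [tuple(item.split("=", 1)) for item in spec.split(",")]

def map_result(entry, spec, case_sensitive=True):
    """Match returned attributes against pass_attrs. Returns (fields, tokens):
    fields is {dovecot_field: value}; tokens mirror the 'attr(field)=value'
    form of Dovecot's debug log, '?unknown?' where no configured name matched.
    case_sensitive=False compares the way LDAP defines attribute names."""
    mapping = parse_pass_attrs(spec)
    fields, tokens = {}, []
    for attr, values in entry.items():
        field = next((f for a, f in mapping if a == attr
                      or (not case_sensitive and a.lower() == attr.lower())),
                     None)
        if field is None:
            tokens.append(f"{attr}(?unknown?)=")
            continue
        fields[field] = values[0]
        tokens.append(f"{attr}({field})={values[0]}")
    return fields, tokens

def passdb_outcome(fields):
    """The error Dovecot logged when no 'password' field was mapped."""
    return "ok" if "password" in fields else "No password in reply"
```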
Hello.
I've been running 1.0.3 on RedHat for some time; a few days ago I also upgraded 1.0.0 to 1.0.3 on a Debian Sarge 64-bit machine.
But now the message log runs like crazy (about 10 GB since yesterday evening) with errors like these:
Aug 30 05:57:09 stan dovecot: auth(default): pam(user1,172.18.1.25): PAM child process 1266 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user2,172.18.18.44): PAM child process 15323 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user3,172.18.18.33): PAM child process 29381 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user3,172.18.18.107): PAM child process 15325 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user4,172.18.18.97): PAM child process 1269 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user5,192.168.190.53): PAM child process 15326 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user6,172.18.18.33): PAM child process 29383 timed out, killing it
What's wrong? It's compiled from source, with the same options as always.
-- Mart
Hello.
Second time: does anybody have any idea what is wrong? By the way, I downgraded to 1.0.2 and am getting the same errors from time to time:
I've been running 1.0.3 on RedHat for some time; a few days ago I also upgraded 1.0.0 to 1.0.3 on a Debian Sarge 64-bit machine.
But now the message log runs like crazy (about 10 GB since yesterday evening) with errors like these:
Aug 30 05:57:09 stan dovecot: auth(default): pam(user1,172.18.1.25): PAM child process 1266 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user2,172.18.18.44): PAM child process 15323 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user3,172.18.18.33): PAM child process 29381 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user3,172.18.18.107): PAM child process 15325 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user4,172.18.18.97): PAM child process 1269 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user5,192.168.190.53): PAM child process 15326 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user6,172.18.18.33): PAM child process 29383 timed out, killing it
What's wrong? It's compiled from source, with the same options as always.
-- Mart
On 2007-09-03 11:21:43 +0300, Mart Pirita wrote:
Second time: does anybody have any idea what is wrong? By the way, I downgraded to 1.0.2 and am getting the same errors from time to time:
I've been running 1.0.3 on RedHat for some time; a few days ago I also upgraded 1.0.0 to 1.0.3 on a Debian Sarge 64-bit machine.
But now the message log runs like crazy (about 10 GB since yesterday evening) with errors like these:
Aug 30 05:57:09 stan dovecot: auth(default): pam(user1,172.18.1.25): PAM child process 1266 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user2,172.18.18.44): PAM child process 15323 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user3,172.18.18.33): PAM child process 29381 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user3,172.18.18.107): PAM child process 15325 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user4,172.18.18.97): PAM child process 1269 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user5,192.168.190.53): PAM child process 15326 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user6,172.18.18.33): PAM child process 29383 timed out, killing it
What's wrong? It's compiled from source, with the same options as always.
Can you tell us more about your config? What backends are you using?
darix
-- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org
Hello.
Can you tell us more about your config? What backends are you using?
Debian Sarge, 64-bit, reiser, dovecot -a:
# 1.0.2: /etc/dovecot.conf
base_dir: /var/run/dovecot/
log_path:
info_log_path:
log_timestamp: %b %d %H:%M:%S
syslog_facility: mail
protocols: imap imaps pop3 pop3s
listen: *
ssl_listen:
ssl_disable: no
ssl_ca_file:
ssl_cert_file: /etc/ssl/certs/dovecot.pem
ssl_key_file: /etc/ssl/private/dovecot.pem
ssl_key_password:
ssl_parameters_regenerate: 168
ssl_cipher_list:
ssl_verify_client_cert: no
disable_plaintext_auth: no
verbose_ssl: no
shutdown_clients: no
nfs_check: yes
version_ignore: no
login_dir: /var/run/dovecot//login
login_executable(default): /usr/local/dovecot/libexec/dovecot/imap-login
login_executable(imap): /usr/local/dovecot/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/dovecot/libexec/dovecot/pop3-login
login_user: dovecot
login_greeting: Dovecot ready.
login_log_format_elements: %u %r %m %c
login_log_format: %$: %s
login_process_per_connection: yes
login_chroot: yes
login_greeting_capability: no
login_process_size: 64
login_processes_count: 15
login_max_processes_count: 384
login_max_connections: 256
valid_chroot_dirs:
mail_chroot:
max_mail_processes: 3072
verbose_proctitle: yes
first_valid_uid: 500
last_valid_uid: 0
first_valid_gid: 1
last_valid_gid: 0
mail_extra_groups: mail
default_mail_env: maildir:%h/Maildir:INDEX=/var/spool/dovecot/index/%u:CONTROL=/var/spool/dovecot/co
mail_location: maildir:%h/Maildir:INDEX=/var/spool/dovecot/index/%u:CONTROL=/var/spool/dovecot/contr
mail_cache_fields: flags
mail_never_cache_fields: imap.envelope
mail_cache_min_mail_count: 0
mailbox_idle_check_interval: 30
mail_debug: no
mail_full_filesystem_access: no
mail_max_keyword_length: 50
mail_save_crlf: no
mail_read_mmaped: no
mmap_disable: no
mmap_no_write: no
dotlock_use_excl: no
fsync_disable: no
lock_method: fcntl
maildir_stat_dirs: no
maildir_copy_with_hardlinks: yes
maildir_copy_preserve_filename: no
mbox_read_locks: fcntl
mbox_write_locks: dotlock fcntl
mbox_lock_timeout: 180
mbox_dotlock_change_timeout: 180
mbox_min_index_size: 0
mbox_dirty_syncs: yes
mbox_very_dirty_syncs: no
mbox_lazy_writes: yes
dbox_rotate_size: 2048
dbox_rotate_min_size: 16
dbox_rotate_days: 1
umask: 63
mail_drop_priv_before_exec: no
mail_executable(default): /usr/local/dovecot/libexec/dovecot/imap
mail_executable(imap): /usr/local/dovecot/libexec/dovecot/imap
mail_executable(pop3): /usr/local/dovecot/libexec/dovecot/pop3
mail_process_size: 256
mail_plugins:
mail_plugin_dir(default): /usr/local/dovecot/modules/imap
mail_plugin_dir(imap): /usr/local/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/local/dovecot/modules/pop3
mail_log_prefix: %Us(%u):
mail_log_max_lines_per_sec: 10
imap_max_line_length: 65536
imap_capability:
imap_client_workarounds(default): outlook-idle netscape-eoh tb-extra-mailbox-sep delay-newmail
imap_client_workarounds(imap): outlook-idle netscape-eoh tb-extra-mailbox-sep delay-newmail
imap_client_workarounds(pop3): outlook-idle
pop3_no_flag_updates: no
pop3_enable_last: no
pop3_reuse_xuidl: no
pop3_lock_session: no
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %08Xu%08Xv
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_logout_format(default): top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_logout_format(imap): top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_logout_format(pop3): retr=%r/%R, del=%d/%m, size=%s
auth default:
  mechanisms: plain
  realms:
  default_realm:
  cache_size: 0
  cache_ttl: 3600
  executable: /usr/local/dovecot/libexec/dovecot/dovecot-auth
  user: root
  chroot:
  username_chars: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
  username_translation:
  username_format:
  master_user_separator:
  anonymous_username: anonymous
  krb5_keytab:
  gssapi_hostname:
  verbose: yes
  debug: no
  debug_passwords: no
  ssl_require_client_cert: no
  ssl_username_from_cert: no
  count: 1
  worker_max_count: 90
  process_size: 512
  passdb:
    driver: pam
    args:
    deny: no
    pass: no
    master: no
  userdb:
    driver: passwd
    args:
-- Mart
On Mon, 2007-09-03 at 11:21 +0300, Mart Pirita wrote:
Aug 30 05:57:09 stan dovecot: auth(default): pam(user1,172.18.1.25): PAM child process 1266 timed out, killing it
Your PAM modules are getting stuck. Probably has nothing to do with Dovecot itself.
What userdb do you use? You could try adding blocking=yes to passdb pam's args or if you're using userdb passwd add blocking=yes to its args.
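The PAM timeouts discussed above, as an added example that is not from the thread or from Dovecot: a small parser and rate check over log lines constructed to match Mart's, so a wedged PAM backend shows up as a per-second and per-source count rather than as a 10 GB log file. The sample log, the extra non-matching line and the threshold are assumptions.

```python
# Added example, not from the thread or from Dovecot: parses the
# "PAM child process ... timed out, killing it" lines Mart posted and
# summarises them so a runaway auth log can be spotted and rate-checked.
import re
from collections import Counter

# Constructed sample modelled on the lines in the thread, plus one
# unrelated line to show that non-matching entries are skipped.
SAMPLE_LOG = """\
Aug 30 05:57:09 stan dovecot: auth(default): pam(user1,172.18.1.25): PAM child process 1266 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user2,172.18.18.44): PAM child process 15323 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user3,172.18.18.33): PAM child process 29381 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user3,172.18.18.107): PAM child process 15325 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user4,172.18.18.97): PAM child process 1269 timed out, killing it
Aug 30 05:57:09 stan dovecot: imap-login: Disconnected: Inactivity: user=<user9>, method=PLAIN, rip=172.18.18.5, lip=172.18.1.1
Aug 30 05:57:09 stan dovecot: auth(default): pam(user5,192.168.190.53): PAM child process 15326 timed out, killing it
Aug 30 05:57:09 stan dovecot: auth(default): pam(user6,172.18.18.33): PAM child process 29383 timed out, killing it
"""

PAM_TIMEOUT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: "
    r"auth\([^)]+\): pam\((?P<user>[^,]+),(?P<rip>[^)]+)\): "
    r"PAM child process (?P<pid>\d+) timed out, killing it$")

def parse_pam_timeouts(text):
    """One dict per timeout line (ts, host, user, rip, pid); others skipped."""
    return [m.groupdict() for m in map(PAM_TIMEOUT.match, text.splitlines()) if m]

def summarise(events):
    """Where the timeouts cluster: per second, per remote IP, per user."""
    return {
        "per_second": Counter(e["ts"] for e in events),
        "per_rip": Counter(e["rip"] for e in events),
        "per_user": Counter(e["user"] for e in events),
        "killed_pids": sorted(int(e["pid"]) for e in events),
    }

def storm(events, per_second_limit=5):
    """True when any one second carries more timeouts than the limit: the
    signature of a wedged PAM backend rather than an occasional slow login."""
    per_second = Counter(e["ts"] for e in events)
    return bool(per_second) and max(per_second.values()) > per_second_limit
```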
Hello.
Your PAM modules are getting stuck. Probably has nothing to do with Dovecot itself.
But I haven't changed/installed/upgraded anything but Dovecot. And version 1.0.3 gives errors like crazy, 1.0.2 from time to time, and older versions none? It seems something in the new Dovecot versions drives PAM crazy.
What userdb do you use?
Hmm, passwd, dovecot -n:
auth default:
  verbose: yes
  worker_max_count: 90
  process_size: 512
  passdb:
    driver: pam
  userdb:
    driver: passwd
You could try adding blocking=yes to passdb pam's args or if you're using userdb passwd add blocking=yes to its args.
So either passdb or userdb, but not to both?
-- Mart
On 9.9.2007, at 11.00, Mart Pirita wrote:
Your PAM modules are getting stuck. Probably has nothing to do with Dovecot itself.
But I haven't change/install/upgrade anything, but the Dovecot. And
version 1.0.3 gives errors like crazy, 1.0.2 from time to time and
older versions none? Seems something in new Dovecot versions drives
PAM crazy.
The only changes to dovecot-auth between 1.0.2 and 1.0.3 were for
LDAP code, which you aren't using. So I think the problem has more to
do with the binary getting compiled a bit differently, causing random
problems in a buggy PAM module.
What userdb do you use?
Hmm, passwd, dovecot -n:
auth default:
  verbose: yes
  worker_max_count: 90
  process_size: 512
  passdb:
    driver: pam
  userdb:
    driver: passwd
So where do PAM and passwd do the lookups from? If you're using
pam_ldap+nss_ldap you really need the blocking=yes for them to work
right.
You could try adding blocking=yes to passdb pam's args or if you're using userdb passwd add blocking=yes to its args.
So either passdb or userdb, but not to both?
Or both. If you're doing LDAP or other remote lookups it's a good
idea to set it to both.
Hello.
The only changes to dovecot-auth between 1.0.2 and 1.0.3 were for LDAP code, which you aren't using. So I think the problem has more to do with the binary getting compiled a bit differently, causing random problems in a buggy PAM module.
Ok.
So where do PAM and passwd do the lookups from?
Lookups, hmm, do you mean where passwords are defined and stored? I'm using system accounts, /etc/passwd, /etc/shadow etc.
If you're using pam_ldap+nss_ldap you really need the blocking=yes for them to work right.
I'm not using LDAP.
Or both. If you're doing LDAP or other remote lookups it's a good idea to set it to both.
Ok, tomorrow I'll try version 1.0.4 with blocking=yes in passdb: and userdb:
-- Mart
Hello.
I tried searching, no luck; does Dovecot include push imap/imap notify support?
-- Mart
participants (4)
- Marcus Rueckert
- Mart Pirita
- sergey ivanov
- Timo Sirainen