Hello, I'm testing a Dovecot system (proxy with director) and backend storage, with auth against an LDAP server (user plain passwords).
If I use plain auth, it works fine.
If I connect with DIGEST-MD5 or CRAM-MD5, the proxy does not redirect the connection (Requested DIGEST-MD5 scheme, but we have a NULL password).
### Frontend proxy+director
```
# dovecot -n
# 2.2.19: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.2-RELEASE amd64
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login digest-md5 cram-md5
auth_username_format = %Ln
auth_verbose = yes
base_dir = /var/run/dovecot-proxy/
director_doveadm_port = 12347
director_mail_servers = 192.168.1.3
director_servers = 192.168.1.2
disable_plaintext_auth = no
doveadm_port = 12347
first_valid_gid = 0
first_valid_uid = 1000
instance_name = proxy
last_valid_gid = 6000
last_valid_uid = 6000
listen = 192.168.1.2
lmtp_proxy = yes
mail_location = mbox:~/:INBOX=/var/mail/%u
passdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
passdb {
  args = scheme=SSHA /etc/dovecot/passwd.masterusers
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  driver = pam
}
protocols = imap lmtp
service director {
  fifo_listener login/proxy-notify {
    mode = 0600
  }
  inet_listener {
    port = 9090
  }
  unix_listener director-userdb {
    mode = 0600
  }
  unix_listener login/director {
    mode = 0666
  }
}
service doveadm {
  inet_listener {
    port = 12347
  }
}
service imap-login {
  executable = imap-login director
}
service ipc {
  unix_listener ipc {
    user = dovecot
  }
}
service lmtp {
  client_limit = 5
  executable = lmtp
  idle_kill = 0
  inet_listener lmtp {
    address = 192.168.1.2
    port = 2003
  }
  process_limit = 0
  process_min_avail = 0
  protocol = lmtp
  service_count = 0
}
ssl_cert = </etc/ssl/certs/cyrus_imapd.pem
ssl_key = </etc/ssl/certs/cyrus_imapd.pem
userdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
userdb {
  driver = passwd
}
userdb {
  driver = passwd
}
verbose_proctitle = yes
protocol lmtp {
  auth_socket_path = director-userdb
}
protocol doveadm {
  auth_socket_path = director-userdb
}
local 192.168.1.2/24 {
  doveadm_password = # hidden, use -P to show it
}
```
```
# cat /usr/local/etc/dovecot/dovecot-ldap.conf
uris = ldaps://192.168.1.2:636
# allow self-signed cert (do not drop the connection if the cert is not valid)
tls_ca_cert_dir = /home/user/openldap/
tls_ca_cert_file = /home/user/openldap/ca-slapd-serv.crt
tls_require_cert = allow
dn = cn=dovecot,ou=accounts,dc=host,dc=ru
dnpass = CycsonfeavaidOr
ldap_version = 3
#auth_bind = no
base = ou=accounts,dc=host,dc=ru
deref = never
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid,mailDirectory=mail,description=proxy,ipHostNumber=host,=nopassword=y,=starttls=any-cert
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,=password=,description=proxy,ipHostNumber=host,=nopassword=y,=starttls=any-cert
pass_filter = (&(objectClass=posixAccount)(uid=%u))
# needed for CRAM-MD5 to work
default_pass_scheme = CLEARTEXT
```
### Backend
```
# dovecot -n
# 2.2.19: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.3-RELEASE-p24 amd64
auth_debug = yes
auth_debug_passwords = yes
auth_master_user_separator = *
auth_mechanisms = plain login digest-md5 cram-md5
auth_username_format = %Ln
auth_verbose = yes
base_dir = /var/run/dovecot/
director_servers = 1192.168.1.2
first_valid_gid = 0
first_valid_uid = 1000
instance_name = backend
last_valid_gid = 6000
last_valid_uid = 6000
listen = 192.168.1.3
mail_location = mbox:~/:INBOX=/var/mail/%u
passdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
passdb {
  args = scheme=SSHA /etc/dovecot/passwd.masterusers
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  driver = pam
}
protocols = imap lmtp
service doveadm {
  inet_listener {
    port = 12347
  }
}
service lmtp {
  client_limit = 1
  executable = lmtp -L
  idle_kill = 0
  inet_listener lmtp {
    address = 192.168.1.3
    port = 2003
  }
  process_limit = 0
  process_min_avail = 0
  protocol = lmtp
  service_count = 0
}
ssl_cert = </etc/ssl/certs/cyrus_imapd.pem
ssl_key = </etc/ssl/certs/cyrus_imapd.pem
userdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
userdb {
  driver = passwd
}
userdb {
  driver = passwd
}
valid_chroot_dirs = /var/dovecot
verbose_proctitle = yes
local 192.168.1.2/24 {
  doveadm_password = # hidden, use -P to show it
}
```
```
# cat /usr/local/etc/dovecot/dovecot-ldap.conf
uris = ldaps://192.168.1.2:636
# allow self-signed cert (do not drop the connection if the cert is not valid)
tls_ca_cert_dir = /home/user/openldap/
tls_ca_cert_file = /home/user/openldap/ca-slapd-serv.crt
tls_require_cert = allow
ldaprc_path = /usr/local/etc/openldap/ldap.conf
dn = cn=dovecot,ou=accounts,dc=host,dc=ru
dnpass = CycsonfeavaidOr
ldap_version = 3
base = ou=accounts,dc=host,dc=ru
deref = never
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid,mailDirectory=mail
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,clearPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = CLEARTEXT
```
### Tests
```
Oct 27 18:15:40 imtest -v -u usertest -a usertest 192.168.1.2 (success)
Oct 27 18:16:30 imtest -m DIGEST-MD5 -v -u usertest -a usertest 192.168.1.2 (fail)
```
### Logs
Proxy (fbsd10):
```
Oct 27 18:15:26 fbsd10 dovecot: master: Warning: Killed with signal 15 (by pid=67306 uid=0 code=kill)
Oct 27 18:15:27 fbsd10 dovecot: master: Dovecot v2.2.19 starting up for imap, lmtp
Oct 27 18:15:40 fbsd10 dovecot: imap-login: proxy(usertest): started proxying to 192.168.1.3:143: user=<usertest>, method=PLAIN, rip=192.168.1.3, lip=192.168.1.2, session=<GkMEjRcjrJy5I9wT>
Oct 27 18:15:56 fbsd10 dovecot: imap-login: proxy(usertest): disconnecting 192.168.1.3 (Disconnected by server): user=<usertest>, method=PLAIN, rip=192.168.1.3, lip=192.168.1.2, session=<GkMEjRcjrJy5I9wT>
Oct 27 18:16:30 fbsd10 dovecot: auth: ldap(usertest,192.168.1.3,<q+lLjxcjfvG5I9wT>): Requested DIGEST-MD5 scheme, but we have a NULL password
Oct 27 18:16:36 fbsd10 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 18 secs): user=<usertest>, method=DIGEST-MD5, rip=192.168.1.3, lip=192.168.1.2, session=<q+lLjxcjfvG5I9wT>
```
Backend (fbsd9):
```
Oct 27 18:15:40 fbsd9 dovecot: imap-login: Login: user=<usertest>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.3, mpid=62534, TLS, session=<IpIGjRcjX/25I9wo>
Oct 27 18:15:56 fbsd9 dovecot: imap(usertest): Disconnected: Logged out in=8 out=383
```
On 27 Oct 2015, at 17:43, Andrey Fesenko <f0andrey@gmail.com> wrote:
> Hello, I'm testing a Dovecot system (proxy with director) and backend storage, with auth against an LDAP server (user plain passwords).
> If I use plain auth, it works fine.
> If I connect with DIGEST-MD5 or CRAM-MD5, the proxy does not redirect the connection (Requested DIGEST-MD5 scheme, but we have a NULL password).
> ### Frontend proxy+director
> ..
> passdb { args = /usr/local/etc/dovecot/dovecot-ldap.conf driver = ldap }
So LDAP is the primary way of authenticating.
> pass_attrs = uid=user,=password=,description=proxy,ipHostNumber=host,=nopassword=y,=starttls=any-cert

But you set password to empty and nopassword=yes. CRAM-MD5 and DIGEST-MD5 authentication requires that the server already knows the password. The only way to make it work is to have the proxy actually fully authenticate the user and then log in to the Dovecot backend with a master password.
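The reason a challenge-response mechanism cannot be proxied without a known password, shown with CRAM-MD5 (the simpler of the two mechanisms in the thread). This is an added illustration, not code from the thread or from Dovecot; the challenge, user and password values are constructed, and the master-user login form follows the backend's `auth_master_user_separator = *` setting shown above.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed demo values (not from the thread); a fixed challenge keeps the results reproducible.
DEMO_CHALLENGE = "<1445962590.12345@fbsd9>"
DEMO_USER = "usertest"
DEMO_PASSWORD = "s3cret-demo"


def cram_md5_response(user: str, password: str, challenge: str) -> str:
    """Client side of CRAM-MD5: base64('user ' + hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify_cram_md5(stored_password: Optional[str], challenge: str, response_b64: str) -> bool:
    """Server side: recompute the HMAC from the password the server holds and compare.

    The client never sends the password itself, only an HMAC over the challenge, so the
    verifier must hold the cleartext (or the HMAC-MD5 context derived from it). A passdb
    result with an empty password and nopassword=y gives the proxy nothing to recompute
    from, which is the 'Requested DIGEST-MD5 scheme, but we have a NULL password' case.
    """
    if not stored_password:
        return False
    try:
        _user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except ValueError:
        return False
    expected = hmac.new(stored_password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def backend_master_login(user: str, master_user: str, separator: str = "*") -> str:
    """Username the proxy presents to the backend after it has authenticated the client
    itself: '<user><separator><master_user>', sent with the master user's password."""
    return f"{user}{separator}{master_user}"
```

The verify function only succeeds when the proxy's passdb returns the real password (as the backend's `pass_attrs = uid=user,clearPassword=password` does); with a NULL password it fails regardless of what the client sends.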
Participants (2):
- Andrey Fesenko
- Timo Sirainen