Re: [Dovecot] login fails when username has apostrophe
Sorry to bump so quickly but I have a handful of users who can't log in at the moment and would like to get this fixed.
Am I missing a config option or is this a bug? The only reference I can find in the mailing list archives is that this configuration should be supported.
Karl.
Hi
I've added the apostrophe character to auth_username_chars however authentication still fails. I'm using LDAP with the following details:
dovecot version 1.1.7 openldap client library 2.4.11
With auth_verbose = yes and auth_debug = yes set I see the following in the logs. Note the initial escaped apostrophe and the subsequent escaped escape in the filter!
----- start log ----- Jan 5 16:15:05 www-example1 dovecot: auth(default): client in: AUTH 1 PLAIN service=imap lip=10.1.1.180 rip=10.3.96.60 lport=143 rport=48733 resp=<hidden>
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,10.3.96.60): pass search: base=dc=example, dc=com scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\\'reilly)) field s=mail,userPassword
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,10.3.96.60): unknown user
Jan 5 16:15:07 www-example1 dovecot: auth(default): client out: FAIL 1 user=julie.o\'reilly@example.com failed, 1 attempts): user=<julie.o\'reilly@example.com>, method=PLAIN, rip=10.3.96.60, lip=10.1.1.180 ----- end log -----
Users without apostrophes can authenticate successfully. If I've missed anything please let me know.
# dovecot -n # 1.1.7: /usr/local/etc/dovecot.conf # OS: FreeBSD 7.0-RELEASE amd64 ufs protocols: imap listen: 10.1.1.180 ssl_disable: yes disable_plaintext_auth: no login_dir: /var/run/dovecot/login login_executable: /usr/local/libexec/dovecot/imap-login login_greeting_capability: yes verbose_proctitle: yes first_valid_uid: 999 first_valid_gid: 999 mail_privileged_group: mail mail_uid: 999 mail_gid: 999 mail_location: maildir:/usr/home/vmail/%Ld/%Ln imap_client_workarounds: delay-newmail netscape-eoh tb-extra-mailbox-sep auth default: mechanisms: plain login username_chars: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@' username_format: %Lu passdb: driver: ldap args: /usr/local/etc/dovecot-ldap.conf userdb: driver: ldap args: /usr/local/etc/dovecot-ldap.conf socket: type: listen client: path: /var/run/dovecot/auth-client mode: 432 master: path: /var/run/dovecot/auth-master mode: 384 user: vmail
# grep -v '^ *\(#.*\)\?$' dovecot-ldap.conf uris = ldap://www-example1:389 dn = uid=xxxx,dc=example,dc=com dnpass = xxxx sasl_bind = no tls = no auth_bind = no ldap_version = 3 base = dc=example, dc=com user_attrs = homeDirectory=home=/usr/home/vmail/%L $,mailMessageStore=mail=maildir:/usr/home/vmail/%L$,=uid=999,=gid=999 user_filter = (&(objectClass=qmailUser)(uid=%n)) pass_attrs = mail=user,userPassword=password pass_filter = (&(objectClass=qmailUser)(uid=%n)) default_pass_scheme = PLAIN
-- Karl Latiss <klatiss@nextdigital.com> Next Digital
Karl Latiss schrieb:
Sorry to bump so quickly but I have a handful of users who can't log in at the moment and would like to get this fixed.
Am I missing a config option or is this a bug? The only reference I can find in the mailing list archives is that this configuration should be supported.
Karl.
Hi
I've added the apostrophe character to auth_username_chars however authentication still fails. I'm using LDAP with the following details:
dovecot version 1.1.7 openldap client library 2.4.11
With auth_verbose = yes and auth_debug = yes set I see the following in the logs. Note the initial escaped apostrophe and the subsequent escaped escape in the filter!
----- start log ----- Jan 5 16:15:05 www-example1 dovecot: auth(default): client in: AUTH 1 PLAIN service=imap lip=10.1.1.180 rip=10.3.96.60 lport=143 rport=48733 resp=<hidden>
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,10.3.96.60): pass search: base=dc=example, dc=com scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\\'reilly)) field s=mail,userPassword
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,10.3.96.60): unknown user
Jan 5 16:15:07 www-example1 dovecot: auth(default): client out: FAIL 1 user=julie.o\'reilly@example.com failed, 1 attempts): user=<julie.o\'reilly@example.com>, method=PLAIN, rip=10.3.96.60, lip=10.1.1.180 ----- end log -----
Users without apostrophes can authenticate successfully. If I've missed anything please let me know.
# dovecot -n # 1.1.7: /usr/local/etc/dovecot.conf # OS: FreeBSD 7.0-RELEASE amd64 ufs protocols: imap listen: 10.1.1.180 ssl_disable: yes disable_plaintext_auth: no login_dir: /var/run/dovecot/login login_executable: /usr/local/libexec/dovecot/imap-login login_greeting_capability: yes verbose_proctitle: yes first_valid_uid: 999 first_valid_gid: 999 mail_privileged_group: mail mail_uid: 999 mail_gid: 999 mail_location: maildir:/usr/home/vmail/%Ld/%Ln imap_client_workarounds: delay-newmail netscape-eoh tb-extra-mailbox-sep auth default: mechanisms: plain login username_chars: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@' username_format: %Lu passdb: driver: ldap args: /usr/local/etc/dovecot-ldap.conf userdb: driver: ldap args: /usr/local/etc/dovecot-ldap.conf socket: type: listen client: path: /var/run/dovecot/auth-client mode: 432 master: path: /var/run/dovecot/auth-master mode: 384 user: vmail
# grep -v '^ *\(#.*\)\?$' dovecot-ldap.conf uris = ldap://www-example1:389 dn = uid=xxxx,dc=example,dc=com dnpass = xxxx sasl_bind = no tls = no auth_bind = no ldap_version = 3 base = dc=example, dc=com user_attrs = homeDirectory=home=/usr/home/vmail/%L $,mailMessageStore=mail=maildir:/usr/home/vmail/%L$,=uid=999,=gid=999 user_filter = (&(objectClass=qmailUser)(uid=%n)) pass_attrs = mail=user,userPassword=password pass_filter = (&(objectClass=qmailUser)(uid=%n)) default_pass_scheme = PLAIN
just for quick testing try set auth_username_chars empty i.e auth_username_chars = in dovecot.conf
-- Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
On Wed, 2009-01-07 at 00:26 +0100, Robert Schetterer wrote:
Karl Latiss schrieb:
Sorry to bump so quickly but I have a handful of users who can't log in at the moment and would like to get this fixed.
Am I missing a config option or is this a bug? The only reference I can find in the mailing list archives is that this configuration should be supported.
Karl.
Hi
I've added the apostrophe character to auth_username_chars however authentication still fails. I'm using LDAP with the following details:
dovecot version 1.1.7 openldap client library 2.4.11
With auth_verbose = yes and auth_debug = yes set I see the following in the logs. Note the initial escaped apostrophe and the subsequent escaped escape in the filter!
----- start log ----- Jan 5 16:15:05 www-example1 dovecot: auth(default): client in: AUTH 1 PLAIN service=imap lip=10.1.1.180 rip=10.3.96.60 lport=143 rport=48733 resp=<hidden>
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,10.3.96.60): pass search: base=dc=example, dc=com scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\\'reilly)) field s=mail,userPassword
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,10.3.96.60): unknown user
Jan 5 16:15:07 www-example1 dovecot: auth(default): client out: FAIL 1 user=julie.o\'reilly@example.com failed, 1 attempts): user=<julie.o\'reilly@example.com>, method=PLAIN, rip=10.3.96.60, lip=10.1.1.180 ----- end log -----
Users without apostrophes can authenticate successfully. If I've missed anything please let me know.
# dovecot -n # 1.1.7: /usr/local/etc/dovecot.conf # OS: FreeBSD 7.0-RELEASE amd64 ufs protocols: imap listen: 10.1.1.180 ssl_disable: yes disable_plaintext_auth: no login_dir: /var/run/dovecot/login login_executable: /usr/local/libexec/dovecot/imap-login login_greeting_capability: yes verbose_proctitle: yes first_valid_uid: 999 first_valid_gid: 999 mail_privileged_group: mail mail_uid: 999 mail_gid: 999 mail_location: maildir:/usr/home/vmail/%Ld/%Ln imap_client_workarounds: delay-newmail netscape-eoh tb-extra-mailbox-sep auth default: mechanisms: plain login username_chars: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@' username_format: %Lu passdb: driver: ldap args: /usr/local/etc/dovecot-ldap.conf userdb: driver: ldap args: /usr/local/etc/dovecot-ldap.conf socket: type: listen client: path: /var/run/dovecot/auth-client mode: 432 master: path: /var/run/dovecot/auth-master mode: 384 user: vmail
# grep -v '^ *\(#.*\)\?$' dovecot-ldap.conf uris = ldap://www-example1:389 dn = uid=xxxx,dc=example,dc=com dnpass = xxxx sasl_bind = no tls = no auth_bind = no ldap_version = 3 base = dc=example, dc=com user_attrs = homeDirectory=home=/usr/home/vmail/%L $,mailMessageStore=mail=maildir:/usr/home/vmail/%L$,=uid=999,=gid=999 user_filter = (&(objectClass=qmailUser)(uid=%n)) pass_attrs = mail=user,userPassword=password pass_filter = (&(objectClass=qmailUser)(uid=%n)) default_pass_scheme = PLAIN
just for quick testing try set auth_username_chars empty i.e auth_username_chars = in dovecot.conf
Sorry - should have mentioned that I tried that as well with no success.
Karl.
On Wed, 2009-01-07 at 10:19 +1100, Karl Latiss wrote:
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,10.3.96.60): pass search: base=dc=example, dc=com scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\\'reilly)) field s=mail,userPassword
I think it should be julie.o\\\'reilly in there. Have to check why.
Jan 5 16:15:07 www-example1 dovecot: auth(default): client out: FAIL 1 user=julie.o\'reilly@example.com failed, 1 attempts): user=<julie.o\'reilly@example.com>, method=PLAIN,
But I think your client (PHP webmail with automatic slashing enabled?) is sending the initial \ here. Try logging in manually with telnet to make sure.
On Tue, 2009-01-06 at 18:33 -0500, Timo Sirainen wrote:
On Wed, 2009-01-07 at 10:19 +1100, Karl Latiss wrote:
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,10.3.96.60): pass search: base=dc=example, dc=com scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\\'reilly)) field s=mail,userPassword
I think it should be julie.o\\\'reilly in there. Have to check why.
Jan 5 16:15:07 www-example1 dovecot: auth(default): client out: FAIL 1 user=julie.o\'reilly@example.com failed, 1 attempts): user=<julie.o\'reilly@example.com>, method=PLAIN,
But I think your client (PHP webmail with automatic slashing enabled?) is sending the initial \ here. Try logging in manually with telnet to make sure.
The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results.
Karl.
Karl Latiss wrote:
On Tue, 2009-01-06 at 18:33 -0500, Timo Sirainen wrote:
On Wed, 2009-01-07 at 10:19 +1100, Karl Latiss wrote:
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,10.3.96.60): pass search: base=dc=example, dc=com scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\\'reilly)) field s=mail,userPassword I think it should be julie.o\\\'reilly in there. Have to check why.
Jan 5 16:15:07 www-example1 dovecot: auth(default): client out: FAIL 1 user=julie.o\'reilly@example.com failed, 1 attempts): user=<julie.o\'reilly@example.com>, method=PLAIN, But I think your client (PHP webmail with automatic slashing enabled?) is sending the initial \ here. Try logging in manually with telnet to make sure.
The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results.
It's not an apostrophe - it's an unmatched quote. You'll probably get faster results by changing to logins that don't anger input string sanity checks. Otherwise, be prepared to wait a while for a solution. Probably not what you want to hear, but if you have people knocking down the door over this problem, you're going to have to use what will work.
~Seth
On Tue, 2009-01-06 at 16:04 -0800, Seth Mattinen wrote:
Karl Latiss wrote:
On Tue, 2009-01-06 at 18:33 -0500, Timo Sirainen wrote:
On Wed, 2009-01-07 at 10:19 +1100, Karl Latiss wrote:
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,10.3.96.60): pass search: base=dc=example, dc=com scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\\'reilly)) field s=mail,userPassword I think it should be julie.o\\\'reilly in there. Have to check why.
Jan 5 16:15:07 www-example1 dovecot: auth(default): client out: FAIL 1 user=julie.o\'reilly@example.com failed, 1 attempts): user=<julie.o\'reilly@example.com>, method=PLAIN, But I think your client (PHP webmail with automatic slashing enabled?) is sending the initial \ here. Try logging in manually with telnet to make sure.
The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results.
It's not an apostrophe - it's an unmatched quote. You'll probably get faster results by changing to logins that don't anger input string sanity checks. Otherwise, be prepared to wait a while for a solution. Probably not what you want to hear, but if you have people knocking down the door over this problem, you're going to have to use what will work.
~Seth
I understand how it could be interpreted as an unmatched quote but according to Timo (http://www.mail-archive.com/dovecot@dovecot.org/msg09489.html) this should work.
At any rate since the user database is provided by the client from their (various) systems it's unlikely I will be able to change user names.
Karl.
Karl Latiss wrote:
On Tue, 2009-01-06 at 16:04 -0800, Seth Mattinen wrote:
Karl Latiss wrote:
On Tue, 2009-01-06 at 18:33 -0500, Timo Sirainen wrote:
On Wed, 2009-01-07 at 10:19 +1100, Karl Latiss wrote:
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,10.3.96.60): pass search: base=dc=example, dc=com scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\\'reilly)) field s=mail,userPassword I think it should be julie.o\\\'reilly in there. Have to check why.
Jan 5 16:15:07 www-example1 dovecot: auth(default): client out: FAIL 1 user=julie.o\'reilly@example.com failed, 1 attempts): user=<julie.o\'reilly@example.com>, method=PLAIN, But I think your client (PHP webmail with automatic slashing enabled?) is sending the initial \ here. Try logging in manually with telnet to make sure. The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results.
It's not an apostrophe - it's an unmatched quote. You'll probably get faster results by changing to logins that don't anger input string sanity checks. Otherwise, be prepared to wait a while for a solution. Probably not what you want to hear, but if you have people knocking down the door over this problem, you're going to have to use what will work.
~Seth
I understand how it could be interpreted as an unmatched quote but according to Timo (http://www.mail-archive.com/dovecot@dovecot.org/msg09489.html) this should work.
At any rate since the user database is provided by the client from their (various) systems it's unlikely I will be able to change user names.
Try a different auth method.
~Seth
On Tue, 2009-01-06 at 16:47 -0800, Seth Mattinen wrote:
Karl Latiss wrote:
On Tue, 2009-01-06 at 16:04 -0800, Seth Mattinen wrote:
Karl Latiss wrote:
On Tue, 2009-01-06 at 18:33 -0500, Timo Sirainen wrote:
On Wed, 2009-01-07 at 10:19 +1100, Karl Latiss wrote:
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,10.3.96.60): pass search: base=dc=example, dc=com scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\\'reilly)) field s=mail,userPassword I think it should be julie.o\\\'reilly in there. Have to check why.
Jan 5 16:15:07 www-example1 dovecot: auth(default): client out: FAIL 1 user=julie.o\'reilly@example.com failed, 1 attempts): user=<julie.o\'reilly@example.com>, method=PLAIN, But I think your client (PHP webmail with automatic slashing enabled?) is sending the initial \ here. Try logging in manually with telnet to make sure. The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results.
It's not an apostrophe - it's an unmatched quote. You'll probably get faster results by changing to logins that don't anger input string sanity checks. Otherwise, be prepared to wait a while for a solution. Probably not what you want to hear, but if you have people knocking down the door over this problem, you're going to have to use what will work.
~Seth
I understand how it could be interpreted as an unmatched quote but according to Timo (http://www.mail-archive.com/dovecot@dovecot.org/msg09489.html) this should work.
At any rate since the user database is provided by the client from their (various) systems it's unlikely I will be able to change user names.
Try a different auth method.
Do you mean try MySQL or PAM etc? I may be able to do that on another install however this project requires user accounts to be stored in LDAP so will need LDAP auth working one way or another.
Karl.
Karl Latiss wrote:
On Tue, 2009-01-06 at 16:47 -0800, Seth Mattinen wrote:
Karl Latiss wrote:
On Tue, 2009-01-06 at 16:04 -0800, Seth Mattinen wrote:
Karl Latiss wrote:
On Tue, 2009-01-06 at 18:33 -0500, Timo Sirainen wrote:
On Wed, 2009-01-07 at 10:19 +1100, Karl Latiss wrote: > Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o > \'reilly@example.com,10.3.96.60): pass search: base=dc=example, dc=com > scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\\'reilly)) > field > s=mail,userPassword I think it should be julie.o\\\'reilly in there. Have to check why.
> Jan 5 16:15:07 www-example1 dovecot: auth(default): client out: FAIL > 1 user=julie.o\'reilly@example.com > failed, 1 attempts): user=<julie.o\'reilly@example.com>, method=PLAIN, But I think your client (PHP webmail with automatic slashing enabled?) is sending the initial \ here. Try logging in manually with telnet to make sure. The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results.
It's not an apostrophe - it's an unmatched quote. You'll probably get faster results by changing to logins that don't anger input string sanity checks. Otherwise, be prepared to wait a while for a solution. Probably not what you want to hear, but if you have people knocking down the door over this problem, you're going to have to use what will work.
~Seth I understand how it could be interpreted as an unmatched quote but according to Timo (http://www.mail-archive.com/dovecot@dovecot.org/msg09489.html) this should work.
At any rate since the user database is provided by the client from their (various) systems it's unlikely I will be able to change user names.
Try a different auth method.
Do you mean try MySQL or PAM etc? I may be able to do that on another install however this project requires user accounts to be stored in LDAP so will need LDAP auth working one way or another.
Start with PAM or some other "simple" auth method. If it works and LDAP won't, then you know it's not Doevcot and to focus on LDAP - either Dovecot's LDAP module or LDAP itself.
~Seth
On Jan 6, 2009, at 6:47 PM, Karl Latiss wrote:
On Tue, 2009-01-06 at 18:33 -0500, Timo Sirainen wrote:
On Wed, 2009-01-07 at 10:19 +1100, Karl Latiss wrote:
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,10.3.96.60): pass search: base=dc=example,
dc=com scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\ \'reilly)) field s=mail,userPasswordI think it should be julie.o\\\'reilly in there. Have to check why.
Jan 5 16:15:07 www-example1 dovecot: auth(default): client out:
FAIL 1 user=julie.o\'reilly@example.com failed, 1 attempts): user=<julie.o\'reilly@example.com>,
method=PLAIN,But I think your client (PHP webmail with automatic slashing
enabled?) is sending the initial \ here. Try logging in manually with telnet to make sure.The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results.
That's weird. I'll try to reproduce it tomorrow. I don't have a
working LDAP server setup currently though. Ubuntu slapd config looks
weird.
On Wed, 2009-01-07 at 00:08 -0500, Timo Sirainen wrote:
On Jan 6, 2009, at 6:47 PM, Karl Latiss wrote:
On Tue, 2009-01-06 at 18:33 -0500, Timo Sirainen wrote:
On Wed, 2009-01-07 at 10:19 +1100, Karl Latiss wrote:
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,10.3.96.60): pass search: base=dc=example,
dc=com scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\ \'reilly)) field s=mail,userPasswordI think it should be julie.o\\\'reilly in there. Have to check why.
Jan 5 16:15:07 www-example1 dovecot: auth(default): client out:
FAIL 1 user=julie.o\'reilly@example.com failed, 1 attempts): user=<julie.o\'reilly@example.com>,
method=PLAIN,But I think your client (PHP webmail with automatic slashing
enabled?) is sending the initial \ here. Try logging in manually with telnet to make sure.The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results.
That's weird. I'll try to reproduce it tomorrow. I don't have a
working LDAP server setup currently though. Ubuntu slapd config looks
weird.
Works fine here with the current v1.1 hg (but I don't remember having done any fixes related to LDAP for a long time):
- OK Dovecot ready. x login "a'b" pass x OK Logged in.
dovecot: Jan 07 12:10:29 Info: auth(default): new auth connection: pid=12264 dovecot: Jan 07 12:10:31 Info: auth(default): client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=34122 resp=<hidden> dovecot: Jan 07 12:10:31 Info: auth(default): ldap(a'b,127.0.0.1): pass search: base=ou=dovecot, dc=domain, dc=org scope=subtree filter=(&(objectClass=posixAccount)(uid=a'b)) fields=uid,userPassword dovecot: Jan 07 12:10:31 Info: auth(default): ldap(a'b,127.0.0.1): result: uid(user)=a'b userPassword(password)=<hidden> dovecot: Jan 07 12:10:31 Info: auth(default): client out: OK 1 user=a'b dovecot: Jan 07 12:10:31 Info: auth(default): master in: REQUEST 3 12257 1 dovecot: Jan 07 12:10:31 Info: auth(default): ldap(a'b,127.0.0.1): user search: base=ou=dovecot, dc=domain, dc=org scope=subtree filter=(&(objectClass=posixAccount)(uid=a'b)) fields=homeDirectory,uidNumber,gidNumber dovecot: Jan 07 12:10:31 Info: auth(default): ldap(a'b,127.0.0.1): result: uidNumber(uid)=1000 gidNumber(gid)=1000 homeDirectory(home)=/home/tss dovecot: Jan 07 12:10:31 Info: auth(default): master out: USER 3 a'b uid=1000 gid=1000 home=/home/tss dovecot: Jan 07 12:10:31 Info: imap-login: Login: user=<a'b>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
On Wed, 2009-01-07 at 12:12 -0500, Timo Sirainen wrote:
The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results.
That's weird. I'll try to reproduce it tomorrow. I don't have a
working LDAP server setup currently though. Ubuntu slapd config looks
weird.Works fine here with the current v1.1 hg (but I don't remember having done any fixes related to LDAP for a long time):
- OK Dovecot ready. x login "a'b" pass x OK Logged in.
Also I'm a bit surprised that I've managed to get escaping working with all special LDAP characters without having it tested before:
imap-login: Login: user=<a\(*),.b>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
on 1-7-2009 9:26 AM Timo Sirainen spake the following:
On Wed, 2009-01-07 at 12:12 -0500, Timo Sirainen wrote:
The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results. That's weird. I'll try to reproduce it tomorrow. I don't have a
working LDAP server setup currently though. Ubuntu slapd config looks
weird. Works fine here with the current v1.1 hg (but I don't remember having done any fixes related to LDAP for a long time):
- OK Dovecot ready. x login "a'b" pass x OK Logged in.
Also I'm a bit surprised that I've managed to get escaping working with all special LDAP characters without having it tested before:
imap-login: Login: user=<a\(*),.b>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
I wonder if the OP has a character set or encoding issue?
-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
On Wed, 2009-01-07 at 11:09 -0800, Scott Silva wrote:
on 1-7-2009 9:26 AM Timo Sirainen spake the following:
On Wed, 2009-01-07 at 12:12 -0500, Timo Sirainen wrote:
The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results. That's weird. I'll try to reproduce it tomorrow. I don't have a
working LDAP server setup currently though. Ubuntu slapd config looks
weird. Works fine here with the current v1.1 hg (but I don't remember having done any fixes related to LDAP for a long time):
- OK Dovecot ready. x login "a'b" pass x OK Logged in.
Also I'm a bit surprised that I've managed to get escaping working with all special LDAP characters without having it tested before:
imap-login: Login: user=<a\(*),.b>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
I wonder if the OP has a character set or encoding issue?
My dovecot package has a dependency on libiconv-1.11_1. Could that have something to do with it?
Karl.
On Thu, 2009-01-08 at 08:27 +1100, Karl Latiss wrote:
On Wed, 2009-01-07 at 11:09 -0800, Scott Silva wrote:
on 1-7-2009 9:26 AM Timo Sirainen spake the following:
On Wed, 2009-01-07 at 12:12 -0500, Timo Sirainen wrote:
The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results. That's weird. I'll try to reproduce it tomorrow. I don't have a
working LDAP server setup currently though. Ubuntu slapd config looks
weird. Works fine here with the current v1.1 hg (but I don't remember having done any fixes related to LDAP for a long time):
- OK Dovecot ready. x login "a'b" pass x OK Logged in.
Also I'm a bit surprised that I've managed to get escaping working with all special LDAP characters without having it tested before:
imap-login: Login: user=<a\(*),.b>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
I wonder if the OP has a character set or encoding issue?
My dovecot package has a dependency on libiconv-1.11_1. Could that have something to do with it?
No. You have several extra \ characters in the logs and they just shouldn't be there unless the client sent them. Set auth_debug_passwords=yes and paste the full logs when logging in? (Use a password that isn't important.)
On Wed, 2009-01-07 at 16:31 -0500, Timo Sirainen wrote:
On Thu, 2009-01-08 at 08:27 +1100, Karl Latiss wrote:
On Wed, 2009-01-07 at 11:09 -0800, Scott Silva wrote:
on 1-7-2009 9:26 AM Timo Sirainen spake the following:
On Wed, 2009-01-07 at 12:12 -0500, Timo Sirainen wrote:
> The previous log output is with me telnetting in manually, however the > webmail software (roundcube) produces the same results. That's weird. I'll try to reproduce it tomorrow. I don't have a
working LDAP server setup currently though. Ubuntu slapd config looks
weird. Works fine here with the current v1.1 hg (but I don't remember having done any fixes related to LDAP for a long time):
- OK Dovecot ready. x login "a'b" pass x OK Logged in.
Also I'm a bit surprised that I've managed to get escaping working with all special LDAP characters without having it tested before:
imap-login: Login: user=<a\(*),.b>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
I wonder if the OP has a character set or encoding issue?
My dovecot package has a dependency on libiconv-1.11_1. Could that have something to do with it?
No. You have several extra \ characters in the logs and they just shouldn't be there unless the client sent them. Set auth_debug_passwords=yes and paste the full logs when logging in? (Use a password that isn't important.)
That doesn't look any different...
Jan 8 08:39:22 www-example1 dovecot: auth(default): client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=63870 resp=AGp1bGllLm8ncmVpbGx5QHFmY3Jldy5jb20ANTcyMjIz Jan 8 08:39:22 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,127.0.0.1): pass search: base=dc=example, dc=com scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\\'reilly)) fields=mail,userPassword Jan 8 08:39:22 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,127.0.0.1): unknown user Jan 8 08:39:24 www-example1 dovecot: auth(default): client out: FAIL 1 user=julie.o\'reilly@example.com Jan 8 08:39:28 www-example1 dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<julie.o\'reilly@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Karl.
On Thu, 2009-01-08 at 08:50 +1100, Karl Latiss wrote:
No. You have several extra \ characters in the logs and they just shouldn't be there unless the client sent them. Set auth_debug_passwords=yes and paste the full logs when logging in? (Use a password that isn't important.)
That doesn't look any different...
OK, so the problem is auth_username_format instead of LDAP. Fixed: http://hg.dovecot.org/dovecot-1.1/rev/3d32b23f7437
Or just comment out the auth_username_format setting.
On Wed, 2009-01-07 at 17:05 -0500, Timo Sirainen wrote:
On Thu, 2009-01-08 at 08:50 +1100, Karl Latiss wrote:
No. You have several extra \ characters in the logs and they just shouldn't be there unless the client sent them. Set auth_debug_passwords=yes and paste the full logs when logging in? (Use a password that isn't important.)
That doesn't look any different...
OK, so the problem is auth_username_format instead of LDAP. Fixed: http://hg.dovecot.org/dovecot-1.1/rev/3d32b23f7437
Or just comment out the auth_username_format setting.
That's it!
Now login works perfect. Thanks for your quick responses and fix.
Karl.
On Wed, 2009-01-07 at 12:12 -0500, Timo Sirainen wrote:
On Wed, 2009-01-07 at 00:08 -0500, Timo Sirainen wrote:
On Jan 6, 2009, at 6:47 PM, Karl Latiss wrote:
On Tue, 2009-01-06 at 18:33 -0500, Timo Sirainen wrote:
On Wed, 2009-01-07 at 10:19 +1100, Karl Latiss wrote:
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o \'reilly@example.com,10.3.96.60): pass search: base=dc=example,
dc=com scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\ \'reilly)) field s=mail,userPasswordI think it should be julie.o\\\'reilly in there. Have to check why.
Jan 5 16:15:07 www-example1 dovecot: auth(default): client out:
FAIL 1 user=julie.o\'reilly@example.com failed, 1 attempts): user=<julie.o\'reilly@example.com>,
method=PLAIN,But I think your client (PHP webmail with automatic slashing
enabled?) is sending the initial \ here. Try logging in manually with telnet to make sure.The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results.
That's weird. I'll try to reproduce it tomorrow. I don't have a
working LDAP server setup currently though. Ubuntu slapd config looks
weird.Works fine here with the current v1.1 hg (but I don't remember having done any fixes related to LDAP for a long time):
- OK Dovecot ready. x login "a'b" pass x OK Logged in.
dovecot: Jan 07 12:10:29 Info: auth(default): new auth connection: pid=12264 dovecot: Jan 07 12:10:31 Info: auth(default): client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=34122 resp=<hidden> dovecot: Jan 07 12:10:31 Info: auth(default): ldap(a'b,127.0.0.1): pass search: base=ou=dovecot, dc=domain, dc=org scope=subtree filter=(&(objectClass=posixAccount)(uid=a'b)) fields=uid,userPassword dovecot: Jan 07 12:10:31 Info: auth(default): ldap(a'b,127.0.0.1): result: uid(user)=a'b userPassword(password)=<hidden> dovecot: Jan 07 12:10:31 Info: auth(default): client out: OK 1 user=a'b dovecot: Jan 07 12:10:31 Info: auth(default): master in: REQUEST 3 12257 1 dovecot: Jan 07 12:10:31 Info: auth(default): ldap(a'b,127.0.0.1): user search: base=ou=dovecot, dc=domain, dc=org scope=subtree filter=(&(objectClass=posixAccount)(uid=a'b)) fields=homeDirectory,uidNumber,gidNumber dovecot: Jan 07 12:10:31 Info: auth(default): ldap(a'b,127.0.0.1): result: uidNumber(uid)=1000 gidNumber(gid)=1000 homeDirectory(home)=/home/tss dovecot: Jan 07 12:10:31 Info: auth(default): master out: USER 3 a'b uid=1000 gid=1000 home=/home/tss dovecot: Jan 07 12:10:31 Info: imap-login: Login: user=<a'b>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Where else can I look? This version was compiled on FreeBSD 7.0 64 bit using the ports system with the following configure options:
--localstatedir=/var
--with-statedir=/var/db/dovecot
--without-shadow
--with-ioloop=kqueue
--without-gssapi
--without-vpopmail
--with-ldap
--without-pgsql
--without-mysql
--without-sqlite
The openldap libraries used were openldap-client-2.4.11
Karl.
participants (5)
-
Karl Latiss
-
Robert Schetterer
-
Scott Silva
-
Seth Mattinen
-
Timo Sirainen