Re: [Dovecot] login fails when username has apostrophe
Sorry to bump so quickly but I have a handful of users who can't log in at the moment and would like to get this fixed.
Am I missing a config option or is this a bug? The only reference I can find in the mailing list archives is that this configuration should be supported.
Karl.
Hi
I've added the apostrophe character to auth_username_chars; however, authentication still fails. I'm using LDAP with the following details:
dovecot version 1.1.7
openldap client library 2.4.11
With auth_verbose = yes and auth_debug = yes set, I see the following in the logs. Note the initial escaped apostrophe and the subsequent escaped escape in the filter!
----- start log -----
Jan 5 16:15:05 www-example1 dovecot: auth(default): client in: AUTH 1 PLAIN service=imap lip=10.1.1.180 rip=10.3.96.60 lport=143 rport=48733 resp=<hidden>
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o\'reilly@example.com,10.3.96.60): pass search: base=dc=example, dc=com scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\\'reilly)) fields=mail,userPassword
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o\'reilly@example.com,10.3.96.60): unknown user
Jan 5 16:15:07 www-example1 dovecot: auth(default): client out: FAIL 1 user=julie.o\'reilly@example.com
failed, 1 attempts): user=, method=PLAIN, rip=10.3.96.60, lip=10.1.1.180
----- end log -----
Users without apostrophes can authenticate successfully. If I've missed anything please let me know.
# dovecot -n
# 1.1.7: /usr/local/etc/dovecot.conf
# OS: FreeBSD 7.0-RELEASE amd64 ufs
protocols: imap
listen: 10.1.1.180
ssl_disable: yes
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
login_greeting_capability: yes
verbose_proctitle: yes
first_valid_uid: 999
first_valid_gid: 999
mail_privileged_group: mail
mail_uid: 999
mail_gid: 999
mail_location: maildir:/usr/home/vmail/%Ld/%Ln
imap_client_workarounds: delay-newmail netscape-eoh tb-extra-mailbox-sep
auth default:
  mechanisms: plain login
  username_chars: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@'
  username_format: %Lu
  passdb:
    driver: ldap
    args: /usr/local/etc/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /usr/local/etc/dovecot-ldap.conf
  socket:
    type: listen
    client:
      path: /var/run/dovecot/auth-client
      mode: 432
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail

# grep -v '^ *\(#.*\)\?$' dovecot-ldap.conf
uris = ldap://www-example1:389
dn = uid=xxxx,dc=example,dc=com
dnpass = xxxx
sasl_bind = no
tls = no
auth_bind = no
ldap_version = 3
base = dc=example, dc=com
user_attrs = homeDirectory=home=/usr/home/vmail/%L$,mailMessageStore=mail=maildir:/usr/home/vmail/%L$,=uid=999,=gid=999
user_filter = (&(objectClass=qmailUser)(uid=%n))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=qmailUser)(uid=%n))
default_pass_scheme = PLAIN
--
Karl Latiss
klatiss@nextdigital.com
Next Digital
Karl Latiss schrieb:
I've added the apostrophe character to auth_username_chars; however, authentication still fails.
Just for quick testing, try setting auth_username_chars empty, i.e. auth_username_chars = in dovecot.conf.
-- Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
On Wed, 2009-01-07 at 00:26 +0100, Robert Schetterer wrote:
Just for quick testing, try setting auth_username_chars empty, i.e. auth_username_chars = in dovecot.conf.
Sorry - should have mentioned that I tried that as well with no success.
Karl.
On Wed, 2009-01-07 at 10:19 +1100, Karl Latiss wrote:
Jan 5 16:15:05 www-example1 dovecot: auth(default): ldap(julie.o\'reilly@example.com,10.3.96.60): pass search: base=dc=example, dc=com scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\\'reilly)) fields=mail,userPassword
I think it should be julie.o\\\'reilly in there. Have to check why.
Jan 5 16:15:07 www-example1 dovecot: auth(default): client out: FAIL 1 user=julie.o\'reilly@example.com
failed, 1 attempts): user=, method=PLAIN,
But I think your client (PHP webmail with automatic slashing enabled?) is sending the initial \ here. Try logging in manually with telnet to make sure.
On Tue, 2009-01-06 at 18:33 -0500, Timo Sirainen wrote:
But I think your client (PHP webmail with automatic slashing enabled?) is sending the initial \ here. Try logging in manually with telnet to make sure.
The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results.
Karl.
Karl Latiss wrote:
The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results.
It's not an apostrophe - it's an unmatched quote. You'll probably get faster results by changing to logins that don't anger input string sanity checks. Otherwise, be prepared to wait a while for a solution. Probably not what you want to hear, but if you have people knocking down the door over this problem, you're going to have to use what will work.
~Seth
On Tue, 2009-01-06 at 16:04 -0800, Seth Mattinen wrote:
It's not an apostrophe - it's an unmatched quote. You'll probably get faster results by changing to logins that don't anger input string sanity checks. Otherwise, be prepared to wait a while for a solution. Probably not what you want to hear, but if you have people knocking down the door over this problem, you're going to have to use what will work.
~Seth
I understand how it could be interpreted as an unmatched quote but according to Timo (http://www.mail-archive.com/dovecot@dovecot.org/msg09489.html) this should work.
At any rate, since the user database is provided by the client from their (various) systems, it's unlikely I will be able to change user names.
Karl.
Karl Latiss wrote:
I understand how it could be interpreted as an unmatched quote but according to Timo (http://www.mail-archive.com/dovecot@dovecot.org/msg09489.html) this should work.
At any rate since the user database is provided by the client from their (various) systems it's unlikely I will be able to change user names.
Try a different auth method.
~Seth
On Tue, 2009-01-06 at 16:47 -0800, Seth Mattinen wrote:
Try a different auth method.
Do you mean try MySQL or PAM, etc.? I may be able to do that on another install; however, this project requires user accounts to be stored in LDAP, so I will need LDAP auth working one way or another.
Karl.
Karl Latiss wrote:
Do you mean try MySQL or PAM etc? I may be able to do that on another install however this project requires user accounts to be stored in LDAP so will need LDAP auth working one way or another.
Start with PAM or some other "simple" auth method. If it works and LDAP won't, then you know it's not Dovecot and to focus on LDAP - either Dovecot's LDAP module or LDAP itself.
~Seth
On Jan 6, 2009, at 6:47 PM, Karl Latiss wrote:
The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results.
That's weird. I'll try to reproduce it tomorrow. I don't have a working LDAP server setup currently though. Ubuntu slapd config looks weird.
On Wed, 2009-01-07 at 00:08 -0500, Timo Sirainen wrote:
Works fine here with the current v1.1 hg (but I don't remember having done any fixes related to LDAP for a long time):
* OK Dovecot ready.
x login "a'b" pass
x OK Logged in.

dovecot: Jan 07 12:10:29 Info: auth(default): new auth connection: pid=12264
dovecot: Jan 07 12:10:31 Info: auth(default): client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=34122 resp=<hidden>
dovecot: Jan 07 12:10:31 Info: auth(default): ldap(a'b,127.0.0.1): pass search: base=ou=dovecot, dc=domain, dc=org scope=subtree filter=(&(objectClass=posixAccount)(uid=a'b)) fields=uid,userPassword
dovecot: Jan 07 12:10:31 Info: auth(default): ldap(a'b,127.0.0.1): result: uid(user)=a'b userPassword(password)=<hidden>
dovecot: Jan 07 12:10:31 Info: auth(default): client out: OK 1 user=a'b
dovecot: Jan 07 12:10:31 Info: auth(default): master in: REQUEST 3 12257 1
dovecot: Jan 07 12:10:31 Info: auth(default): ldap(a'b,127.0.0.1): user search: base=ou=dovecot, dc=domain, dc=org scope=subtree filter=(&(objectClass=posixAccount)(uid=a'b)) fields=homeDirectory,uidNumber,gidNumber
dovecot: Jan 07 12:10:31 Info: auth(default): ldap(a'b,127.0.0.1): result: uidNumber(uid)=1000 gidNumber(gid)=1000 homeDirectory(home)=/home/tss
dovecot: Jan 07 12:10:31 Info: auth(default): master out: USER 3 a'b uid=1000 gid=1000 home=/home/tss
dovecot: Jan 07 12:10:31 Info: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
On Wed, 2009-01-07 at 12:12 -0500, Timo Sirainen wrote:
Also I'm a bit surprised that I've managed to get escaping working with all special LDAP characters without having it tested before:
imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
on 1-7-2009 9:26 AM Timo Sirainen spake the following:
On Wed, 2009-01-07 at 12:12 -0500, Timo Sirainen wrote:
The previous log output is with me telnetting in manually, however the webmail software (roundcube) produces the same results. That's weird. I'll try to reproduce it tomorrow. I don't have a
working LDAP server setup currently though. Ubuntu slapd config looks
weird. Works fine here with the current v1.1 hg (but I don't remember having done any fixes related to LDAP for a long time):
- OK Dovecot ready. x login "a'b" pass x OK Logged in.
Also I'm a bit surprised that I've managed to get escaping working with all special LDAP characters without having it tested before:
imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
I wonder if the OP has a character set or encoding issue?
-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
On Wed, 2009-01-07 at 11:09 -0800, Scott Silva wrote:
I wonder if the OP has a character set or encoding issue?
My dovecot package has a dependency on libiconv-1.11_1. Could that have something to do with it?
Karl.
On Thu, 2009-01-08 at 08:27 +1100, Karl Latiss wrote:
My dovecot package has a dependency on libiconv-1.11_1. Could that have something to do with it?
No. You have several extra \ characters in the logs and they just shouldn't be there unless the client sent them. Set auth_debug_passwords=yes and paste the full logs when logging in? (Use a password that isn't important.)
On Wed, 2009-01-07 at 16:31 -0500, Timo Sirainen wrote:
No. You have several extra \ characters in the logs and they just shouldn't be there unless the client sent them. Set auth_debug_passwords=yes and paste the full logs when logging in? (Use a password that isn't important.)
That doesn't look any different...
Jan 8 08:39:22 www-example1 dovecot: auth(default): client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=63870 resp=AGp1bGllLm8ncmVpbGx5QHFmY3Jldy5jb20ANTcyMjIz
Jan 8 08:39:22 www-example1 dovecot: auth(default): ldap(julie.o\'reilly@example.com,127.0.0.1): pass search: base=dc=example, dc=com scope=subtree filter=(&(objectClass=qmailUser)(uid=julie.o\\'reilly)) fields=mail,userPassword
Jan 8 08:39:22 www-example1 dovecot: auth(default): ldap(julie.o\'reilly@example.com,127.0.0.1): unknown user
Jan 8 08:39:24 www-example1 dovecot: auth(default): client out: FAIL 1 user=julie.o\'reilly@example.com
Jan 8 08:39:28 www-example1 dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=
Karl.
On Thu, 2009-01-08 at 08:50 +1100, Karl Latiss wrote:
No. You have several extra \ characters in the logs and they just shouldn't be there unless the client sent them. Set auth_debug_passwords=yes and paste the full logs when logging in? (Use a password that isn't important.)
That doesn't look any different...
OK, so the problem is auth_username_format instead of LDAP. Fixed: http://hg.dovecot.org/dovecot-1.1/rev/3d32b23f7437
Or just comment out the auth_username_format setting.
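Timo's diagnosis rests on two checks a defender can reproduce: decoding the resp= value that auth_debug_passwords=yes puts in the log shows the exact bytes the client sent, and a username must be escaped exactly once, at the point it is substituted into the LDAP filter. The script below is an added example, not Dovecot's code: it decodes a SASL PLAIN response, applies an auth_username_chars-style whitelist (the value is taken from the dovecot -n output in this thread), escapes the local part for the filter using RFC 4515 hex escaping (an assumption; Dovecot 1.1's own escaping style is only visible here through the log lines), and then plays the directory server to show why a value that was already backslash-escaped upstream ends in "unknown user". The sample response and the directory contents are constructed.

```python
import base64
import re

# RFC 4515 escapes for the characters that are special inside a filter assertion
# value. The apostrophe is deliberately absent: it needs no escaping at all.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The auth_username_chars value from the dovecot -n output earlier in the thread.
ALLOWED_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@'"
)

# Constructed sample: what a client sends for AUTH PLAIN (RFC 4616), base64 encoded.
# Dovecot logs this as resp=... once auth_debug_passwords=yes is set.
SAMPLE_RESP = base64.b64encode(
    b"\x00julie.o'reilly@example.com\x00not-a-real-password"
).decode("ascii")

_UID_ASSERTION = re.compile(r"\(uid=([^)]*)\)\)$")


def decode_sasl_plain(resp_b64: str) -> tuple[str, str, str]:
    """Decode a SASL PLAIN response into (authzid, authcid, password).

    Decoding the logged resp= value shows the exact bytes the client sent,
    before username_format or the LDAP driver have touched them.
    """
    raw = base64.b64decode(resp_b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("SASL PLAIN response must have exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password


def username_allowed(username: str, allowed: str = ALLOWED_USERNAME_CHARS) -> bool:
    """The auth_username_chars style check: every character must be whitelisted."""
    return all(ch in allowed for ch in username)


def escape_filter_value(value: str) -> str:
    """Escape a raw string once, for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """What the directory server does on receipt: turn each \\XX back into a raw character."""
    out = []
    i = 0
    while i < len(value):
        if value[i] == "\\":
            hexpair = value[i + 1:i + 3]
            if len(hexpair) != 2:
                raise ValueError("truncated escape sequence in filter")
            out.append(chr(int(hexpair, 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_pass_filter(uid: str) -> str:
    """Expand the thread's pass_filter with %n substituted and escaped exactly once."""
    return f"(&(objectClass=qmailUser)(uid={escape_filter_value(uid)}))"


def simulate_lookup(uid: str, directory_uids: set[str]) -> str:
    """Build the filter, then play the server: parse the uid assertion, unescape, compare.

    A raw apostrophe survives untouched and matches. A uid that was already
    backslash-escaped upstream (julie.o\\'reilly, as auth_username_format produced
    in the thread) has its backslash escaped again; the server unescapes it to a
    uid containing a literal backslash, finds nothing, and fails closed.
    """
    match = _UID_ASSERTION.search(build_pass_filter(uid))
    if match is None:
        raise ValueError("filter did not contain a uid assertion")
    return "ok" if unescape_filter_value(match.group(1)) in directory_uids else "unknown user"


def authenticate(resp_b64: str, directory_uids: set[str]) -> str:
    """The whole path from client bytes to lookup result: 'rejected', 'ok' or 'unknown user'."""
    _, username, _ = decode_sasl_plain(resp_b64)
    if not username_allowed(username):
        return "rejected"
    local_part = username.split("@", 1)[0]  # %n in the thread's pass_filter
    return simulate_lookup(local_part, directory_uids)


if __name__ == "__main__":
    directory = {"julie.o'reilly", "karl"}  # constructed stand-in for the LDAP server
    print(build_pass_filter("julie.o'reilly"))
    print(authenticate(SAMPLE_RESP, directory))
    print(simulate_lookup("julie.o\\'reilly", directory))  # the thread's failure mode
```

Run against a real log, paste the resp= value into decode_sasl_plain to confirm whether the client sent a backslash at all; as Timo notes, auth_debug_passwords=yes writes the credential to the log, so do it with a throwaway password. The whitelist check and the filter escaping are deliberately separate layers: the first rejects characters that have no business in a username, the second guarantees that whatever passes the first cannot change the structure of the filter, and a wildcard or parenthesis in a username ends up compared literally rather than interpreted.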
On Wed, 2009-01-07 at 17:05 -0500, Timo Sirainen wrote:
OK, so the problem is auth_username_format instead of LDAP. Fixed: http://hg.dovecot.org/dovecot-1.1/rev/3d32b23f7437
Or just comment out the auth_username_format setting.
That's it!
Now login works perfectly. Thanks for your quick responses and fix.
Karl.
On Wed, 2009-01-07 at 12:12 -0500, Timo Sirainen wrote:
Works fine here with the current v1.1 hg (but I don't remember having done any fixes related to LDAP for a long time):
Where else can I look? This version was compiled on FreeBSD 7.0 64 bit using the ports system with the following configure options:
--localstatedir=/var
--with-statedir=/var/db/dovecot
--without-shadow
--with-ioloop=kqueue
--without-gssapi
--without-vpopmail
--with-ldap
--without-pgsql
--without-mysql
--without-sqlite
The openldap libraries used were openldap-client-2.4.11
Karl.
participants (5)
- Karl Latiss
- Robert Schetterer
- Scott Silva
- Seth Mattinen
- Timo Sirainen