[Dovecot] [BUG?] LDAP authentication with aliases issues
Hello,
I am trying to configure Dovecot with LDAP authentication. My LDAP tree structure is as follows:
#v+
dc=root,dc=pl
 \_ ou=Users
     \_ uid=test
 \_ ou=Mail
     \_ ou=domain.pl
         \_ uid=alias_to_test
#v-
I cannot authenticate using 'uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl'. If I try to authenticate using 'uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl', the following entries appear in Dovecot's log file:
#v+
auth: Debug: client in: AUTH 1 PLAIN service=imap secured
lip=127.0.0.1 rip=127.0.0.1 lport=993 rport=59818
resp=YWxpYXMxQGFsaWFzeS5wbABhbGlhczFAYWxpYXN5LnBsAGFzZHF3ZWFzZA==
auth: Debug: ldap(alias_to_test@domain.pl,127.0.0.1): pass search:
base=uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl scope=base
filter=(&(objectClass=posixAccount)) fields=uid,userPassword
auth: Debug: auth(alias_to_test@domain.pl,127.0.0.1): username changed
alias_to_test@domain.pl -> test
auth: Debug: ldap(test,127.0.0.1): result: uid(user)=test
userPassword(password)={CRYPT}ACnZvF4.K46UI
auth: Debug: client out: OK 1 user=test
auth: Debug: ldap(test,127.0.0.1): user search:
base=uid=test,ou=,ou=Mail,dc=root,dc=pl scope=base
filter=(&(objectClass=posixAccount)(uid=test))
fields=homeDirectory,uidNumber,gidNumber
auth: Debug: master out: FAIL 2551840769
#v-
In the LDAP server log file, the following entries appear during the authentication attempt:
#v+
ldap slapd[11729]: conn=1125 op=0 BIND dn="cn=Manager,dc=root,dc=pl" method=128
ldap slapd[11729]: conn=1125 op=0 BIND dn="cn=Manager,dc=root,dc=pl" mech=SIMPLE ssf=0
ldap slapd[11729]: conn=1125 op=0 RESULT tag=97 err=0 text=
ldap slapd[11729]: conn=1125 op=1 SRCH base="uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl" scope=0 deref=3 filter="(&(objectClass=posixAccount))"
ldap slapd[11729]: conn=1125 op=1 SRCH attr=uid userPassword
ldap slapd[11729]: conn=1125 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
ldap slapd[11729]: conn=1125 op=2 do_search: invalid dn: "uid=test,ou=,ou=Mail,dc=root,dc=pl"
ldap slapd[11729]: conn=1125 op=2 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
#v-
It seems that LDAP AuthDatabase doesn't change the context when looking up the target object to which the alias points. Furthermore, the filter for the target object '(&(objectClass=posixAccount)(uid=test))' was not defined by me anywhere in the configuration file 'dovecot-ldap.ext'. I have tried both authentication ways, 'password lookups' and 'authentication binding', with the same result. However, there is no problem authenticating as 'uid=test,ou=Users,dc=root,dc=pl' (of course after modifying the configuration file listed at the end).
I suppose that it can be a bug in LDAP AuthDatabase, so I am writing this post as a potential bug report.
Below are my configuration data:
# dovecot -n
# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.38.8-1 x86_64
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_verbose = yes
auth_verbose_passwords = plain
listen = *
mail_debug = yes
mail_gid = 2000
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster@domain.pl
protocols = imap pop3 sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/openssl/certs/vmail.pem
ssl_key = </etc/openssl/private/vmail.key
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
verbose_ssl = yes
# cat /etc/dovecot/dovecot-ldap.ext
uris = ldap://X.Y.Z.V/
dn = cn=Manager,dc=root,dc=pl
dnpass = password
auth_bind = no
ldap_version = 3
base = uid=%n,ou=%d,ou=Mail,dc=root,dc=pl
deref = always
scope = base
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount))
default_pass_scheme = CRYPT
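To show how the "invalid DN" in the slapd log arises, here is an added Python example; it is not part of this thread and not Dovecot's own code. It expands a base-DN template containing %n (local part) and %d (domain) in the style of the `base = uid=%n,ou=%d,ou=Mail,dc=root,dc=pl` line above, escapes each substituted value per RFC 4514, and checks the resulting DN for empty RDN values before anything would be sent to the server. The template, the two user names and the validation rule are assumptions chosen to reproduce the log lines in the post: once the alias has been dereferenced the username is the bare `test`, so %d expands to an empty string and the DN becomes `uid=test,ou=,ou=Mail,dc=root,dc=pl`, which is the DN slapd rejected with err=34. A check like `validate_dn` makes that failure visible at the client side instead of as an opaque `master out: FAIL`.

```python
import re

# Constructed sample template mirroring the post's dovecot-ldap.ext (assumption).
BASE_TEMPLATE = "uid=%n,ou=%d,ou=Mail,dc=root,dc=pl"

# Characters RFC 4514 section 2.4 requires to be escaped inside an attribute value.
_DN_SPECIAL = re.compile(r'([\\,+"<>;=])')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for safe inclusion in a DN (RFC 4514)."""
    escaped = _DN_SPECIAL.sub(r"\\\1", value)
    # A leading space or '#' and a trailing space must also be escaped.
    if escaped.startswith((" ", "#")):
        escaped = "\\" + escaped
    if escaped.endswith(" ") and not escaped.endswith("\\ "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def split_user(user: str) -> dict:
    """Dovecot-style variables: %u = full user, %n = local part, %d = domain ('' if absent)."""
    if "@" in user:
        local, domain = user.split("@", 1)
    else:
        local, domain = user, ""
    return {"u": user, "n": local, "d": domain}


def expand_base(template: str, user: str) -> str:
    """Expand %u/%n/%d in a base-DN template, escaping every substituted value."""
    values = {key: escape_dn_value(val) for key, val in split_user(user).items()}
    return re.sub(r"%([und])", lambda m: values[m.group(1)], template)


def validate_dn(dn: str) -> list:
    """Return a list of problems with a DN; empty RDN values such as 'ou=' are reported."""
    problems = []
    # Split only on commas that are not escaped with a backslash.
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            problems.append(f"malformed RDN {rdn!r}")
            continue
        attr, value = rdn.split("=", 1)
        if not attr.strip():
            problems.append(f"missing attribute type in {rdn!r}")
        if not value.strip():
            problems.append(f"empty value for {attr.strip()!r}")
    return problems


def build_search_base(template: str, user: str) -> tuple:
    """Expand the template and report any DN defects the server would reject."""
    dn = expand_base(template, user)
    return dn, validate_dn(dn)


if __name__ == "__main__":
    # The login name as typed, and the name after alias dereferencing (from the post's log).
    for user in ("alias_to_test@domain.pl", "test"):
        dn, problems = build_search_base(BASE_TEMPLATE, user)
        status = "ok" if not problems else "; ".join(problems)
        print(f"{user:26} -> {dn:48} [{status}]")
```

Run as a script it prints the DN for both user names; the dereferenced `test` is flagged with `empty value for 'ou'`, matching the `do_search: invalid dn` entry in the slapd log.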
On 31.07.2011 22:48, Paweł Lęcznar wrote:
Nobody? Nothing? Is there any chance that the author of the LDAP authentication module will fix this problem?
participants (1)
- Paweł Lęcznar