[Dovecot] Fw: Cannot Authenticate via LDAP
Hello Christian, I tried what you suggested by adding "REFERALS off" to /etc/ldap/ldap.conf and restarting slapd and dovecot, but the error persists.
On Tue, Jun 4, 2013 at 7:56 AM, Christian Wiese <christian.wiese@securepoint.de> wrote:
Hi Ron,
I didn't have the time to check all the logs, only the error log. The first thing you should check is whether LDAP REFERRALS are enabled in the system's ldap.conf. I had a similar-looking issue and it took me a good amount of time to figure out that I had to disable LDAP REFERRALS globally. This happened when using an AD as LDAP backend, but it also applies to Samba4, as you can see in the following mailing list thread:
http://dovecot.markmail.org/message/mjurv4fp4w65u2ib?q=Dovecot+LDA+LDAP+lookups+on+samba4+server+ends+very+often+in+timeouts
The settings within the system's ldap.conf might influence Dovecot, because libldap (OpenLDAP) functions might read the global ldap.conf settings.
Hope that helps.
Cheers, Chris
On Tue, 4 Jun 2013 05:50:16 -0400, Ron Scott-Adams <ron@tohuw.net> wrote:
a login tohuw [myPassword] returns "NO [AUTHENTICATIONFAILED] Authentication failed." I believe I'm missing a configuration detail, but what?
info.log: http://pastebin.ca/2388873
debug.log: http://pastebin.ca/2388872
error.log: http://pastebin.ca/2388871
dovecot -n: http://pastebin.ca/2388870
dovecot-ldap.conf.ext summary: http://pastebin.ca/2388867
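One detail worth checking whenever a global ldap.conf change seems to have no effect: ldap.conf(5) documents the referral directive as REFERRALS (two R's), and libldap skips any keyword it does not recognise, so a misspelt directive leaves referral chasing at its default, which is on. The following is an added example, not code from the thread or from OpenLDAP: a small reader for an ldap.conf file that reports the effective referral setting and lists keywords libldap would not recognise. The file contents it parses are constructed for the example; the directive list covers the common ldap.conf(5) keywords, not every one.

```python
# Added example (not from the thread): read an OpenLDAP-style ldap.conf and
# report whether referral chasing is enabled and which keywords libldap would
# not recognise. Keyword names follow ldap.conf(5); the sample file contents
# below are constructed for this example.

# Common directives documented in ldap.conf(5). Keywords are case-insensitive.
KNOWN_KEYWORDS = {
    "BASE", "BINDDN", "DEREF", "HOST", "NETWORK_TIMEOUT", "PORT", "REFERRALS",
    "SIZELIMIT", "TIMELIMIT", "TIMEOUT", "URI",
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY", "TLS_REQCERT",
}

# Boolean spellings libldap accepts for REFERRALS.
_TRUE = {"on", "yes", "true"}
_FALSE = {"off", "no", "false"}


def parse_ldap_conf(text):
    """Return (directives, unknown): directives maps the upper-cased keyword
    to its value string; unknown lists keywords not in KNOWN_KEYWORDS, in
    file order. Blank lines and lines starting with '#' are ignored, as in
    ldap.conf(5)."""
    directives = {}
    unknown = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword in KNOWN_KEYWORDS:
            directives[keyword] = value
        else:
            unknown.append(parts[0])
    return directives, unknown


def referrals_enabled(directives):
    """libldap chases referrals by default; only a recognised
    'REFERRALS off' (or no/false) turns that off."""
    value = directives.get("REFERRALS", "on").lower()
    if value in _FALSE:
        return False
    if value in _TRUE:
        return True
    raise ValueError("unrecognised boolean for REFERRALS: %r" % value)


def check(text):
    """Summarise a file: does it actually disable referrals, and which
    keywords would libldap ignore?"""
    directives, unknown = parse_ldap_conf(text)
    return {"referrals": referrals_enabled(directives), "unknown": unknown}


# Constructed sample: first the spelling that appears in the thread, then the
# spelling ldap.conf(5) documents.
MISSPELT = """\
# /etc/ldap/ldap.conf (constructed sample)
BASE   dc=example,dc=net
URI    ldap://localhost:389
REFERALS off
"""

CORRECTED = MISSPELT.replace("REFERALS off", "REFERRALS off")

if __name__ == "__main__":
    for name, text in (("misspelt", MISSPELT), ("corrected", CORRECTED)):
        print(name, check(text))
```

Run against the first sample the checker reports referrals still enabled and REFERALS as an unrecognised keyword; against the second it reports referrals disabled. Restarting slapd is not needed for this setting: ldap.conf is read by the client library (here, Dovecot's auth process), so only Dovecot has to be restarted after the change.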
Hi,
That can't be the full output of doveconf -n, can it?
You need to define (examples from my configs using the qmail schema; your values will probably be different if you are using AD or OpenLDAP with a different mail schema):
user_attrs = homeDirectory=home,mailMessageStore=mail
user_filter = (&(objectClass=qmailUser)(mail=%u))
pass_attrs = userPassword=password,homeDirectory=userdb_home,mailMessageStore=userdb_mail
pass_filter = (&(objectClass=qmailUser)(mail=%u))
Also look at the auth_bind parameter. Mine is "yes" because I'm using userdb prefetch as you can see from the pass_attrs param.
And you probably need to set up virtual users as well!
Cheers
Alex
On 04/06/13 17:44, Christian Wiese wrote:
[...]
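Alex's user_filter and pass_filter put the login name into the LDAP filter through %u. Dovecot escapes the characters RFC 4515 reserves when it expands these variables, which is what keeps a crafted login name from rewriting the filter. The following added example, which is not code from the thread or from Dovecot, reproduces that expansion step for a constructed login name so the difference between the escaped and the unescaped filter is visible; the template is the one Alex posted, the hostile login name is constructed, and the small `assertions()` helper exists only to show how many attribute assertions each resulting filter contains.

```python
# Added example (not from the thread or from Dovecot): expand a Dovecot-style
# LDAP filter template for a login name, escaping the value as RFC 4515
# requires, and show what the same template yields without that escaping.
# Usernames below are constructed.
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Matches one (attribute=value) assertion; used only to count assertions.
_ASSERTION = re.compile(r"\(([A-Za-z][\w.;-]*)=([^()]*)\)")


def escape_filter_value(value):
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, username, escape=True):
    """Substitute %u (full login), %n (part before '@') and %d (domain) into a
    filter template. Dovecot supports more variables; these three are the ones
    that matter for the user_filter / pass_filter lines in the thread."""
    local, _, domain = username.partition("@")
    variables = {"u": username, "n": local, "d": domain}
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if ch == "%" and nxt in variables:
            value = variables[nxt]
            out.append(escape_filter_value(value) if escape else value)
            i += 2
        elif ch == "%" and nxt == "%":
            out.append("%")
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def assertions(filter_string):
    """List the (attribute, value) assertions a filter contains."""
    return _ASSERTION.findall(filter_string)


TEMPLATE = "(&(objectClass=qmailUser)(mail=%u))"   # Alex's pass_filter
HOSTILE_LOGIN = "*)(objectClass=*"                   # constructed login name

if __name__ == "__main__":
    for escape in (False, True):
        f = expand_filter(TEMPLATE, HOSTILE_LOGIN, escape=escape)
        print("escape=%s %s -> %d assertions" % (escape, f, len(assertions(f))))
```

Without escaping the hostile login turns Alex's two-assertion filter into three assertions, the last of which, `(objectClass=*)`, is true for every entry; with escaping the login stays a single literal value for the `mail` attribute. The same rule applies to any script that builds filters by hand for testing, for instance around ldapsearch: escape the value before interpolating it.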
Forgot to say that the lines below would be part of a file included thusly:
passdb {
  driver = ldap
  # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = prefetch
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
And in /etc/dovecot-ldap.conf.ext, as well as the examples I gave, you'll also need a line like:
uris = ldap://myldapserver1 ldap://myldapserver2
(I use 2 servers with referrals to the master)
Also look up iterate_attrs and iterate_filter to let doveadm and other things iterate over accounts.
Cheers
Alex
On 04/06/13 18:34, Alex Crow wrote:
[...]
That'll teach me for looking too quickly: the only things different from mine are the fact that you don't look up the email address and you don't use prefetch.
Did you try tracing the LDAP server end (e.g. by upping the log level for your LDAP server or using tcpdump/Wireshark)?
I'll shut up now before a 3rd foot goes in my trap!
Alex
On 04/06/13 18:43, Alex Crow wrote:
[...]
Hi Alex, thanks for your input. As you might have surmised from my doveconf output, I had things horribly misconfigured. :) Everything is dandy now, I just had to RTFM and understand userdb/passdb and the ldap settings better. My new configuration follows:
BEGIN DOVECONF:
# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-45-generic x86_64 Ubuntu 12.04.2 LTS
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
log_path = /var/log/dovecot.log
mail_location = maildir:~/.maildir
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = " imap pop3"
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.key
ssl_parameters_regenerate = 0
userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  driver = ldap
}
verbose_ssl = yes
END DOVECONF
BEGIN DOVECOT-LDAP.CONF.EXT
uris = ldap://localhost:389
dn = uid=dovecot,ou=Services,dc=tohuw,dc=net
dnpass = [redacted]
debug_level = -1
auth_bind = yes
auth_bind_userdn = uid=%u,ou=Users,dc=tohuw,dc=net
base = dc=tohuw,dc=net
user_filter = (uid=%u)
pass_filter = (uid=%u)
iterate_attrs = uid=user
default_pass_scheme = SSHA
END DOVECOT-LDAP.CONF.EXT
The dovecot-ldap-userdb.conf.ext is a symlink, as the documentation suggests I do.
On Tue, Jun 4, 2013 at 1:43 PM, Alex Crow <acrow@integrafin.co.uk> wrote:
[...]
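Two points a practitioner would want to see spelled out about the working configuration above. First, with auth_bind = yes and auth_bind_userdn set, Dovecot does no search for the passdb lookup: it binds to the directory as uid=%u,ou=Users,... with the password the client sent, and the LDAP server does the verification, so the uid=dovecot service DN never needs read access to userPassword, and default_pass_scheme = SSHA is only consulted when auth_bind = no and pass_attrs returns userPassword. A bind to ldap://localhost:389 carries the password in clear over the loopback socket, which is acceptable on the same host but calls for ldaps:// or tls = yes once the directory is remote. Second, auth_debug_passwords = yes writes submitted passwords into log_path, so it belongs to a short debugging session, not a running server. The added example below, not code from the thread or from Dovecot, shows the {SSHA} check Dovecot performs itself in the auth_bind = no case, together with the rule by which a value without a {SCHEME} prefix falls back to default_pass_scheme; the password and salt in it are constructed.

```python
# Added example (not from the thread or from Dovecot): the {SSHA} check that
# Dovecot's ldap passdb performs itself when auth_bind = no and pass_attrs
# returns userPassword, plus the default_pass_scheme rule for values that
# carry no {SCHEME} prefix. Passwords and salts below are constructed.
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20


def make_ssha(password, salt=None):
    """Build an OpenLDAP-style value: '{SSHA}' + base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd also uses a 4-byte salt by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """Constant-time comparison of a password against a {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: %r" % stored[:8])
    blob = base64.b64decode(stored[len("{SSHA}"):])
    if len(blob) <= SHA1_LEN:
        raise ValueError("{SSHA} value is too short to carry a digest and a salt")
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    computed = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


def effective_scheme(stored, default_pass_scheme="SSHA"):
    """Dovecot uses the {SCHEME} prefix of the stored value when there is one,
    otherwise the configured default_pass_scheme."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return default_pass_scheme.upper()


if __name__ == "__main__":
    value = make_ssha("constructed-password")
    print(value, effective_scheme(value))
    print("correct:", verify_ssha("constructed-password", value))
    print("wrong:  ", verify_ssha("other-password", value))
```

The salt is what makes two users with the same password store different values; a directory that stores {SHA} or cleartext userPassword gives that up, and with auth_bind = no it also has to expose those values to the Dovecot service DN.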
Hi Ron,
TBH you were doing most things right anyway; I misread your pastebin stuff.
But I'm glad the details helped you, and you're welcome!
Cheers
Alex
On 04/06/13 19:04, Ron Scott-Adams wrote:
[...]
participants (3)
- Alex Crow
- Christian Wiese
- Ron Scott-Adams