That'll teach me for looking too quickly: the only things different from mine is the fact you don't look up the email address and you don't use prefetch.

Did you try tracing the LDAP server end (eg by upping the log level for your LDAP server or using tcpdump/wireshark?)

I'll shut up now before a 3rd foot goes in my trap!

Alex

On 04/06/13 18:43, Alex Crow wrote:

Forgot to say that the lines below would be part of a file included thusly:

passdb { driver = ldap

# Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext args = /etc/dovecot/dovecot-ldap.conf.ext }

userdb { driver = prefetch }

userdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext }

And in the /ettc/dovecot-ldap.conf.ext as well as the examples I gave you'll also need a line like:

uris = ldap://myldapserver1 ldap://myldapserver2

(I use 2 servers with referrals to the master)

Also look up iterate_attrs and iterate_filter to let doveadm and other things iterate over accounts.

Cheers

Alex

On 04/06/13 18:34, Alex Crow wrote:

...

Hi,

That can't be the full output of doveconf -n can it?

You need to define (examples from my configs using qmail schema; your values will probably be different if you are using AD or openLDAP with a different mail schema)

user_attrs = homeDirectory=home,mailMessageStore=mail user_filter = (&(objectClass=qmailUser)(mail=%u)) pass_attrs = userPassword=password,homeDirectory=userdb_home,mailMessageStore=userdb_mail pass_filter = (&(objectClass=qmailUser)(mail=%u))

Also look at the auth_bind parameter. Mine is "yes" because I'm using userdb prefetch as you can see from the pass_attrs param.

And you probably need to set up virtual users as well!

Cheers

Alex

On 04/06/13 17:44, Christian Wiese wrote:

...

Hello Christian, I tried what you suggested by adding "REFERALS off" to /etc/ldap/ldap.conf and restarting slapd and dovecot, but the error persists.

On Tue, Jun 4, 2013 at 7:56 AM, Christian Wiese < christian.wiese@securepoint.de> wrote:

...

Hi Ron,

I didn't had the time to check all logs but the error log. First thing you should check if there are LDAP REFFERALS enabled in the systems ldap.conf. I had a similar looking issue and it took me a good amount of time to figure out that I had to disable LDAP REFFERALS globally. This happened when using an AD as LDAP backend, but also applies to Samba4 as you can see in the following mailing list thread:

http://dovecot.markmail.org/message/mjurv4fp4w65u2ib?q=Dovecot+LDA+LDAP+look...

The settings within the systems ldap.conf might influence dovecot, because libldap (openldap) functions might read the global ldap.conf settings.

Hope that helps.

Cheers, Chris

Am Tue, 4 Jun 2013 05:50:16 -0400 schrieb Ron Scott-Adams ron@tohuw.net:

...

a login tohuw [myPassword] returns "NO [AUTHENTICATIONFAILED] Authentication failed." I believe I'm missing a configuration detail, but what?

info.log: http://pastebin.ca/2388873

debug.log: http://pastebin.ca/2388872

error.log: http://pastebin.ca/2388871

dovecot -n: http://pastebin.ca/2388870

dovecot-ldap.conf.ext summary: http://pastebin.ca/2388867

Hi Ron,

TBH you were doing most things right anyway, I misread your pastebin stuff.

But I'm glad the details helped you, and you're welcome!

Cheers

Alex

On 04/06/13 19:04, Ron Scott-Adams wrote:

Hi Alex, thanks for your input. As you might have surmised from my doveconf output, I had things horribly misconfigured. :) Everything is dandy now, I just had to RTFM and understand userdb/passdb and the ldap settings better. My new configuration follows:

BEGIN DOVECONF: # 2.0.19: /etc/dovecot/dovecot.conf # OS: Linux 3.2.0-45-generic x86_64 Ubuntu 12.04.2 LTS auth_debug = yes auth_debug_passwords = yes auth_verbose = yes log_path = /var/log/dovecot.log mail_location = maildir:~/.maildir passdb { driver = pam } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } protocols = " imap pop3" ssl_cert =

END DOVECONF

BEGIN DOVECOT-LDAP.CONF.EXT

uris = ldap://localhost:389 dn = uid=dovecot,ou=Services,dc=tohuw,dc=net dnpass = [redacted] debug_level = -1 auth_bind = yes auth_bind_userdn = uid=%u,ou=Users,dc=tohuw,dc=net base = dc=tohuw,dc=net user_filter = (uid=%u) pass_filter = (uid=%u) iterate_attrs = uid=user default_pass_scheme = SSHA

END DOVECOT-LDAP.CONF.EXT

The dovecot-ldap-userdb.conf.ext is a symlink, as the documentation suggests I do.

On Tue, Jun 4, 2013 at 1:43 PM, Alex Crow mailto:acrow@integrafin.co.uk> wrote:

Forgot to say that the lines below would be part of a file
included thusly:

passdb {
  driver = ldap

  # Path for LDAP configuration file, see
example-config/dovecot-ldap.conf.ext
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

userdb {
  driver = prefetch
}

userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

And in the /ettc/dovecot-ldap.conf.ext as well as the examples I
gave you'll also need a line like:

uris =  ldap://myldapserver1 ldap://myldapserver2

(I use 2 servers with referrals to the master)

Also look up iterate_attrs and iterate_filter to let doveadm and
other things iterate over accounts.

Cheers

Alex


On 04/06/13 18:34, Alex Crow wrote:

    Hi,

    That can't be the full output of doveconf -n can it?

    You need to define (examples from my configs using qmail
    schema; your values will probably be different if you are
    using AD or openLDAP with a different mail schema)

    user_attrs = homeDirectory=home,mailMessageStore=mail
    user_filter = (&(objectClass=qmailUser)(mail=%u))
    pass_attrs =
    userPassword=password,homeDirectory=userdb_home,mailMessageStore=userdb_mail
    pass_filter = (&(objectClass=qmailUser)(mail=%u))

    Also look at the auth_bind parameter. Mine is "yes" because
    I'm using userdb prefetch as you can see from the pass_attrs
    param.

    And you probably need to set up virtual users as well!

    Cheers

    Alex


    On 04/06/13 17:44, Christian Wiese wrote:

        Hello Christian,
        I tried what you suggested by adding "REFERALS off"
        to /etc/ldap/ldap.conf and restarting slapd and dovecot,
        but the error
        persists.


        On Tue, Jun 4, 2013 at 7:56 AM, Christian Wiese <
        christian.wiese@securepoint.de
        <mailto:christian.wiese@securepoint.de>> wrote:

            Hi Ron,

            I didn't had the time to check all logs but the error log.
            First thing you should check if there are LDAP
            REFFERALS enabled in
            the systems ldap.conf.
            I had a similar looking issue and it took me a good
            amount of time to
            figure out that I had to disable LDAP REFFERALS globally.
            This happened when using an AD as LDAP backend, but
            also applies to
            Samba4 as you can see in the following mailing list
            thread:


            http://dovecot.markmail.org/message/mjurv4fp4w65u2ib?q=Dovecot+LDA+LDAP+lookups+on+samba4+server+ends+very+often+in+timeouts


            The settings within the systems ldap.conf might
            influence dovecot,
            because libldap (openldap) functions might read the
            global ldap.conf
            settings.

            Hope that helps.

            Cheers,
            Chris

            Am Tue, 4 Jun 2013 05:50:16 -0400
            schrieb Ron Scott-Adams <ron@tohuw.net
            <mailto:ron@tohuw.net>>:

                a login tohuw [myPassword] returns "NO
                [AUTHENTICATIONFAILED]
                Authentication failed." I believe I'm missing a
                configuration
                detail, but what?


                info.log: http://pastebin.ca/2388873

                debug.log: http://pastebin.ca/2388872

                error.log: http://pastebin.ca/2388871

                dovecot -n: http://pastebin.ca/2388870

                dovecot-ldap.conf.ext summary:
                http://pastebin.ca/2388867

-- This message has been scanned for viruses and dangerous content by *MailScanner* http://www.mailscanner.info/, and is believed to be clean.