[Dovecot] Using Dovecot with nsswitch for LDAP on Solaris
Hello all,
I'm having some issues configuring dovecot 1.0.10 on a Solaris 10 box, that uses LDAP for its accounts.
The local accounts (in /etc/passwd) are authenticated properly and work as expected, but all accounts from the LDAP fail authentication.
Those are declared for the system using PAM and NSS (/etc/pam.conf and /etc/nsswitch.conf are configured accordingly).
Currently, there are WU-IMAP and Qpopper installed and working, and neither of them needed any special configuration to use the login, they're just using Unix auth.
I tried various configurations, based on what I read in the wiki documentation, but nothing works, even the passwd userdb/passdb, which *should* if I understand correctly.
Trying to use PAM in dovecot fails, too.
Any idea what I'm doing wrong, or pointers to hints? Google returned little information about configuring Dovecot on Solaris, and none that was useful.
TIA,
Laurent
# /opt/csw/sbin/dovecot --version
1.0.10
Sample of failure in the dovecot logs:
Jan 30 18:11:00 balif dovecot: [ID 107833 local1.info] auth(default): new auth connection: pid=13210
Jan 30 18:11:09 balif dovecot: [ID 107833 local1.info] auth(default): client in: AUTH 1 PLAIN service=IMAP secured lip=127.0.0.1 rip=127.0.0.1 resp=xxxxx
Jan 30 18:11:09 balif dovecot: [ID 107833 local1.info] auth-worker(default): pam(lblume,127.0.0.1): lookup service=dovecot
Jan 30 18:11:10 balif dovecot: [ID 107833 local1.info] auth(default): client out: FAIL 1 user=lblume
Jan 30 18:11:17 balif dovecot: [ID 107833 local1.info] imap-login: Aborted login (1 authentication attempts): user=<lblume>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
My latest config try:
# /opt/csw/sbin/dovecot -n
# 1.0.10: /opt/csw/etc/dovecot.conf
base_dir: /var/run/dovecot/
syslog_facility: local1
protocols: imap pop3
listen(default): *:60143
listen(imap): *:60143
listen(pop3): *:60110
ssl_disable: yes
disable_plaintext_auth: no
login_dir: /var/run/dovecot//login
login_executable(default): /opt/csw/libexec/dovecot/imap-login
login_executable(imap): /opt/csw/libexec/dovecot/imap-login
login_executable(pop3): /opt/csw/libexec/dovecot/pop3-login
mail_location: mbox:~/:INBOX=/var/mail/%u
mail_executable(default): /opt/csw/libexec/dovecot/imap
mail_executable(imap): /opt/csw/libexec/dovecot/imap
mail_executable(pop3): /opt/csw/libexec/dovecot/pop3
mail_plugin_dir(default): /opt/csw/lib/dovecot/imap
mail_plugin_dir(imap): /opt/csw/lib/dovecot/imap
mail_plugin_dir(pop3): /opt/csw/lib/dovecot/pop3
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %08Xu%08Xv
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: pam
    args: blocking=yes setcred=yes dovecot
  userdb:
    driver: passwd
    args: blocking=yes
--
/ Project & Community Leader | I'm working, but not speaking for
\ G11N http://fr.opensolaris.org | Bull Services http://www.bull.com
/ FOSUG http://guses.org |
On Thu, 2008-01-31 at 09:58 +0100, Laurent Blume wrote:
> Currently, there are WU-IMAP and Qpopper installed and working, and neither of them needed any special configuration to use the login, they're just using Unix auth.
What service name do they use? If they already work, make Dovecot use the same service name (e.g. passdb pam { args = imap }).
> Jan 30 18:11:09 balif dovecot: [ID 107833 local1.info] auth-worker(default): pam(lblume,127.0.0.1): lookup service=dovecot
> Jan 30 18:11:10 balif dovecot: [ID 107833 local1.info] auth(default): client out: FAIL 1 user=lblume
See if PAM also logged something (/var/log/authlog?).
Timo Sirainen wrote:
> What service name do they use? If they already work, make Dovecot use the same service name (e.g. passdb pam { args = imap }).
They're not using PAM directly, only the system login, so they don't have a service name.
> See if PAM also logged something (/var/log/authlog?).
No, but actually, it seems to be a problem specific to the Blastwave's binary. I decided to build my own, without simple configure options.
Using the same startup and configuration files, it works. So I reported the bug on the Blastwave's site. Maybe they somehow disabled PAM, and it seems that Dovecot needs to use it when accessing accounts not in /etc/passwd.
Thank you for your answer, and sorry for the inconvenience, I really thought I was doing something wrong.
Laurent
/ Project & Community Leader | I'm working, but not speaking for
\ G11N http://fr.opensolaris.org | Bull Services http://www.bull.com
/ FOSUG http://guses.org |
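
Added example, not part of the original thread: the PAM service name asked about above can be read from the auth debug log itself. This Python script pairs each "client out" result with the service from the preceding pam(...) lookup; the function names are hypothetical, the sample is the log excerpt from the first message, and it assumes one auth connection (request ids are only unique per connection).

```python
import re

# Log excerpt copied from the first message of the thread, one entry per line.
SAMPLE_LOG = """\
Jan 30 18:11:00 balif dovecot: [ID 107833 local1.info] auth(default): new auth connection: pid=13210
Jan 30 18:11:09 balif dovecot: [ID 107833 local1.info] auth(default): client in: AUTH 1 PLAIN service=IMAP secured lip=127.0.0.1 rip=127.0.0.1 resp=xxxxx
Jan 30 18:11:09 balif dovecot: [ID 107833 local1.info] auth-worker(default): pam(lblume,127.0.0.1): lookup service=dovecot
Jan 30 18:11:10 balif dovecot: [ID 107833 local1.info] auth(default): client out: FAIL 1 user=lblume
"""

# \s+ rather than a literal space: fields may be tab-separated in raw logs.
CLIENT_IN = re.compile(r"client in: AUTH\s+(\d+)\s+(\S+)\s+service=(\S+)")
PAM_LOOKUP = re.compile(r"pam\(([^,)]+),([^)]*)\): lookup service=(\S+)")
CLIENT_OUT = re.compile(r"client out: (OK|FAIL)\s+(\d+)\s+user=(\S+)")

def summarize_auth(log_text):
    """Return one dict per finished auth request found in log_text."""
    pending = {}      # request id -> mechanism and client protocol
    pam_service = {}  # user -> PAM service name from the latest lookup
    results = []
    for line in log_text.splitlines():
        m = CLIENT_IN.search(line)
        if m:
            pending[m.group(1)] = {"mech": m.group(2), "protocol": m.group(3)}
            continue
        m = PAM_LOOKUP.search(line)
        if m:
            pam_service[m.group(1)] = m.group(3)
            continue
        m = CLIENT_OUT.search(line)
        if m:
            status, req_id, user = m.groups()
            rec = pending.pop(req_id, {"mech": None, "protocol": None})
            # pam_service is None when no PAM lookup was logged for the user
            rec.update(user=user, status=status,
                       pam_service=pam_service.pop(user, None))
            results.append(rec)
    return results

def failed_pam_services(log_text):
    """Map each PAM service name seen in a failed attempt to its users."""
    out = {}
    for rec in summarize_auth(log_text):
        if rec["status"] == "FAIL" and rec["pam_service"]:
            out.setdefault(rec["pam_service"], []).append(rec["user"])
    return out

if __name__ == "__main__":
    for rec in summarize_auth(SAMPLE_LOG):
        print(rec)
```

A failed record whose pam_service is "dovecot" points at the matching service entries in /etc/pam.conf as the next thing to compare.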