[Dovecot] suspected bug in dovecot-ldap setup?
Hi everyone,
[first post: long and boring. beware!]
I've been working on a virtual multidomain MX server with pop3 access. Accounting for users/domains is done via OpenLDAP with the Jamm[1] schema and dovecot is 1.0rc10 (dovecot-1.0-0_27.rc10.el4.at fetched as RPM from atrpms.net for CentOS 4.4).
I intended to have authenticated binds but there was a problem with the user_filter directive being ignored: user_filter = (&(objectClass=JammMailAccount)(mail=%n@%d)(accountActive=TRUE) (delete=FALSE))
dovecot: Oct 26 16:20:58 Info: auth(default): client in: AUTH 1 PLAIN
service=IMAP secured lip=::ffff:192.168.0.5 rip=::ffff:192.168.0.69
resp=<hidden>
dovecot: Oct 26 16:20:58 Info: auth(default):
ldap(dave@info.test,::ffff:192.168.0.69): bind search:
base=o=hosting,dc=example,dc=com scope=subtree filter=
**(&(objectClass=posixAccount(uid=dave@info.test))**
dovecot: Oct 26 16:20:58 Info: auth(default):
ldap(dave@info.test,::ffff:192.168.0.69): unknown user
dovecot: Oct 26 16:20:59 Info: auth(default): client out: FAIL 1
user=dave@info.test
dovecot: Oct 26 16:20:59 Info: imap-login: Disconnected:
user=<dave@info.test>, method=PLAIN, rip=::ffff:192.168.0.69,
lip=::ffff:192.168.0.5, TLS
(nevermind the data, it's test only)
As you can see from the info file, the search filter being used was (&(objectClass=posixAccount(uid=dave@info.test)) and not (&(objectClass=JammMailAccount)(mail=dave@info.test)(accountActive=TRUE) (delete=FALSE)).
I sorted this out by trying to enable auth_bind_userdn: auth_bind_userdn = mail=%n@%d,jvd=%d,o=hosting,dc=example,dc=com
Now, the login worked well and the debug info is as follows:
dovecot: Oct 27 12:01:48 Info: auth(default): client in: AUTH 1 PLAIN
service=IMAP lip=::ffff:192.168.0.5 rip=::ffff:192.168.0.69
resp=AGRhdmVAaW5mb
y50ZXN0AFRlbXAuMTIz
dovecot: Oct 27 12:01:48 Info: auth(default): client out: OK 1
user=dave@info.test
dovecot: Oct 27 12:01:48 Info: auth(default): master in: REQUEST 1
10634 1
dovecot: Oct 27 12:01:48 Info: auth(default):
ldap(dave@info.test,::ffff:192.168.0.69): base=o=hosting,dc=example,dc=com
scope=subtree filter=(&(objectClass=JammMailAccount)(mail=dave@info.test)
(accountActive=TRUE)(delete=FALSE)) fields=mailbox
dovecot: Oct 27 12:01:48 Info: auth(default): master out: USER 1
dave@info.test mail=info.test/dave/ uid=5000 gid=5000
(nevermind the debug data, passwords, etc. it's test only)
In this case, the search filter is ok: (&(objectClass=JammMailAccount)(mail=dave@info.test)(accountActive=TRUE) (delete=FALSE))
So apparently the auth_bind_userdn directive, which supposedly adds a performance gain by sparing one bind request, seems to interfere with the user_filter directive.
I suspect this might be a bug, so here's my report. Is this a new issue?
Thanks for surviving this far through this post, Best regards, Pedro Venda.
[1]: [Java Mail Manager]: web applications to manage virtual email account information stored in an LDAP directory. (http://jamm.sourceforge.net)
Pedro João Lopes Venda email: pjvenda at pjvenda org http://www.pjvenda.org
On Fri, 2006-10-27 at 12:45 +0100, Pedro Venda wrote:
> I intended to have authenticated binds but there was a problem with the user_filter directive being ignored: user_filter = (&(objectClass=JammMailAccount)(mail=%n@%d)(accountActive=TRUE) (delete=FALSE))
> ..
> ldap(dave@info.test,::ffff:192.168.0.69): bind search: base=o=hosting,dc=example,dc=com scope=subtree filter= **(&(objectClass=posixAccount(uid=dave@info.test))**
> dovecot: Oct 26 16:20:58 Info: auth(default): ldap(dave@info.test,::ffff:192.168.0.69): unknown user
> dovecot: Oct 26 16:20:59 Info: auth(default): client out: FAIL 1 user=dave@info.test
> dovecot: Oct 26 16:20:59 Info: imap-login: Disconnected: user=<dave@info.test>, method=PLAIN, rip=::ffff:192.168.0.69, lip=::ffff:192.168.0.5, TLS
> (nevermind the data, it's test only)
> As you can see from the info file, the search filter being used was (&(objectClass=posixAccount(uid=dave@info.test)) and not (&(objectClass=JammMailAccount)(mail=dave@info.test)(accountActive=TRUE) (delete=FALSE)).
user_filter is used by userdb only, after the password authentication was successful. So I guess you wanted to modify pass_filter instead?
On Thursday 02 November 2006 18:42, Timo Sirainen wrote:
> On Fri, 2006-10-27 at 12:45 +0100, Pedro Venda wrote:
> > I intended to have authenticated binds but there was a problem with the user_filter directive being ignored: user_filter = (&(objectClass=JammMailAccount)(mail=%n@%d)(accountActive=TRUE) (delete=FALSE))
> > ..
> > ldap(dave@info.test,::ffff:192.168.0.69): bind search: base=o=hosting,dc=example,dc=com scope=subtree filter= **(&(objectClass=posixAccount(uid=dave@info.test))**
> > dovecot: Oct 26 16:20:58 Info: auth(default): ldap(dave@info.test,::ffff:192.168.0.69): unknown user
> > dovecot: Oct 26 16:20:59 Info: auth(default): client out: FAIL 1 user=dave@info.test
> > dovecot: Oct 26 16:20:59 Info: imap-login: Disconnected: user=<dave@info.test>, method=PLAIN, rip=::ffff:192.168.0.69, lip=::ffff:192.168.0.5, TLS
> > (nevermind the data, it's test only)
> > As you can see from the info file, the search filter being used was (&(objectClass=posixAccount(uid=dave@info.test)) and not (&(objectClass=JammMailAccount)(mail=dave@info.test)(accountActive=TRUE) (delete=FALSE)).
> user_filter is used by userdb only, after the password authentication was successful. So I guess you wanted to modify pass_filter instead?
You see, I'm using auth_bind = yes, so pass_filter isn't relevant. Dovecot doesn't need to find the password, given that authentication relies on successful binding.
Cheers,
On Fri, 2006-11-03 at 10:15 +0000, Pedro Venda wrote:
> On Thursday 02 November 2006 18:42, Timo Sirainen wrote:
> > On Fri, 2006-10-27 at 12:45 +0100, Pedro Venda wrote:
> > > I intended to have authenticated binds but there was a problem with the user_filter directive being ignored: user_filter = (&(objectClass=JammMailAccount)(mail=%n@%d)(accountActive=TRUE) (delete=FALSE))
> > > ..
> > > ldap(dave@info.test,::ffff:192.168.0.69): bind search: base=o=hosting,dc=example,dc=com scope=subtree filter= **(&(objectClass=posixAccount(uid=dave@info.test))**
> > > dovecot: Oct 26 16:20:58 Info: auth(default): ldap(dave@info.test,::ffff:192.168.0.69): unknown user
> > > dovecot: Oct 26 16:20:59 Info: auth(default): client out: FAIL 1 user=dave@info.test
> > > dovecot: Oct 26 16:20:59 Info: imap-login: Disconnected: user=<dave@info.test>, method=PLAIN, rip=::ffff:192.168.0.69, lip=::ffff:192.168.0.5, TLS
> > > (nevermind the data, it's test only)
> > > As you can see from the info file, the search filter being used was (&(objectClass=posixAccount(uid=dave@info.test)) and not (&(objectClass=JammMailAccount)(mail=dave@info.test)(accountActive=TRUE) (delete=FALSE)).
> > user_filter is used by userdb only, after the password authentication was successful. So I guess you wanted to modify pass_filter instead?
> You see, I'm using auth_bind = yes, so pass_filter isn't relevant. Dovecot doesn't need to find the password, given that authentication relies on successful binding.
If you use auth_bind=yes, but not auth_bind_userdn, then the dn is looked up using pass_filter, not user_filter. user_filter is used only after a successful authentication to look up the user_attrs.
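Timo's explanation above, modelled as an added Python example (not Dovecot's own code): it parses a constructed dovecot-ldap.conf fragment built from the filters in this thread and lists which LDAP operations run, in which order, for each of the three settings (no auth_bind, auth_bind without auth_bind_userdn, auth_bind with auth_bind_userdn). The %n/%d expansion, the escaping of the login name before it is substituted into a filter or DN, and the operation list are the example's own simplified model, not Dovecot's implementation.

```python
import re

# Constructed dovecot-ldap.conf fragment; the JammMailAccount filter is the one from the thread.
CONF = """
auth_bind = yes
#auth_bind_userdn = mail=%n@%d,jvd=%d,o=hosting,dc=example,dc=com
base = o=hosting,dc=example,dc=com
pass_filter = (&(objectClass=JammMailAccount)(mail=%n@%d)(accountActive=TRUE)(delete=FALSE))
user_filter = (&(objectClass=JammMailAccount)(mail=%n@%d)(accountActive=TRUE)(delete=FALSE))
user_attrs = mailbox=mail
"""

def parse_conf(text):
    """Minimal key = value parser; '#' lines are comments, as in dovecot-ldap.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def filter_escape(value):
    """Escape RFC 4515 filter metacharacters in a client-supplied value (example's own choice)."""
    return re.sub(r"[\\*()\0]", lambda m: "\\%02x" % ord(m.group()), value)

def dn_escape(value):
    """Escape RFC 4514 DN metacharacters in a client-supplied value (example's own choice)."""
    return re.sub(r'[,+"\\<>;]', lambda m: "\\" + m.group(), value)

def expand(template, user, escape):
    """Expand Dovecot's %u (full login), %n (local part) and %d (domain) variables."""
    name, _, domain = user.partition("@")
    parts = {"u": user, "n": name, "d": domain}
    return re.sub(r"%([und])", lambda m: escape(parts[m.group(1)]), template)

def auth_flow(conf, user):
    """List the LDAP operations, in order, as (operation, expanded filter or DN) tuples."""
    ops = []
    if conf.get("auth_bind") != "yes":
        # No bind at all: pass_filter finds the entry and pass_attrs supplies the password.
        ops.append(("search", expand(conf["pass_filter"], user, filter_escape)))
    elif "auth_bind_userdn" in conf:
        # DN is built from the template, so no search precedes the bind.
        ops.append(("bind", expand(conf["auth_bind_userdn"], user, dn_escape)))
    else:
        # The case from the thread: pass_filter, not user_filter, locates the DN to bind as.
        ops.append(("search", expand(conf["pass_filter"], user, filter_escape)))
        ops.append(("bind", "<dn returned by the pass_filter search>"))
    # userdb lookup: user_filter runs only after authentication has succeeded.
    ops.append(("search", expand(conf["user_filter"], user, filter_escape)))
    return ops
```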
On Saturday 04 November 2006 12:31, Timo Sirainen wrote:
> On Fri, 2006-11-03 at 10:15 +0000, Pedro Venda wrote:
> > On Thursday 02 November 2006 18:42, Timo Sirainen wrote:
> > > On Fri, 2006-10-27 at 12:45 +0100, Pedro Venda wrote:
> > > > I intended to have authenticated binds but there was a problem with the user_filter directive being ignored: user_filter = (&(objectClass=JammMailAccount)(mail=%n@%d)(accountActive=TRUE) (delete=FALSE))
> > > > ..
> > > > ldap(dave@info.test,::ffff:192.168.0.69): bind search: base=o=hosting,dc=example,dc=com scope=subtree filter= **(&(objectClass=posixAccount(uid=dave@info.test))**
> > > > dovecot: Oct 26 16:20:58 Info: auth(default): ldap(dave@info.test,::ffff:192.168.0.69): unknown user
> > > > dovecot: Oct 26 16:20:59 Info: auth(default): client out: FAIL 1 user=dave@info.test
> > > > dovecot: Oct 26 16:20:59 Info: imap-login: Disconnected: user=<dave@info.test>, method=PLAIN, rip=::ffff:192.168.0.69, lip=::ffff:192.168.0.5, TLS
> > > > (nevermind the data, it's test only)
> > > > As you can see from the info file, the search filter being used was (&(objectClass=posixAccount(uid=dave@info.test)) and not (&(objectClass=JammMailAccount)(mail=dave@info.test)(accountActive=TRUE) (delete=FALSE)).
> > > user_filter is used by userdb only, after the password authentication was successful. So I guess you wanted to modify pass_filter instead?
> > You see, I'm using auth_bind = yes, so pass_filter isn't relevant. Dovecot doesn't need to find the password, given that authentication relies on successful binding.
> If you use auth_bind=yes, but not auth_bind_userdn, then the dn is looked up using pass_filter, not user_filter. user_filter is used only after a successful authentication to look up the user_attrs.
OK Timo, I understood.
These options aren't very intuitive, however, because with auth_bind = yes, you don't need to lookup any password, so I figured pass_filter wasn't necessary... That was my first mistake. On the other hand, user_filter would be the filter to look for a given user... my second mistake.
Best regards,
On Tue, 2006-11-07 at 10:10 +0000, Pedro Venda wrote:
> These options aren't very intuitive, however, because with auth_bind = yes, you don't need to lookup any password, so I figured pass_filter wasn't necessary... That was my first mistake. On the other hand, user_filter would be the filter to look for a given user... my second mistake.
Yep. I already updated dovecot-ldap.conf's comments in rc12.