CentOS 6.5, dovecot 2.0.9-7
I was using http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/ to get LDAP auth working. And what's really annoying is, it worked... until I screwed something up and had to pull my work back from a backup. Now it doesn't work :-(
[joliver@localhost ~]$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
a1 LOGIN testuser1 password
a1 NO [AUTHENTICATIONFAILED] Authentication failed.
Turn on debugging and see:
Sep 10 11:26:58 localhost dovecot: auth: Debug: pam(testuser1,127.0.0.1): lookup service=dovecot
Sep 10 11:26:58 localhost dovecot: auth: Debug: pam(testuser1,127.0.0.1): #1/1 style=1 msg=Password:
Sep 10 11:27:00 localhost dovecot: auth: pam(testuser1,127.0.0.1): pam_authenticate() failed: Permission denied
Sep 10 11:27:00 localhost dovecot: auth: ldap(testuser1,127.0.0.1): invalid credentials
Sep 10 11:27:02 localhost dovecot: auth: Debug: client out: FAIL#0111#011user=testuser1
So, I don't know what permission is being denied by PAM, or if that was there or not when this did work. I can access my LDAP server just fine.
What else can I check?
--
* John Oliver http://www.john-oliver.net/ *
Hi,
> Sep 10 11:27:00 localhost dovecot: auth: pam(testuser1,127.0.0.1): pam_authenticate() failed: Permission denied
> Sep 10 11:27:00 localhost dovecot: auth: ldap(testuser1,127.0.0.1): invalid credentials
I am not clear from this if you are using pam auth first and ldap auth 2nd, or if you are trying to use pam to do your ldap authentication for you. Assuming the former, I would guess that you are either failing the auth_bind, or the attributes you are using for user_filter/pass_filter aren't matching the username format. I would start by checking the settings in your dovecot-ldap.conf file...
> Sep 10 11:27:02 localhost dovecot: auth: Debug: client out: FAIL#0111#011user=testuser1
>
> So, I don't know what permission is being denied by PAM, or if that was there or not when this did work. I can access my LDAP server just fine.
>
> What else can I check?
On Wed, Sep 10, 2014 at 12:41:16PM -0700, Bob Miller wrote:
> Hi,
>
>> Sep 10 11:27:00 localhost dovecot: auth: pam(testuser1,127.0.0.1): pam_authenticate() failed: Permission denied
>> Sep 10 11:27:00 localhost dovecot: auth: ldap(testuser1,127.0.0.1): invalid credentials
>
> I am not clear from this if you are using pam auth first and ldap auth 2nd, or if you are trying to use pam to do your ldap authentication for you. Assuming the former, I would guess that you are either failing the auth_bind, or the attributes you are using for user_filter/pass_filter aren't matching the username format. I would start by checking the settings in your dovecot-ldap.conf file...
[joliver@localhost ~]$ dovecot -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-431.el6.x86_64 x86_64 CentOS release 6.5 (Final)
auth_debug = yes
auth_username_format = %Lu
auth_verbose = yes
mail_access_groups = mail
mail_location = mbox:~/mail/:INBOX=/var/mail/%u
mail_privileged_group = mail
mbox_write_locks = fcntl
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = imap
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
userdb {
  args = uid=503 gid=504 home=/home/vmail/%u
  driver = static
}
[joliver@localhost ~]$ cat /etc/dovecot/dovecot-ldap.conf.ext
hosts = localhost
base = ou=Users,dc=my,dc=domain
ldap_version = 3
auth_bind = yes
auth_bind_userdn = uid=%u,ou=Users,dc=my,dc=domain
--
* John Oliver http://www.john-oliver.net/ *
Hi,
> [joliver@localhost ~]$ cat /etc/dovecot/dovecot-ldap.conf.ext
> hosts = localhost
> base = ou=Users,dc=my,dc=domain
> ldap_version = 3
> auth_bind = yes
> auth_bind_userdn = uid=%u,ou=Users,dc=my,dc=domain
this looks different than mine. here is my example config file, maybe it helps:
hosts = 192.168.26.10:389
debug_level = 0
auth_bind = yes
auth_bind_userdn = %Ln@computerisms.com
base = dn=computerisms,dn=com
scope = subtree
user_filter = (&(sAMAccountName=%Ln))
pass_filter = (&(sAMAccountName=%Ln))
On Wed, Sep 10, 2014 at 01:09:11PM -0700, Bob Miller wrote:
> Hi,
>
>> [joliver@localhost ~]$ cat /etc/dovecot/dovecot-ldap.conf.ext
>> hosts = localhost
>> base = ou=Users,dc=my,dc=domain
>> ldap_version = 3
>> auth_bind = yes
>> auth_bind_userdn = uid=%u,ou=Users,dc=my,dc=domain
>
> this looks different than mine. here is my example config file, maybe it helps:
>
> hosts = 192.168.26.10:389
> debug_level = 0
> auth_bind = yes
> auth_bind_userdn = %Ln@computerisms.com
> base = dn=computerisms,dn=com
> scope = subtree
> user_filter = (&(sAMAccountName=%Ln))
> pass_filter = (&(sAMAccountName=%Ln))
I wish it was possible to kiss someone over the Internet :-)
The debug_level helped me immensely... I realized it was literally looking for 'uid' on my LDAP. Changed to 'cn' and all is well!
THANK YOU!!!
--
* John Oliver http://www.john-oliver.net/ *
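The root cause in this thread was an `auth_bind_userdn` template whose RDN attribute (`uid`) did not match the attribute the directory actually uses in its entry DNs (`cn`), so every bind was attempted against a DN that does not exist and Dovecot logged "invalid credentials". The following is an added example, not code from the thread or from the Dovecot project: it parses a `dovecot-ldap.conf.ext`-style file, expands the subset of Dovecot variables used in bind templates (`%u`, `%n`, `%d`, with the `L` lowercase modifier), and checks the expanded DN against the DNs of a set of constructed LDIF entries. It also recognises the UPN-style template from Bob's Active Directory config (`%Ln@computerisms.com`), which is not a DN and is only expanded, not compared. The sample config text, the LDIF entry and the username are constructed for this example.

```python
"""Check that a Dovecot LDAP auth_bind_userdn template matches the DN shape
of real directory entries.  Added example; the config, LDIF and username
below are constructed, not taken from any production system."""
import re

# Dovecot variables used in bind templates: %u full username, %n user part
# before '@', %d domain part.  A leading 'L' modifier lowercases the value
# (e.g. %Lu, %Ln).  Other Dovecot variables are out of scope here.
_VAR_RE = re.compile(r"%(L?)([und])")


def expand_template(template: str, username: str) -> str:
    """Expand %u / %n / %d (optionally with the L modifier) in a template."""
    user, _, domain = username.partition("@")
    values = {"u": username, "n": user, "d": domain}

    def sub(match: "re.Match") -> str:
        value = values[match.group(2)]
        return value.lower() if match.group(1) == "L" else value

    return _VAR_RE.sub(sub, template)


def parse_conf(text: str) -> dict:
    """Parse 'key = value' lines; blank lines and '#' comments are skipped.
    Splitting at the first '=' keeps DN templates such as 'uid=%u,...' intact."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def parse_ldif_dns(ldif: str) -> list:
    """Collect the 'dn:' lines of an LDIF dump (as produced by ldapsearch)."""
    return [line[len("dn:"):].strip()
            for line in ldif.splitlines() if line.startswith("dn:")]


def rdn_attribute(dn: str) -> str:
    """Attribute name of the leftmost RDN, lowercased ('cn' for 'cn=x,ou=...')."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[0].strip().lower()


def check_bind_dn(conf: dict, username: str, ldif_dns: list) -> dict:
    """Expand auth_bind_userdn for `username` and report whether the result
    names an entry in `ldif_dns`.  UPN-style templates (user@realm) are not
    DNs, so they are expanded and reported without comparison."""
    bound = expand_template(conf.get("auth_bind_userdn", ""), username)
    if "=" not in bound:
        return {"bind_dn": bound, "style": "upn", "match": None, "hint": None}
    match = bound.lower() in (dn.lower() for dn in ldif_dns)
    hint = None
    if not match:
        attrs = sorted({rdn_attribute(dn) for dn in ldif_dns})
        hint = (f"no entry has DN {bound!r}; existing entries use "
                f"RDN attribute(s) {attrs}, so the template's RDN attribute "
                f"should be one of those")
    return {"bind_dn": bound, "style": "dn", "match": match, "hint": hint}


# Constructed sample data: the template from the thread before and after the
# fix, and one directory entry whose RDN uses cn rather than uid.
BROKEN_CONF = """
hosts = localhost
base = ou=Users,dc=my,dc=domain
ldap_version = 3
auth_bind = yes
auth_bind_userdn = uid=%u,ou=Users,dc=my,dc=domain
"""
FIXED_CONF = BROKEN_CONF.replace("uid=%u", "cn=%u")
SAMPLE_LDIF = """
dn: cn=testuser1,ou=Users,dc=my,dc=domain
objectClass: inetOrgPerson
cn: testuser1
"""

if __name__ == "__main__":
    dns = parse_ldif_dns(SAMPLE_LDIF)
    for label, text in (("before", BROKEN_CONF), ("after", FIXED_CONF)):
        result = check_bind_dn(parse_conf(text), "testuser1", dns)
        print(label, result["bind_dn"], "match:", result["match"],
              result["hint"] or "")
```

The check deliberately compares whole DNs rather than just the RDN attribute: a template that uses the right attribute but the wrong `base` fails the bind just as silently. Feeding it an actual `ldapsearch -LLL ... dn` dump of the user subtree turns the "invalid credentials" guesswork from the thread into a direct comparison, without sending any password to the directory.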
participants (2): Bob Miller, John Oliver