Raw backtrace multiple passwords not allowed
Hi
Recently enabled support for encrypted passwords on my proxies - CRAM-MD5, DIGEST-MD5, NTLM and APOP to support some new users. Most users are working perfectly though every so often I see this happening in the logs:
Jul 09 06:32:51 auth: Error: ldap(user@domain.com,192.168.10.90,<mOWiFi431eDKOsBS>): Multiple password values not supported
Jul 09 06:32:51 auth: Panic: file passdb-ldap.c: line 99 (ldap_lookup_finish): assertion failed: (password == NULL || scheme != NULL)
Jul 09 06:32:51 auth: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0x86aae) [0x7ff4db08faae] -> /usr/lib64/dovecot/libdovecot.so.0(+0x86b8e) [0x7ff4db08fb8e] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7ff4db033b5d] -> /usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x720b) [0x7ff4d967a20b] -> /usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x5e2f) [0x7ff4d9678e2f] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x4c) [0x7ff4db0a338c] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xff) [0x7ff4db0a47ef] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) [0x7ff4db0a3415] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7ff4db0a35c8] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7ff4db03a033] -> dovecot/auth 13 wait, 1 passdb, 0 userdb [0x7ff4db5454ac] -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7ff4da61fb15] -> dovecot/auth 13 wait, 1 passdb, 0 userdb [0x7ff4db5456a1]
Jul 09 06:32:51 imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=8759, EOF)
Jul 09 06:32:51 imap-login: Warning: Auth connection closed with 1 pending requests (max 1 secs, pid=8764, EOF)
Password debug shows:

Jul 09 06:38:25 auth: Debug: ldap(user@domain.com,192.168.10.90,<xSSOKi438ODKOsBS>): Credentials: 4b616e6761733138
Jul 09 06:38:27 auth: Debug: client passdb out: FAIL 2541 user=user@domain.com pass=NotPassword original_user=user
Jul 09 06:38:37 auth: Debug: passwd-file(tassiedevil,192.168.10.90,<weQKKy438eDKOsBS>): username changed user -> user@domain.com
Jul 09 06:38:37 auth: Debug: passwd-file(user@domain.com,192.168.10.90,<weQKKy438eDKOsBS>): Allowing any password
Jul 09 06:38:37 auth: Debug: ldap(user@domain.com,192.168.10.90,<weQKKy438eDKOsBS>): pass search: base=o=domains,dc=mail,dc=com scope=subtree filter=(&(objectClass=mail)(status=active)(|(|(mail=user@domain.com)(&(uid=user@domain.com)))(&(enabledService=shadowaddress)(shadowAddress user@domain.com)))) fields=mail,userPlaintextPassword,userPlaintextPassword,mailstoreHost
Jul 09 06:38:37 auth: Debug: ldap(user@domain.com,192.168.10.90,<weQKKy438eDKOsBS>): result: mail=user@domain.com userPlaintextPassword=NotPassword; mail,userPlaintextPassword unused
Jul 09 06:38:37 auth: Debug: ldap(user@domain.com,192.168.10.90,<weQKKy438eDKOsBS>): result: mail=user@domain.com userPlaintextPassword=NotPassword; mailstoreHost missing
Jul 09 06:38:37 auth: Debug: ldap(user@domain.com,192.168.10.90,<weQKKy438eDKOsBS>): PLAIN( Jenni) != 'NotPassword'
Jul 09 06:38:39 auth: Debug: client passdb out: FAIL 2826 user=user@domain.com original_user=user
This particular user has a space in their password. Some other users do not when seeing this error.
I run multiple passdb and config is:

passdb {
  args = /etc/dovecot/dovecot-ldap-proxy-alias.conf.ext
  default_fields = nopassword=y password=
  driver = ldap
  result_failure = continue-fail
  result_internalfail = continue-fail
  result_success = continue-ok
}
passdb {
  args = scheme=plain username_format=%l@%d /etc/dovecot/passwd.domains
  default_fields = nopassword=y password=
  driver = passwd-file
  result_success = continue-fail
}
passdb {
  args = /etc/dovecot/dovecot-ldap-proxy.conf.ext
  driver = ldap
}
LDAP passdb specifies 'PLAIN' as default_pass_scheme.
[root@S605 dovecot]# dovecot --version
2.2.24 (a82c823)
Any ideas what's going on here?
This turned into quite a large problem for me but think I have resolved it.
After toying with a few settings I ended up (out of sheer desperation) setting "blocking = yes" in my LDAP configuration.
Is this a logical thing to do? I couldn't find much on it other than I'm guessing queries are no longer async.
I don't really see the downside given the upside is auth is not crashing and causing password prompts for all my customers...
On 09/07/16 15:26, Leon Kyneur wrote:
You sure you're not returning multiple password attributes from LDAP?
Aki
On July 10, 2016 at 1:32 PM Leon Kyneur <leon@f-m.fm> wrote:
pass_attrs = 'mail=user, userPlaintextPassword=password_noscheme, =proxy=y, =pass=%{ldap:userPlaintextPassword}, =host=%{ldap:mailstoreHost}'
I am returning the same password attribute into different fields:
- password_noscheme - to auth the user
- pass - to send plaintext password to backend
This is the only workable solution I could muster to terminate encrypted passwords on the proxy layer.
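As an added illustration (not code from the thread or from Dovecot itself), the script below parses the pass_attrs quoted above and lists which LDAP attributes end up requested more than once and which Dovecot fields draw their value from the same password attribute, which is the check Aki's question points at. The order in which attribute names are collected is an assumption, verified only against the fields= list in the debug output earlier in the thread.

```python
import re
from collections import Counter

# pass_attrs exactly as quoted in the thread; nothing here is constructed.
PASS_ATTRS = ("mail=user, userPlaintextPassword=password_noscheme, =proxy=y, "
              "=pass=%{ldap:userPlaintextPassword}, =host=%{ldap:mailstoreHost}")

# Fields whose value becomes the passdb password (assumption: these are the
# fields passdb-ldap.c counts as "password values"); 'pass' is the proxy's
# forwarded password, tracked separately below.
PASSWORD_FIELDS = ("password", "password_noscheme")
LDAP_VAR = re.compile(r"%\{ldap:([^}]+)\}")


def parse_pass_attrs(spec):
    """Split pass_attrs into (ldap_attr, dovecot_field, template) tuples.
    'attr=field' maps an LDAP attribute to a field; '=field=template' (empty
    attribute name) fills the field from a template with %{ldap:attr} refs."""
    entries = []
    for item in spec.split(","):
        ldap_attr, _, rest = item.strip().partition("=")
        field, _, template = rest.partition("=")
        entries.append((ldap_attr, field, template))
    return entries


def requested_attributes(entries):
    """Attribute list the LDAP search asks for, duplicates kept.
    Assumption: one request per named mapping plus one per %{ldap:attr}
    reference, in order; this reproduces the thread's 'fields=' line."""
    attrs = []
    for ldap_attr, _, template in entries:
        if ldap_attr:
            attrs.append(ldap_attr)
        attrs.extend(LDAP_VAR.findall(template))
    return attrs


def diagnose(spec):
    """Summarise duplicate attribute requests and password-bearing fields."""
    entries = parse_pass_attrs(spec)
    fields = requested_attributes(entries)
    counts = Counter(fields)
    return {
        "fields": fields,
        "duplicate_attrs": sorted(a for a, n in counts.items() if n > 1),
        "password_fields": [f for _, f, _ in entries if f in PASSWORD_FIELDS],
        # LDAP attribute(s) feeding each password-carrying field, incl. 'pass'
        "password_sources": {f: ([a] if a else LDAP_VAR.findall(t))
                             for a, f, t in entries
                             if f in PASSWORD_FIELDS or f == "pass"},
    }


if __name__ == "__main__":
    for key, value in diagnose(PASS_ATTRS).items():
        print(f"{key}: {value}")
```

Running it on the quoted pass_attrs lists userPlaintextPassword twice in the requested fields, matching the debug line, and shows both password_noscheme and pass reading that one attribute.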
participants (2): aki.tuomi@dovecot.fi, Leon Kyneur