[Dovecot] Master user with "user="?
Hello,
In our configuration, we are using a "passdb passwd-file", with "user=" directives in each username, and a separate "userdb passwd-file" which contains the target usernames for the "user=" directives. This works fine, for normal logins via POP and IMAP.
For customer support testing purposes, we also set up a temporary "master=yes" passwd-file. This works fine, for any passdb username that does not have a "user=" field.
However, it seems that if we use the master user to log into a username that is in the passdb with a "user=" field, dovecot looks in the userdb for the original username, and not for the "user=" username specified in the passdb passwd-file.
Is this a known bug? Maybe I'm doing something wrong?
Thanks!
Alan Ferrency
pair Networks, Inc.
alan@pair.com
On Thu, 2008-11-20 at 15:42 -0500, Alan Ferrency wrote:
> Hello,
> In our configuration, we are using a "passdb passwd-file", with "user=" directives in each username, and a separate "userdb passwd-file" which contains the target usernames for the "user=" directives. This works fine, for normal logins via POP and IMAP.
> For customer support testing purposes, we also set up a temporary "master=yes" passwd-file. This works fine, for any passdb username that does not have a "user=" field.
> However, it seems that if we use the master user to log into a username that is in the passdb with a "user=" field, dovecot looks in the userdb for the original username, and not for the "user=" username specified in the passdb passwd-file.
> Is this a known bug? Maybe I'm doing something wrong?
Works fine here with latest v1.1 code. Set auth_debug=yes and show me the logs when logging in? Also show dovecot -n output.
Timo,
Thanks for your response.
On Sun, 14 Dec 2008, Timo Sirainen wrote:
> On Thu, 2008-11-20 at 15:42 -0500, Alan Ferrency wrote:
>> Hello,
>> In our configuration, we are using a "passdb passwd-file", with "user=" directives in each username, and a separate "userdb passwd-file" which contains the target usernames for the "user=" directives. This works fine, for normal logins via POP and IMAP.
>> For customer support testing purposes, we also set up a temporary "master=yes" passwd-file. This works fine, for any passdb username that does not have a "user=" field.
>> However, it seems that if we use the master user to log into a username that is in the passdb with a "user=" field, dovecot looks in the userdb for the original username, and not for the "user=" username specified in the passdb passwd-file.
>> Is this a known bug? Maybe I'm doing something wrong?
> Works fine here with latest v1.1 code. Set auth_debug=yes and show me the logs when logging in? Also show dovecot -n output.
Here's a sample. I've included dovecot -n and log output below.
A passwd-file entry in virtual.ip.passwd (see dovecot -n for the passdb/userdb config):
park@10.2.1.1:<snip>:3393:1000::/usr/boxes/basicguy/basicguydomain.com:: user=park@basicguydomain.com
The corresponding passdb/userdb entry, in virtual.passwd:
park@basicguydomain.com:<snip- same passwd>:3393:1000::/usr/boxes/basicguy/basicguydomain.com::userdb_mail=mbox:~/park^/.imap:INBOX=~/park
The master user entry:
staff:{crypt}<snip>::::::allow_nets=<snip>
A sample telnet session, attempting to log in to the IP based staff username:
* OK Dovecot ready.
a login park@10.2.1.1*staff <snip>
* BYE Internal login failure. Refer to server log for more information.
The logs (below) indicate that the master user login succeeds, and then it looks in both of the userdb files for the username "park@10.2.1.1". However, this username never appears in the userdb files; instead, it has a "user=" entry in the passdb file.
In researching this problem I became aware of an unrelated configuration problem: I should also have a passdb entry for virtual.ip.passwd without the username_format parameter. However, adding this entry makes no difference: after logging in with the master user, dovecot still only checks in the userdb files and not the passdb files anyway.
Should I include the virtual.ip.passwd file as a userdb file as well? If I do, will dovecot follow the user= reference if it appears in a userdb file?
Thank you for your help!
Alan Ferrency
pair Networks, Inc.
alan@pair.com
- Logs:
Dec 16 11:47:41 qenni dovecot: auth(default): client in: AUTH 1 PLAIN service=imap lip=<snip> rip=<snip> lport=143 rport=62216 resp=<hidden>
Dec 16 11:47:41 qenni dovecot: auth(default): passwd-file /usr/boxes/.passwd/master.user: Read 1 users
Dec 16 11:47:41 qenni dovecot: auth(default): passwd-file(staff,<snip>,master): lookup: user=staff file=/usr/boxes/.passwd/master.user
Dec 16 11:47:41 qenni dovecot: auth(default): auth(staff,<snip>,master): allow_nets: Matching for network <snip>
Dec 16 11:47:41 qenni dovecot: auth(default): passdb(staff,<snip>,master): Master user logging in as park@10.2.1.1
Dec 16 11:47:41 qenni dovecot: auth(default): client out: OK 1 user=park@10.2.1.1
Dec 16 11:47:41 qenni dovecot: auth(default): master in: REQUEST 3 96912 1
Dec 16 11:47:41 qenni dovecot: auth(default): passwd-file(park@10.2.1.1,<snip>): lookup: user=park@10.2.1.1 file=/usr/boxes/.passwd/virtual.passwd
Dec 16 11:47:41 qenni dovecot: auth(default): passwd-file(park@10.2.1.1,<snip>): unknown user
Dec 16 11:47:41 qenni dovecot: auth(default): passwd-file(park@10.2.1.1,<snip>): lookup: user=park@10.2.1.1 file=/usr/boxes/.passwd/master.passwd
Dec 16 11:47:41 qenni dovecot: auth(default): passwd-file(park@10.2.1.1,<snip>): unknown user
Dec 16 11:47:41 qenni dovecot: auth(default): userdb(park@10.2.1.1,<snip>): user not found from userdb
Dec 16 11:47:41 qenni dovecot: auth(default): master out: NOTFOUND 3
Dec 16 11:47:41 qenni dovecot: imap-login: Internal login failure (auth failed, 1 attempts): user=park@10.2.1.1, method=PLAIN, rip=<snip>, lip=<snip>
- dovecot -n
1.1.6: /etc/postfix/dovecot.conf
# OS: FreeBSD 6.2-RELEASE-p12 i386
base_dir: /var/run/dovecot
protocols: imap imaps pop3 pop3s
ssl_cert_file: /usr/local/ssl/certs/imapd-ssl.pem
ssl_key_file: /usr/local/ssl/certs/imapd-ssl.pem
ssl_cipher_list: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
fsync_disable: yes
mbox_read_locks: flock
mbox_write_locks: flock
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugins(default): pair_relay quota imap_quota
mail_plugins(imap): pair_relay quota imap_quota
mail_plugins(pop3): pair_relay quota
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
imap_client_workarounds(default): outlook-idle tb-extra-mailbox-sep
imap_client_workarounds(imap): outlook-idle tb-extra-mailbox-sep
imap_client_workarounds(pop3):
pop3_no_flag_updates: yes
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
auth default:
  mechanisms: plain login
  master_user_separator: *
  passdb:
    driver: passwd-file
    args: /usr/boxes/.passwd/virtual.passwd
  passdb:
    driver: passwd-file
    args: username_format=%n@%l /usr/boxes/.passwd/virtual.ip.passwd
  passdb:
    driver: passwd-file
    args: /usr/boxes/.passwd/master.passwd
  passdb:
    driver: passwd-file
    args: /usr/boxes/.passwd/master.user
    master: yes
  userdb:
    driver: passwd-file
    args: /usr/boxes/.passwd/virtual.passwd
  userdb:
    driver: passwd-file
    args: /usr/boxes/.passwd/master.passwd
  socket:
    type: listen
    master:
      path: /var/run/dovecot/auth-master
      mode: 432
      user: vmail
      group: users
plugin:
  PAIR_RELAY_PACKET: %u %l %r
  PAIR_RELAY_INTERVAL: 1800
On Tue, 2008-12-16 at 12:16 -0500, Alan Ferrency wrote:
>>> However, it seems that if we use the master user to log into a username that is in the passdb with a "user=" field, dovecot looks in the userdb for the original username, and not for the "user=" username specified in the passdb passwd-file.
>>> Is this a known bug? Maybe I'm doing something wrong?
>> Works fine here with latest v1.1 code. Set auth_debug=yes and show me the logs when logging in? Also show dovecot -n output.
Oh, I was just testing it wrong. It's anyway a simple problem:
  passdb:
    driver: passwd-file
    args: /usr/boxes/.passwd/master.user
    master: yes
This causes Dovecot to log in the user immediately without doing another passdb lookup. Add pass=yes inside the passdb {} and it'll do the passdb lookup and find the user extra field.
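The corrected auth block, written out as an added illustration in Dovecot v1.1 config syntax (this is not the thread's own dovecot -n output): it keeps only the two virtual passdbs, the master passdb and one userdb from Alan's config, and assumes the master.user entry keeps its allow_nets= restriction as shown above.

```conf
# Added illustration, not the thread's configuration. Dovecot v1.1 syntax.
auth default {
  mechanisms = plain login
  master_user_separator = *

  # Normal passdbs. Entries in virtual.ip.passwd carry user=<real login>,
  # the extra field that a master login must also be able to follow.
  passdb passwd-file {
    args = /usr/boxes/.passwd/virtual.passwd
  }
  passdb passwd-file {
    args = username_format=%n@%l /usr/boxes/.passwd/virtual.ip.passwd
  }

  # Master users (staff:{crypt}...:allow_nets=<support network> in the file).
  # Without pass = yes the login is accepted as soon as the master password
  # matches; the user= redirect is never consulted and the userdb is
  # searched for the literal login name, which is what the logs above show.
  passdb passwd-file {
    args = /usr/boxes/.passwd/master.user
    master = yes
    pass = yes    # run the normal passdb lookup for the target user afterwards
  }

  userdb passwd-file {
    args = /usr/boxes/.passwd/virtual.passwd
  }
}
```

With pass = yes, a failed or missing passdb entry for the target user still rejects the master login, so the allow_nets= restriction on the master entry and the target user's own passdb record both have to pass.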
That did the trick.
Thanks!
Alan
On Fri, 9 Jan 2009, Timo Sirainen wrote:
> On Tue, 2008-12-16 at 12:16 -0500, Alan Ferrency wrote:
>>>> However, it seems that if we use the master user to log into a username that is in the passdb with a "user=" field, dovecot looks in the userdb for the original username, and not for the "user=" username specified in the passdb passwd-file.
>>>> Is this a known bug? Maybe I'm doing something wrong?
>>> Works fine here with latest v1.1 code. Set auth_debug=yes and show me the logs when logging in? Also show dovecot -n output.
> Oh, I was just testing it wrong. It's anyway a simple problem:
>   passdb:
>     driver: passwd-file
>     args: /usr/boxes/.passwd/master.user
>     master: yes
> This causes Dovecot to log in the user immediately without doing another passdb lookup. Add pass=yes inside the passdb {} and it'll do the passdb lookup and find the user extra field.