[Dovecot] Please help: LDAP configuration _almost_ works.
Red Hat Linux release 7.2 (Enigma)
OpenLDAP 2.3.38
Dovecot 1.0.12
SHORT VERSION
Here is my dovecot-ldap.conf:
hosts = ldap.lrtz
dn = cn=varmail,ou=users,dc=lorentz,dc=com
dnpass = *********
ldap_version = 3
auth_bind = yes
pass_filter = (&(objectClass=inetOrgPerson)(mail=%Lu))
base = ou=users, dc=%Dd
scope = onelevel
I have tested using the above information with ldapsearch, and it works fine. However, when dovecot tries to authenticate the user, the LDAP server receives the query and responds to it (according to the LDAP log file), but dovecot just hangs there. 180 seconds later, it drops the IMAP client. E.g.:
The dovecot log shows:
Apr 3 08:13:21 fourier dovecot: auth(default): new auth connection: pid=15774
Apr 3 08:13:30 fourier dovecot: auth(default): client in: AUTH^I1^IPLAIN^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=y.y.y.y^Iresp=<hidden>
Apr 3 08:13:30 fourier dovecot: auth(default): ldap(jackmc@lorentz.com,y.y.y.y): bind search: base=ou=users, dc=lorentz,dc=com filter=(&(objectClass=inetOrgPerson)(mail=jackmc@lorentz.com))
Apr 3 08:16:30 fourier dovecot: imap-login: Disconnected: Inactivity: method=PLAIN, rip=y.y.y.y, lip=x.x.x.x, TLS
The OpenLDAP log shows that the query is received and that it returns a match:
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH base="ou=users,dc=lorentz,dc=com" scope=1 deref=0 filter="(&(objectClass=inetOrgPerson)(mail=jackmc@lorentz.com))"
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH attr=uid
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
LONG VERSION
My users login using their email address as username. Each domain has their own LDAP subtree. Each user has an entry in the ou=users subtree of the domain subtree, and has a mail: field (inetOrgPerson) listing their email address/login name. I am trying to use auth_bind: when I login with jackmc@lorentz.com, dovecot should search for mail=jackmc@lorentz.com in the onelevel below ou=users,dc=lorentz,dc=com and find me as "cn=Jack McKinney,ou=users,dc=lorentz,dc=com". I have created an entry in LDAP (varmail) that should be able to do this query. Indeed, from the command line, it works:
ldapsearch -h ldap.lrtz -b 'ou=users, dc=lorentz, dc=com' -D
'cn=varmail,ou=users,dc=lorentz,dc=com' -x -W -s onelevel
'(&(objectClass=inetOrgPerson)(mail=jackmc@lorentz.com))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base
# Jack McKinney, users, lorentz.com
dn: cn=Jack McKinney,ou=users,dc=lorentz,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Jack McKinney
givenName: Jack McKinney
sn: McKinney
mail: jackmc@lorentz.com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
It appears that dovecot performs the above query successfully, but then never uses the password and retrieved DN to attempt to bind and authenticate the user. Instead, it just times out. (See log files above in the SHORT VERSION). I tried to add pass_attrs, in case there was a bug in dovecot where it ignores the reply if there are no pass_attrs (even though none are needed), but it still fails the same way. Timo Sirainen suggested that I add a debug line to src/auth/db-ldap.c ldap_input() around line 372:
msgid = ldap_msgid(res);
// added line: i_info("LDAP: Received reply %d", msgid);
I did this. Now, when the server first starts up, this line is logged. However, it is not logged when it queries the LDAP server as a result of an IMAP connection needing authentication.
-- 
Jack McKinney  GPG 1024D/99C6A174  jackmc@lorentz.com
YM:lfaatsnat2006  AIM:jackmclorentz
"There is no parameter that makes it impossible for you to perform
still more excellently." -Mario Cuomo, on the lack of a clock in baseball
On Tue, 8 Apr 2008, Jack McKinney wrote:
hosts = ldap.lrtz
dn = cn=varmail,ou=users,dc=lorentz,dc=com
dnpass = *********
ldap_version = 3
auth_bind = yes
pass_filter = (&(objectClass=inetOrgPerson)(mail=%Lu))
base = ou=users, dc=%Dd
scope = onelevel
Your configuration looks bad:
You use auth_bind, but the displayed LDAP item does not contain a "userPassword" attribute, and you've specified "dn", which is not necessary for auth_bind. And you have no pass_attrs config.
I guess the first step is to set auth_bind = no and add the password attribute to the user.
Or keep the auth_bind = yes and add a userPassword attribute to the user, so each user can bind itself to his/her LDAP item.
Wiki: http://wiki.dovecot.org/AuthDatabase/LDAP
The OpenLDAP log shows that the query is received and that it returns a match:
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH base="ou=users,dc=lorentz,dc=com" scope=1 deref=0 filter="(&(objectClass=inetOrgPerson)(mail=jackmc@lorentz.com))"
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH attr=uid
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Well, does nentries=1 really indicate one _match_ or just one returned item/packet? If I use ldapsearch -x uid=nonexisting, I get "# numResponses: 1" in the last line, but no hit. You also see that the search is attr=uid, why?
I do _not_ know why Dovecot just hangs, this is probably a bug due to the configuration glitches.
Bye,
Steffen Kaiser
Hmmm... Perhaps my understanding is wrong. Below is the thought process that brought me here...
userPassword: this is not included _because_ I am using auth_bind. dovecot is not going to check the userPassword field itself; instead, it is going to try and use the password supplied by the user to authenticate to the LDAP server, using:
dn: dovecot needs a dn with which to search the database to find the user's DN based on their email.
An illustration. As an end user, suppose the information that I am to use to connect is:
Username: jackmc@lorentz.com
Password: test123
The sequence that I am trying to make occur is this:
User sends "jackmc@lorentz.com", "test123" to dovecot
Dovecot searches ldap for a user with this email address. Specifically, the user needs to be in "ou=users, dc=lorentz, dc=com" (and not any subtree; only in the top level). This base DN is based on the username supplied: lorentz.com is converted to LDAP format. In order to search for this, Dovecot needs access to the LDAP database. To this end, I have created a DN "cn=varmail, ou=users, dc=lorentz, dc=com" which can search all domains for the "mail" field. Thus, dovecot will bind using the varmail DN and then search onelevel of "ou=users, dc=lorentz, dc=com" for an inetOrgPerson entry whose mail field is jackmc@lorentz.com. As demonstrated by the ldapsearch in my earlier email, this will return the entry for "cn=Jack McKinney, ou=users, dc=lorentz, dc=com".

Now that dovecot knows what the user's DN is, it will make a new connection to the LDAP server (this is my understanding of "auth_bind = yes") using "cn=Jack McKinney, ou=users, dc=lorentz, dc=com" and the password "test123". If this LDAP connection authenticates, then the user is granted access to email (the email location is specified in a static userdb in my dovecot.conf).
Thus, dovecot never needs to see the userPassword field. Indeed, by design, varmail does not have access to this field. Dovecot is supposed to determine the DN for the user based on the supplied username (which in this case is an email address) and then use that DN and the password supplied by the user to try and authenticate to LDAP. If it succeeds, then the user can access their email.
On Fri, 2008-04-11 at 09:20 +0200, Steffen Kaiser wrote:
Jack McKinney  GPG 1024D/99C6A174  jackmc@lorentz.com
YM:lfaatsnat2006  AIM:jackmclorentz
Beware geeks bearing diffs
On Fri, 11 Apr 2008, Jack McKinney wrote:
dn: dovecot needs a dn with which to search the database to find the user's DN based on their email.
This is done with an anonymous connection.
Now that dovecot knows what the user's DN is, it will make a new connection to the LDAP server (this is my understanding of "auth_bind =
It will use the same connection, but bind() anew.
yes") using "cn=Jack McKinney, ou=users, dc=lorentz, dc=com" and the password "test123". If this LDAP connection authenticates, then the
Does this work? Can you bind as this user?
I mean ldapsearch -D "cn=Jack McKinney, ou=users, dc=lorentz, dc=com" -x -w "test123" ?
supplied by the user to try and authenticate to LDAP. If it succeeds, then the user can access their email.
Yeah, it works in my setup :-)
Did you sniff the LDAP connection already?
Bye,
Steffen Kaiser
On Tue, 2008-04-15 at 14:35 +0200, Steffen Kaiser wrote:
On Fri, 11 Apr 2008, Jack McKinney wrote:
dn: dovecot needs a dn with which to search the database to find the user's DN based on their email.
This is done with an anonymous connection.
Hmmm... wish the docs mentioned that. It means that I need to set up LDAP to allow anonymous searches for the mail field. Odd...
Does this work? Can you bind as this user?
I mean ldapsearch -D "cn=Jack McKinney, ou=users, dc=lorentz, dc=com" -x -w "test123" ?
Yes. My mail client, in fact, uses this binding to connect to the server and get my contacts list.
supplied by the user to try and authenticate to LDAP. If it succeeds, then the user can access their email.
Yeah, it works in my setup :-)
Can you supply your config?!
Did you sniff the LDAP connection already?
Only indirectly through the LDAP logs, which show that a response is indeed sent by the LDAP server.
-- 
Jack McKinney  GPG 1024D/99C6A174  jackmc@lorentz.com
YM:lfaatsnat2006  AIM:jackmclorentz
Beware geeks bearing diffs
dn: dovecot needs a dn with which to search the database to find the user's DN based on their email. This is done with an anonymous connection.
Hmmm... wish the docs mentioned that. It means that I need to set up LDAP to allow anonymous searches for the mail field. Odd...
is this true? does it mean that i should have something like this in /etc/ldap/slapd.conf:
access to attr=uid,homeDirectory,uidNumber by anonymous read
still it does not work and i have in log files:
dovecot: auth(default): ldap(wojtek,192.168.0.200): user search: base=ou=Users,dc=frontline scope=subtree filter=(&(objectClass=posixAccount)(uid=wojtek)) fields=homeDirectory,uidNumber
dovecot: auth(default): ldap(wojtek,192.168.0.200): Authenticated user not found
dovecot: auth(default): userdb(wojtek,192.168.0.200): user not found from userdb
dovecot: auth(default): master out: NOTFOUND^I4
to be honest i do not know how to make ldap searchable for anonymous user. i have tried several options and it does not work.
Yeah, it works in my setup :-)
Can you supply your config?!
yes. could you please send your config, both dovecot (/etc/dovecot/dovecot*.conf) and openldap (/etc/ldap/*.conf)?
Did you sniff the LDAP connection already?
Only indirectly through the LDAP logs, which shows that a response is indeed sent by the LDAP server.
how would you recommend to sniff?
interesting thing. i also changed auth_bind to no, with dn and dnpass supplied, and it does not work. looks like dovecot still tries to bind to ldap using the anonymous user.
cheers, Wojtek
On Tue, 2008-04-15 at 19:09 +0100, Wojtek Bogusz wrote:
dn: dovecot needs a dn with which to search the database to find the user's DN based on their email. This is done with an anonymous connection.
Hmmm... wish the docs mentioned that. It means that I need to set up LDAP to allow anonymous searches for the mail field. Odd...
is this true? does it mean that i should have something like this in /etc/ldap/slapd.conf:
access to attr=uid,homeDirectory,uidNumber by anonymous read
I do not have this in my configuration, and dovecot does indeed use the credential I provide to successfully query LDAP for the user based on the (mail=%u) criteria. However, it does not see the reply. The fact that it does perform the query successfully implies to me that it does not use an anonymous connection. Very puzzling.
-- 
Jack McKinney  GPG 1024D/99C6A174  jackmc@lorentz.com
YM:lfaatsnat2006  AIM:jackmclorentz
Beware geeks bearing diffs
/etc/ldap/slapd.conf:
access to attr=uid,homeDirectory,uidNumber by anonymous read
I do not have this in my configuration, and dovecot does indeed use the credential I provide to successfully query LDAP for the user based on the (mail=%u) criteria. However, it does not see the reply. The fact that it does perform the query successfully implies to me that it does not use an anonymous connection. Very puzzling.
i have no idea what dovecot is doing :-) from the log file it looks like there are 2 queries to ldap: 1. to check provided password for provided user name, 2. to find a user related information (and from what Steffen wrote this one is done with anonymous user - correct?).
[on the margin: why isn't it done in one query: get me the user related information, i am binding with provided user and with provided password. this way it would be one query for two things.]
in my case, i cannot list user related information from ldap in an anonymous connection even from the command line, using:
ldapsearch -x -b 'ou=Users,dc=frontline' '(&(objectClass=posixAccount)(uid=wojtek))' homeDirectory
so i guess that i have to work out ldap settings for anonymous query. my /etc/ldap/slapd.conf related to access permissions is:
access to dn.children="ou=Users,dc=frontline" attrs=uid,homeDirectory,uidNumber
        by anonymous read
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=frontline" write
        by anonymous auth
        by self write
        by * none
access to dn.children="ou=Users,dc=frontline"
        by dn="cn=root,ou=Users,dc=frontline" read
        by anonymous auth
        by self write
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=frontline" write
        by * read
maybe the problem is here... any hints please?
regards, Wojtek
I can't help you with what is going wrong for you, but we use dovecot very successfully with ldap lookups against Active Directory, using auth_bind=yes, and it does not require anonymous connections. The initial connection is by an un-privileged user that searches for the user, then a 2nd connection is used, authenticating against AD as the looked-up user using the password supplied to dovecot.
Our setup looks like this:
# rpm -q dovecot
dovecot-1.0-1.2.0.el5

# dovecot -n
# /etc/dovecot.conf
protocols: imap pop3
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_user: dovecotlogin
login_process_size: 64
login_processes_count: 10
login_max_processes_count: 64
first_valid_uid: 97
default_mail_env: maildir:/data/shared/mailstore/%d/%n
mail_location: maildir:/data/shared/mailstore/%d/%n
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
  passdb:
    driver: ldap
    args: /etc/dovecot-ldap.conf
  passdb:
    driver: ldap
    args: /etc/dovecot-ldap-fr.conf
  passdb:
    driver: ldap
    args: /etc/dovecot-ldap-se.conf
  userdb:
    driver: ldap
    args: /etc/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot-ldap-fr.conf
  userdb:
    driver: ldap
    args: /etc/dovecot-ldap-se.conf

# cat /etc/dovecot-ldap.conf
hosts = ad.our.net
dn=CN=Lookup,CN=Users,DC=our,DC=net
dnpass=XXXXXXXX
auth_bind = yes
ldap_version = 3
base = OU=Stores,OU=UK,DC=our,DC=net
deref = never
scope = subtree
user_attrs = mail=user
user_filter = (&(objectClass=user)(mail=%u))
pass_attrs = mail=user,userPassword=password,mail=userdb_user
pass_filter = (&(objectClass=user)(mail=%u))
user_global_uid = dovecot
user_global_gid = dovecot
We use multiple userdb / passdb definitions and ldap configs in order to limit the searches of our AD schema to specific sub-trees, both for performance and because there are other users elsewhere in our schema that we don't want dovecot to allow to connect.
Hope this helps you. Rob
On Wed, 2008-04-16 at 00:19 +0100, Wojtek Bogusz wrote:
Please consider the environment before printing this email.
GAME Stores Group Ltd has been awarded Retailer of the Year at the 2006 and 2007 Golden Joystick Awards and 'Thames Valley Business Award' for Outstanding Employer of Choice 2006.
This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the system manager at:
mailto:postmaster@game.co.uk
The recipient acknowledges that the transmissions made via the Internet can be corrupted and therefore THE GAME GROUP PLC and any of its subsidiaries do not give any warranty as to the quality or accuracy of any information contained in the message or assume any liability for it or for its transmission, reception or storage.
This footnote also confirms that this e-mail message has been swept by anti-virus software for the presence of computer viruses.
http://www.game.co.uk http://www.gamegroup.plc.uk
Registered Number: 1937170 Registered Office: Unity House, Telford Road, Basingstoke, Hampshire. RG21 6YJ Registered in England and Wales.
dear Rob, thank you for support! there are small differences between my config and yours, like:
- you do not have auth_bind_userdn defined. if i comment mine out i cannot authenticate at all - log file:
auth(default): ldap(wojtek,192.168.0.200): unknown user
dovecot: auth(default): client out: FAIL^I1^Iuser=wojtek
- you have user_attrs = mail=user, me: user_attrs = homeDirectory=home,uidNumber=uid. but i do not think it makes any difference.
- i did not have deref = never. do you know what it does? i do not understand the man ldapsearch explanation :(
Rob, could you send me your ldap config (/etc/ldap/slapd.conf) please? maybe i am making some simple mistake with my ldap config...
cheers, Wojtek
Rob Coward wrote:
On Wed, 2008-04-16 at 10:39 +0100, Wojtek Bogusz wrote:
dear Rob, thank you for support! there are small differences in mine and yours config, like:
- you do not have auth_bind_userdn defined. if i comment my out i cannot authenticate at all - log file:
auth(default): ldap(wojtek,192.168.0.200): unknown user
dovecot: auth(default): client out: FAIL^I1^Iuser=wojtek
Our initial connection is made using the "dn" and "dnpass" settings. This looks up the user's dn based on the "(&(objectClass=user)(mail=%u))" search criteria.
My understanding of the auth_bind_userdn setting is that it is only useful if all your users are in a specific tree in the ldap, so that you can specify (from http://wiki.dovecot.org/HowTo/DovecotOpenLdap?highlight=%28auth_bind_userdn%29 )
auth_bind_userdn = uid=%u,ou=People,dc=_WIZZY_HOSTNAME_,ou=wizzy
This I believe saves the first lookup to find the dn of the user trying to login. Our users are spread throughout our tree, hence using the initial lookup as the 'dn'/'dnpass' user to find our user's dn.
If you remove auth_bind_userdn, do you have 'dn' & 'dnpass' setup with a suitable unprivileged user to allow the initial lookup of the logging-in user's dn ?
- you have user_attrs = mail=user, me: user_attrs = homeDirectory=home,uidNumber=uid. but i do not think it make any difference.
Our users login with their email address as the userid - hence "mail=user" telling dovecot that the userid is stored in the 'mail' attribute in the ldap results. We don't bother with 'home' or 'uid' as they are all virtual users, using a fixed uid set by "user_global_uid = dovecot" and "mail_location: maildir:/data/shared/mailstore/%d/%n".
- i did not have deref = never. do you know what does it do? i do not understand man ldapsearch explanation :(
Something to do with following links to other ldap servers, I think. Don't think it's strictly necessary in a single server setup.
Rob, could you send me your ldap config (/etc/ldap/slapd.conf) please? maybe i am making some simple mistake with my ldap config...
As I said, we use Active Directory (running on Win2k3 servers I believe), not slapd.
Regards, Rob
Rob Coward wrote:
This footnote also confirms that this e-mail message has been swept by anti-virus software for the presence of computer viruses.
http://www.game.co.uk http://www.gamegroup.plc.uk
Registered Number: 1937170 Registered Office: Unity House, Telford Road, Basingstoke, Hampshire. RG21 6YJ Registered in England and Wales.
It seems that Rob and I are doing almost exactly the same thing except:
He uses AD, I use OpenLDAP
His works, mine doesn't.
I have:
Red Hat Linux release 7.2 (Enigma)
OpenLDAP 2.3.38
Dovecot 1.0.12, 1.0.13, and 1.1.rc4 (they all fail the same way).
Sigh... Rob, it sounds like you are trying to do EXACTLY what I am trying to do:

1. My users login with their email address.

2a. My users are all over the tree in the sense that you cannot determine the DN from the email alone. E.g., I am jackmc@lorentz.com, but my DN is "cn=Jack McKinney, ou=users, dc=lorentz, dc=com". Thus, I need to do a lookup to get the DN to use for auth_bind. However,

2b. My users have contact databases under their DNs. For example, all of my contacts are in ou=AddressBook,cn=Jack McKinney, ou=users, dc=lorentz, dc=com. If I did a subtree search, then mail=jackmc@lorentz.com would pick up my DN, plus the DN of any entry in anyone's addressbook for me. I.e., if foo@example.com had an account on my system, and they had an entry in their addressbook, then the subtree query for mail=jackmc@lorentz.com would turn up two entries:

    dn: cn=Jack McKinney, ou=users, dc=lorentz, dc=com
    dn: cn=Jack McKinney, ou=AddressBook, cn=Foo Bar, ou=users, dc=example, dc=com

Thus, I do a query with base "ou=users, dc=%Dd" and scope = onelevel, so that only the real users are matched.

3. My users do not have any logins on the system. Just like a web server is just a web server and not a login system, the same with my email: all mail lives under the same username and group (varmail/varmail), and everyone's maildir is /var/mail/domain/user/Maildir/
My config is almost exactly the same as yours, except that I use static userdb and I do not have (nor do I understand the need for; see my previous post) pass_attrs. I tried putting them in matching yours, but it still fails the same way: OpenLDAP receives the query and (according to its logs) responds with nentries=1 (i.e., exactly one match, as expected). However, dovecot never sees the response from OpenLDAP.
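Editor's worked example (added here; not code from anyone in this thread). Two points in Jack's post are easy to check with a toy model of the search Dovecot issues as its "bind search": with base ou=users,dc=<domain>, scope = onelevel returns only the real user entry, while scope = subtree also returns an address-book copy that carries the same mail value; and a search that requests an attribute the matching entry does not have (uid, as in the slapd log's "SRCH attr=uid") still returns that entry, just with no attributes, which is why slapd reports nentries=1. The directory below is constructed for the example from the DNs quoted in the thread; putting the address-book copy under a user in the same domain is an assumption, made so that a subtree search from that domain's ou=users base actually reaches it.

```python
"""Toy model of an LDAP search: base + scope + equality/AND filter +
requested attributes.  Editorial example, not code from this thread."""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]        # attribute name (lower-case) -> values


def normalize_dn(dn: str) -> str:
    """Canonical DN for comparison: lower-case, no blanks after commas.
    Escaped commas inside RDN values are not handled (none occur here)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def in_scope(dn: str, base: str, scope: str) -> bool:
    """True if `dn` lies inside the search scope rooted at `base`."""
    dn_n, base_n = normalize_dn(dn), normalize_dn(base)
    if scope == "base":
        return dn_n == base_n
    if scope == "subtree":
        return dn_n == base_n or dn_n.endswith("," + base_n)
    if scope == "onelevel":           # direct children: exactly one RDN above base
        return dn_n.endswith("," + base_n) and "," not in dn_n[: -len(base_n) - 1]
    raise ValueError("unknown scope: " + scope)


_TERM = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def parse_filter(flt: str) -> List[Tuple[str, str]]:
    """Parse `(attr=value)` or an AND of such terms `(&(a=v)(b=w))` into
    [(attr, value), ...]; OR, NOT and wildcards are rejected."""
    body = flt.strip()
    if body.startswith("(&") and body.endswith(")"):
        body = body[2:-1]
    terms = _TERM.findall(body)
    if not terms or "".join("(%s=%s)" % t for t in terms) != body:
        raise ValueError("unsupported filter: " + flt)
    return [(attr.lower(), value) for attr, value in terms]


def matches(entry: Entry, terms: List[Tuple[str, str]]) -> bool:
    """Every term must equal one value, case-insensitively (mail and
    objectClass both use case-ignoring matching rules)."""
    return all(any(value.lower() == v.lower() for v in entry.get(attr, []))
               for attr, value in terms)


def search(directory: Dict[str, Entry], base: str, scope: str,
           flt: str, attrs: List[str]) -> List[Tuple[str, Entry]]:
    """Return [(dn, returned_attrs)] like an LDAP SearchResult: a matching
    entry is returned even if none of the requested attributes exist."""
    terms = parse_filter(flt)
    wanted = [a.lower() for a in attrs]
    results = []
    for dn, entry in directory.items():
        if in_scope(dn, base, scope) and matches(entry, terms):
            returned = ({a: entry[a] for a in wanted if a in entry}
                        if wanted else dict(entry))
            results.append((dn, returned))
    return results


PERSON = ["top", "person", "organizationalPerson", "inetOrgPerson"]

# Constructed directory, modelled on the DNs quoted in the thread.
DIRECTORY: Dict[str, Entry] = {
    "cn=Jack McKinney,ou=users,dc=lorentz,dc=com": {
        "objectclass": PERSON, "cn": ["Jack McKinney"], "sn": ["McKinney"],
        "mail": ["jackmc@lorentz.com"],            # note: no uid attribute
    },
    "cn=varmail,ou=users,dc=lorentz,dc=com": {     # Dovecot's lookup account
        "objectclass": PERSON, "cn": ["varmail"], "sn": ["varmail"],
    },
    "cn=Foo Bar,ou=users,dc=lorentz,dc=com": {
        "objectclass": PERSON, "cn": ["Foo Bar"], "sn": ["Bar"],
        "mail": ["foo@lorentz.com"],
    },
    "ou=AddressBook,cn=Foo Bar,ou=users,dc=lorentz,dc=com": {
        "objectclass": ["top", "organizationalUnit"], "ou": ["AddressBook"],
    },
    # Foo Bar's address-book copy of Jack: same mail value, deeper in the tree
    # (assumption: placed in the same domain so the subtree search reaches it).
    "cn=Jack McKinney,ou=AddressBook,cn=Foo Bar,ou=users,dc=lorentz,dc=com": {
        "objectclass": PERSON, "cn": ["Jack McKinney"], "sn": ["McKinney"],
        "mail": ["jackmc@lorentz.com"],
    },
}

BASE = "ou=users, dc=lorentz, dc=com"            # as written in dovecot-ldap.conf
FILTER = "(&(objectClass=inetOrgPerson)(mail=jackmc@lorentz.com))"

if __name__ == "__main__":
    for scope in ("subtree", "onelevel"):
        hits = search(DIRECTORY, BASE, scope, FILTER, ["uid"])
        print("scope=%-8s nentries=%d" % (scope, len(hits)))
        for dn, returned in hits:
            print("   ", dn, returned)
```

Run as a script it prints nentries=2 for subtree and nentries=1 for onelevel, and the one onelevel hit is Jack's real entry with an empty attribute set, which is exactly what the slapd line "SRCH attr=uid ... nentries=1" describes. The same thing can be reproduced against the real server with ldapsearch by switching between `-s one` and `-s sub` and listing `uid` at the end of the command.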
On Wed, 2008-04-16 at 11:17 +0000, Rob Coward wrote:
On Wed, 2008-04-16 at 10:39 +0100, Wojtek Bogusz wrote:
> dear Rob, thank you for the support! There are small differences between my config and yours, like:
>
> - you do not have auth_bind_userdn defined. If I comment mine out I cannot authenticate at all - log file:
>
>   auth(default): ldap(wojtek,192.168.0.200): unknown user
>   dovecot: auth(default): client out: FAIL^I1^Iuser=wojtek
Our initial connection is made using the "dn" and "dnpass" settings. This looks up the user's dn based on the "(&(objectClass=user)(mail=%u))" search criteria.

My understanding of the auth_bind_userdn setting is that it is only useful if all your users are in a specific tree in the ldap, so that you can specify (from http://wiki.dovecot.org/HowTo/DovecotOpenLdap?highlight=%28auth_bind_userdn%29 ) auth_bind_userdn = uid=%u,ou=People,dc=_WIZZY_HOSTNAME_,ou=wizzy
This I believe saves the first lookup to find the dn of the user trying to login. Our users are spread throughout our tree, hence using the initial lookup as the 'dn'/'dnpass' user to find our user's dn.
If you remove auth_bind_userdn, do you have 'dn' & 'dnpass' setup with a suitable unprivileged user to allow the initial lookup of the logging-in user's dn ?
> - you have user_attrs = mail=user, me: user_attrs = homeDirectory=home,uidNumber=uid. But I do not think it makes any difference.

Our users login with their email address as the userid - hence "mail=user" telling dovecot that the userid is stored in the 'mail' attribute in the ldap results. We don't bother with 'home' or 'uid' as they are all virtual users, using a fixed uid set by "user_global_uid = dovecot" and "mail_location: maildir:/data/shared/mailstore/%d/%n"

> - I did not have deref = never. Do you know what it does? I do not understand the man ldapsearch explanation :(

Something to do with following links to other ldap servers I think. Don't think it's strictly necessary in a single server setup.
> Rob, could you send me your ldap config (/etc/ldap/slapd.conf) please? Maybe I am making some simple mistake with my ldap config...
As I said, we use Active Directory (running on Win2k3 servers I believe), not slapd.
Regards, Rob
Rob Coward wrote:
I can't help you with what is going wrong for you, but we use dovecot very successfully with ldap lookups against Active Directory, using auth_bind=yes, and it does not require anonymous connections. The initial connection is by an unprivileged user that searches for the user, then a 2nd connection is used, authenticating against AD as the looked-up user using the password supplied to dovecot.
Our setup looks like this:
# rpm -q dovecot
dovecot-1.0-1.2.0.el5

# dovecot -n
# /etc/dovecot.conf
protocols: imap pop3
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_user: dovecotlogin
login_process_size: 64
login_processes_count: 10
login_max_processes_count: 64
first_valid_uid: 97
default_mail_env: maildir:/data/shared/mailstore/%d/%n
mail_location: maildir:/data/shared/mailstore/%d/%n
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
  passdb:
    driver: ldap
    args: /etc/dovecot-ldap.conf
  passdb:
    driver: ldap
    args: /etc/dovecot-ldap-fr.conf
  passdb:
    driver: ldap
    args: /etc/dovecot-ldap-se.conf
  userdb:
    driver: ldap
    args: /etc/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot-ldap-fr.conf
  userdb:
    driver: ldap
    args: /etc/dovecot-ldap-se.conf

# cat /etc/dovecot-ldap.conf
hosts = ad.our.net
dn=CN=Lookup,CN=Users,DC=our,DC=net
dnpass=XXXXXXXX
auth_bind = yes
ldap_version = 3
base = OU=Stores,OU=UK,DC=our,DC=net
deref = never
scope = subtree
user_attrs = mail=user
user_filter = (&(objectClass=user)(mail=%u))
pass_attrs = mail=user,userPassword=password,mail=userdb_user
pass_filter = (&(objectClass=user)(mail=%u))
user_global_uid = dovecot
user_global_gid = dovecot
We use multiple userdb / passdb definitions and ldap configs in order to limit the searches of our AD schema to specific sub-trees, both for performance and as there are other users elsewhere in our schema that we don't want dovecot to allow to connect.
Hope this helps you. Rob
On Wed, 2008-04-16 at 00:19 +0100, Wojtek Bogusz wrote:
/etc/ldap/slapd.conf:
access to attr=uid,homeDirectory,uidNumber by anonymous read

I do not have this in my configuration, and dovecot does indeed use the credential I provide to successfully query LDAP for the user based on the (mail=%u) criteria. However, it does not see the reply. The fact that it does perform the query successfully implies to me that it does not use an anonymous connection. Very puzzling.

I have no idea what dovecot is doing :-) From the log file it looks like there are 2 queries to ldap: 1. to check the provided password for the provided user name, 2. to find user-related information (and from what Steffen wrote this one is done with the anonymous user - correct?).

[on the margin: why isn't it done in one query: get me the user-related information, I am binding with the provided user and with the provided password. This way it would be one query for two things.]

In my case, I cannot list user-related information from ldap over an anonymous connection even from the command line, using:

ldapsearch -x -b 'ou=Users,dc=frontline' '(&(objectClass=posixAccount)(uid=wojtek))' homeDirectory

So I guess that I have to work out the ldap settings for anonymous queries. My /etc/ldap/slapd.conf related to access permissions is:

access to dn.children="ou=Users,dc=frontline" attrs=uid,homeDirectory,uidNumber
    by anonymous read
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="cn=admin,dc=frontline" write
    by anonymous auth
    by self write
    by * none
access to dn.children="ou=Users,dc=frontline"
    by dn="cn=root,ou=Users,dc=frontline" read
    by anonymous auth
    by self write
access to dn.base=""
    by * read
access to *
    by dn="cn=admin,dc=frontline" write
    by * read

Maybe the problem is here... any hints please?
Please consider the environment before printing this email.
GAME Stores Group Ltd has been awarded Retailer of the Year at the 2006 and 2007 Golden Joystick Awards and 'Thames Valley Business Award' for Outstanding Employer of Choice 2006.
This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the system manager at:
mailto:postmaster@game.co.uk
The recipient acknowledges that the transmissions made via the Internet can be corrupted and therefore THE GAME GROUP PLC and any of its subsidiaries do not give any warranty as to the quality or accuracy of any information contained in the message or assume any liability for it or for its transmission, reception or storage.
This footnote also confirms that this e-mail message has been swept by anti-virus software for the presence of computer viruses.
http://www.game.co.uk http://www.gamegroup.plc.uk
Registered Number: 1937170 Registered Office: Unity House, Telford Road, Basingstoke, Hampshire. RG21 6YJ Registered in England and Wales.
Jack McKinney GPG 1024D/99C6A174 jackmc@lorentz.com YM:lfaatsnat2006 AIM:jackmclorentz Beware geeks bearing diffs
> > My config is almost exactly the same as yours, except that I use static userdb and I do not have (nor do I understand the need for; see my previous post) pass_attrs. I tried putting them in matching yours, but it still fails the same way: OpenLDAP receives the query and (according to its logs) responds with nentries=1 (i.e., exactly one match, as expected). However, dovecot never sees the response from OpenLDAP.
>
> What do you see in the dovecot logs with auth debug on?

Apr 3 08:13:21 fourier dovecot: auth(default): new auth connection: pid=15774
Apr 3 08:13:30 fourier dovecot: auth(default): client in: AUTH^I1^IPLAIN^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=y.y.y.y^Iresp=<hidden>
Apr 3 08:13:30 fourier dovecot: auth(default): ldap(jackmc@lorentz.com,y.y.y.y): bind search: base=ou=users, dc=lorentz,dc=com filter=(&(objectClass=inetOrgPerson)(mail=jackmc@lorentz.com))
Apr 3 08:16:30 fourier dovecot: imap-login: Disconnected: Inactivity: method=PLAIN, rip=y.y.y.y, lip=x.x.x.x, TLS

For full details, see the original email. It would appear from the OpenLDAP logs that OpenLDAP is sending the match, but that dovecot is not receiving it.
<quote who="Jack McKinney">
> Apr 3 08:13:21 fourier dovecot: auth(default): new auth connection: pid=15774
> Apr 3 08:13:30 fourier dovecot: auth(default): client in: AUTH^I1^IPLAIN^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=y.y.y.y^Iresp=<hidden>
> Apr 3 08:13:30 fourier dovecot: auth(default): ldap(jackmc@lorentz.com,y.y.y.y): bind search: base=ou=users, dc=lorentz,dc=com filter=(&(objectClass=inetOrgPerson)(mail=jackmc@lorentz.com))
> Apr 3 08:16:30 fourier dovecot: imap-login: Disconnected: Inactivity: method=PLAIN, rip=y.y.y.y, lip=x.x.x.x, TLS

This isn't a TLS mismatch kind of thing is it?
No, it isn't. I have verified the connection with "openssl s_client".
Besides, the server is receiving the username "jackmc@lorentz.com", so the connection has already been made by this time. What is happening every time is that dovecot sends the correct query to OpenLDAP (as noted in the log below), OpenLDAP receives that query (according to its log) and responds with one match, but dovecot never seems to see that response. 180 seconds after the auth fails, dovecot drops the connection with the IMAP client for inactivity.
<quote who="Jack McKinney">
> No, it isn't. I have verified the connection with "openssl s_client".
> Besides, the server is receiving the username "jackmc@lorentz.com", so the connection has already been made by this time.
> What is happening every time is that dovecot sends the correct query to OpenLDAP (as noted in the log below), OpenLDAP receives that query (according to its log) and responds with one match, but dovecot never seems to see that response. 180 seconds after the auth fails, dovecot drops the connection with the IMAP client for inactivity.

I've gone back to your first post, and your slapd logs show:

Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH base="ou=users,dc=lorentz,dc=com" scope=1 deref=0 filter="(&(objectClass=inetOrgPerson)(mail=jackmc@lorentz.com))"
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH attr=uid
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=

Which shows the correct filter, but the requested attribute to return is "uid", which is _not_ in your entry:

# Jack McKinney, users, lorentz.com
dn: cn=Jack McKinney,ou=users,dc=lorentz,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Jack McKinney
givenName: Jack McKinney
sn: McKinney
mail: jackmc@lorentz.com

Try the same search again, but using (note uid on end):

ldapsearch -h ldap.lrtz -b 'ou=users, dc=lorentz, dc=com' -D 'cn=varmail,ou=users,dc=lorentz,dc=com' -x -W -s onelevel '(&(objectClass=inetOrgPerson)(mail=jackmc@lorentz.com))' uid
It should be empty, hence why dovecot isn't getting anything.
So why is dovecot searching for uid? I am not asking it to; in fact, my pass_attrs field is empty. Also, I have switched around my setup to not use auth_bind:

hosts = ldap.lrtz
dn = cn=varmail,ou=users,dc=lorentz,dc=com
dnpass = *******
ldap_version = 3
auth_bind = no
pass_attrs = userPassword=password
pass_filter = (&(objectClass=inetOrgPerson)(mail=%Lu))
base = ou=users, dc=%Dd
scope = onelevel

With this configuration, it becomes inconsistent. Sometimes my client authenticates, and sometimes my client goes through the same timeout as below. I have not had time to run enough trials to prove this, but it seems like this new configuration works for the first connection made to dovecot, and then times out on subsequent connections. If I restart dovecot, then I get one successful connection again, and then the others fail. I am not certain of this, however. I seem to remember the first connection timing out on one run...
<quote who="Jack McKinney">
> So why is dovecot searching for uid? I am not asking it to; in fact, my pass_attrs field is empty.

I'm not sure, I was hoping someone else would know why. Is it a hard coded default?
On Thu, 17 Apr 2008, Gavin Henry wrote:
> > So why is dovecot searching for uid? I am not asking it to; in fact, my pass_attrs field is empty.
>
> I'm not sure, I was hoping someone else would know why. Is it a hard coded default?
>
> > Also, I have switched around my setup to not use auth_bind:
> >
> > hosts = ldap.lrtz
> > dn = cn=varmail,ou=users,dc=lorentz,dc=com
> > dnpass = *******
> > ldap_version = 3
> > auth_bind = no
> > pass_attrs = userPassword=password
I got the impression that this is the problem, see the Doc: http://wiki.dovecot.org/AuthDatabase/LDAP

pass_attrs = uid=user,userPassword=password

This is the default, please add "mail=user" to your pass_attrs and re-add auth_bind. Also, kill all dovecot processes (well, you know: make sure it is the correct config that is used, e.g. add a syntax error, so you see it is even the correct file you're editing).

Rob had this in his conf:

user_attrs = mail=user
user_filter = (&(objectClass=user)(mail=%u))
pass_attrs = mail=user,userPassword=password,mail=userdb_user
pass_filter = (&(objectClass=user)(mail=%u))

Note the two mail=user settings, I have them, too. Drop the mail=userdb_user, as you use another userdb.

Rob also has

user_global_uid = dovecot
user_global_gid = dovecot

"If you're using a single UID and GID for all the users, you can use user_global_uid and user_global_gid settings instead of returning them from LDAP." Which seems to apply to userdb only, but who knows?

Also, could you please drop the TLS/SSL on the connection, if any, and sniff the connection?

To sniff, use wireshark (ethereal) or tshark (tethereal) with "port 389" as capture filter. wireshark understands the LDAP protocol and decodes it. Moreover, you see _what_ is returned in detail.

BTW: Do you use any sort of firewall, iptables or whatsoever on the mail, dns or ldap server? Did you disable it?

BTW: I didn't know you can use dn/dnpass for the initial lookup, now I know.
Bye,
Steffen Kaiser
On Fri, 2008-04-18 at 10:10 +0200, Steffen Kaiser wrote:
> I got the impression that this is the problem, see the Doc: http://wiki.dovecot.org/AuthDatabase/LDAP
>
> pass_attrs = uid=user,userPassword=password
>
> This is the default, please add "mail=user" to your pass_attrs and re-add auth_bind. Also, kill all dovecot processes (well, you know: make sure it is the correct config that is used, e.g. add a syntax error, so you see it is even the correct file you're editing).

I did try it with mail=user; same failure mode. Since I also get this failure mode with auth_bind = no, I don't think this is the issue.

> Rob had this in his conf:
>
> user_attrs = mail=user
> user_filter = (&(objectClass=user)(mail=%u))
> pass_attrs = mail=user,userPassword=password,mail=userdb_user
> pass_filter = (&(objectClass=user)(mail=%u))
>
> Note the two mail=user settings, I have them, too. Drop the mail=userdb_user, as you use another userdb.

Problematic, since my userdb is static.

> Rob also has
>
> user_global_uid = dovecot
> user_global_gid = dovecot
>
> "If you're using a single UID and GID for all the users, you can use user_global_uid and user_global_gid settings instead of returning them from LDAP." Which seems to apply to userdb only, but who knows?
>
> Also, could you please drop the TLS/SSL on the connection, if any, and sniff the connection?
>
> To sniff, use wireshark (ethereal) or tshark (tethereal) with "port 389" as capture filter. wireshark understands the LDAP protocol and decodes it. Moreover, you see _what_ is returned in detail.

I am not using TLS/SSL for the LDAP connection.

> BTW: Do you use any sort of firewall, iptables or whatsoever on the mail, dns or ldap server? Did you disable it?

LDAP and IMAP are on the same server. Since the query and the result both show up in the LDAP logs, it couldn't be a firewall issue.
On Fri, 2008-04-18 at 08:12 -0500, Jack McKinney wrote:
> > BTW: Do you use any sort of firewall, iptables or whatsoever on the mail, dns or ldap server? Did you disable it?
>
> LDAP and IMAP are on the same server. Since the query and the result both show up in the LDAP logs, it couldn't be a firewall issue.
But last I asked Dovecot didn't log it with i_info(), meaning Dovecot probably didn't receive the reply. So verifying with Wireshark that the reply was really sent would get you further..
Rob, actually it works... you made me check one thing again and I did have a mistake with the user specified in dn in dovecot-ldap.conf. It was not possible to search userdb information with it. So a small fix in slapd.conf and it is working.

Now I am off to setting up the ldap aliases for postfix, setting up mailing lists with mailman, making ldap work with samba, etc...

I need to offer users a simple way of changing their password and editing mail address aliases. I was thinking of writing a simple web interface, but maybe there are already programs for doing this?
all the best! Wojtek
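Editor's note on why that slapd.conf fix was needed, with a worked example (added here; not code from anyone in this thread). slapd evaluates `access` directives in order: the first directive whose `to <what>` matches the entry and attribute is the only one consulted, within it the first matching `by` clause decides, and if no `by` clause matches the request is denied (an implicit `by * none`). In the ACL Wojtek quoted, the first directive covers uid, homeDirectory and uidNumber under ou=Users and grants them only `by anonymous read`, so whatever non-anonymous DN Dovecot binds with is denied those attributes before the later `by dn="cn=root,..." read` is ever reached; the anonymous user, in turn, can read those attributes but has only `auth` on the entries themselves (third directive), which is why the anonymous ldapsearch returned nothing either. The evaluator below models exactly those rules. That Dovecot's `dn` is cn=root,ou=Users,dc=frontline and that the user entry is uid=wojtek,ou=Users,dc=frontline are assumptions for the example.

```python
"""Evaluator for slapd.conf `access` directives, first-match semantics.
Editorial example, not code from this thread."""
import shlex
from typing import List, Optional, Tuple

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def norm(dn: str) -> str:
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parse_acl(text: str) -> List[Tuple[dict, List[Tuple[str, str]]]]:
    """One `access to <what> by <who> <level> [by ...]` directive per line.
    <what>: *, dn.base=, dn.children=, dn.subtree=, attrs=a,b
    <who>:  *, anonymous, users, self, dn="<exact dn>"."""
    rules = []
    for line in text.strip().splitlines():
        toks = shlex.split(line)                   # strips the "..." quoting
        if toks[:2] != ["access", "to"]:
            raise ValueError("not an access directive: " + line)
        what, i = {"dn": None, "attrs": None}, 2
        while i < len(toks) and toks[i] != "by":
            tok = toks[i]
            if tok.startswith("dn."):
                style, value = tok[3:].split("=", 1)
                what["dn"] = (style, norm(value))
            elif tok.startswith("attrs="):
                what["attrs"] = {a.lower() for a in tok[6:].split(",")}
            elif tok != "*":
                raise ValueError("unsupported <what>: " + tok)
            i += 1
        bys = []
        while i < len(toks):                       # "by <who> <level>" triples
            if toks[i] != "by":
                raise ValueError("expected 'by' in: " + line)
            bys.append((toks[i + 1], toks[i + 2]))
            i += 3
        rules.append((what, bys))
    return rules


def what_matches(what: dict, target_dn: str, attr: str) -> bool:
    """`attr` is an attribute name or "entry" for the entry itself."""
    if what["attrs"] is not None and attr.lower() not in what["attrs"]:
        return False
    if what["dn"] is None:
        return True
    style, value = what["dn"]
    t = norm(target_dn)
    if style == "base":
        return t == value
    if style == "children":
        return t.endswith("," + value)
    if style == "subtree":
        return t == value or t.endswith("," + value)
    raise ValueError("unsupported dn style: " + style)


def who_matches(who: str, bound_dn: Optional[str], target_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and norm(bound_dn) == norm(target_dn)
    if who.startswith("dn="):                      # exact DN match
        return bound_dn is not None and norm(bound_dn) == norm(who[3:])
    raise ValueError("unsupported <who>: " + who)


def access_level(rules, bound_dn: Optional[str], target_dn: str, attr: str) -> str:
    """First directive whose <what> matches decides; first matching <by>
    inside it wins; no matching <by> means denied (implicit `by * none`)."""
    for what, bys in rules:
        if what_matches(what, target_dn, attr):
            for who, level in bys:
                if who_matches(who, bound_dn, target_dn):
                    return level
            return "none"
    return "none"


def readable(rules, bound_dn: Optional[str], target_dn: str, attrs: List[str]) -> List[str]:
    """Attributes bound_dn gets back from target_dn: read on the entry
    itself is required first, then read on each attribute."""
    def ok(attr):
        return LEVELS.index(access_level(rules, bound_dn, target_dn, attr)) >= LEVELS.index("read")
    return [a for a in attrs if ok(a)] if ok("entry") else []


# Wojtek's ACL as quoted in the thread, one directive per line.
ORIGINAL_ACL = """
access to dn.children="ou=Users,dc=frontline" attrs=uid,homeDirectory,uidNumber by anonymous read
access to attrs=userPassword,sambaNTPassword,sambaLMPassword by dn="cn=admin,dc=frontline" write by anonymous auth by self write by * none
access to dn.children="ou=Users,dc=frontline" by dn="cn=root,ou=Users,dc=frontline" read by anonymous auth by self write
access to dn.base="" by * read
access to * by dn="cn=admin,dc=frontline" write by * read
"""
DOVECOT_DN = "cn=root,ou=Users,dc=frontline"   # assumption: the `dn =` Dovecot binds with
USER_DN = "uid=wojtek,ou=Users,dc=frontline"   # constructed user entry
USERDB_ATTRS = ["uid", "homeDirectory", "uidNumber"]

# Same ACL with the lookup DN added to the first directive; nothing else
# changes, so it still cannot read userPassword.
FIXED_ACL = ORIGINAL_ACL.replace(
    "uidNumber by anonymous read",
    'uidNumber by dn="%s" read by anonymous read' % DOVECOT_DN)

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        rules = parse_acl(acl)
        print(label, "lookup dn ->", readable(rules, DOVECOT_DN, USER_DN, USERDB_ATTRS))
        print(label, "anonymous ->", readable(rules, None, USER_DN, USERDB_ATTRS))
```

With the original rules the lookup DN can read the user entry but none of the three userdb attributes, and anonymous can read the attributes but not the entry, so both come back empty; with the first directive amended, the lookup DN gets all three while its access to userPassword stays `none`. Two practical follow-ups once the lookup DN works: the `by anonymous read` on uid, homeDirectory and uidNumber is only needed if something other than Dovecot (nss_ldap, for instance) really does anonymous lookups, and with auth_bind = yes the lookup DN never needs read on userPassword, since Dovecot verifies the password by binding as the user.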
Rob Coward wrote:
On Wed, 2008-04-16 at 10:39 +0100, Wojtek Bogusz wrote:
dear Rob, thank you for support! there are small differences in mine and yours config, like:
- you do not have auth_bind_userdn defined. if i comment my out i cannot authenticate at all - log file: auth(default): ldap(wojtek,192.168.0.200): unknown user dovecot: auth(default): client out: FAIL^I1^Iuser=wojtek
Our initial connection is made using the "dn" and "dnpass" settings. This looks up the user's dn based on the "(&(objectClass=user)(mail=% u))" search criteria.
My understanding of the auth_bind_userdn setting is that it is only useful if all your users are in a specific tree in the ldap, so that you can specify (from http://wiki.dovecot.org/HowTo/DovecotOpenLdap?highlight=% 28auth_bind_userdn%29 ) auth_bind_userdn = uid=% u,ou=People,dc=_WIZZY_HOSTNAME_,ou=wizzy
This I believe saves the first lookup to find the dn of the user trying to login. Our users are spread throughout our tree, hence using the initial lookup as the 'dn'/'dnpass' user to find our user's dn.
If you remove auth_bind_userdn, do you have 'dn' & 'dnpass' setup with a suitable unprivileged user to allow the initial lookup of the logging-in user's dn ?
- you have user_attrs = mail=user, me: user_attrs = homeDirectory=home,uidNumber=uid. but i do not think it make any difference.
Our users login with their email address as the userid - hence "mail=user" telling dovecot that the userid is stored in the 'mail' attribute in the ldap results. We dont bother with 'home' or 'uid' as they are all virtual users, using a fixed uid set by "user_global_uid = dovecot" and "mail_location: maildir:/data/shared/mailstore/%d/%n"
- i did not have deref = never. do you know what does it do? i do not understand man ldapsearch explanation :(
something to do with following links to other ldap servers I think. Dont think its strictly necessary in a single server setup.
Rob, could you send me your ldap config (/etc/ldap/slapd.conf) please? maybe i am making some simple mistake with my ldap config...
As I said, we use Active Directory (running on Win2k3 servers I believe), not slapd.
Regards, Rob
Rob Coward wrote:
I cant help you with what is going wrong for you, but we use dovecot very successfully with ldap lookups against Active Directory, using auth_bind=yes, and it does not require anonymous connections. The initial connection is by an un-privileged user that searches for the user, then a 2nd connection is used, authenticating against AD as the looked up user using the password supplied to dovecot.
Our setup looks like this:
# rpm -q dovecot dovecot-1.0-1.2.0.el5
# dovecot -n # /etc/dovecot.conf protocols: imap pop3 login_dir: /var/run/dovecot/login login_executable(default): /usr/libexec/dovecot/imap-login login_executable(imap): /usr/libexec/dovecot/imap-login login_executable(pop3): /usr/libexec/dovecot/pop3-login login_user: dovecotlogin login_process_size: 64 login_processes_count: 10 login_max_processes_count: 64 first_valid_uid: 97 default_mail_env: maildir:/data/shared/mailstore/%d/%n mail_location: maildir:/data/shared/mailstore/%d/%n mail_executable(default): /usr/libexec/dovecot/imap mail_executable(imap): /usr/libexec/dovecot/imap mail_executable(pop3): /usr/libexec/dovecot/pop3 mail_plugin_dir(default): /usr/lib64/dovecot/imap mail_plugin_dir(imap): /usr/lib64/dovecot/imap mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3 auth default: passdb: driver: ldap args: /etc/dovecot-ldap.conf passdb: driver: ldap args: /etc/dovecot-ldap-fr.conf passdb: driver: ldap args: /etc/dovecot-ldap-se.conf userdb: driver: ldap args: /etc/dovecot-ldap.conf userdb: driver: ldap args: /etc/dovecot-ldap-fr.conf userdb: driver: ldap args: /etc/dovecot-ldap-se.conf
# cat /etc/dovecot-ldap.conf hosts = ad.our.net dn=CN=Lookup,CN=Users,DC=our,DC=net dnpass=XXXXXXXX auth_bind = yes ldap_version = 3 base = OU=Stores,OU=UK,DC=our,DC=net deref = never scope = subtree user_attrs = mail=user user_filter = (&(objectClass=user)(mail=%u)) pass_attrs = mail=user,userPassword=password,mail=userdb_user pass_filter = (&(objectClass=user)(mail=%u)) user_global_uid = dovecot user_global_gid = dovecot
We use multiple userdb / passdb definitions and ldap configs in order to limit the searches of our AD schema to specific sub-trees, both for performance and as there are other users elsewhere in our schema that we don't want dovecot to allow to connect.
Hope this helps you. Rob
On Wed, 2008-04-16 at 00:19 +0100, Wojtek Bogusz wrote:
/etc/ldap/slapd.conf:
access to attr=uid,homeDirectory,uidNumber by anonymous read
I do not have this in my configuration, and dovecot does indeed use the credential I provide to successfully query LDAP for the user based on the (mail=%u) criteria. However, it does not see the reply. The fact that it does perform the query successfully implies to me that it does not use an anonymous connection. Very puzzling.
I have no idea what dovecot is doing :-) From the log file it looks like there are 2 queries to ldap:
1. to check the provided password for the provided user name,
2. to find user-related information (and from what Steffen wrote this one is done with the anonymous user - correct?).
[On the margin: why isn't it done in one query: get me the user-related information, I am binding with the provided user and with the provided password. This way it would be one query for two things.]
In my case, I cannot list user-related information from ldap in an anonymous connection even from the command line, using:
ldapsearch -x -b 'ou=Users,dc=frontline' '(&(objectClass=posixAccount)(uid=wojtek))' homeDirectory
So I guess that I have to work out ldap settings for the anonymous query. My /etc/ldap/slapd.conf related to access permissions is:
access to dn.children="ou=Users,dc=frontline" attrs=uid,homeDirectory,uidNumber
    by anonymous read
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="cn=admin,dc=frontline" write
    by anonymous auth
    by self write
    by * none
access to dn.children="ou=Users,dc=frontline"
    by dn="cn=root,ou=Users,dc=frontline" read
    by anonymous auth
    by self write
access to dn.base=""
    by * read
access to *
    by dn="cn=admin,dc=frontline" write
    by * read
Maybe the problem is here... Any hints please?
regards, Wojtek
Please consider the environment before printing this email.
GAME Stores Group Ltd has been awarded ‘Retailer of the Year’ at the 2006 and 2007 Golden Joystick Awards and 'Thames Valley Business Award' for Outstanding Employer of Choice 2006.
This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the system manager at:
mailto:postmaster@game.co.uk
The recipient acknowledges that the transmissions made via the Internet can be corrupted and therefore THE GAME GROUP PLC and any of its subsidiaries do not give any warranty as to the quality or accuracy of any information contained in the message or assume any liability for it or for its transmission, reception or storage.
This footnote also confirms that this e-mail message has been swept by anti-virus software for the presence of computer viruses.
http://www.game.co.uk http://www.gamegroup.plc.uk
Registered Number: 1937170 Registered Office: Unity House, Telford Road, Basingstoke, Hampshire. RG21 6YJ Registered in England and Wales.
Wojtek Bogusz wrote:
I need to offer users a simple way of changing the password and editing mail address aliases. I was thinking of writing a simple web interface, but maybe there are already programs for doing this?
I found Phamm and GOsa while looking for this kind of thing.
Anders.
On Wed, 2008-04-16 at 08:16 +0000, Rob Coward wrote:
I can't help you with what is going wrong for you, but we use dovecot very successfully with ldap lookups against Active Directory, using auth_bind=yes, and it does not require anonymous connections. The initial connection is by an unprivileged user that searches for the user, then a 2nd connection is used, authenticating against AD as the looked up user using the password supplied to dovecot.
This is exactly what I am trying to achieve, though I am using OpenLDAP.
Our setup looks like this:
user_attrs = mail=user
user_filter = (&(objectClass=user)(mail=%u))
pass_attrs = mail=user,userPassword=password,mail=userdb_user
pass_filter = (&(objectClass=user)(mail=%u))
user_global_uid = dovecot
user_global_gid = dovecot
Hmmm. I am not using LDAP for userdb. The only userdb information that is needed is the homedir for the mail (and the uid/gid, but these are always "varmail"). In my case, this is always determined by the email address:
jackmc@lorentz.com -> /var/mail/lorentz.com/jackmc
Thus, I have this in my config:
userdb:
  driver: static
  args: uid=varmail gid=varmail home=/var/mail/%Ld/%Ln
Looking at your config, it seems that your passdb for LDAP depends on your userdb, as you have mail= twice in your pass_attrs, once for userdb_user. For that matter, why do you have userPassword=password? dovecot should never need to see the contents of this field. Indeed, this is the whole point of using auth_bind: instead of dovecot retrieving the password from LDAP and checking it against the user-supplied one, dovecot should _send_ the password to LDAP in the form of a bind and have LDAP accept or reject it.
-- Jack McKinney GPG 1024D/99C6A174 jackmc@lorentz.com YM:lfaatsnat2006 AIM:jackmclorentz Beware geeks bearing diffs
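The two-step auth_bind flow that Rob describes and Jack explains above (search as the lookup account, then bind as the entry found, so dovecot never reads userPassword), modelled as an added example against a constructed in-memory directory; this is not code from the thread or from Dovecot or OpenLDAP. FakeLdapServer, the {SSHA} hashing, the hand-done %Dd/%Lu expansion and the sample entries under ou=users,dc=lorentz,dc=com are all assumptions standing in for slapd.

```python
import base64
import hashlib
import hmac
import os

def ssha(password, salt=None):
    """Store a password as OpenLDAP's {SSHA} userPassword form (constructed server side)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored, password):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

class FakeLdapServer:
    """In-memory stand-in for slapd: holds dn -> attributes and answers bind/search."""
    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn, password):
        entry = self.entries.get(dn)  # only the server ever touches userPassword
        return entry is not None and ssha_verify(entry["userPassword"], password)

    def search_onelevel(self, bound_dn, base, mail):
        if bound_dn is None:  # the ACL failure mode discussed in the thread
            raise PermissionError("anonymous search denied by ACL")
        return [dn for dn, a in self.entries.items()
                if dn.split(",", 1)[1].lower() == base.lower()
                and "inetOrgPerson" in a["objectClass"] and a.get("mail", "").lower() == mail]

def auth_bind(server, lookup_dn, lookup_pw, username, password):
    """auth_bind=yes as described: search as the lookup DN, then bind as the found user."""
    if not password:  # an empty simple bind is an anonymous bind, so it must never "succeed"
        return (False, "empty password refused")
    if not server.bind(lookup_dn, lookup_pw):
        return (False, "lookup bind failed")
    domain = username.partition("@")[2].lower()
    base = "ou=users,dc=" + domain.replace(".", ",dc=")  # %Dd: domain as dc= components
    matches = server.search_onelevel(lookup_dn, base, username.lower())  # filter mail=%Lu
    if len(matches) != 1:
        return (False, f"expected one entry, found {len(matches)}")
    if not server.bind(matches[0], password):  # second bind, as the user, with the IMAP password
        return (False, "user bind rejected")
    return (True, matches[0])

DIRECTORY = FakeLdapServer({  # constructed sample entries, not real accounts
    "cn=varmail,ou=users,dc=lorentz,dc=com": {"objectClass": ["person"], "userPassword": ssha("lookup-secret")},
    "cn=Jack McKinney,ou=users,dc=lorentz,dc=com": {"objectClass": ["inetOrgPerson"], "mail": "jackmc@lorentz.com", "userPassword": ssha("correct horse")},
})
```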
On Wed, 2008-04-16 at 08:28 -0500, Jack McKinney wrote:
Looking at your config, it seems that your passdb for LDAP depends on your userdb, as you have mail= twice in your pass_attrs, once for userdb_user. For that matter, why do you have userPassword=password? dovecot should never need to see the contents of this field. Indeed, this is the whole point of using auth_bind: instead of dovecot retrieving the password from LDAP and checking it against the user-supplied one, dovecot should _send_ the password to LDAP in the form of a bind and have LDAP accept or reject it.
I never said that it was right, only that it works for us ;)
It may be that some of our config settings are unnecessary, redundant or sub-optimal, but it works, it's running happily in an active-passive RHEL5 cluster configuration using ext3 on DRBD for storing the mailboxes, and until we look at upgrading to the latest dovecot stable release, we aren't likely to play with any config settings....
participants (7): Anders, Gavin Henry, Jack McKinney, Rob Coward, Steffen Kaiser, Timo Sirainen, Wojtek Bogusz