Multiple Passdb's - Order
Hi,
Today I upgraded my dovecot to a newer version (2.2.9 debian wheezy-backports) At that moment I also reconfigured the whole thing a bit nicer.
Now I stumbled on the following issue.
In my configuration I use 2 backends (LDAP & passwd-file). passdb { args = scheme=CRYPT username_format=%u /etc/dovecot/users driver = passwd-file } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } userdb { args = uid=vmail gid=vmail home=/var/vmail/%d/%n driver = static }
Now this worked fine before. But if I tested it, LDAP logins worked, and passwd-file logins failed.
Failed log (user is only in the passwd-file):
Aug 01 21:31:55 auth: Debug: Loading modules from directory:
/usr/lib/dovecot/modules/auth
Aug 01 21:31:55 auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libdriver_mysql.so
Aug 01 21:31:55 auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libdriver_pgsql.so
Aug 01 21:31:55 auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libdriver_sqlite.so
Aug 01 21:31:55 auth: Debug: Loading modules from directory:
/usr/lib/dovecot/modules/auth
Aug 01 21:31:55 auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Aug 01 21:31:55 auth: Debug: Read auth token secret from
/var/run/dovecot/auth-token-secret.dat
Aug 01 21:31:55 auth: Debug: passwd-file /etc/dovecot/users: Read 10
users in 0 secs
Aug 01 21:31:55 auth: Debug: auth client connected (pid=5516)
Aug 01 21:31:55 auth: Debug: client in: AUTH 1 PLAIN
service=imap secured session=c34kcZb/uwBbtKLu lip=xxx
rip=xxxx lport=993 rport=52411
Aug 01 21:31:55 auth: Debug: client passdb out: CONT 1
Aug 01 21:31:55 auth: Debug: client in: CONT 1 xxxxx (previous
base64 data may contain sensitive data)
Aug 01 21:31:55 auth: Debug: cache(info@xxx.com,xxx,<c34kcZb/uwBbtKLu>):
miss
Aug 01 21:31:55 auth: Debug: ldap(info@xxx.com,xxx,<c34kcZb/uwBbtKLu>):
pass search: base=uid=info@xxx.com,ou=mail,dc=dupie,dc=be scope=subtree
filter=(&(objectClass=posixAccount)(uid=info@xxx.com))
fields=uid,userPassword
Aug 01 21:31:55 auth: Debug: cache(info@xxx.com,xxx,<c34kcZb/uwBbtKLu>):
miss
Aug 01 21:31:55 auth: Debug: cache(info@xxx.com,xxx,<c34kcZb/uwBbtKLu>):
miss
Aug 01 21:31:55 auth: Debug:
passwd-file(info@xxx.com,xxx,<c34kcZb/uwBbtKLu>): lookup:
user=info@xxx.com file=/etc/dovecot/users
Aug 01 21:31:57 auth: Debug: client passdb out: FAIL 1
user=info@xxx.com temp
Aug 01 21:31:57 auth: Debug: client in: AUTH 2 PLAIN
service=imap secured session=c34kcZb/uwBbtKLu lip=xxx
rip=xxx lport=993 rport=52411 resp=xxx (previous base64 data
may contain sensitive data)
Aug 01 21:32:01 auth: Debug: cache(info@xxx.com,xxx,<c34kcZb/uwBbtKLu>):
miss
Aug 01 21:32:01 auth: Debug: ldap(info@xxx.com,xxx,<c34kcZb/uwBbtKLu>):
pass search: base=uid=info@xxx.com,ou=mail,dc=dupie,dc=be scope=subtree
filter=(&(objectClass=posixAccount)(uid=info@xxx.com))
fields=uid,userPassword
Aug 01 21:32:01 auth: Debug: cache(info@xxx.com,xxx,<c34kcZb/uwBbtKLu>):
miss
Aug 01 21:32:01 auth: Debug: cache(info@xxx.com,xxx,<c34kcZb/uwBbtKLu>):
hit: {CRAM-MD5}19192922.....
Aug 01 21:32:03 auth: Debug: client passdb out: FAIL 2
user=info@xxx.com temp
As you see it returned a FAIL, but the password was retrieved from the users file (see the cache hit).
Now I changed the order of the passdb's in my config, to make passwd-file come first, and then LDAP. And what happend now, it started working ...
Logs:
Aug 01 21:30:23 auth: Debug: Loading modules from directory:
/usr/lib/dovecot/modules/auth
Aug 01 21:30:23 auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libdriver_mysql.so
Aug 01 21:30:23 auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libdriver_pgsql.so
Aug 01 21:30:23 auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libdriver_sqlite.so
Aug 01 21:30:23 auth: Debug: Loading modules from directory:
/usr/lib/dovecot/modules/auth
Aug 01 21:30:23 auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Aug 01 21:30:23 auth: Debug: Read auth token secret from
/var/run/dovecot/auth-token-secret.dat
Aug 01 21:30:23 auth: Debug: passwd-file /etc/dovecot/users: Read 10
users in 0 secs
Aug 01 21:30:23 auth: Debug: auth client connected (pid=5459)
Aug 01 21:30:24 auth: Debug: client in: AUTH 1 PLAIN
service=imap secured session=TTm6a5b/swBbtKLu lip=xxx
rip=xxx lport=993 rport=52403
Aug 01 21:30:24 auth: Debug: client passdb out: CONT 1
Aug 01 21:30:24 auth: Debug: client in: CONT 1 xxxx (previous
base64 data may contain sensitive data)
Aug 01 21:30:24 auth: Debug: cache(info@xxx.com,xxx,<TTm6a5b/swBbtKLu>):
miss
Aug 01 21:30:24 auth: Debug:
passwd-file(info@xxx.com,xxx,<TTm6a5b/swBbtKLu>): lookup:
user=info@xxx.com file=/etc/dovecot/users
Aug 01 21:30:24 auth: Debug: client passdb out: OK 1 user=info@xxx.com
Aug 01 21:30:24 auth: Debug: master in: REQUEST 1973682177 5459
1 9976303da4c6eb55a008b0cae6ab12a1 session_pid=5462
request_auth_token
Aug 01 21:30:24 auth: Debug: master userdb out: USER 1973682177
info@xxx.com uid=1001 gid=1001 home=/var/vmail/xxx.com/info
auth_token=31afcf6ff0c5ed5150beb96ad3718cff452badae
The only thing I changed here was the order the passdb backends.
It works fine now, but it not clear to me why the order is so important. Could somebody explain this? Or is this some bug?
Thanks Jean-Louis
On 01 Aug 2014, at 22:00, Jean-Louis Dupond <jean-louis@dupond.be> wrote:
Today I upgraded my dovecot to a newer version (2.2.9 debian wheezy-backports) At that moment I also reconfigured the whole thing a bit nicer.
Now I stumbled on the following issue. .. The only thing I changed here was the order the passdb backends.
It works fine now, but it not clear to me why the order is so important. Could somebody explain this? Or is this some bug?
I can't reproduce it. Also did your log contain also the errors/warnings? It appeared that it was failing with some internal error, which you didn't show in the log. Also does it work if you disable auth cache? Full doveconf -n output may have been helpful also.
Hi,
Thanks for your response. The error/warning log was indeed not included.
I looked it up now, and dovecot only printed the following error: Aug 1 21:31:55 xcx dovecot: auth: Error: ldap(info@xxx.com,xxxxx,<c34kcZb/uwBbtKLu>): ldap_search(base=uid=info@xxx.com,ou=mail,dc=xxx,dc=com filter=(&(objectClass=posixAccount)(uid=info@dupie.be))) failed: No such object
This shouldn't really be a problem, because the user does indeed not exist in ldap, but only in the passwd-file. The problem also exists with auth cache disabled.
And my doveconf (the passdb order is the working order here): # 2.2.9: /etc/dovecot/dovecot.conf # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.6 auth_cache_size = 2 M mail_location = maildir:~/Maildir mail_plugins = virtual managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } mailbox virtual/Flagged { special_use = \Flagged } prefix = } passdb { args = scheme=CRYPT username_format=%u /etc/dovecot/users driver = passwd-file } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { sieve = /var/vmail/%d/%n/.dovecot.sieve sieve_dir = /var/vmail/%d/%n/sieve } postmaster_address = postmaster@xxx.com protocols = " imap lmtp sieve pop3" service auth { unix_listener /var/spool/postfix-mailing/private/auth { mode = 0666 } unix_listener /var/spool/postfix/private/auth { mode = 0666 } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } user = vmail } service managesieve-login { inet_listener sieve { port = 4190 } } ssl_ca = </etc/dovecot/ca.pem ssl_cert = </etc/dovecot/dovecot.pem ssl_key = </etc/dovecot/private/dovecot.pem userdb { args = uid=vmail gid=vmail home=/var/vmail/%d/%n driver = static } protocol lmtp { mail_plugins = virtual sieve }
Thanks Jean-Louis
Op 2014-08-04 15:03, schreef Timo Sirainen:
On 01 Aug 2014, at 22:00, Jean-Louis Dupond <jean-louis@dupond.be> wrote:
Today I upgraded my dovecot to a newer version (2.2.9 debian wheezy-backports) At that moment I also reconfigured the whole thing a bit nicer.
Now I stumbled on the following issue. .. The only thing I changed here was the order the passdb backends.
It works fine now, but it not clear to me why the order is so important. Could somebody explain this? Or is this some bug?
I can't reproduce it. Also did your log contain also the errors/warnings? It appeared that it was failing with some internal error, which you didn't show in the log. Also does it work if you disable auth cache? Full doveconf -n output may have been helpful also.
Anyone might have a clue? Would like to get the issue solved. Or at least know why its acting this way.
Thanks Jean-Louis
Op 2014-08-04 15:11, schreef Jean-Louis Dupond:
Hi,
Thanks for your response. The error/warning log was indeed not included.
I looked it up now, and dovecot only printed the following error: Aug 1 21:31:55 xcx dovecot: auth: Error: ldap(info@xxx.com,xxxxx,<c34kcZb/uwBbtKLu>): ldap_search(base=uid=info@xxx.com,ou=mail,dc=xxx,dc=com filter=(&(objectClass=posixAccount)(uid=info@dupie.be))) failed: No such object
This shouldn't really be a problem, because the user does indeed not exist in ldap, but only in the passwd-file. The problem also exists with auth cache disabled.
And my doveconf (the passdb order is the working order here): # 2.2.9: /etc/dovecot/dovecot.conf # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.6 auth_cache_size = 2 M mail_location = maildir:~/Maildir mail_plugins = virtual managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } mailbox virtual/Flagged { special_use = \Flagged } prefix = } passdb { args = scheme=CRYPT username_format=%u /etc/dovecot/users driver = passwd-file } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { sieve = /var/vmail/%d/%n/.dovecot.sieve sieve_dir = /var/vmail/%d/%n/sieve } postmaster_address = postmaster@xxx.com protocols = " imap lmtp sieve pop3" service auth { unix_listener /var/spool/postfix-mailing/private/auth { mode = 0666 } unix_listener /var/spool/postfix/private/auth { mode = 0666 } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } user = vmail } service managesieve-login { inet_listener sieve { port = 4190 } } ssl_ca = </etc/dovecot/ca.pem ssl_cert = </etc/dovecot/dovecot.pem ssl_key = </etc/dovecot/private/dovecot.pem userdb { args = uid=vmail gid=vmail home=/var/vmail/%d/%n driver = static } protocol lmtp { mail_plugins = virtual sieve }
Thanks Jean-Louis
Op 2014-08-04 15:03, schreef Timo Sirainen:
On 01 Aug 2014, at 22:00, Jean-Louis Dupond <jean-louis@dupond.be> wrote:
Today I upgraded my dovecot to a newer version (2.2.9 debian wheezy-backports) At that moment I also reconfigured the whole thing a bit nicer.
Now I stumbled on the following issue. .. The only thing I changed here was the order the passdb backends.
It works fine now, but it not clear to me why the order is so important. Could somebody explain this? Or is this some bug?
I can't reproduce it. Also did your log contain also the errors/warnings? It appeared that it was failing with some internal error, which you didn't show in the log. Also does it work if you disable auth cache? Full doveconf -n output may have been helpful also.
Two problems. These fix them both:
http://hg.dovecot.org/dovecot-2.2/rev/14082c2d81dd http://hg.dovecot.org/dovecot-2.2/rev/5e818f1b376d
On 12 Aug 2014, at 10:53, Jean-Louis Dupond <jean-louis@dupond.be> wrote:
Anyone might have a clue? Would like to get the issue solved. Or at least know why its acting this way.
Thanks Jean-Louis
Op 2014-08-04 15:11, schreef Jean-Louis Dupond:
Hi, Thanks for your response. The error/warning log was indeed not included. I looked it up now, and dovecot only printed the following error: Aug 1 21:31:55 xcx dovecot: auth: Error: ldap(info@xxx.com,xxxxx,<c34kcZb/uwBbtKLu>): ldap_search(base=uid=info@xxx.com,ou=mail,dc=xxx,dc=com filter=(&(objectClass=posixAccount)(uid=info@dupie.be))) failed: No such object This shouldn't really be a problem, because the user does indeed not exist in ldap, but only in the passwd-file. The problem also exists with auth cache disabled. And my doveconf (the passdb order is the working order here): # 2.2.9: /etc/dovecot/dovecot.conf # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.6 auth_cache_size = 2 M mail_location = maildir:~/Maildir mail_plugins = virtual managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } mailbox virtual/Flagged { special_use = \Flagged } prefix = } passdb { args = scheme=CRYPT username_format=%u /etc/dovecot/users driver = passwd-file } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { sieve = /var/vmail/%d/%n/.dovecot.sieve sieve_dir = /var/vmail/%d/%n/sieve } postmaster_address = postmaster@xxx.com protocols = " imap lmtp sieve pop3" service auth { unix_listener /var/spool/postfix-mailing/private/auth { mode = 0666 } unix_listener /var/spool/postfix/private/auth { mode = 0666 } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } user = vmail } service managesieve-login { inet_listener sieve { port = 4190 } } ssl_ca = </etc/dovecot/ca.pem ssl_cert = </etc/dovecot/dovecot.pem ssl_key = </etc/dovecot/private/dovecot.pem userdb { args = uid=vmail gid=vmail home=/var/vmail/%d/%n driver = static } protocol lmtp { mail_plugins = virtual sieve } Thanks Jean-Louis Op 2014-08-04 15:03, schreef Timo Sirainen:
On 01 Aug 2014, at 22:00, Jean-Louis Dupond <jean-louis@dupond.be> wrote:
Today I upgraded my dovecot to a newer version (2.2.9 debian wheezy-backports) At that moment I also reconfigured the whole thing a bit nicer. Now I stumbled on the following issue. .. The only thing I changed here was the order the passdb backends. It works fine now, but it not clear to me why the order is so important. Could somebody explain this? Or is this some bug? I can't reproduce it. Also did your log contain also the errors/warnings? It appeared that it was failing with some internal error, which you didn't show in the log. Also does it work if you disable auth cache? Full doveconf -n output may have been helpful also.
Hi,
Thanks alot for those changes. A 'bug' killed again :) Will test them out later, but the changes seems logic indeed.
Thx Jean-Louis
Op 15-08-14 om 13:06 schreef Timo Sirainen:
Two problems. These fix them both:
http://hg.dovecot.org/dovecot-2.2/rev/14082c2d81dd http://hg.dovecot.org/dovecot-2.2/rev/5e818f1b376d
On 12 Aug 2014, at 10:53, Jean-Louis Dupond <jean-louis@dupond.be> wrote:
Anyone might have a clue? Would like to get the issue solved. Or at least know why its acting this way.
Thanks Jean-Louis
Op 2014-08-04 15:11, schreef Jean-Louis Dupond:
Hi, Thanks for your response. The error/warning log was indeed not included. I looked it up now, and dovecot only printed the following error: Aug 1 21:31:55 xcx dovecot: auth: Error: ldap(info@xxx.com,xxxxx,<c34kcZb/uwBbtKLu>): ldap_search(base=uid=info@xxx.com,ou=mail,dc=xxx,dc=com filter=(&(objectClass=posixAccount)(uid=info@dupie.be))) failed: No such object This shouldn't really be a problem, because the user does indeed not exist in ldap, but only in the passwd-file. The problem also exists with auth cache disabled. And my doveconf (the passdb order is the working order here): # 2.2.9: /etc/dovecot/dovecot.conf # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.6 auth_cache_size = 2 M mail_location = maildir:~/Maildir mail_plugins = virtual managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } mailbox virtual/Flagged { special_use = \Flagged } prefix = } passdb { args = scheme=CRYPT username_format=%u /etc/dovecot/users driver = passwd-file } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { sieve = /var/vmail/%d/%n/.dovecot.sieve sieve_dir = /var/vmail/%d/%n/sieve } postmaster_address = postmaster@xxx.com protocols = " imap lmtp sieve pop3" service auth { unix_listener /var/spool/postfix-mailing/private/auth { mode = 0666 } unix_listener /var/spool/postfix/private/auth { mode = 0666 } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } user = vmail } service managesieve-login { inet_listener sieve { port = 4190 } } ssl_ca = </etc/dovecot/ca.pem ssl_cert = </etc/dovecot/dovecot.pem ssl_key = </etc/dovecot/private/dovecot.pem userdb { args = uid=vmail gid=vmail home=/var/vmail/%d/%n driver = static } protocol lmtp { mail_plugins = virtual sieve } Thanks Jean-Louis Op 2014-08-04 15:03, schreef Timo Sirainen:
On 01 Aug 2014, at 22:00, Jean-Louis Dupond <jean-louis@dupond.be> wrote:
Today I upgraded my dovecot to a newer version (2.2.9 debian wheezy-backports) At that moment I also reconfigured the whole thing a bit nicer. Now I stumbled on the following issue. .. The only thing I changed here was the order the passdb backends. It works fine now, but it not clear to me why the order is so important. Could somebody explain this? Or is this some bug? I can't reproduce it. Also did your log contain also the errors/warnings? It appeared that it was failing with some internal error, which you didn't show in the log. Also does it work if you disable auth cache? Full doveconf -n output may have been helpful also.
participants (2)
-
Jean-Louis Dupond
-
Timo Sirainen