LDAP auth problems "unknown user"

20 Nov 2016 · *\(#.*


      Hi,
I am setting up a dovecot instance to host a bunch of virtual domains,
with ldap backing for auth. I am using a single hostname for test
purposes, with a couple of entries in the diectory. If I use auth binds
I get a result, but this does not suit the end purpose of the server.
If I use ldapsearch with the same base, search filter, and credentials
as the ldap auth config I get the correct attributes returned, and I
have bit of perl that verifies the password hash matches the password
provided.
I am running out of ideas here, I had thought of putting in a custom
bit of perl and using the checkpassword method, but this is sub
optimal. If anyone can help with this I'd be grateful.
# dovecot --version
2.2.26.0 (23d1de6)
# dovecot -n
# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.8.0-1-amd64 x86_64 Debian stretch/sid ext3
auth_cache_size = 2 M
auth_debug = yes
auth_debug_passwords = yes
auth_default_realm = maliuta.org
auth_master_user_separator = *
auth_mechanisms = plain login
auth_realms = maliuta.org
auth_verbose = yes
auth_verbose_passwords = yes
first_valid_uid = 117
last_valid_uid = 117
lda_mailbox_autocreate = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e
%c
mail_gid = vmail
mail_location = maildir:/var/spool/vmail/%d/%n/Maildir
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-
character vacation subaddress comparator-i;ascii-numeric relational
regex imap4flags copy include variables body enotify environment
mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
inbox = yes
list = yes
location = 
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix = 
}
passdb {
args = /etc/dovecot/ldap/maliuta.org-ldap.conf.ext
driver = ldap
}
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap lmtp sieve"
service auth-worker {
user = $default_internal_user
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-userdb {
group = vmail
mode = 0660
user = vmail
}
user = $default_internal_user
}
service dict {
unix_listener dict {
group = vmail
mode = 0660
user = vmail
}
}
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 0
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
}
ssl_cert = 
# grep -v '^ *\(#.*\)\?$' /etc/dovecot/ldap/maliuta.org-ldap.conf.ext
uris = ldap://localhost
dn = cn=admin,dc=maliuta,dc=org
dnpass = <secret>
tls = yes
tls_ca_cert_dir = /etc/ssl/certs
auth_bind = no
ldap_version = 3
base = ou=mail,dc=mailuta,dc=org
scope = subtree
default_pass_scheme = SSHA
deref = never
user_attrs = postfixDeliveryAddress=user
user_filter =
(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson))
pass_attrs = postfixDeliveryAddress=user,userPassword=password
pass_filter =
(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixD
eliveryAddress=%u))
iterate_attrs = uid=user
iterate_filter = (objectClass=postfixMailPerson)
# ldapsearch -H ldap://localhost:389 -x -D 'cn=admin,dc=maliuta,dc=org' -W -b "ou=mail,dc=maliuta,dc=org" -s sub -LLL -ZZ  '(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixDeliveryAddress=nikolai@test.maliuta.org))' uid userPassword
Enter LDAP Password:
dn: mail=nikolai@test.maliuta.org,ou=mail,dc=maliuta,dc=org
uid: nikolai
userPassword:: e1NTSEF9QVBZMTlaeGw1cWd0a25XeGxURXdqM2g5Yk5YL3BxOGY=
## From /var/log/mail.log
Nov 20 07:24:20 kiliya dovecot: auth: Debug: auth client connected (pid=27086)
Nov 20 07:24:20 kiliya dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=1kW2C65BFI2WZbl8#011lip=#011rip=#011lport=143#011rport=36116#011local_name=<hostname>#011resp=AG5pa29sYWlAdGVzdC5tYWxpdXRhLm9yZwBmb29iYXIzMzQ0 (previous base64 data may contain sensitive data)
Nov 20 07:24:20 kiliya dovecot: auth: Debug: ldap(nikolai@test.maliuta.org,,<1kW2C65BFI2WZbl8>): cache miss
Nov 20 07:24:20 kiliya dovecot: auth: Debug: ldap(nikolai@test.maliuta.org,): pass search: base=ou=mail,dc=mailuta,dc=org scope=subtree filter=(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixDeliveryAddress=nikolai@test.maliuta.org)) fields=postfixDeliveryAddress,userPassword
Nov 20 07:24:20 kiliya dovecot: auth: ldap(nikolai@test.maliuta.org,,<1kW2C65BFI2WZbl8>): unknown user (given password: )
Nov 20 07:24:22 kiliya dovecot: auth: Debug: client passdb out: FAIL#0111#011user=nikolai@test.maliuta.org
--
Nikolai Lusan nikolai@lusan.id.au

Nikolai Lusan

Steffen Kaiser

Nikolai Lusan

This was not a real problem - it was a PEBKAC error. One that any programmer/sysadmin is familiar with and suffers from at some point :)

tags

participants (2)