[Dovecot] Passwords not returned without auth_bind?
Hi,
Maybe I am missing something simple, but I can't get users authenticated using password lookups, as opposed to auth_bind. This is what the log looks like when using password lookup:
dovecot: auth(default): new auth connection: pid=2449
dovecot: auth(default): client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=43458#011resp=<hidden>
dovecot: auth(default): ldap(foo,127.0.0.1): pass search: base=uid=foo,ou=people,dc=djb,dc=hell,dc=qua scope=base filter=(accountStatus=noaccess) fields=(none)
slapd[1834]: conn=1083 op=1 SRCH base="uid=foo,ou=people,dc=djb,dc=hell,dc=qua" scope=0 deref=0 filter="(accountStatus=noaccess)"
slapd[1834]: conn=1083 op=1 SRCH attr=(none)
slapd[1834]: conn=1083 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
dovecot: auth(default): ldap(foo,127.0.0.1): unknown user
dovecot: auth(default): ldap(foo,127.0.0.1): pass search: base=ou=people,dc=djb,dc=hell,dc=qua scope=subtree filter=(accountStatus=active) fields=uid,userPassword,homeDirectory,uidNumber,gidNumber,mailQuotaSize
slapd[1834]: conn=1084 op=1 SRCH base="ou=people,dc=djb,dc=hell,dc=qua" scope=2 deref=0 filter="(accountStatus=active)"
slapd[1834]: conn=1084 op=1 SRCH attr=uid userPassword homeDirectory uidNumber gidNumber mailQuotaSize
dovecot: auth(default): ldap(foo,127.0.0.1): result: uid(user)=foo uidNumber(userdb_uid)=1008 gidNumber(userdb_gid)=1008 homeDirectory(userdb_home)=/home/foo mailQuotaSize(userdb_quota_rule=*:bytes=%$)=*:bytes=10000000
dovecot: auth(default): ldap(foo,127.0.0.1): No password returned (and no nopassword)
slapd[1834]: conn=1084 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
dovecot: auth(default): client out: FAIL#0111#011user=foo
*dovecot-ldap.pass*
uris = ldap://10.5.3.101
dn = uid=dove,ou=people,dc=djb,dc=hell,dc=qua
dnpass = debian
auth_bind = no
ldap_version = 3
base = ou=people,dc=djb,dc=hell,dc=qua
scope = subtree
pass_filter = (accountStatus=active)
pass_attrs = uid=user,userPassword=password,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid,mailQuotaSize=userdb_quota_rule=*:bytes=%$
*dovecot-ldap.deny*
uris = ldap://10.5.3.101
ldap_version = 3
base = uid=%u,ou=people,dc=djb,dc=hell,dc=qua
scope = base
auth_bind = no
pass_filter = (accountStatus=noaccess)
pass_attrs = (none)
*dovecot.conf*
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-3-686 i686 Debian squeeze/sid
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap managesieve
listen(default): *
listen(imap): *
listen(managesieve): *:2000
ssl: no
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(managesieve): /usr/lib/dovecot/managesieve-login
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(managesieve): /usr/lib/dovecot/managesieve
mail_plugins(default): quota
mail_plugins(imap): quota
mail_plugins(managesieve):
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
managesieve_logout_format(default): bytes=%i/%o
managesieve_logout_format(imap): bytes=%i/%o
managesieve_logout_format(managesieve): bytes=%i%o
lda:
  postmaster_address: bar@djb.hell.qua
  mail_plugins: quota sieve
  deliver_log_format: msgid=%m: %$
  sendmail_path: /usr/lib/sendmail
  log_path: /var/log/ldaone
  info_log_path: /var/log/ldatwo
  debug: yes
auth default:
  debug: yes
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.deny
    deny: yes
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.pass
  userdb:
    driver: prefetch
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.user
  socket:
    type: listen
    master:
      path: /var/run/dovecot/auth-master
      mode: 438
plugin:
  quota: maildir
  sieve: ~/.dovecot.sieve
  sieve_dir: ~/sieve
On 3.12.2010, at 11.42, Mohit Chawla wrote:
> slapd[1834]: conn=1084 op=1 SRCH attr=uid userPassword homeDirectory uidNumber gidNumber mailQuotaSize
Dovecot asked for userPassword.
> dovecot: auth(default): ldap(foo,127.0.0.1): result: uid(user)=foo uidNumber(userdb_uid)=1008 gidNumber(userdb_gid)=1008 homeDirectory(userdb_home)=/home/foo
slapd didn't return userPassword.
So your problem is probably http://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups#LDAP_server_permis...
Hi,
On Fri, Dec 3, 2010 at 9:55 PM, Timo Sirainen tss@iki.fi wrote:
> So your problem is probably http://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups#LDAP_server_permis...
I am able to do ldapsearch and get the userPassword attribute using the DN that I have specified in the dovecot and slapd configuration files. So, that's probably not the issue. Any other suggestions to debug this?
On Sat, Dec 4, 2010 at 1:45 AM, Mohit Chawla mohit.chawla.binary@gmail.com wrote:
> Any other suggestions to debug this?
Also, I did try using default_pass_scheme = SSHA in the configuration file. This is not in the configuration file posted above though, just fyi.
On 3.12.2010, at 20.15, Mohit Chawla wrote:
> On Fri, Dec 3, 2010 at 9:55 PM, Timo Sirainen tss@iki.fi wrote:
>> So your problem is probably http://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups#LDAP_server_permis...
> I am able to do ldapsearch and get the userPassword attribute using the DN that I have specified in the dovecot and slapd configuration files. So, that's probably not the issue. Any other suggestions to debug this?
Well, the problem is anyway that userPassword isn't returned by the query. Otherwise here:
dovecot: auth(default): ldap(foo,127.0.0.1): result: uid(user)=foo uidNumber(userdb_uid)=1008 gidNumber(userdb_gid)=1008 homeDirectory(userdb_home)=/home/foo
there would also be userPassword(password)=<hidden>
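The check Timo does by eye in both of his replies, comparing the attributes Dovecot asked for ("pass search: ... fields=...") with the attributes slapd actually handed back ("result: attr(field)=value ..."), can be scripted over the auth debug log. The following is an added example, not code from the thread or from Dovecot; it assumes the Dovecot 1.2 auth debug line format quoted above, and the sample log is constructed from the lines posted in this thread. Function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the failing lookup, copied from the auth debug output in this thread.
SAMPLE_LOG = """\
dovecot: auth(default): ldap(foo,127.0.0.1): pass search: base=uid=foo,ou=people,dc=djb,dc=hell,dc=qua scope=base filter=(accountStatus=noaccess) fields=(none)
dovecot: auth(default): ldap(foo,127.0.0.1): unknown user
dovecot: auth(default): ldap(foo,127.0.0.1): pass search: base=ou=people,dc=djb,dc=hell,dc=qua scope=subtree filter=(accountStatus=active) fields=uid,userPassword,homeDirectory,uidNumber,gidNumber,mailQuotaSize
dovecot: auth(default): ldap(foo,127.0.0.1): result: uid(user)=foo uidNumber(userdb_uid)=1008 gidNumber(userdb_gid)=1008 homeDirectory(userdb_home)=/home/foo mailQuotaSize(userdb_quota_rule=*:bytes=%$)=*:bytes=10000000
dovecot: auth(default): ldap(foo,127.0.0.1): No password returned (and no nopassword)
"""

# Constructed sample of what a healthy lookup would log: the result line also
# carries userPassword(password)=<hidden>, as Timo's reply describes.
HEALTHY_LOG = """\
dovecot: auth(default): ldap(foo,127.0.0.1): pass search: base=ou=people,dc=djb,dc=hell,dc=qua scope=subtree filter=(accountStatus=active) fields=uid,userPassword,homeDirectory,uidNumber,gidNumber,mailQuotaSize
dovecot: auth(default): ldap(foo,127.0.0.1): result: uid(user)=foo userPassword(password)=<hidden> uidNumber(userdb_uid)=1008 gidNumber(userdb_gid)=1008 homeDirectory(userdb_home)=/home/foo mailQuotaSize(userdb_quota_rule=*:bytes=%$)=*:bytes=10000000
"""

# "ldap(<user>,<ip>): pass search: ... fields=<comma list or (none)>"
SEARCH_RE = re.compile(r"ldap\(([^,]+),[^)]*\): pass search: .*?fields=(\S+)")
# "ldap(<user>,<ip>): result: attr(field)=value attr(field)=value ..."
RESULT_RE = re.compile(r"ldap\(([^,]+),[^)]*\): result: (.*)")
# Each returned attribute is written as "<ldapattr>(<dovecot field>)=<value>".
ATTR_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_-]+)\([^)]*\)=")


@dataclass
class Lookup:
    """One passdb search: what Dovecot requested and what slapd returned."""
    user: str
    requested: list = field(default_factory=list)
    returned: list = field(default_factory=list)


def parse_lookups(log_text):
    """Pair every 'pass search' line with the 'result' line that follows it."""
    lookups = []
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            fields = [] if m.group(2) == "(none)" else m.group(2).split(",")
            lookups.append(Lookup(user=m.group(1), requested=fields))
            continue
        m = RESULT_RE.search(line)
        if m and lookups:
            lookups[-1].returned = ATTR_RE.findall(m.group(2))
    return lookups


def missing_attrs(lookup):
    """Attributes Dovecot asked for that never came back from the directory."""
    return [a for a in lookup.requested if a not in lookup.returned]


def diagnose(log_text):
    """Return (user, missing attributes) for every lookup that came back short.

    An attribute that is requested but absent from the result, with the entry
    itself found (nentries=1 on the slapd side), points at the directory's
    ACLs rather than at the Dovecot filter or base.
    """
    return [(lk.user, missing_attrs(lk))
            for lk in parse_lookups(log_text) if missing_attrs(lk)]


if __name__ == "__main__":
    for user, missing in diagnose(SAMPLE_LOG):
        print(f"{user}: requested but not returned: {', '.join(missing)}")
```

Run against the thread's log it reports that userPassword was requested and not returned, which is exactly the gap Timo points out; the deny lookup (fields=(none)) is ignored because it requests nothing.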
On Sat, Dec 4, 2010 at 4:39 AM, Timo Sirainen tss@iki.fi wrote:
> So your problem is probably
> http://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups#LDAP_server_permis...
Indeed. There were redundant ACLs in slapd.conf which I guess were causing the issue. The wiki clearly said "add only this line" (referring to granting read access to dovecot's DN). I thought the loglevel for slapd was enough to figure out problems like these. Oh well.
Thanks.
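The "redundant ACLs" outcome comes from how slapd evaluates access control: the first "access to" directive whose target matches the entry and attribute is the only one consulted, and inside it the first matching "by" clause decides, with access denied if none matches. A second "access to attrs=userPassword" directive added later in the file is therefore never reached. The fragment below is an added, constructed illustration of that pitfall and its fix; the poster's actual slapd.conf is not shown in the thread, and the only value taken from the thread is the Dovecot bind DN from dovecot-ldap.pass.

```conf
# WRONG (constructed): the second directive for userPassword is never consulted,
# because the first "access to attrs=userPassword" already matches. The Dovecot
# bind DN falls through the first directive's "by" list to "by * none".
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to attrs=userPassword
        by dn.exact="uid=dove,ou=people,dc=djb,dc=hell,dc=qua" read

# RIGHT: a single directive for userPassword, with Dovecot's DN added as one
# "by" line ahead of the catch-all deny. No other DN gains read access.
access to attrs=userPassword
        by dn.exact="uid=dove,ou=people,dc=djb,dc=hell,dc=qua" read
        by self write
        by anonymous auth
        by * none
access to *
        by * read
```

The test that settles it is the one the wiki page asks for: an ldapsearch with a simple bind as the same DN Dovecot uses (uid=dove,...) requesting only the userPassword attribute of a user entry; if that search returns the entry without a userPassword value, the ACL is still shadowing the grant, regardless of what a search as the directory manager shows.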