[Dovecot] login w/ IMAP & LDAP

Timo Sirainen tss at iki.fi
Wed Aug 13 17:42:09 EEST 2003


On Wednesday, Aug 13, 2003, at 10:03 Europe/Helsinki, Bob Hall wrote:

>> There should be another error message before that line?
>
> No. The complete log entries related to my last attempt to log in are
>
> Aug 12 21:46:31 kongemord imap-login: Internal login failure: bob [192.168.0.2]
> Aug 12 21:46:31 kongemord dovecot: child 14690 (auth) killed with signal 11

OK, so the problem is that the dovecot-auth process crashes. Maybe it's 
because you didn't give homeDirectory? It's not really needed, but 
there was a bug when it wasn't given. Here's a patch to fix it: 
http://dovecot.procontrol.fi/patches/auth-no-homedir.patch

> LOGIN dovecot secret

All IMAP commands start with a "tag", which can be pretty much any 
text. Add "x" or whatever before the LOGIN command.

>> I'd guess it's because localhost resolves to IPv6 localhost ::1, and
>> Dovecot doesn't listen on IPv6 interfaces with *BSD for now, since it
>> requires two sockets.
>
> No, localhost resolves to 127.0.0.1. However, compiling Dovecot with
> the --disable-ipv6 flag fixed that problem. Now I can connect via
> localhost, but I can't LOGIN. Error is identical to above.

Well, that's a bit strange..

>> something to do with user ids. What uids have you given to users in
>> LDAP? Are they smaller than 500, which is the default minimum accepted
>> uid? You could change first_valid_uid in config file.
>
> I'm confused. In the documentation and schemas that come with OpenLDAP,
> a uid is a login.  E.g. my account uid is 'bob'. Unix uses numeric
> uids, but if I'm using LDAP, I'm not accessing anything with numeric
> uids. posixAccount uses uidNumber, but I'm not using that class.

Dovecot still needs to map usernames to system UID numbers. If you want 
to use only one system UID, you can set user_global_uid and 
user_global_gid in dovecot-ldap.conf. Otherwise you'll need to set 
uidNumber and gidNumber for all users.

>>> login_user = dovecot
>>> auth_user = dovecot
>>
>> It's better not to use the same user for auth and login. Maybe I should
>> add a check to disallow this entirely..
>
> I don't know enough about it to know why that's a bad idea, but I got
> it from a sample config file online. I've changed auth_user to
> dovecot-auth and I'm still getting the same error.

It's mostly just that the login process is designed to be "safe" even if it 
contains some security holes. If other processes are running with the same 
userid, the login process may be able to do some evil things to them.
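Added example (not Dovecot code, and not part of the original thread): a toy model of the two points Timo makes above, the IMAP tag requirement and the username-to-UID mapping. The `LDAP_ENTRIES` dictionary, the response strings and the `handle_login` function are constructed for illustration; only `first_valid_uid`, `user_global_uid`, `user_global_gid`, `uidNumber`, `gidNumber` and `homeDirectory` come from the thread. It shows why a tagless `LOGIN dovecot secret` gets a BAD reply (the server takes `LOGIN` as the tag), why an entry without `uidNumber`/`gidNumber` cannot log in unless a global UID/GID is configured, and how a UID below the default `first_valid_uid` of 500 is rejected.

```python
"""Toy model of IMAP tag parsing and LDAP -> system UID mapping (added example)."""
import hmac
from typing import Optional, Tuple

FIRST_VALID_UID = 500  # Dovecot's default minimum accepted uid, as stated in the thread

# Constructed sample directory. 'bob' mirrors the thread: a plain 'uid' login
# name with no posixAccount attributes and no homeDirectory.
LDAP_ENTRIES = {
    "bob": {"uid": "bob", "userPassword": "secret"},
    "alice": {"uid": "alice", "userPassword": "pw", "uidNumber": "1001",
              "gidNumber": "1001", "homeDirectory": "/home/alice"},
    "svc": {"uid": "svc", "userPassword": "pw", "uidNumber": "100", "gidNumber": "100"},
}


def parse_imap_command(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a client line into (tag, command, args).

    IMAP requires the first token to be the tag, so a line sent without one
    has its command word consumed as the tag.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return None
    tag, command = parts[0], parts[1].upper()
    args = parts[2] if len(parts) > 2 else ""
    return tag, command, args


def resolve_system_ids(entry: dict, user_global_uid: Optional[int] = None,
                       user_global_gid: Optional[int] = None) -> Tuple[int, int]:
    """Map an LDAP entry to a (uid, gid) pair.

    Either a single global UID/GID is configured for all users, or each entry
    must carry uidNumber and gidNumber. The result is checked against
    first_valid_uid.
    """
    if user_global_uid is not None and user_global_gid is not None:
        uid, gid = user_global_uid, user_global_gid
    else:
        if "uidNumber" not in entry or "gidNumber" not in entry:
            raise ValueError("entry lacks uidNumber/gidNumber and no user_global_uid/gid is set")
        uid, gid = int(entry["uidNumber"]), int(entry["gidNumber"])
    if uid < FIRST_VALID_UID:
        raise ValueError(f"uid {uid} below first_valid_uid {FIRST_VALID_UID}")
    return uid, gid


def handle_login(line: str, user_global_uid: Optional[int] = None,
                 user_global_gid: Optional[int] = None) -> str:
    """Process one tagged LOGIN line and return the (constructed) server reply."""
    parsed = parse_imap_command(line)
    if parsed is None:
        return "* BAD Empty command"
    tag, command, args = parsed
    if command != "LOGIN":
        return f"{tag} BAD Unknown command"
    fields = args.split()
    if len(fields) != 2:
        return f"{tag} BAD LOGIN takes username and password"
    user, password = fields
    entry = LDAP_ENTRIES.get(user)
    # Constant-time comparison so a wrong user and a wrong password look alike.
    if entry is None or not hmac.compare_digest(entry["userPassword"], password):
        return f"{tag} NO Authentication failed"
    try:
        uid, gid = resolve_system_ids(entry, user_global_uid, user_global_gid)
    except ValueError as exc:
        return f"{tag} NO Internal login failure ({exc})"
    home = entry.get("homeDirectory", "")  # optional, per the thread
    return f"{tag} OK Logged in as uid={uid} gid={gid} home={home!r}"


if __name__ == "__main__":
    print(handle_login("LOGIN bob secret"))                         # tagless: BAD
    print(handle_login("x LOGIN bob secret"))                       # no uidNumber: NO
    print(handle_login("x LOGIN bob secret", 1000, 1000))           # global uid: OK
    print(handle_login("a1 LOGIN alice pw"))                        # per-user uid: OK
    print(handle_login("a2 LOGIN svc pw"))                          # uid 100 < 500: NO
```

The reply strings are the model's own, not Dovecot's exact wording; the point is the control flow: the tag is the first token no matter what, and a user that authenticates fine against LDAP still cannot be given a mail process without a system UID and GID.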

