[Dovecot] login w/ IMAP & LDAP

Bob Hall rjhjr at cox.net
Wed Aug 13 21:38:39 EEST 2003


On Wed, Aug 13, 2003 at 05:42:09PM +0300, Timo Sirainen wrote:
> On Wednesday, Aug 13, 2003, at 10:03 Europe/Helsinki, Bob Hall wrote:
> 
> >>There should be another error message before that line?
> >
> >No. The complete log entries related to my last attempt to log in are
> >
> >Aug 12 21:46:31 kongemord imap-login: Internal login failure: bob 
> >[192.168.0.2]
> >Aug 12 21:46:31 kongemord dovecot: child 14690 (auth) killed with 
> >signal 11
> 
> OK, so the problem is that dovecot-auth process crashes. Maybe it's 
> because you didn't give homeDirectory? It's not really needed, but 
> there was a bug when it wasn't given. Here's a patch to fix it: 
> http://dovecot.procontrol.fi/patches/auth-no-homedir.patch

I've never done a patch before, and I looked at the FBSD documentation 
on it, and couldn't figure out how it was done. So I modified my test 
entry in the LDAP directory and added posixAccount with homeDirectory 
and uidNumber and gidNumber. Restart OpenLDAP, retest, and same error 
message. 
 
> >LOGIN dovecot secret
> 
> All IMAP commands start with a "tag", which can be pretty much any 
> text. Add "x" or whatever before the LOGIN command.

x login dovecot secret
x NO Authentication failed.

The dovecot Unix account and the dovecot LDAP entry have been assigned 
the same password.
 
> >>I'd guess it's because localhost resolves to IPv6 localhost ::1, and
> >>Dovecot doesn't listen on IPv6 interfaces with *BSD for now, since it
> >>requires two sockets.
> >
> >No, localhost resolves to 127.0.0.1. However, compiling Dovecot with
> >the --disable-ipv6 flag fixed that problem. Now I can connect via
> >localhost, but I can't LOGIN. Error is identical to above.
> 
> Well, that's a bit strange..
> 
> >>something to do with user ids. What uids have you given to users in
> >>LDAP? Are they smaller than 500, which is the default minimum accepted
> >>uid? You could change first_valid_uid in config file.
> >
> >I'm confused. In the documentation and schemas that come with OpenLDAP,
> >a uid is a login.  E.g. my account uid is 'bob'. Unix uses numeric
> >uids, but if I'm using LDAP, I'm not accessing anything with numeric
> >uids. posixAccount uses uidNumber, but I'm not using that class.
> 
> Dovecot still needs to map usernames to system UID numbers. If you want 
> to use only one system UID, you can set user_global_uid and 
> user_global_gid in dovecot-ldap.conf. Otherwise you'll need to set 
> uidNumber and gidNumber for all users.

OK. I've added uidNumber and gidNumber for my LDAP test entry, and 
	user_global_uid = 2000
	user_global_gid = 6
6 is the mail group. 2000 is no one in particular. I added dovecot 
to the mail group, but since Dovecot runs as root, I don't think that's 
necessary.
 
> >>>login_user = dovecot
> >>>auth_user = dovecot
> >>
> >>It's better not to use the same user for auth and login. Maybe I 
> >>should
> >>add a check to disallow this entirely..
> >
> >I don't know enough about it to know why that's a bad idea, but I got
> >it from a sample config file online. I've changed auth_user to
> >dovecot-auth and I'm still getting the same error.
> 
> It's mostly just that login process is designed to be "safe" even if it 
> contains some security holes. If other processes are running with same 
> userid, the login process may be able to do some evil things to them.

OK. Dovecot (the app) runs under root. dovecot-auth (the process) runs 
under dovecot-auth (the user), imap-login runs under dovecot (the user), 
and never the twain shall meet. Does that seem right?

Sorry if I seem slow, but I'm really unfamiliar with mail servers and 
authentication. It takes me hours to think through your replies and 
apply them to what I've done.

Bob Hall
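The point behind Timo's advice above is privilege separation: the login process is written on the assumption that it may be compromised, so nothing else should share its Unix user. The script below is an added example, not part of this thread or of Dovecot itself; it checks a `ps`-style listing (user then command name) and reports whether imap-login and dovecot-auth run as different users. The listing embedded here is constructed; on a real host you would pass the output of `ps -eo user=,comm=` (or the BSD equivalent) instead.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that Dovecot's
# imap-login and dovecot-auth processes do not share a Unix user.

# Constructed sample listing in "user command" form, one process per line.
# Replace with real ps output, e.g.: check_separation "$(ps -eo user=,comm=)"
SAMPLE_PS='root dovecot
dovecot imap-login
dovecot-auth dovecot-auth
bob imap'

# check_separation LISTING
# Prints "imap-login=<user> dovecot-auth=<user>" and returns 0 when the
# two processes run as different users; returns 1 (with a message on
# stderr) when they share a user or when either process is missing.
check_separation() {
    listing=$1
    login_user=$(printf '%s\n' "$listing" | awk '$2 == "imap-login" { print $1; exit }')
    auth_user=$(printf '%s\n' "$listing" | awk '$2 == "dovecot-auth" { print $1; exit }')

    if [ -z "$login_user" ] || [ -z "$auth_user" ]; then
        echo "imap-login or dovecot-auth process not found in listing" >&2
        return 1
    fi
    if [ "$login_user" = "$auth_user" ]; then
        echo "imap-login and dovecot-auth both run as '$login_user'" >&2
        return 1
    fi
    echo "imap-login=$login_user dovecot-auth=$auth_user"
    return 0
}

check_separation "$SAMPLE_PS"
```

With the sample listing the check passes; a listing where both processes appear under the same user (the `login_user = auth_user = dovecot` configuration from earlier in the thread) makes it fail.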
