[Dovecot] Re: LDAP authentication via PAM

Oscar A. Valdez oscar.valdez at duraflex-politex.com
Mon Apr 10 20:02:26 EEST 2006


Luis Meléndez wrote:
> Oscar A. Valdez wrote: 
> > I've configured dovecot to authenticate against a Fedora Directory
> > Server. The mail server on which dovecot is installed has the
> > nss_ldap and pam_ldap packages installed, and /etc/dovecot.conf has the
> > following two lines:
> > 
> > auth_userdb = ldap /etc/dovecot-ldap.conf
> > auth_passdb = pam
> > ...
> > Is it possible to access the user database through PAM (auth_userdb =
> > pam)? Since I'm running the nss_ldap and pam_ldap modules, it'd really
> > be an LDAP query for users, and a query in /etc/passwd and /etc/group
> > for dovecot (since it's a local user and group on the mail server).
> 
> If you are using nss_ldap and have edited /etc/nsswitch.conf
> accordingly, you should get it done with:
> 
> auth_userdb = passwd
> 
> It doesn't mean to use /etc/passwd, but the O.S. nss mechanism.

Before trying Luis' suggestion, I had the following in /var/log/messages:

dovecot(pam_unix)[4691]: check pass; user unknown
dovecot(pam_unix)[4691]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
dovecot-auth[4691]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)

I suppose the first two entries are the lookup for the dovecot user in
the DS, where it doesn't exist. And since I want anonymous binds to the
DS, I haven't created file /etc/ldap.secret. Users were able to
authenticate and get their mail.

After changing to auth_userdb = passwd, all the messages went away, but
the users weren't able to get their mail: Evolution gave me the
following error: "Unable to get a valid greeting" from the mailserver.

I went back to auth_userdb = ldap /etc/dovecot-ldap.conf, and then back
to auth_userdb = passwd. Users can get their mail, but the messages are
back in the log file.

I'd appreciate help in understanding this behavior.
-- 
Oscar A. Valdez
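
The point made in the quoted reply, that auth_userdb = passwd goes through the system's NSS lookup rather than reading /etc/passwd directly, can be checked on the mail server with a short script. This is an added example, not part of the original message; the function names and the sample file contents are constructed for illustration.

```python
import pwd
import re

# Constructed sample inputs (not taken from the poster's server).
SAMPLE_NSSWITCH = "passwd: files ldap\ngroup: files [NOTFOUND=return] ldap\n"
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\ndovecot:x:97:97::/var/empty:/sbin/nologin\n"


def nss_sources(nsswitch_text, database="passwd"):
    """Return the ordered lookup sources configured for one NSS database."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.startswith(database + ":"):
            spec = re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1])  # drop [actions]
            return spec.split()
    return []


def local_users(passwd_text):
    """User names present in a passwd-format file."""
    return {l.split(":", 1)[0] for l in passwd_text.splitlines()
            if l.strip() and not l.startswith("#")}


def system_lookup(user):
    """Real NSS lookup: getpwnam() consults every source in nsswitch.conf."""
    try:
        pwd.getpwnam(user)
        return True
    except KeyError:
        return False


def where_resolved(user, nsswitch_text, passwd_text, lookup=system_lookup):
    """Say which NSS source answers for `user`, or 'unresolved'."""
    sources = nss_sources(nsswitch_text)
    if "files" in sources and user in local_users(passwd_text):
        return "files"
    if lookup(user):
        # Found by NSS but absent from the local file: a non-file source answered.
        return "+".join(s for s in sources if s != "files") or "unknown"
    return "unresolved"


if __name__ == "__main__":
    with open("/etc/nsswitch.conf") as n, open("/etc/passwd") as p:
        nsswitch, passwd = n.read(), p.read()
    for name in ("dovecot", "root"):
        print(name, "->", where_resolved(name, nsswitch, passwd))
```

A directory user that prints "unresolved" here would also be unknown to a userdb that relies on NSS, so the result separates an NSS configuration problem from a Dovecot one.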
