[Dovecot] LDAP Auth problems with auth_bind=yes
Rob Coward
Rob.Coward at game.co.uk
Fri Aug 18 15:19:19 EEST 2006
Hi,
I first posted this problem a day or two ago and have not seen any
responses yet.
To clarify my problem, I am authenticating virtual users against Active
Directory on Win2k3, where their login id is their email address. I am
using an almost identical setup to Suranga's below, however my initial
bind user doesn't have access to the userPassword attribute, so I am
using:
auth_bind = yes
This is working fine when users enter their correct email address &
password, or if the email address is not found, however if a valid email
address is given but the password is incorrect, it seems to kill
something in the ldap_auth code as all further connections get a
temporary authentication error at the client, and the following in
/var/log/maillog:
Aug 18 13:04:31 gm-ho-lin-06 dovecot: auth(default): client in: AUTH 1 PLAIN service=IMAP secured lip=::ffff:127.0.0.1 rip=::ffff:127.0.0.1 resp=ADA5OTlAc3RvcmVzLmdhbWUuY28udWsAOTk5MA==
Aug 18 13:04:31 gm-ho-lin-06 dovecot: auth(default): ldap(0999 at stores.game.co.uk,::ffff:127.0.0.1): bind search: base=OU=Stores,OU=UK,DC=group,DC=game,DC=net filter=(&(objectClass=user)(mail=0999 at stores.game.co.uk))
Aug 18 13:04:31 gm-ho-lin-06 dovecot: auth(default): ldap(0999 at stores.game.co.uk,::ffff:127.0.0.1): ldap_search() failed: Operations error
Aug 18 13:04:31 gm-ho-lin-06 dovecot: auth(default): client out: FAIL 1 user=0999 at stores.game.co.uk temp
Aug 18 13:04:31 gm-ho-lin-06 dovecot: imap-login: Aborted login: user=<0999 at stores.game.co.uk>, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured
Is the auth_ldap code not resetting the ldap connection bind details to
the dn/dnpass values for each login?
Your help would be greatly appreciated as I hope to make this a
production server within the next week.
Regards,
Rob Coward
Unix Developer
GAME STORES GROUP LTD
Tel: 01256 784476
Email: Rob.Coward at game.net
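The failure sequence described above, as an added model (not Dovecot's code): a shared LDAP connection that is left anonymous after a failed user bind, so the next login's search fails, compared with re-binding as the service dn/dnpass before every search. The directory, DNs and passwords are constructed placeholders.

```python
# Constructed directory: DN -> (password, mail). All names and values are placeholders.
DIRECTORY = {
    "CN=svc-dovecot,OU=Service,DC=example,DC=test": ("dnpass-placeholder", None),
    "CN=0999,OU=Stores,OU=UK,DC=example,DC=test": ("user-pw-placeholder", "0999@stores.example.test"),
}
SERVICE_DN = "CN=svc-dovecot,OU=Service,DC=example,DC=test"   # Dovecot's dn
SERVICE_PW = "dnpass-placeholder"                             # Dovecot's dnpass


class LdapConn:
    """One LDAP connection. A bind with wrong credentials leaves the
    connection anonymous: the server resets its authorization state."""
    def __init__(self):
        self.bound_as = None

    def bind(self, dn, password):
        entry = DIRECTORY.get(dn)
        if entry is None or entry[0] != password:
            self.bound_as = None
            return False
        self.bound_as = dn
        return True

    def search(self, mail):
        # Active Directory rejects searches on an anonymous connection; the
        # post's log shows this as "ldap_search() failed: Operations error".
        if self.bound_as is None:
            raise RuntimeError("ldap_search() failed: Operations error")
        return [dn for dn, (_, m) in DIRECTORY.items() if m == mail]


def authenticate(conn, mail, password, rebind_service):
    """auth_bind flow: look up the DN by mail, then bind as that DN with the
    user's password. rebind_service=False reproduces the reported behaviour."""
    if rebind_service:
        conn.bind(SERVICE_DN, SERVICE_PW)   # restore dn/dnpass before the search
    try:
        dns = conn.search(mail)
    except RuntimeError:
        return "temp"                       # client gets a temporary auth error
    return "ok" if dns and conn.bind(dns[0], password) else "fail"


def login_sequence(rebind_service):
    """Wrong password first, then the right one, on one shared connection."""
    conn = LdapConn()
    conn.bind(SERVICE_DN, SERVICE_PW)       # initial bind when the connection opens
    mail = "0999@stores.example.test"
    return [authenticate(conn, mail, "wrong-password", rebind_service),
            authenticate(conn, mail, "user-pw-placeholder", rebind_service)]
```

`login_sequence(False)` yields `["fail", "temp"]`, matching the `FAIL ... temp` in the log, while `login_sequence(True)` yields `["fail", "ok"]`.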
-----Original Message-----
From: dovecot-bounces at dovecot.org [mailto:dovecot-bounces at dovecot.org]
On Behalf Of suranga de silva
Sent: 18 August 2006 19:14
To: dovecot at dovecot.org
Subject: Re: [Dovecot] dovecot Digest, Vol 40, Issue 65
Dear Tim Schafer,
Take a look at my sample dovecot-ldap.conf
hosts = localhost
dn = cn=root,dc=ceylonlinux,dc=com
dnpass = secret
ldap_version = 3
base = dc=ceylonlinux,dc=com
deref = never
scope = subtree
user_attrs = mail,homeDirectory=mailMessageStore,uidNumber=1003,gidNumber=1003
user_filter = (&(objectClass=user)(mail=%u))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=user)(mail=%u))
default_pass_scheme = CRYPT
user_global_uid = 1003
user_global_gid = 1003
Here I am using my own schema called "user", but in your case change it
to inetOrgPerson or the schema name you are using.
I think the most common problem in this process is the ldap filter.
Above in my configuration user_filter and pass_filter are used as ldap
filters for querying user name and password. There I am using mail
attribute.
gid and uid belong to the user vmail.
Maybe this explanation will help you to figure out your problem.
You can refer to my article at the following link for further reference:
http://www.ceylonlinux.com/pdf/openldap_backsql_postfix_maildir_cl.pdf
Cheers!!!
Suranga De Silva.
CTO
CEYLON LINUX