[Dovecot] LDAP authentication via PAM

Stephen Warren swarren at wwwdotorg.org
Mon Aug 28 05:24:39 EEST 2006


Oscar A. Valdez wrote:
> El lun, 10-04-2006 a las 11:17 -0600, Stephen Warren escribió:
>> Oscar A. Valdez wrote:
>>> Before trying Luis' suggestion, I had the following in /var/log/messages:
>>>
>>> dovecot(pam_unix)[4691]: check pass; user unknown
>>> dovecot(pam_unix)[4691]: authentication failure; logname>>> tty>>
>> I believe this is because your PAM configuration checks both local files
>> (pam_unix: /etc/passwd) and pam_ldap: LDAP. The pam_unix module can't
>> find the user in the local database, and complains, then LDAP finds the
>> user information, and allows the login/whatever.
>>
>> The solution is probably to create a /etc/pam.d/system-auth-ldap-only
>> file that doesn't reference pam_unix, and use that pam configuration for
>> network services such as Dovecot.
>>
>> Or, possible, check pam_ldap first with a "sufficient" setting; perhaps
>> this will stop pam_unix being tried at all?
>>
>> I keep meaning to try this, since I'm seeing those messages from a
>> number of network services, but have never gotten around to it!
> 
> They tend to fill up the message log quickly, so if you get around to
> it, I'm interested in your fix.

Well, I finally got around to fiddling with this, and I now have created
a /etc/pam.d/system-auth that doesn't trigger the annoying
authentication failure messages in syslog. The file is shown below.

I've tested this by connecting in using SSH (setup for PAM) both as a
user in the local /etc/passwd and as a user in LDAP. Also, I tested
/etc/passwd users with the LDAP server stopped, and that worked too.
Finally, I tested connecting to Dovecot as an LDAP user.

Note: The only section that references LDAP is the auth section. That's
because account and session rely on pam_unix to pick up the information
using nss_ldap (i.e. /etc/nsswitch.conf says "files ldap" for passwd,
group, etc.) This seems to work for me...

Also, note that my LDAP server stores Samba passwords too, so that's why
the password section uses pam_smbpass (which in turn is setup to access
LDAP via /etc/samba/smb.conf) rather than pam_ldap. This is so both the
Unix and SMB passwords are updated in LDAP.

Anyway, here's my file. Anyone want to pick holes in it? Indented lines
are just mail formatting...

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_ldap.so debug
auth        sufficient    /lib/security/$ISA/pam_unix.so
				use_first_pass likeauth
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so
				 uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_smbpass.so use_authtok
password    sufficient    /lib/security/$ISA/pam_unix.so
				nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_mkhomedir.so
				skel=/etc/skel/ umask 77


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://dovecot.org/pipermail/dovecot/attachments/20060827/3a47e49f/attachment.pgp 


More information about the dovecot mailing list