[Dovecot] LDAP authentication stops working...

J. David Rye of Roadtech david at roadtech.co.uk
Thu Jan 11 16:20:19 UTC 2007


> On Wednesday 10 January 2007 15:07, J.M. Maurer wrote:
>> On Tue, 2007-01-09 at 09:54 +0000, Gavin Henry wrote:
>> > <quote who="Adrian Close">
>> >
>> > > Hi all,
>> > >
>> > > I'm running dovecot-1.0.rc17 on OpenBSD 3.9, using userdb and passdb
>> > > methods of "ldap" (SSL on 636/tcp) in addition to "passwd".
>> > >
>> > > Occasionally (generally after a few hours of operation, but not
>> > > always), LDAP-based logins stop working (e.g. hang/timeout after POP3
>> > > PASS command).  Accounts with local passwords (as opposed to accounts
>> > > with a password field of "x") still work fine at this point.
>> >
>> > We also get this. Twice a day we have to restart dovecot, using userdb
>> > and passdb via LDAP, with userdb_prefetch.
>>
>> Just to add: we moved from rc<something before 5> to rc15 recently, and
>> we now also see a lot of hangs with ldap_authbind.
>>
>> The result handler for the initial ldap_search to find the dn to bind to
>> is never called. I assume Timo fscked something up recently in my
>> auth_bind code ;-P
>>
>> Anyway, restarting ldap every hour or so with cron does the job :-|
>>
>> I'd debug this if I had the time, but I won't have before next week.
>>
>> Cheers,
>>    Marc
>>
>>
> I get this problem as well, with dovecot running on a server running
> Fedora5.
> I first noticed this problem after a yum update that moved the server up to
> the rpm dovecot-1.0.0.beta8.3.fc5.i386
> The server originally ran OK after it was originally upgraded to Fedora5,
> which shipped with the rpm dovecot-1.0.0.beta2.7.i386
>
> The LDAP server is openldap-2.0.27-8 running redhat 9.0
>
> The minimum to fix the problem seems to be to kill the dovecot auth
> processes.
>

It's happened again.

---------------------------------------------------------------
Jan 11 08:16:21 viruswall-1 dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=195.245.100.152 rip=172.16.20.72 resp=<hidden>
Jan 11 08:16:21 viruswall-1 dovecot: auth(default): client out: CONT 1
Jan 11 08:16:21 viruswall-1 dovecot: auth(default): client in: CONT<hidden>
Jan 11 08:16:21 viruswall-1 dovecot: auth(default): client out: OK 1 user=mikey
Jan 11 08:16:21 viruswall-1 dovecot: auth(default): master in: REQUEST 2354 1718 1
Jan 11 08:16:21 viruswall-1 dovecot: auth(default): master out: USER 2354 mikey system_user=mikey uid=1011 gid=513 home=/home/mikey
Jan 11 08:16:21 viruswall-1 dovecot: pop3-login: Login: user=<mikey>, method=PLAIN, rip=172.16.20.72, lip=195.245.100.152
Jan 11 08:16:21 viruswall-1 dovecot: POP3(mikey): Disconnected: Logged out top=0/0, retr=0/0, del=0/772, size=8769550
Jan 11 08:16:40 viruswall-1 dovecot: pop3-login: Disconnected: rip=172.16.20.108, lip=195.245.100.152
Jan 11 08:16:54 viruswall-1 dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=195.245.100.152 rip=172.16.20.31 resp=<hidden>
Jan 11 08:16:54 viruswall-1 dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=195.245.100.152 rip=172.16.24.161 resp=<hidden>
Jan 11 08:16:54 viruswall-1 dovecot: auth(default): client out: CONT 1
Jan 11 08:16:54 viruswall-1 dovecot: auth(default): client in: CONT<hidden>
Jan 11 08:16:54 viruswall-1 dovecot: auth(default): client out: OK 1 user=wrosen
Jan 11 08:16:54 viruswall-1 dovecot: auth(default): master in: REQUEST 2355 1867 1
Jan 11 08:17:47 viruswall-1 dovecot: pop3-login: Disconnected: rip=172.16.20.108, lip=195.245.100.152
Jan 11 08:17:54 viruswall-1 dovecot: pop3-login: Disconnected: Inactivity: method=PLAIN, rip=172.16.24.161, lip=195.245.100.152
-----------------------------------------------------------------
Summary :-
The login from 172.16.20.72 @ Jan 11 08:16:21 was successful.

The problem appears to start with the near-concurrent logins at Jan 11 08:16:54.
All of the LDAP lookups for the first of these run over the same TCP
connection as the preceding calls to auth master.

dovecot-auth seems to run mostly with the same TCP socket for anything from 6
minutes to an hour, then close the socket and open a new one.
Very occasionally dovecot-auth exits, logging the event
BROKEN NSS IMPLEMENTATION
It is then immediately restarted by dovecot.

Dovecot is configured to use pam for passdb and userdb, with pam in turn
configured to use LDAP.

At the time it hung there were two TCP connections, with
some of the queries for the second of the overlapping logins
running over a second TCP connection to the LDAP server.

ps/lsof show 3 dovecot-auth processes.

1 zombie
1 the parent with a single tcp connection to the LDAP server
1 a child with 2 connections to the LDAP server

----------------------------------------------------------------


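The hang in the log above shows up as a `master in: REQUEST` line that never gets a matching `master out:` line. The following is an added example, not part of the original post or of Dovecot, that flags such unanswered requests in an auth debug log; it assumes the first number after `REQUEST` and after the reply keyword is the request id (as in the 2354 pair above), and the function name, threshold and year are hypothetical.

```python
import re
from datetime import datetime

# Log lines taken from the post above, with the mail-wrapped lines rejoined.
SAMPLE = """\
Jan 11 08:16:21 viruswall-1 dovecot: auth(default): master in: REQUEST 2354 1718 1
Jan 11 08:16:21 viruswall-1 dovecot: auth(default): master out: USER 2354 mikey system_user=mikey uid=1011 gid=513 home=/home/mikey
Jan 11 08:16:54 viruswall-1 dovecot: auth(default): client out: OK 1 user=wrosen
Jan 11 08:16:54 viruswall-1 dovecot: auth(default): master in: REQUEST 2355 1867 1
Jan 11 08:17:54 viruswall-1 dovecot: pop3-login: Disconnected: Inactivity: method=PLAIN, rip=172.16.24.161, lip=195.245.100.152
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: (.*)$")
# Assumption: the request id is the first numeric field on both line types.
MASTER_IN = re.compile(r"auth\(\w+\): master in: REQUEST\s+(\d+)")
MASTER_OUT = re.compile(r"auth\(\w+\): master out: \S+\s+(\d+)")


def parse_ts(stamp, year=2007):
    # Syslog timestamps carry no year; the year here is an assumption.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def stalled_requests(log_text, max_wait=30):
    """Return [(request_id, seconds_waiting)] for master requests with no
    'master out' reply, measured against the last timestamp in the log."""
    pending, last_seen = {}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not dovecot syslog entries
        last_seen = parse_ts(m.group(1))
        req = MASTER_IN.search(m.group(2))
        rep = MASTER_OUT.search(m.group(2))
        if req:
            pending[req.group(1)] = last_seen
        elif rep:
            pending.pop(rep.group(1), None)  # any reply clears the request
    return [(rid, int((last_seen - t0).total_seconds()))
            for rid, t0 in pending.items()
            if (last_seen - t0).total_seconds() >= max_wait]


if __name__ == "__main__":
    for rid, waited in stalled_requests(SAMPLE):
        print(f"auth master request {rid} unanswered for {waited}s")
```

Run against a live log on a schedule, a non-empty result is a cue to restart only the dovecot-auth processes rather than restarting on a fixed cron interval.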