[Dovecot] auth issues on centos5 with ldap backend

Timo Sirainen tss at iki.fi
Thu Jun 5 02:44:54 EEST 2008


On Wed, 2008-06-04 at 19:21 -0400, Jurvis LaSalle wrote:
> Hi,
> 
> 	We've had some issues with auth.  /var/log/secure is full of 1000s of  
> these lines:
> 
> Jun  4 19:12:08 khan dovecot-auth: pam_unix(dovecot:auth):  
> authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=  
> rhost=127.0.0.1  user=user123

Someone's trying to brute-force in?

> Users can usually login OK with their ldap credentials, but  
> occasionally logins slow to a crawl if not outright fail, esp people  
> checking mail through Squirrelmail.  Things get better after a dovecot  
> restart.

You used blocking=yes with PAM, which means the PAM processes get
reused. This might be why restarting helps. Have you tried how it works
without the blocking=yes?

> Googling around, I thought if we switched the order or  
> disabled the second passdb we had configured for our dovecotadmin  
> account, these failures would go away but that did not happen.

What do you mean second passdb? There's only one passdb in your
dovecot -n output:

>    passdb:
>      driver: pam
>      args: blocking=yes
>    userdb:
>      driver: passwd
>      args: blocking=yes

Anyway, one sure way to reduce PAM problems would be to get rid of it
and just configure Dovecot to use LDAP directly.
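
One way to check the brute-force question raised in the reply, added here as an example and not part of the original message or of Dovecot: it parses pam_unix failure lines in the format quoted above and counts failures and distinct usernames per rhost. The sample lines, the 192.0.2.10 address, the extra usernames and the min_users threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, modelled on the pam_unix line quoted in the message.
SAMPLE_LOG = """\
Jun  4 19:12:08 khan dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=127.0.0.1  user=user123
Jun  4 19:12:09 khan dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=127.0.0.1  user=user123
Jun  4 19:12:11 khan dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.0.2.10  user=admin
Jun  4 19:12:12 khan dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.0.2.10  user=test
Jun  4 19:12:13 khan dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.0.2.10
Jun  4 19:12:14 khan sshd[2211]: Accepted publickey for root from 192.0.2.77
"""

FAILURE = re.compile(r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure;(.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_failures(text):
    """Return one dict of key=value fields per pam_unix failure line."""
    events = []
    for line in text.splitlines():
        m = FAILURE.search(line)
        if m:
            fields = dict(FIELD.findall(m.group(1)))
            # Lines without a user= field are grouped under a placeholder.
            fields.setdefault("user", "(none)")
            events.append(fields)
    return events

def summarize(text, min_users=3):
    """Count failures per rhost and flag rhosts that failed for many distinct users."""
    failures = Counter()
    users = defaultdict(set)
    for ev in parse_failures(text):
        rhost = ev.get("rhost") or "(none)"
        failures[rhost] += 1
        users[rhost].add(ev["user"])
    # Many distinct usernames from one rhost looks like guessing; repeated
    # failures for a single user look more like a stale saved password.
    flagged = sorted(r for r in users if len(users[r]) >= min_users)
    return failures, {r: sorted(u) for r, u in users.items()}, flagged

if __name__ == "__main__":
    failures, users, flagged = summarize(SAMPLE_LOG)
    for rhost, n in failures.most_common():
        print(f"{rhost}: {n} failures, users={users[rhost]}")
    print("many-user rhosts:", flagged)
```

Logins relayed by a webmail front end on the same host all arrive with rhost=127.0.0.1, as in the quoted line, so per-rhost counts there describe the front end rather than the end client.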