[Dovecot] [BUG?] LDAP authentication with aliases issues
Paweł Lęcznar
maillistpld at gmail.com
Thu Aug 4 22:23:17 EEST 2011
On 31.07.2011 22:48, Paweł Lęcznar wrote:
> Hello,
>
> I am trying to configure Dovecot with LDAP authentication. My LDAP
> tree structure is as following:
> dc=root,dc=pl
>  \_ ou=Users
>     \_ uid=test
>  \_ ou=Mail
>     \_ ou=domain.pl
>        \_ uid=alias_to_test
>
> I cannot authenticate using
> 'uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl'. If I try to
> authenticate using
> 'uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl', the following
> entry appears in Dovecot's log file:
>
> #v+
> auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=993 rport=59818 resp=YWxpYXMxQGFsaWFzeS5wbABhbGlhczFAYWxpYXN5LnBsAGFzZHF3ZWFzZA==
> auth: Debug: ldap(alias_to_test at domain.pl,127.0.0.1): pass search: base=uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl scope=base filter=(&(objectClass=posixAccount)) fields=uid,userPassword
> auth: Debug: auth(alias_to_test at domain.pl,127.0.0.1): username changed alias_to_test at domain.pl -> test
> auth: Debug: ldap(test,127.0.0.1): result: uid(user)=test userPassword(password)={CRYPT}ACnZvF4.K46UI
> auth: Debug: client out: OK 1 user=test
> auth: Debug: ldap(test,127.0.0.1): user search: base=uid=test,ou=,ou=Mail,dc=root,dc=pl scope=base filter=(&(objectClass=posixAccount)(uid=test)) fields=homeDirectory,uidNumber,gidNumber
> auth: Debug: master out: FAIL 2551840769
> #v-
>
>
> In the LDAP server log file, the following entries appear during the
> authentication attempt:
>
> #v+
> ldap slapd[11729]: conn=1125 op=0 BIND dn="cn=Manager,dc=root,dc=pl" method=128
> ldap slapd[11729]: conn=1125 op=0 BIND dn="cn=Manager,dc=root,dc=pl" mech=SIMPLE ssf=0
> ldap slapd[11729]: conn=1125 op=0 RESULT tag=97 err=0 text=
> ldap slapd[11729]: conn=1125 op=1 SRCH base="uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl" scope=0 deref=3 filter="(&(objectClass=posixAccount))"
> ldap slapd[11729]: conn=1125 op=1 SRCH attr=uid userPassword
> ldap slapd[11729]: conn=1125 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> ldap slapd[11729]: conn=1125 op=2 do_search: invalid dn: "uid=test,ou=,ou=Mail,dc=root,dc=pl"
> ldap slapd[11729]: conn=1125 op=2 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
> #v-
>
> It seems that LDAP AuthDatabase doesn't change the context when
> looking up the target object to which the alias points.
> Furthermore, the filter for the target object
> '(&(objectClass=posixAccount)(uid=test))' was not defined by me
> anywhere in the configuration file 'dovecot-ldap.ext'.
> I have tried both authentication ways: 'password lookups' and
> 'authentication binding', with the same result. However, there is no
> problem authenticating as 'uid=test,ou=Users,dc=root,dc=pl' (of
> course after modifying the configuration file listed at the end).
>
> I suppose that it can be a bug in LDAP AuthDatabase, so I am writing
> this post as a potential bug report.
>
>
> Below are my configuration data:
> ***************
> # dovecot -n
> # 2.0.13: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.38.8-1 x86_64
> auth_debug = yes
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> auth_socket_path = /var/run/dovecot/auth-userdb
> auth_verbose = yes
> auth_verbose_passwords = plain
> listen = *
> mail_debug = yes
> mail_gid = 2000
> mail_uid = 2000
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
> passdb {
> args = /etc/dovecot/dovecot-ldap.conf.ext
> driver = ldap
> }
> plugin {
> sieve = ~/.dovecot.sieve
> sieve_dir = ~/sieve
> }
> postmaster_address = postmaster at domain.pl
> protocols = imap pop3 sieve
> service auth {
> unix_listener /var/spool/postfix/private/auth {
> mode = 0666
> }
> unix_listener auth-userdb {
> group = vmail
> mode = 0600
> user = vmail
> }
> }
> service imap-login {
> inet_listener imap {
> port = 143
> }
> inet_listener imaps {
> port = 993
> ssl = yes
> }
> }
> service pop3-login {
> inet_listener pop3 {
> port = 110
> }
> inet_listener pop3s {
> port = 995
> ssl = yes
> }
> }
> ssl = required
> ssl_cert = </etc/openssl/certs/vmail.pem
> ssl_key = </etc/openssl/private/vmail.key
> userdb {
> args = /etc/dovecot/dovecot-ldap.conf.ext
> driver = ldap
> }
> verbose_ssl = yes
>
> ***************
> # cat /etc/dovecot/dovecot-ldap.ext
> uris = ldap://X.Y.Z.V/
> dn = cn=Manager,dc=root,dc=pl
> dnpass = password
> auth_bind = no
> ldap_version = 3
> base = uid=%n,ou=%d,ou=Mail,dc=root,dc=pl
> deref = always
> scope = base
> pass_attrs = uid=user,userPassword=password
> pass_filter = (&(objectClass=posixAccount))
> default_pass_scheme = CRYPT
Nobody? Nothing? Is there any chance that the author of the LDAP authentication
module will fix this problem?
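As an added illustration (not code from the post and not Dovecot's own implementation), the script below models the two lookups visible in the quoted log: the passdb search runs with the login name, `uid=user` in `pass_attrs` then replaces the user name with the bare `uid` value, and the userdb search expands the same `base` template with that replaced name. With no domain left in the name, `%d` expands to nothing and the template yields the `ou=` RDN that slapd rejected as an invalid DN. The `%u`/`%n`/`%d` expander and the RDN check are simplified assumptions written for this example; the user filter template is taken from the log, since the posted config sets no `user_filter`.

```python
import re

# Simplified model of Dovecot-style %-variable expansion, written for this
# example (not Dovecot's code): %u = full login name, %n = local part,
# %d = domain part (empty when the name carries no '@').
_VAR_RE = re.compile(r"%([und])")


def expand(template: str, user: str) -> str:
    """Expand %u/%n/%d in a template for the given user name."""
    local, _sep, domain = user.partition("@")
    values = {"u": user, "n": local, "d": domain}
    return _VAR_RE.sub(lambda m: values[m.group(1)], template)


# An RDN is "attributeType=value" with a non-empty value; "ou=" is exactly
# what slapd reported as err=34 (invalid DN) in the post.
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def invalid_rdns(dn: str) -> list:
    """Return the malformed RDNs of a DN, e.g. ['ou='] for an empty value.

    Simplified splitter: assumes no escaped commas inside values, which
    holds for every DN in the post.
    """
    return [rdn for rdn in dn.split(",") if not _RDN_RE.match(rdn)]


# Base template from the posted dovecot-ldap config; filter template as it
# appears expanded in the user search of the posted log.
BASE_TEMPLATE = "uid=%n,ou=%d,ou=Mail,dc=root,dc=pl"
USER_FILTER_TEMPLATE = "(&(objectClass=posixAccount)(uid=%u))"


def userdb_lookup_after_passdb(login_user: str, passdb_user: str) -> dict:
    """Model the passdb search (login name) followed by the userdb search
    (name replaced by the uid value the passdb returned)."""
    pass_base = expand(BASE_TEMPLATE, login_user)
    user_base = expand(BASE_TEMPLATE, passdb_user)
    return {
        "pass_base": pass_base,
        "user_base": user_base,
        "user_filter": expand(USER_FILTER_TEMPLATE, passdb_user),
        "user_base_invalid_rdns": invalid_rdns(user_base),
    }


if __name__ == "__main__":
    # Constructed sample reproducing the post: the alias entry's uid is
    # 'test' with no domain, so %d is empty in the userdb base.
    r = userdb_lookup_after_passdb("alias_to_test@domain.pl", "test")
    print("pass search base:", r["pass_base"])
    print("user search base:", r["user_base"])
    print("user search filter:", r["user_filter"])
    print("malformed RDNs in user base:", r["user_base_invalid_rdns"])
```

The output of the sample run matches the log: the pass search base is the full alias DN, the user search base becomes `uid=test,ou=,ou=Mail,dc=root,dc=pl`, and the only malformed RDN is `ou=`. The empty domain, not the template itself, is what produces the invalid DN; the same template expanded with the original login name is well formed.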