[Dovecot] Changing password in LDAP

Arto Saraniva arto.saraniva at artio.net
Wed Feb 20 14:42:28 EET 2013


We are now running Dovecot 2.0.21 against OpenLDAP, but this problem has existed for quite a long time. When a user changes their password, we have to reload Dovecot every time; otherwise the change is ignored and Dovecot only accepts the old password. Any ideas where the problem might be?

Conf:

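# 2.0.21: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-308.24.1.el5 i686 CentOS release 5.9 (Final)
#
# (Layout of the pasted listing restored: one setting per line.)

# NOTE(review): this is the most likely cause of "a changed LDAP password is
# not accepted until Dovecot is reloaded". With a non-zero auth cache a
# passdb lookup that is answered from the cache never reaches the LDAP
# server again until the cached entry expires (auth_cache_ttl, 1 hour by
# default), and a reload throws the whole cache away -- which is exactly
# the symptom described. To confirm, set auth_cache_size = 0 temporarily;
# to keep the cache, flush it after a password change instead of
# reloading (doveadm auth cache flush / USR2 to the auth process --
# check the Authentication/Caching wiki page for what 2.0.x supports).
auth_cache_size = 100 M

auth_mechanisms = plain login
auth_verbose = yes
default_process_limit = 5000

# NOTE(review): "no" lets clients send PLAIN/LOGIN credentials over an
# unencrypted connection. TLS is configured below (ssl_cert/ssl_key), so
# unless there are legacy clients that cannot use STARTTLS/SSL the default
# (yes) is the safer choice.
disable_plaintext_auth = no

info_log_path = /var/log/dovecot.log
mail_location = maildir:~/Maildir:INDEX=/var/spool/indexes/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl

# Password lookups come from LDAP only; the PAM stack in /etc/pam.d/dovecot
# is not referenced from here.
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

plugin {
  quota = maildir:User Quota
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}

# The mailing-list archive rewrote "@" as " at "; restored here.
postmaster_address = postmaster@artio.net

# SASL socket for Postfix. Postfix's smtpd runs as the "postfix" user, so
# the socket can be restricted to that user/group instead of being
# world-writable. /var/spool/postfix/private is normally 0700 postfix:root,
# which already limits who can reach the socket, but an explicit 0660
# keeps that true even if the directory permissions change.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    user = postfix
    group = postfix
    mode = 0660
  }
}

service imap-login {
  service_count = 0
}

# NOTE(review): both post-login scripts run as root. script-login hands the
# login's attributes (user name, remote IP, ...) to the script through its
# environment, so the scripts must treat those values as untrusted input.
# As far as I recall, from 2.0.14 on the script process can be run as
# "user = $default_internal_user" unless it genuinely needs root; see the
# PostLoginScripting wiki page for this version.
service imap-postlogin {
  executable = script-login /usr/local/sbin/dovecot-postscript-imap
  user = root
}
service imap {
  executable = imap imap-postlogin
}
service pop3-postlogin {
  executable = script-login /usr/local/sbin/dovecot-postscript-pop3
  user = root
}
service pop3 {
  executable = pop3 pop3-postlogin
}

ssl_ca = </usr/share/ssl/certs/mail_artio_net-2012-geotrust.ca
ssl_cert = </usr/share/ssl/certs/mail_artio_net-2012-geotrust.crt
ssl_key = </usr/share/ssl/private/mail_artio_net-2012-geotrust.key

userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

protocol lda {
  mail_plugins = sieve quota
}
protocol imap {
  mail_max_userip_connections = 50
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_plugins = quota
  pop3_uidl_format = %08Xu%08Xv
}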


Dovecot-ldap.conf:

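# NOTE(review): this header comment is the stock text from an old (1.0-era)
# example file; Dovecot 2.0 does support authentication binds (see
# auth_bind below). Without them, the DN that Dovecot binds with has to be
# able to read the userPassword attribute, so with OpenLDAP the ACL in
# slapd.conf (or cn=config) needs something like:
#
# access to attribute=userPassword
#        by dn="<dovecot's dn>" read    # add this
#        by anonymous auth
#        by self write
#        by * none

# Space separated list of LDAP hosts to use. host:port is allowed too.
#hosts =
hosts = 123.123.123.123 123.123.123.124
# NOTE(review):
#  - No "tls = yes" and no ldaps:// URI: with auth_bind off, Dovecot reads
#    password hashes (and with auth_bind on, sends the user's plaintext
#    password) over an unencrypted LDAP connection. Enable TLS, e.g.
#    "uris = ldaps://host1 ldaps://host2" or "tls = yes" for STARTTLS,
#    with tls_ca_cert_file pointing at the CA that signed the server certs.
#  - Two servers: if they replicate from each other, a password changed on
#    one is not visible through the other until replication has run. Worth
#    checking which server Dovecot is actually querying when a login with a
#    fresh password fails.

# Distinguished Name - the username used to login to the LDAP server
#dn =

# Password for LDAP server
#dnpass =
# NOTE(review): presumably dn/dnpass were redacted for the post. If they
# really are unset Dovecot binds anonymously, and the ACL above would then
# have to grant anonymous read on userPassword -- which exposes every hash to
# any unauthenticated client. Keep a dedicated bind DN and make this file
# readable only by root (it holds dnpass).

# Alternative that avoids giving Dovecot read access to userPassword at all:
# bind to LDAP as the user with the supplied password and let the server do
# the verification. Note the result is still subject to Dovecot's auth
# cache (auth_cache_size in dovecot.conf).
#auth_bind = yes
#auth_bind_userdn = uid=%u,ou=people,dc=artio,dc=net

# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3

# LDAP base
#base = uid=someone, dc=foo, dc=bar, dc=org
base = dc=artio,dc=net

# Dereference: never, searching, finding, always
deref = never

# Search scope: base, onelevel, subtree
scope = subtree

# User attributes in order:
#  Virtual user name (user@domain)
#  Home directory
#  MAIL environment
#  System user name (for getting user's groups from /etc/group)
#    - For virtual users you don't want to use this, so this defaults to none.
#  System UID
#  System GID
#user_attrs = uid,homeDirectory,,,uidNumber,gidNumber
# user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
# user_attrs = cn,homeDirectory,,uid,uidNumber,gidNumber
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid,artioMailQuotaSize=quota_rule=*:storage=%$M

# Filter for user lookup. Some variables can be used:
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#user_filter = (&(objectClass=posixAccount)(uid=%u))
user_filter = (&(objectClass=posixAccount)(|(uid=%u)(mail=%u)))

# Password checking attributes in order:
#  Virtual user name (user@domain)
#  Password, may optionally start with {type}, eg. {crypt}
#pass_attrs = uid,userPassword
# pass_attrs = cn,userPassword
pass_attrs = uid=user, userPassword=password

# Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
pass_filter = (&(objectClass=posixAccount)(|(uid=%u)(mail=%u)))

# Default password scheme. "{scheme}" before password overrides this.
# Currently supported schemes include PLAIN, PLAIN-MD5, DIGEST-MD5, CRYPT
# (the list in this stock comment is incomplete for 2.0; see doveadm pw -l).
# Only applies to values without a {scheme} prefix; OpenLDAP's usual
# {SSHA}/{CRYPT} prefixes are honoured as-is. A CRYPT value must be in a
# format the system's crypt(3) understands.
#default_pass_scheme = CRYPT
default_pass_scheme = CRYPT

# You can use same UID and GID for all user accounts if you really want to.
# If the UID/GID is still found from LDAP reply, it overrides these values.
#user_global_uid =
#user_global_gid =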


Pam:
/etc/pam.d/dovecot
#%PAM-1.0
# NOTE(review): Dovecot consults this PAM stack only through a
# "passdb { driver = pam }" block. The dovecot.conf posted above has a single
# passdb with driver = ldap, so unless a block not shown here adds a PAM
# passdb, this file takes no part in password checks and cannot explain why
# a changed LDAP password is not picked up.
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth





