[Dovecot] Fw: Cannot Authenticate via LDAP

Ron Scott-Adams ron at tohuw.net
Tue Jun 4 21:04:27 EEST 2013


Hi Alex, thanks for your input. As you might have surmised from my doveconf
output, I had things horribly misconfigured. :) Everything is dandy now, I
just had to RTFM and understand userdb/passdb and the ldap settings better.
My new configuration follows:

BEGIN DOVECONF:
# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-45-generic x86_64 Ubuntu 12.04.2 LTS
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
log_path = /var/log/dovecot.log
mail_location = maildir:~/.maildir
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = " imap pop3"
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.key
ssl_parameters_regenerate = 0
userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  driver = ldap
}
verbose_ssl = yes

END DOVECONF
-----------------------------------------------------------
BEGIN DOVECOT-LDAP.CONF.EXT

uris = ldap://localhost:389
dn = uid=dovecot,ou=Services,dc=tohuw,dc=net
dnpass = [redacted]
debug_level = -1
auth_bind = yes
auth_bind_userdn = uid=%u,ou=Users,dc=tohuw,dc=net
base = dc=tohuw,dc=net
user_filter = (uid=%u)
pass_filter = (uid=%u)
iterate_attrs = uid=user
default_pass_scheme = SSHA

END DOVECOT-LDAP.CONF.EXT
-----------------------------------------------------------

The dovecot-ldap-userdb.conf.ext is a symlink, as the documentation
suggests I do.


On Tue, Jun 4, 2013 at 1:43 PM, Alex Crow <acrow at integrafin.co.uk> wrote:

> Forgot to say that the lines below would be part of a file included thusly:
>
> passdb {
>   driver = ldap
>
>   # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
>   args = /etc/dovecot/dovecot-ldap.conf.ext
> }
>
> userdb {
>   driver = prefetch
> }
>
> userdb {
>   driver = ldap
>   args = /etc/dovecot/dovecot-ldap.conf.ext
> }
>
> And in the /etc/dovecot-ldap.conf.ext, as well as the examples I gave,
> you'll also need a line like:
>
> uris =  ldap://myldapserver1 ldap://myldapserver2
>
> (I use 2 servers with referrals to the master)
>
> Also look up iterate_attrs and iterate_filter to let doveadm and other
> things iterate over accounts.
>
> Cheers
>
> Alex
>
>
> On 04/06/13 18:34, Alex Crow wrote:
>
>> Hi,
>>
>> That can't be the full output of doveconf -n can it?
>>
>> You need to define (examples from my configs using qmail schema; your
>> values will probably be different if you are using AD or openLDAP with a
>> different mail schema)
>>
>> user_attrs = homeDirectory=home,mailMessageStore=mail
>> user_filter = (&(objectClass=qmailUser)(mail=%u))
>> pass_attrs = userPassword=password,homeDirectory=userdb_home,mailMessageStore=userdb_mail
>> pass_filter = (&(objectClass=qmailUser)(mail=%u))
>>
>> Also look at the auth_bind parameter. Mine is "yes" because I'm using
>> userdb prefetch as you can see from the pass_attrs param.
>>
>> And you probably need to set up virtual users as well!
>>
>> Cheers
>>
>> Alex
>>
>>
>> On 04/06/13 17:44, Christian Wiese wrote:
>>
>>> Hello Christian,
>>> I tried what you suggested by adding "REFERALS off"
>>> to /etc/ldap/ldap.conf and restarting slapd and dovecot, but the error
>>> persists.
>>>
>>>
>>> On Tue, Jun 4, 2013 at 7:56 AM, Christian Wiese <
>>> christian.wiese at securepoint.de> wrote:
>>>
>>>  Hi Ron,
>>>>
>>>> I didn't have the time to check all the logs, only the error log.
>>>> The first thing you should check is whether LDAP REFERRALS are enabled in
>>>> the system's ldap.conf.
>>>> I had a similar looking issue and it took me a good amount of time to
>>>> figure out that I had to disable LDAP REFERRALS globally.
>>>> This happened when using an AD as LDAP backend, but also applies to
>>>> Samba4 as you can see in the following mailing list thread:
>>>>
>>>>
>>>> http://dovecot.markmail.org/message/mjurv4fp4w65u2ib?q=Dovecot+LDA+LDAP+lookups+on+samba4+server+ends+very+often+in+timeouts
>>>>
>>>> The settings within the system's ldap.conf might influence dovecot,
>>>> because libldap (openldap) functions might read the global ldap.conf
>>>> settings.
>>>>
>>>> Hope that helps.
>>>>
>>>> Cheers,
>>>> Chris
>>>>
>>>> Am Tue, 4 Jun 2013 05:50:16 -0400
>>>> schrieb Ron Scott-Adams <ron at tohuw.net>:
>>>>
>>>>  a login tohuw [myPassword] returns "NO [AUTHENTICATIONFAILED]
>>>>> Authentication failed." I believe I'm missing a configuration
>>>>> detail, but what?
>>>>>
>>>>>
>>>>> info.log: http://pastebin.ca/2388873
>>>>>
>>>>> debug.log: http://pastebin.ca/2388872
>>>>>
>>>>> error.log: http://pastebin.ca/2388871
>>>>>
>>>>> dovecot -n: http://pastebin.ca/2388870
>>>>>
>>>>> dovecot-ldap.conf.ext summary: http://pastebin.ca/2388867
>>>>>
>>>>
>>>>
>>
>>
>

