[Dovecot] Fw: Cannot Authenticate via LDAP

Alex Crow acrow at integrafin.co.uk
Tue Jun 4 21:07:06 EEST 2013


Hi Ron,

TBH you were doing most things right anyway; I misread your pastebin stuff.

But I'm glad the details helped you, and you're welcome!

Cheers

Alex

On 04/06/13 19:04, Ron Scott-Adams wrote:
> Hi Alex, thanks for your input. As you might have surmised from my 
> doveconf output, I had things horribly misconfigured. :) Everything is 
> dandy now, I just had to RTFM and understand userdb/passdb and the 
> ldap settings better. My new configuration follows:
>
> BEGIN DOVECONF:
> # 2.0.19: /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-45-generic x86_64 Ubuntu 12.04.2 LTS
> auth_debug = yes
> auth_debug_passwords = yes
> auth_verbose = yes
> log_path = /var/log/dovecot.log
> mail_location = maildir:~/.maildir
> passdb {
>   driver = pam
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> protocols = " imap pop3"
> ssl_cert = </etc/ssl/certs/dovecot.pem
> ssl_key = </etc/ssl/private/dovecot.key
> ssl_parameters_regenerate = 0
> userdb {
>   driver = passwd
> }
> userdb {
>   args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
>   driver = ldap
> }
> verbose_ssl = yes
>
> END DOVECONF
> -----------------------------------------------------------
> BEGIN DOVECOT-LDAP.CONF.EXT
>
> uris = ldap://localhost:389
> dn = uid=dovecot,ou=Services,dc=tohuw,dc=net
> dnpass = [redacted]
> debug_level = -1
> auth_bind = yes
> auth_bind_userdn = uid=%u,ou=Users,dc=tohuw,dc=net
> base = dc=tohuw,dc=net
> user_filter = (uid=%u)
> pass_filter = (uid=%u)
> iterate_attrs = uid=user
> default_pass_scheme = SSHA
>
> END DOVECOT-LDAP.CONF.EXT
> -----------------------------------------------------------
>
> The dovecot-ldap-userdb.conf.ext is a symlink, as the documentation 
> suggests I do.
>
>
> On Tue, Jun 4, 2013 at 1:43 PM, Alex Crow <acrow at integrafin.co.uk> wrote:
>
>     Forgot to say that the lines below would be part of a file
>     included thusly:
>
>     passdb {
>       driver = ldap
>
>       # Path for LDAP configuration file, see
>     example-config/dovecot-ldap.conf.ext
>       args = /etc/dovecot/dovecot-ldap.conf.ext
>     }
>
>     userdb {
>       driver = prefetch
>     }
>
>     userdb {
>       driver = ldap
>       args = /etc/dovecot/dovecot-ldap.conf.ext
>     }
>
>     And in the /etc/dovecot-ldap.conf.ext as well as the examples I
>     gave you'll also need a line like:
>
>     uris =  ldap://myldapserver1 ldap://myldapserver2
>
>     (I use 2 servers with referrals to the master)
>
>     Also look up iterate_attrs and iterate_filter to let doveadm and
>     other things iterate over accounts.
>
>     Cheers
>
>     Alex
>
>
>     On 04/06/13 18:34, Alex Crow wrote:
>
>         Hi,
>
>         That can't be the full output of doveconf -n can it?
>
>         You need to define (examples from my configs using qmail
>         schema; your values will probably be different if you are
>         using AD or openLDAP with a different mail schema)
>
>         user_attrs = homeDirectory=home,mailMessageStore=mail
>         user_filter = (&(objectClass=qmailUser)(mail=%u))
>         pass_attrs = userPassword=password,homeDirectory=userdb_home,mailMessageStore=userdb_mail
>         pass_filter = (&(objectClass=qmailUser)(mail=%u))
>
>         Also look at the auth_bind parameter. Mine is "yes" because
>         I'm using userdb prefetch as you can see from the pass_attrs
>         param.
>
>         And you probably need to set up virtual users as well!
>
>         Cheers
>
>         Alex
>
>
>         On 04/06/13 17:44, Christian Wiese wrote:
>
>             Hello Christian,
>             I tried what you suggested by adding "REFERALS off" to
>             /etc/ldap/ldap.conf and restarting slapd and dovecot, but the
>             error persists.
>
>
>             On Tue, Jun 4, 2013 at 7:56 AM, Christian Wiese
>             <christian.wiese at securepoint.de> wrote:
>
>                 Hi Ron,
>
>                 I didn't have the time to check all logs but the error log.
>                 First thing you should check is whether LDAP REFERRALS are
>                 enabled in the system's ldap.conf.
>                 I had a similar looking issue and it took me a good amount
>                 of time to figure out that I had to disable LDAP REFERRALS
>                 globally.
>                 This happened when using an AD as LDAP backend, but also
>                 applies to Samba4 as you can see in the following mailing
>                 list thread:
>
>
>                 http://dovecot.markmail.org/message/mjurv4fp4w65u2ib?q=Dovecot+LDA+LDAP+lookups+on+samba4+server+ends+very+often+in+timeouts
>
>
>                 The settings within the system's ldap.conf might influence
>                 dovecot, because libldap (openldap) functions might read the
>                 global ldap.conf settings.
>
>                 Hope that helps.
>
>                 Cheers,
>                 Chris
>
>                 On Tue, 4 Jun 2013 05:50:16 -0400, Ron Scott-Adams
>                 <ron at tohuw.net> wrote:
>
>                     a login tohuw [myPassword] returns "NO
>                     [AUTHENTICATIONFAILED] Authentication failed." I believe
>                     I'm missing a configuration detail, but what?
>
>
>                     info.log: http://pastebin.ca/2388873
>
>                     debug.log: http://pastebin.ca/2388872
>
>                     error.log: http://pastebin.ca/2388871
>
>                     dovecot -n: http://pastebin.ca/2388870
>
>                     dovecot-ldap.conf.ext summary:
>                     http://pastebin.ca/2388867
>
