Dovecot & LDAP Take #2: Authentication failed and logging

David Scheele david.scheele2 at googlemail.com
Mon Mar 2 10:14:03 UTC 2015


OK, I played around a bit and activated debugging correctly (thanks to
Steffen).


Now I try to log in with the user johndoe (that is his cn and his uid) and
I get the following message in syslog:
Mar  2 11:03:32 mailserver dovecot: auth: Debug: master in:
REQUEST#0111283457025#0117428#0111#011d139b5d372d882643bc995003c615c89
Mar  2 11:03:32 mailserver dovecot: auth: Debug:
ldap(johndoe,127.0.0.1,<EYmiVEsQSgB/AAAB>): user search:
base=ou=People,dc=[domainname],dc=de scope=subtree
filter=(&(objectClass=inetOrgPerson)(cn=johndoe)) fields=uidNumber
Mar  2 11:03:32 mailserver slapd[2465]: <= bdb_equality_candidates: (cn)
not indexed
Mar  2 11:03:32 mailserver dovecot: auth: Debug:
ldap(johndoe,127.0.0.1,<EYmiVEsQSgB/AAAB>): result:  uidNumber missing
Mar  2 11:03:32 mailserver dovecot: auth: Debug: master out:
USER#0111283457025#011johndoe
Mar  2 11:03:32 mailserver dovecot: imap-login: Login: user=<johndoe>,
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=7450, secured,
session=<EYmiVEsQSgB/AAAB>
Mar  2 11:03:32 mailserver dovecot: imap(johndoe): Error: user johndoe:
Couldn't drop privileges: User is missing UID (see mail_uid setting)
Mar  2 11:03:32 mailserver dovecot: imap(johndoe): Error: Internal error
occurred. Refer to server log for more information.


I am confused about what the line "Mar  2 11:03:32 mailserver dovecot:
imap(johndoe): Error: user johndoe: Couldn't drop privileges: User is
missing UID (see mail_uid setting)" is trying to tell me.

doveconf -n:

# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.8 ext4
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
default_login_user = vmail
disable_plaintext_auth = no
first_valid_gid = 2222
first_valid_uid = 2222
listen = *
mail_access_groups = vmail
mail_debug = yes
mail_location = maildir:/var/vmail/%n
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
service imap-login {
  process_min_avail = 1
  user = vmail
}
ssl = no
userdb {
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  driver = ldap
}
grep -v '^ *\(#.*\)\?$' dovecot-ldap.conf.ext:

hosts = mailserver.[domainname].de
debug_level = 0
auth_bind = yes
auth_bind_userdn = cn=%u,ou=People,dc=[domainname],dc=de
base = ou=People,dc=[domainname],dc=de
user_attrs = uidNumber=uid
user_filter = (&(objectClass=inetOrgPerson)(cn=%u))
pass_attrs = userPassword=password
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
iterate_attrs = uid=user
iterate_filter = (objectClass=inetOrgPerson)


2015-02-27 16:00 GMT+01:00 Paolo Cravero <paolo.cravero at csi.it>:

>
> This is the user DN:
>
> > cn=Klara Fall,ou=People,dc=[domainname],dc=de
>
>
> According to your Dovecot configuration
>
> > auth_bind_userdn = cn=%u,ou=People,dc=**[domainname]**,dc=de
>
> if you login with "klarafall" it will be expanded into
>
> cn=klarafall,ou=People,dc=[domainname],dc=de
>
> which is not the correct DN for Mrs Klara.
>
> So if you login with "Klara Fall" it should work, but that will probably
> mess up the things on Dovecot filesystem.
>
>
> I am strongly against setting a static DN when dealing with LDAP
> authentication. LDAP servers are optimized to serve search requests, so let
> yours do the job. Allow Dovecot to lookup the correct DN based on the
> attribute you supply (uid) and then authenticate.
>
> This should be achieved if you comment out the auth_bind_userdn line.
>
> Paolo Cravero
>

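As an added diagnostic example (not part of the original thread or of Dovecot itself): a small Python script that correlates the userdb debug line `result:  uidNumber missing` with the later `Couldn't drop privileges` error, using the `user_attrs = uidNumber=uid` mapping from the configuration above, so the log explains itself: the LDAP entry has no `uidNumber`, hence Dovecot's `uid` field is unset and the process cannot drop privileges. The embedded log lines are a constructed excerpt of the syslog output quoted in the post.

```python
import re

# Constructed sample: the relevant lines from the syslog excerpt in the post.
SAMPLE_LOG = """\
Mar  2 11:03:32 mailserver dovecot: auth: Debug: ldap(johndoe,127.0.0.1,<EYmiVEsQSgB/AAAB>): user search: base=ou=People,dc=[domainname],dc=de scope=subtree filter=(&(objectClass=inetOrgPerson)(cn=johndoe)) fields=uidNumber
Mar  2 11:03:32 mailserver dovecot: auth: Debug: ldap(johndoe,127.0.0.1,<EYmiVEsQSgB/AAAB>): result:  uidNumber missing
Mar  2 11:03:32 mailserver dovecot: imap(johndoe): Error: user johndoe: Couldn't drop privileges: User is missing UID (see mail_uid setting)
"""

# Mirrors the poster's userdb setting: LDAP attribute -> Dovecot userdb field.
USER_ATTRS = "uidNumber=uid"

# Dovecot userdb-ldap debug line reporting an attribute absent from the entry.
MISSING_RE = re.compile(r"ldap\((?P<user>[^,]+),[^)]*\): result:\s+(?P<attr>\S+) missing")
# The follow-on error from the imap process for the same user.
DROP_RE = re.compile(r"imap\((?P<user>[^)]+)\): Error: .*Couldn't drop privileges: (?P<why>.+)$")


def parse_user_attrs(spec):
    """Turn 'ldapAttr=field,ldapAttr2=field2' into {ldapAttr: field}."""
    mapping = {}
    for item in spec.split(","):
        ldap_attr, _, field = item.strip().partition("=")
        mapping[ldap_attr] = field or ldap_attr  # a bare name maps to itself
    return mapping


def diagnose(log_text, user_attrs_spec):
    """Return {user: {"missing": {ldap_attr: dovecot_field}, "drop_error": str|None}}."""
    mapping = parse_user_attrs(user_attrs_spec)
    report = {}
    # syslog writes tabs as the octal escape #011; undo that before matching.
    for line in log_text.replace("#011", "\t").splitlines():
        m = MISSING_RE.search(line)
        if m:
            entry = report.setdefault(m["user"], {"missing": {}, "drop_error": None})
            entry["missing"][m["attr"]] = mapping.get(m["attr"], "?")
            continue
        m = DROP_RE.search(line)
        if m and m["user"] in report:
            report[m["user"]]["drop_error"] = m["why"]
    return report


if __name__ == "__main__":
    for user, info in diagnose(SAMPLE_LOG, USER_ATTRS).items():
        for attr, field in info["missing"].items():
            print(f"{user}: LDAP entry lacks '{attr}', so Dovecot field '{field}' is unset")
        if info["drop_error"]:
            print(f"{user}: later failure: {info['drop_error']}")
```

Run it against a real syslog extract (`grep 'dovecot' /var/log/syslog`) to see, per user, which LDAP attributes the userdb lookup could not find and which Dovecot field each one was supposed to fill.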