Dovecot & LDAP Take #2: Authentication failed and logging

Mihai Badici mihai at badici.ro
Mon Mar 2 10:53:02 UTC 2015 

On Monday 02 March 2015 11:14:03 David Scheele wrote:
> Ok I played around a bit and activated debugging correctly (Thanks to
> Steffen)
> 

> 
> Now I try to log in with the user johndoe (that is his cn and his uid) and
> i get the following message in syslog:
> Mar  2 11:03:32 mailserver dovecot: auth: Debug: master in:
> REQUEST#0111283457025#0117428#0111#011d139b5d372d882643bc995003c615c89
> Mar  2 11:03:32 mailserver dovecot: auth: Debug:
> ldap(johndoe,127.0.0.1,<EYmiVEsQSgB/AAAB>): user search:
> base=ou=People,dc=[domainname],dc=de scope=subtree
> filter=(&(objectClass=inetOrgPerson)(cn=johndoe)) fields=uidNumber
> Mar  2 11:03:32 mailserver slapd[2465]: <= bdb_equality_candidates: (cn)
> not indexed
> Mar  2 11:03:32 mailserver dovecot: auth: Debug:
> ldap(johndoe,127.0.0.1,<EYmiVEsQSgB/AAAB>): result:  uidNumber missing


There are two strategies: put the uid of each user in ldap or use the same uid 
for all accounts.
for the second choice, you need to put something like
mail_uid = 10000
mail_gid = 10000

in 10-mail.conf
This user need some rights on dovecot storage folder.

When using the first choice, you will need a mechanism to generate those uid's 
( this should be implemented in the ldap management tool)


> Mar  2 11:03:32 mailserver dovecot: auth: Debug: master out:
> USER#0111283457025#011johndoe
> Mar  2 11:03:32 mailserver dovecot: imap-login: Login: user=<johndoe>,
> method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=7450, secured,
> session=<EYmiVEsQSgB/AAAB>
> Mar  2 11:03:32 mailserver dovecot: imap(johndoe): Error: user johndoe:
> Couldn't drop privileges: User is missing UID (see mail_uid setting)
> Mar  2 11:03:32 mailserver dovecot: imap(johndoe): Error: Internal error
> occurred. Refer to server log for more information.
> 
> 
> I am confused what the line Mar  2 11:03:32 mailserver dovecot:
> imap(johndoe): Error: user johndoe: Couldn't drop privileges: User is
> missing UID (see mail_uid setting) is trying to tell me.
> 
> doveconf -n:
> 
> # 2.1.7: /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.8 ext4
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> default_login_user = vmail
> disable_plaintext_auth = no
> first_valid_gid = 2222
> first_valid_uid = 2222
> listen = *
> mail_access_groups = vmail
> mail_debug = yes
> mail_location = maildir:/var/vmail/%n
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> protocols = imap
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
>   user = root
> }
> service imap-login {
>   process_min_avail = 1
>   user = vmail
> }
> ssl = no
> userdb {
>   args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
>   driver = ldap
> }
> grep -v '^ *\(#.*\)\?$' dovecot-ldap.conf.ext :
> 
> hosts = mailserver.[domainname].de
> debug_level = 0
> auth_bind = yes
> auth_bind_userdn = cn=%u,ou=People,dc=[domainname],dc=de
> base = ou=People,dc=[domainname],dc=de
> user_attrs = uidNumber=uid
> user_filter = (&(objectClass=inetOrgPerson)(cn=%u))
> pass_attrs = userPassword=password
> pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
> iterate_attrs = uid=user
> iterate_filter = (objectClass=inetOrgPerson)
> 
> 2015-02-27 16:00 GMT+01:00 Paolo Cravero <paolo.cravero at csi.it>:
> > This is the user DN:
> > > cn=Klara Fall,ou=People,dc=[domainname],dc=de
> > 
> > According to your Dovecot configuration
> > 
> > > auth_bind_userdn = cn=%u,ou=People,dc=**[domainname]**,dc=de
> > 
> > if you login with "klarafall" it will be expanded into
> > 
> > cn=klarafall,ou=People,dc=[domainname],dc=de
> > 
> > which is not the correct DN for Mrs Klara.
> > 
> > So if you login with "Klara Fall" it should work, but that will probably
> > mess up the things on Dovecot filesystem.
> > 
> > 
> > I am strongly against setting a static DN when dealing with LDAP
> > authentication. LDAP servers are optimized to serve search requests, so
> > let
> > yours do the job. Allow Dovecot to lookup the correct DN based on the
> > attribute you supply (uid) and then authenticate.
> > 
> > This should be achieved if you comment out the auth_bind_userdn line.
> > 
> > Paolo Cravero
-- 
Mihai Bădici
http://mihai.badici.ro

More information about the dovecot mailing list