Dovecot 2 LDAP "unknown user"

Peter Fraser petros.fraser at gmail.com
Sun Nov 6 04:53:41 UTC 2016


I finally managed to get this going but I have noticed in my case that:

1. I need to make sure the user logon name in AD and the samAccountname are
exactly the same, case and all. It seems postfix uses the samAccountname
and Dovecot the User logon name.
2. I also noticed that if the Display name for a user in AD is blank, that
user cannot log in using telnet <server ip> 110.

I am quite willing to work with it as it is but if anyone knows if this is
normal behavior or not, I would be glad to know. Not sure if something could
be configured better.

Just for information, I am including my current configs. Thanks for your
assistance Steffen.

listen = *
login_greeting = Mail Server ready.
mail_gid = 1002
mail_home = /home/vmail/%u
mail_location = maildir:~/Maildir
mail_uid = 1002
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
service lmtp {
  unix_listener lmtp {
    user = vmail
  }
}
ssl_cert = </usr/local/etc/certs/certs/dovecot.pem
ssl_key =  # hidden, use -P to show it
userdb {
  args = /usr/local/etc/dovecot/dovecot-ldap-udb.conf.ext
  driver = ldap
}
protocol lda {
  mail_plugins =
}


dovecot-ldap-udb.conf.ext is a symlink to dovecot-ldap.conf.ext

and dovecot-ldap.conf.ext reads as follows

#Custom Settings
hosts = ip address
ldap_version = 3
scope = subtree
deref = never
base = cn=users,dc=domain,dc=com
dn = cn=administrator,cn=users,dc=domain,dc=com
dnpass = password
auth_bind = yes
auth_bind_userdn = %n
ldap_version = 3
scope = subtree
user_attrs = home=/home/vmail/%u,=uid=vmail,=gid=vmail
pass_attrs = uid=%n,userPassword=password
#pass_attrs=uid=user, userpassword=password
user_filter = (&(objectclass=person)(samaccountname=%n))
pass_filter = (&(objectclass=inetorgperson)(mail=%u))


On Fri, Nov 4, 2016 at 2:21 PM, Peter Fraser <petros.fraser at gmail.com>
wrote:

> Sorry yes, peter is the unmangled user name.
>
> On Fri, Nov 4, 2016 at 2:18 AM, Steffen Kaiser <
> skdovecot at smail.inf.fh-brs.de> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On Thu, 3 Nov 2016, Peter Fraser wrote:
>>
>>> The command doveadm user -u username successfully returns the username and
>>> any information it can for the user in AD. As a matter of fact, I entered
>>> some home directory information in AD and this command returned the
>>> User's
>>> Home Directory as well. Is it a problem though that the telnet test won't
>>> work?
>>>
>>
>> Hmm, I don't understand the question,
>>
>> telnet xyz 143
>> 1 login username password
>>
>> must work in order to login via IMAP.
>>
>> But you didn't answer the other question, see below
>>
>>> On Thu, Nov 3, 2016 at 2:36 AM, Steffen Kaiser <
>>> skdovecot at smail.inf.fh-brs.de> wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> On Wed, 2 Nov 2016, Peter Fraser wrote:
>>>>
>>>>> #Custom Settings
>>>>
>>>>> hosts = 192.168.153.143
>>>>> dn = user at domain.com
>>>>> dnpass = password
>>>>> auth_bind = yes
>>>>> auth_bind_userdn = %u at domain.com
>>>>> ldap_version = 3
>>>>> base = dc=rpservices,dc=com
>>>>> #user_filter = (&(objectclass=person)(mail=%u))
>>>>> user_filter = (&(objectclass=person)(uid=%u))
>>>>> pass_filter = (&(objectclass=person)(uid=%u))
>>>>> user_attrs = homeDirectory=/home/vmail/%u,uid=1002,gid=1002
>>>>>
>>>>>
>>>> you wrote:
>>>>
>>>>>>> root at BSD-11:/usr/local/etc/dovecot # doveadm auth test username
>>>>>
>>>>>>
>>>>>>> extra fields:
>>>>>>>  user=username
>>>>>>>
>>>>>>>
>>>>>> is successful. Is user=username
>>>>                        ^^^^^^^   the same as the username in doveadm?
>>>>
>>>
>>
>> Here. You've posted mangled information only, so if the extra fields
>> return another username, other tests are different.
>>
>>>> What about:
>>>>
>>>>  doveadm user -u username
>>>>
>>>> ?
>>>>
>>>>
>>>>> When I tried to log in again using telnet 127.0.0.1 110, the error
>>>>> shows up
>>>>
>>>>> in maillog. I first tried logging in with just the username, then I
>>>>> tried
>>>>> using username at domain.com. Using doveadm still works though.
>>>>>
>>>>>
>>>>
>>>>> BSD-11 dovecot: auth: ldap(peter,127.0.0.1,<B9qF8FNAT3x/AAAB>): unknown
>>>>> user
>>>>> Nov  2 11:29:23 BSD-11 dovecot: auth: Error:
>>>>> ldap(user,127.0.0.1,<B9qF8FNAT3x/AAAB>): user not found from userdb
>>>>>
>>>>
>> what about here, is peter, appearing in the first line, the unmangled
>> "user" here?
>>
>>
>>>>> Nov  2 11:29:23 BSD-11 dovecot: pop3: Error: Authenticated user not found
>>>>> from userdb, auth lookup id=226492417 (client-pid=874 client-id=1)
>>>>> Nov  2 11:29:23 BSD-11 dovecot: pop3-login: Internal login failure
>>>>> (pid=874
>>>>> id=1) (internal failure, 1 successful auths): user=<peter>,
>>>>> method=PLAIN
>>>>> Nov  2 11:30:42 BSD-11 dovecot: auth: ldap(user at domain.com): invalid
>>>>> credentials
>>>>> Nov  2 14:08:17 BSD-11 dovecot: auth:
>>>>> ldap(user,127.0.0.1,<4uLkKVZAvY9/AAAB>): invalid credentials
>>>>> Nov  2 14:09:38 BSD-11 dovecot: auth:
>>>>> ldap(user at domain.com,127.0.0.1,<4uLkKVZAvY9/AAAB>):
>>>>> invalid credentials
>>>>> Nov  2 14:11:00 BSD-11 dovecot: pop3-login: Disconnected: Inactivity
>>>>> (auth
>>>>> failed, 2 attempts in 163 secs): user=<user at domain.com>
>>>>>
>>>>> On Wed, Nov 2, 2016 at 4:39 AM, Steffen Kaiser <
>>>>> skdovecot at smail.inf.fh-brs.de> wrote:
>>>>>
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>
>>>>>> Hash: SHA1
>>>>>>
>>>>>> On Tue, 1 Nov 2016, Peter Fraser wrote:
>>>>>>
>>>>>>> root at BSD-11:/usr/local/etc/dovecot # doveadm auth test username
>>>>>>
>>>>>>> Password:
>>>>>>> passdb: user auth succeeded
>>>>>>> extra fields:
>>>>>>>  user=username
>>>>>>> root at BSD-11:/usr/local/etc/dovecot #
>>>>>>>
>>>>>>> But when I run telnet 127.0.0.1 110 and try to log in it says unknown
>>>>>>> user.
>>>>>>> Error below in maillog.
>>>>>>> BSD-11 dovecot: pop3: Error: Authenticated user not found from
>>>>>>> userdb,
>>>>>>> auth
>>>>>>> lookup id=2262958081 (client-pid=2273 client-id=1)
>>>>>>> Nov  1 15:15:41 BSD-11 dovecot: pop3-login: Internal login failure
>>>>>>> (pid=2273 id=1) (internal failure, 1 successful auths): user=
>>>>>>>
>>>>>>>
>>>>>>> passdb {
>>>>>>
>>>>>>>  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
>>>>>>>  driver = ldap
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> userdb {
>>>>>>
>>>>>>>  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
>>>>>>>  driver = ldap
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> #Contents of dovecot-ldap.conf.ext
>>>>>>
>>>>>>> hosts = 192.168.153.143
>>>>>>> dn = user at domain.com
>>>>>>> dnpass = password
>>>>>>> auth_bind = yes
>>>>>>> auth_bind_userdn = domain\%u
>>>>>>> ldap_version = 3
>>>>>>> base = dc=domain,dc=com
>>>>>>> pass_filter = (&(objectclass=person)(uid=%u))
>>>>>>> user_attrs = homeDirectory=/home/vmail/%u,uid=1002,gid=1002
>>>>>>>
>>>>>>>
>>>>>> duplicate pass_filter to user_filter.
>>>>>>
>>>>>> - -- Steffen Kaiser
>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>> Version: GnuPG v1
>>>>>>
>>>>>> iQEVAwUBWBm0Onz1H7kL/d9rAQJWhQf+PRD5yd29UyL1drjlTOWD/s4qUffg8OBh
>>>>>> inb8L3eCKDuSad8s9INUJSa6WxGEVdatL4PKjTcbL5IsPIob87W5jOduWFMtPlt0
>>>>>> FXxWtfc1bAjRyNLzkGe1mUT1z0EDVO22UkQSd9J3bZQ9wR+FzgeGqdcyzl+WSyzB
>>>>>> Eaiea23ieCjhZRAZF/pl1gDjkap+tPQ8gZLdt4p1QQrY5Jllifu5jYEyjqPkwUXf
>>>>>> YMfEiCJSInyMQ8CCuL1Aj8iM/7qLLi8pyC9KSA6NntK4mpHAaInYln6SZY+ZGJCY
>>>>>> KV60nGuwwv3qQFeKchhhr+GpGDQYXJ5eBq+Ji+cKgvbypFa13NNS8A==
>>>>>> =l02F
>>>>>> -----END PGP SIGNATURE-----
>>>>>>
>>>>>>
>>>>>>
>>>> - -- Steffen Kaiser
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1
>>>>
>>>> iQEVAwUBWBrpDnz1H7kL/d9rAQKwzggAnJz4LR0SXVWSFdSDrKYs40IEN/ko/4el
>>>> D7/4q4lVBo9dntf+NeGS1JxttebiN7ng4F5pm841Z0l7acj6z8HzMCr11Voqbuy7
>>>> 4WJirG2DnwmzxZRi1M86QGqXWU00jhFplSvZfWhX8uQasmp1FqV3hhUMmcTFfXTX
>>>> DqtFali5ymUPV87XU2hZEtpe3jkBdjWmmHW8gVfSXVXBcRBa96+12FEOwONLVVcQ
>>>> VGZRb6XxWexRcwAo4NY+NfqcM3OEGC4AZgfqBsWnZOUhijnw+ffbu4YL8aZBIGlB
>>>> P78R0N0DtpRAToRJYvr00OMk27dkHU+0Ock/cFUr6H1cYXHBsfvO2A==
>>>> =lz82
>>>> -----END PGP SIGNATURE-----
>>>>
>>>>
>>>
>> - -- Steffen Kaiser
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1
>>
>> iQEVAwUBWBw2Mnz1H7kL/d9rAQKpQwf/YQnMaR+j3qyQBxrMi239bgmWksieVkCb
>> seScL3JN7pWE4PYQ9qduQW2vEmzHKplCpkmNd0Q8xLee4KR8J4aaZy45Mhbjbk4a
>> RMSGAS1+Z11WZM/ipCiKqyaCo12zSK0/8Q+ozZ7KUR1hajDjTEZ5hoR3icUrWV8Q
>> BQXzdGhs7DLfjDWxtnmvW2LVR640h3n855TDmDMpeFpj8BNuVh5vu4JJWxSysaYN
>> FYj0RGuIFvUb134f1YACEF97zXGdV09hSqJw8qcVNQgtvO85/gBZwlPJfF3WNHvw
>> CV3KcZVxk8E2wKoz6b7j6cT5nohJD1bvVgT+autGGcsgVMWWoo3WWQ==
>> =6ZWZ
>> -----END PGP SIGNATURE-----
>>
>
>
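The observation at the top of this message (the AD logon name and the sAMAccountName have to agree for a login to succeed) follows from the two filters in the posted dovecot-ldap.conf.ext: pass_filter looks up the user by mail=%u, while user_filter looks the same user up again by samaccountname=%n. Dovecot documents %u as the full login name, %n as the part before '@' and %d as the part after it, and it runs the passdb lookup first and the userdb lookup second, which is why a user can authenticate and still produce "Authenticated user not found from userdb". The script below is an added example, not code from the thread or from the Dovecot project: it expands those variables, evaluates the two filters against a small constructed in-memory directory, and reports which lookup would miss for a given login. The directory entries, the evaluator and the diagnose() wording are all mine; the evaluator assumes AD's case-insensitive matching for string attributes.

```python
"""Dry-run of Dovecot's LDAP passdb and userdb lookups (added example).

Not part of the mailing-list thread or of Dovecot itself. The two filters are
the ones from the posted dovecot-ldap.conf.ext; everything else is constructed.
"""

PASS_FILTER = "(&(objectclass=inetorgperson)(mail=%u))"     # from the thread
USER_FILTER = "(&(objectclass=person)(samaccountname=%n))"  # from the thread

# Constructed entries. Attribute names are stored lower-cased (LDAP attribute
# names are case-insensitive); every value is a list because LDAP attributes
# are multi-valued.
DIRECTORY = [
    {"samaccountname": ["peter"], "mail": ["peter@domain.com"],
     "objectclass": ["top", "person", "organizationalPerson", "user", "inetOrgPerson"]},
    # mail local part differs from sAMAccountName: the case described in the post
    {"samaccountname": ["jsmith"], "mail": ["john.smith@domain.com"],
     "objectclass": ["top", "person", "organizationalPerson", "user", "inetOrgPerson"]},
    # plain AD user object without the inetOrgPerson auxiliary class
    {"samaccountname": ["anna"], "mail": ["anna@domain.com"],
     "objectclass": ["top", "person", "organizationalPerson", "user"]},
]


def expand(template, login):
    """Substitute the Dovecot variables used in the thread's filters."""
    local, _, domain = login.partition("@")
    return template.replace("%u", login).replace("%n", local).replace("%d", domain)


def parse_filter(text):
    """Parse a simple RFC 4515 filter: &, |, ! and attr=value ('*' = presence)."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at %d" % i)
        i += 1
        if text[i] in "&|":
            op, children, i = text[i], [], i + 1
            while text[i] == "(":
                child, i = parse(i)
                children.append(child)
        elif text[i] == "!":
            child, i = parse(i + 1)
            op, children = "!", [child]
        else:
            end = text.index(")", i)
            attr, _, value = text[i:end].partition("=")
            op, children, i = "=", (attr.strip().lower(), value), end
        if text[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, children), i + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data in filter")
    return node


def matches(node, entry, case_sensitive=False):
    """Evaluate a parsed filter against one entry; AD compares strings case-insensitively."""
    op, payload = node
    if op == "&":
        return all(matches(c, entry, case_sensitive) for c in payload)
    if op == "|":
        return any(matches(c, entry, case_sensitive) for c in payload)
    if op == "!":
        return not matches(payload[0], entry, case_sensitive)
    attr, value = payload
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    norm = (lambda s: s) if case_sensitive else str.lower
    return any(norm(v) == norm(value) for v in values)


def search(filter_template, login, directory=DIRECTORY):
    """Return the entries a subtree search with the expanded filter would match."""
    node = parse_filter(expand(filter_template, login))
    return [e for e in directory if matches(node, e)]


def diagnose(login, directory=DIRECTORY):
    """Mirror Dovecot's order: passdb (authentication) first, then userdb."""
    passdb = search(PASS_FILTER, login, directory)
    userdb = search(USER_FILTER, login, directory)
    if not passdb:
        return "passdb miss: pass_filter matched no entry, login is rejected"
    if not userdb:
        return "userdb miss: authenticated, but 'Authenticated user not found from userdb'"
    if passdb[0] is not userdb[0]:
        return "mismatch: passdb and userdb resolved different entries"
    return "ok: passdb and userdb agree"


if __name__ == "__main__":
    for login in ["peter@domain.com", "peter", "john.smith@domain.com", "anna@domain.com"]:
        print("%-24s %s" % (login, diagnose(login)))
```

Running it shows the three ways a login can fail with this pair of filters: a bare "peter" never matches mail=%u, "john.smith@domain.com" authenticates but has no entry with samaccountname=john.smith, and "anna@domain.com" is rejected because the passdb filter requires inetOrgPerson while the userdb filter only requires person. Keeping both filters on the same attribute and object class (or setting the userdb to look up the user by the field the passdb returns) removes the dependency on the two AD names agreeing.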


More information about the dovecot mailing list