Dovecot 2 LDAP "unknown user"

Aki Tuomi aki.tuomi at dovecot.fi
Sun Nov 6 06:39:54 UTC 2016


You can relax case sensitivity requirements by using %Ln and %Lu instead of %u and %n.

Aki

> On November 6, 2016 at 6:53 AM Peter Fraser <petros.fraser at gmail.com> wrote:
> 
> 
> I finally managed to get this going but I have noticed in my case that:
> 
> 1. I need to make sure the user logon name in AD and the samAccountname are
> exactly the same, case and all. It seems postfix uses the samAccountname and
> Dovecot the User logon name.
> 2. I also noticed that if the Display name for a user in AD is blank, that
> user cannot log in using telnet <server ip> 110.
> 
> I am quite willing to work with it as it is but if anyone knows if this is
> normal behavior or not, I would be glad to know. Not sure if some could be
> configured better.
> 
> Just for information, I am including my current configs. Thanks for your
> assistance Steffen.
> 
> listen = *
> login_greeting = Mail Server ready.
> mail_gid = 1002
> mail_home = /home/vmail/%u
> mail_location = maildir:~/Maildir
> mail_uid = 1002
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> service lmtp {
>   unix_listener lmtp {
>     user = vmail
>   }
> }
> ssl_cert = </usr/local/etc/certs/certs/dovecot.pem
> ssl_key =  # hidden, use -P to show it
> userdb {
>   args = /usr/local/etc/dovecot/dovecot-ldap-udb.conf.ext
>   driver = ldap
> }
> protocol lda {
>   mail_plugins =
> }
> 
> 
> dovecot-ldap-udb.conf.ext is a symlink to dovecot-ldap.conf.ext
> 
> and dovecot-ldap.conf.ext reads as follows
> 
> #Custom Settings
> hosts = ip address
> ldap_version = 3
> scope = subtree
> deref = never
> base = cn=users,dc=domain,dc=com
> dn = cn=administrator,cn=users,dc=domain,dc=com
> dnpass = password
> auth_bind = yes
> auth_bind_userdn = %n
> ldap_version = 3
> scope = subtree
> user_attrs = home=/home/vmail/%u,=uid=vmail,=gid=vmail
> pass_attrs = uid=%n,userPassword=password
> #pass_attrs=uid=user, userpassword=password
> user_filter = (&(objectclass=person)(samaccountname=%n))
> pass_filter = (&(objectclass=inetorgperson)(mail=%u))
> 
> 
> On Fri, Nov 4, 2016 at 2:21 PM, Peter Fraser <petros.fraser at gmail.com>
> wrote:
> 
> > Sorry yes, peter is the unmangled user name.
> >
> > On Fri, Nov 4, 2016 at 2:18 AM, Steffen Kaiser <
> > skdovecot at smail.inf.fh-brs.de> wrote:
> >
> >>
> >> On Thu, 3 Nov 2016, Peter Fraser wrote:
> >>
> >>> The command doveadm user -u username successfully returns the username
> >>> and any information it can for the user in AD. As a matter of fact, I
> >>> entered some home directory information in AD and this command returned
> >>> the User's Home Directory as well. Is it a problem though that the
> >>> telnet test won't work?
> >>>
> >>
> >> Hmm, I don't understand the question,
> >>
> >> telnet xyz 143
> >> 1 login username password
> >>
> >> must work in order to login via IMAP.
> >>
> >> But you didn't answer the other question, see below
> >>
> >> On Thu, Nov 3, 2016 at 2:36 AM, Steffen Kaiser <
> >>> skdovecot at smail.inf.fh-brs.de> wrote:
> >>>
> >>>>
> >>>> On Wed, 2 Nov 2016, Peter Fraser wrote:
> >>>>
> >>>>> #Custom Settings
> >>>>
> >>>>> hosts = 192.168.153.143
> >>>>> dn = user at domain.com
> >>>>> dnpass = password
> >>>>> auth_bind = yes
> >>>>> auth_bind_userdn = %u at domain.com
> >>>>> ldap_version = 3
> >>>>> base = dc=rpservices,dc=com
> >>>>> #user_filter = (&(objectclass=person)(mail=%u))
> >>>>> user_filter = (&(objectclass=person)(uid=%u))
> >>>>> pass_filter = (&(objectclass=person)(uid=%u))
> >>>>> user_attrs = homeDirectory=/home/vmail/%u,uid=1002,gid=1002
> >>>>>
> >>>>>
> >>>> you wrote:
> >>>>
> >>>>> root at BSD-11:/usr/local/etc/dovecot # doveadm auth test username
> >>>>>
> >>>>> extra fields:
> >>>>>  user=username
> >>>>>
> >>>>> is successful.
> >>>> Is user=username
> >>>>         ^^^^^^^^ that same as the username in doveadm?
> >>>>
> >>>
> >>
> >> Here. You've posted mangled information only, so if the extra fields
> >> return another username, other tests are different.
> >>
> >>>> What about:
> >>>>
> >>>>  doveadm user -u username
> >>>>
> >>>> ?
> >>>>
> >>>>
> >>>>> When I tried to log in again using telnet 127.0.0.1 110, the error
> >>>>> shows up in maillog. I first tried logging in with just the username,
> >>>>> then I tried using username at domain.com. Using doveadm still works
> >>>>> though.
> >>>>>
> >>>>>
> >>>>
> >>>>> BSD-11 dovecot: auth: ldap(peter,127.0.0.1,<B9qF8FNAT3x/AAAB>): unknown user
> >>>>> Nov  2 11:29:23 BSD-11 dovecot: auth: Error: ldap(user,127.0.0.1,<B9qF8FNAT3x/AAAB>): user not found from userdb
> >>>>>
> >>>>
> >> what about here, is peter, appearing in the first line, the unmangled
> >> "user" here?
> >>
> >>
> >>>>> Nov  2 11:29:23 BSD-11 dovecot: pop3: Error: Authenticated user not found from userdb, auth lookup id=226492417 (client-pid=874 client-id=1)
> >>>>> Nov  2 11:29:23 BSD-11 dovecot: pop3-login: Internal login failure (pid=874 id=1) (internal failure, 1 successful auths): user=<peter>, method=PLAIN
> >>>>> Nov  2 11:30:42 BSD-11 dovecot: auth: ldap(user at domain.com): invalid credentials
> >>>>> Nov  2 14:08:17 BSD-11 dovecot: auth: ldap(user,127.0.0.1,<4uLkKVZAvY9/AAAB>): invalid credentials
> >>>>> Nov  2 14:09:38 BSD-11 dovecot: auth: ldap(user at domain.com,127.0.0.1,<4uLkKVZAvY9/AAAB>): invalid credentials
> >>>>> Nov  2 14:11:00 BSD-11 dovecot: pop3-login: Disconnected: Inactivity (auth failed, 2 attempts in 163 secs): user=<user at domain.com>
> >>>>>
> >>>>> On Wed, Nov 2, 2016 at 4:39 AM, Steffen Kaiser <
> >>>>> skdovecot at smail.inf.fh-brs.de> wrote:
> >>>>>
> >>>>>>
> >>>>>> On Tue, 1 Nov 2016, Peter Fraser wrote:
> >>>>>>
> >>>>>>> root at BSD-11:/usr/local/etc/dovecot # doveadm auth test username
> >>>>>>>
> >>>>>>> Password:
> >>>>>>> passdb: user auth succeeded
> >>>>>>> extra fields:
> >>>>>>>  user=username
> >>>>>>> root at BSD-11:/usr/local/etc/dovecot #
> >>>>>>>
> >>>>>>> But when I run telnet 127.0.0.1 110 and try to log in it says unknown
> >>>>>>> user. Error below in maillog.
> >>>>>>> BSD-11 dovecot: pop3: Error: Authenticated user not found from userdb, auth lookup id=2262958081 (client-pid=2273 client-id=1)
> >>>>>>> Nov  1 15:15:41 BSD-11 dovecot: pop3-login: Internal login failure (pid=2273 id=1) (internal failure, 1 successful auths): user=
> >>>>>>>
> >>>>>>>
> >>>>>>> passdb {
> >>>>>>>
> >>>>>>>  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
> >>>>>>>  driver = ldap
> >>>>>>> }
> >>>>>>>
> >>>>>>>
> >>>>>>> userdb {
> >>>>>>>
> >>>>>>>  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
> >>>>>>>  driver = ldap
> >>>>>>> }
> >>>>>>>
> >>>>>>>
> >>>>>>> #Contents of dovecot-ldap.conf.ext
> >>>>>>>
> >>>>>>> hosts = 192.168.153.143
> >>>>>>> dn = user at domain.com
> >>>>>>> dnpass = password
> >>>>>>> auth_bind = yes
> >>>>>>> auth_bind_userdn = domain\%u
> >>>>>>> ldap_version = 3
> >>>>>>> base = dc=domain,dc=com
> >>>>>>> pass_filter = (&(objectclass=person)(uid=%u))
> >>>>>>> user_attrs = homeDirectory=/home/vmail/%u,uid=1002,gid=1002
> >>>>>>>
> >>>>>>>
> >>>>>> duplicate pass_filter to user_filter.
> >>>>>>
> >>>>>> - -- Steffen Kaiser
> >>>>>>
> >>>>>>
> >>>>>>
> >>>> - -- Steffen Kaiser
> >>>>
> >>>>
> >>>
> >> - -- Steffen Kaiser
> >>
> >
> >
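Added illustration, not code from the thread or from Dovecot itself: a small Python model of how the `%n`/`%u` variables in the posted `user_filter` and `mail_home` lines expand, and why Aki's `%Ln`/`%Lu` makes both the LDAP lookup value and the maildir path independent of the case the user typed at login. The RFC 4515 filter-value escaping and every function name here are my own assumptions about a sensible implementation, not Dovecot's code.

```python
import re

# Templates taken from the configs quoted in the thread.
USER_FILTER = '(&(objectclass=person)(samaccountname=%n))'     # case of login is kept
USER_FILTER_CI = '(&(objectclass=person)(samaccountname=%Ln))' # Aki's suggestion
MAIL_HOME = '/home/vmail/%u'

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping (assumed here) so a login name cannot change filter structure."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

# Subset of Dovecot-style variables: %u full login, %n local part, %d domain,
# with an optional L (lowercase) or U (uppercase) modifier, e.g. %Ln.
_VAR = re.compile(r'%([LU]?)([und])')

def expand(template: str, login: str, escape: bool = True) -> str:
    """Expand the template for one login name; escape=True for LDAP filters,
    escape=False for filesystem paths such as mail_home."""
    local, _, domain = login.partition('@')
    values = {'u': login, 'n': local, 'd': domain}
    def repl(m):
        mod, key = m.group(1), m.group(2)
        v = values[key]
        if mod == 'L':
            v = v.lower()
        elif mod == 'U':
            v = v.upper()
        return ldap_filter_escape(v) if escape else v
    return _VAR.sub(repl, template)

def same_mailbox(login_a: str, login_b: str, home_template: str = MAIL_HOME) -> bool:
    """True when two spellings of a login resolve to the same mail_home path.
    AD matches sAMAccountName case-insensitively, but the path is a plain string."""
    return expand(home_template, login_a, escape=False) == expand(home_template, login_b, escape=False)

if __name__ == '__main__':
    for login in ('Peter', 'peter'):   # constructed sample logins
        print(expand(USER_FILTER, login), '->', expand(MAIL_HOME, login, escape=False))
        print(expand(USER_FILTER_CI, login), '->', expand('/home/vmail/%Lu', login, escape=False))
    print('same maildir without %L:', same_mailbox('Peter', 'peter'))
    print('same maildir with %Lu:  ', same_mailbox('Peter', 'peter', '/home/vmail/%Lu'))
```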

