LDAP auth problems "unknown user"

Nikolai Lusan nikolai at lusan.id.au
Sun Nov 20 05:51:22 UTC 2016


Hi,

I am setting up a dovecot instance to host a bunch of virtual domains,
with ldap backing for auth. I am using a single hostname for test
purposes, with a couple of entries in the directory. If I use auth binds
I get a result, but this does not suit the end purpose of the server.

If I use ldapsearch with the same base, search filter, and credentials
as the ldap auth config I get the correct attributes returned, and I
have a bit of perl that verifies the password hash matches the password
provided.

I am running out of ideas here. I had thought of putting in a custom
bit of perl and using the checkpassword method, but this is
suboptimal. If anyone can help with this I'd be grateful.

# dovecot --version
2.2.26.0 (23d1de6)

# dovecot -n
# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.8.0-1-amd64 x86_64 Debian stretch/sid ext3
auth_cache_size = 2 M
auth_debug = yes
auth_debug_passwords = yes
auth_default_realm = maliuta.org
auth_master_user_separator = *
auth_mechanisms = plain login
auth_realms = maliuta.org
auth_verbose = yes
auth_verbose_passwords = yes
first_valid_uid = 117
last_valid_uid = 117
lda_mailbox_autocreate = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_gid = vmail
mail_location = maildir:/var/spool/vmail/%d/%n/Maildir
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  list = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = /etc/dovecot/ldap/maliuta.org-ldap.conf.ext
  driver = ldap
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap lmtp sieve"
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
  user = $default_internal_user
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 0
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_cert = 

# grep -v '^ *\(#.*\)\?$' /etc/dovecot/ldap/maliuta.org-ldap.conf.ext
uris = ldap://localhost
dn = cn=admin,dc=maliuta,dc=org
dnpass = <secret>
tls = yes
tls_ca_cert_dir = /etc/ssl/certs
auth_bind = no
ldap_version = 3
base = ou=mail,dc=mailuta,dc=org
scope = subtree
default_pass_scheme = SSHA
deref = never
user_attrs = postfixDeliveryAddress=user
user_filter = (&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson))
pass_attrs = postfixDeliveryAddress=user,userPassword=password
pass_filter = (&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixDeliveryAddress=%u))
iterate_attrs = uid=user
iterate_filter = (objectClass=postfixMailPerson)


# ldapsearch -H ldap://localhost:389 -x -D 'cn=admin,dc=maliuta,dc=org' -W -b "ou=mail,dc=maliuta,dc=org" -s sub -LLL -ZZ  '(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixDeliveryAddress=nikolai at test.maliuta.org))' uid userPassword
Enter LDAP Password: 
dn: mail=nikolai at test.maliuta.org,ou=mail,dc=maliuta,dc=org
uid: nikolai
userPassword:: e1NTSEF9QVBZMTlaeGw1cWd0a25XeGxURXdqM2g5Yk5YL3BxOGY=

## From /var/log/mail.log
Nov 20 07:24:20 kiliya dovecot: auth: Debug: auth client connected (pid=27086)
Nov 20 07:24:20 kiliya dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=1kW2C65BFI2WZbl8#011lip=<local_ip>#011rip=<remote_ip>#011lport=143#011rport=36116#011local_name=<hostname>#011resp=AG5pa29sYWlAdGVzdC5tYWxpdXRhLm9yZwBmb29iYXIzMzQ0 (previous base64 data may contain sensitive data)
Nov 20 07:24:20 kiliya dovecot: auth: Debug: ldap(nikolai at test.maliuta.org,<remote_ip>,<1kW2C65BFI2WZbl8>): cache miss
Nov 20 07:24:20 kiliya dovecot: auth: Debug: ldap(nikolai at test.maliuta.org,<remote_ip,<1kW2C65BFI2WZbl8>): pass search: base=ou=mail,dc=mailuta,dc=org scope=subtree filter=(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixDeliveryAddress=nikolai at test.maliuta.org)) fields=postfixDeliveryAddress,userPassword
Nov 20 07:24:20 kiliya dovecot: auth: ldap(nikolai at test.maliuta.org,<remote_ip>,<1kW2C65BFI2WZbl8>): unknown user (given password: <correct_password>)
Nov 20 07:24:22 kiliya dovecot: auth: Debug: client passdb out: FAIL#0111#011user=nikolai at test.maliuta.org

-- 
Nikolai Lusan <nikolai at lusan.id.au>