Problem with multiple ldap passdb

Martin Wheldon martin.wheldon at greenhills-it.co.uk
Mon Nov 28 15:10:28 UTC 2016


Hi,

In case anyone experiences the same issue in the future: it seems this was 
probably a bug.
I upgraded to dovecot 2.2.24 from Jessie backports and it now works as 
documented, with no configuration changes.

Hope someone else finds this useful.

Best Regards

Martin

On 2016-11-22 16:39, Martin Wheldon wrote:
> Hi mailing list,
> 
> I'm currently running dovecot 2.2.13 from Debian Jessie and all is
> running fine. However, I am attempting to merge two LDAP authentication
> sources.
> 
> I would like to authenticate against the first authentication source
> and, if that fails either because the password is wrong or because the
> user is not found, then attempt the next LDAP server.
> 
> I've added a passdb and userdb entry for the new LDAP server. As you
> can see from the log below, the user isn't found in the first LDAP
> query (the search fails with "No such object") but is found in the
> second one. However, the authentication still fails, and the final
> passdb result is a temporary failure ("FAIL ... temp") rather than a
> password mismatch:
> 
> Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: client in:
> AUTH#0111#011PLAIN#011service=imap#011secured#011session=WTLjLuRB9QBRlIlQ#011lip=51.254.222.112#011rip=81.148.137.80#011lport=143#011rport=56821#011resp=AG1hcnRpbi53aGVsZG9uQGdyXWVuaGlsbHMtaXQuY28udWsAQ3JhY2spbk4wdw==
> (previous base64 data may contain sensitive data)
> Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon
> at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): bind search:
> base=dc=greenhills-it,dc=co,dc=uk
> filter=(&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=martin.wheldon
> at greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk)))
> Nov 22 13:59:38 he01-imap-01 dovecot: auth: Error: ldap(martin.wheldon
> at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>):
> ldap_search(base=dc=greenhills-it,dc=co,dc=uk
> filter=(&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=martin.wheldon
> at greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk))))
> failed: No such object
> Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon
> at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): bind search:
> base=dc=greenhills-it,dc=co,dc=uk filter=(|(uid=martin.wheldon at
> greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk))
> Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon
> at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): result:
> uid=00000001; uid unused
> Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon
> at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): username
> changed martin.wheldon at greenhills-it.co.uk -> 00000001
> Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug:
> ldap(00000001,81.148.137.80,<WTLjLuRB9QBRlIlQ>): result: uid=00000001
> Nov 22 13:59:40 he01-imap-01 dovecot: auth: Debug: client passdb out:
> FAIL#0111#011user=00000001#011temp#011original_user=martin.wheldon at
> greenhills-it.co.uk
> 
> 
> I know that the password was entered correctly because, if I disable
> the new LDAP config and log in, I am authenticated properly.
> 
> 
> Nov 22 14:00:38 he01-imap-01 dovecot: auth: Debug: auth client
> connected (pid=2626)
> Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: client in:
> AUTH#0111#011PLAIN#011service=imap#011secured#011session=ipKBMuRBBQBRlIlQ#011lip=51.254.222.112#011rip=81.148.137.80#011lport=143#011rport=38149#011resp=AG1hcnRpbi53aGVsZG9uQGdyXWVuaGlsbHMtaXQuY28udWsAQ3JhY2spbk4wdw==
> (previous base64 data may contain sensitive data)
> Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon
> at greenhills-it.co.uk,81.148.137.80,<ipKBMuRBBQBRlIlQ>): bind search:
> base=dc=greenhills-it,dc=co,dc=uk filter=(|(uid=martin.wheldon at
> greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk))
> Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon
> at greenhills-it.co.uk,81.148.137.80,<ipKBMuRBBQBRlIlQ>): result:
> uid=00000001; uid unused
> Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon
> at greenhills-it.co.uk,81.148.137.80,<ipKBMuRBBQBRlIlQ>): username
> changed martin.wheldon at greenhills-it.co.uk -> 00000001
> Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug:
> ldap(00000001,81.148.137.80,<ipKBMuRBBQBRlIlQ>): result: uid=00000001
> Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: client passdb out:
> OK#0111#011user=00000001#011original_user=martin.wheldon at
> greenhills-it.co.uk
> 
> 
> I've done a lot of searching and I believe this is possible, so I must
> either have misread the documentation or be triggering a bug. I have
> not been able to confirm either.
> 
> Any help would be much appreciated.
> 
> My broken configuration is below:
> 
> # 2.2.13: /etc/dovecot/dovecot.conf
> # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
> auth_debug = yes
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> default_vsz_limit = 512 M
> lmtp_rcpt_check_quota = yes
> lmtp_save_to_detail_mailbox = yes
> mail_location = maildir:~/Maildir
> mail_plugins = " quota"
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date ihave
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap-new.conf.ext
>   driver = ldap
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
>   skip = authenticated
> }
> plugin {
>   antispam_backend = pipe
>   antispam_pipe_program = /usr/sbin/sendmail
>   antispam_pipe_program_args = -f;%{auth_user};-r;%{auth_user}
>   antispam_pipe_program_notspam_arg = 
> retrain-as-ham at greenhills-it.co.uk
>   antispam_pipe_program_spam_arg = retrain-as-spam at greenhills-it.co.uk
>   antispam_spam = Spam
>   antispam_trash = Trash
>   quota = maildir:User quota
>   quota_rule = *:storage=1G
>   quota_rule2 = Trash:ignore
>   quota_rule3 = Spam:ignore
>   sieve = ~/.dovecot.sieve
>   sieve_before = /var/lib/dovecot/sieve/move-spam.sieve
>   sieve_dir = ~/sieve
> }
> protocols = " imap lmtp sieve pop3"
> service imap-login {
>   process_min_avail = 20
>   service_count = 1
> }
> service imap {
>   process_min_avail = 20
> }
> service lmtp {
>   inet_listener lmtp {
>     address = he01-imap-01.greenhills-it.co.uk 127.0.0.1
>     port = 2003
>   }
> }
> service pop3 {
>   process_min_avail = 20
> }
> ssl = required
> ssl_cert = </etc/ssl/certs/combined_2015_greenhills-it.co.uk.cert
> ssl_cipher_list =
> ALL:HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT:!PSK:!DES:!3DES:!MD5:!DES+MD5:!RC4:!SEED+SHA:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!eNULL:!aNULL:@STRENGTH
> ssl_dh_parameters_length = 2048
> ssl_key = </etc/ssl/private/stripped.2015.greenhills-it.co.uk.pem
> ssl_prefer_server_ciphers = yes
> ssl_protocols = !SSLv2 !SSLv3
> userdb {
>   args = /etc/dovecot/dovecot-ldap-new.conf.ext
>   driver = ldap
> }
> userdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> protocol lmtp {
>   mail_plugins = " quota sieve"
> }
> protocol imap {
>   mail_plugins = " quota imap_quota"
> }
> 
> 
> # Working LDAP configuration
> # /etc/dovecot/dovecot-ldap.conf.ext
> uris = ldap://he01-auth-01.greenhills-it.co.uk
> dn = uid=dovecot,ou=people,ou=SRV_Accounts,dc=greenhills-it,dc=co,dc=uk
> dnpass = VerySecret
> sasl_bind = no
> auth_bind = yes
> ldap_version = 3
> base = dc=greenhills-it,dc=co,dc=uk
> scope = subtree
> user_attrs =
> homeDirectory=home,uidNumber=uid,gidNumber=gid,gosaMailQuota=quota_rule=*:storage=%$M
> user_filter = (|(uid=%u)(mail=%u)(gosaMailAlternateAddress=%u))
> pass_attrs = uid=user,userPassword=password
> pass_filter = (|(uid=%u)(mail=%u))
> default_pass_scheme = CRYPT
> 
> 
> # Non working LDAP configuration
> # /etc/dovecot/dovecot-ldap-new.conf.ext
> uris = ldap://dir.greenhills-it.co.uk
> dn = "cn=dovecot,ou=search 
> accounts,ou=services,dc=greenhills-it,dc=co,dc=uk"
> dnpass = VerySecret
> sasl_bind = no
> tls = yes
> tls_ca_cert_file = /etc/ssl/certs/GreenhillsCACert.pem
> tls_require_cert = demand
> debug_level = -1
> auth_bind = yes
> ldap_version = 3
> base = ou=customers,dc=greenhills-it,dc=co,dc=uk
> scope = subtree
> user_attrs =
> homeDirectory=home,uidNumber=uid,gidNumber=gid,ukFirmGhITAccMailQuota=quota_rule=*:storage=%$M
> user_filter =
> (&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=%u)(mail=%u)(ukFirmGhITAccMailAlias=%u)))
> pass_attrs = uidNumber=user
> pass_filter =
> (&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=%u)(mail=%u)))
> default_pass_scheme = SSHA
> 
> 
> Best Regards

