auth debug log entry incorrect

Tomas Habarta lists+dovecot at tocc.cz
Wed Aug 12 16:28:33 EEST 2020


Hello,

just want to report a slightly confusing log entry on auth-debug level I have encountered while setting up Kerberos auth.
Users are stored in LDAP, Kerberos makes use of the same LDAP as its backend, and the goal was to enable users to use their principals in addition to simple login with the mailAddress/userPassword combination.

Sample entry relevant attrs:
---
mailAddress: sn.gn at example.com
mailDeliveryAddress: 123456 at example.com
uid: u123456
krbPrincipalName: u123456 at REALM
krbPrincipalName: user123456 at REALM
krbPrincipalName: alias at REALM
---

with
pass_attrs = =user=%{ldap:mailDeliveryAddress},=password=%{ldap:userPassword},=k5principals=%{ldap:krbPrincipalName}

I can see an incorrectly logged LDAP search result for the krbPrincipalName attr, as it is written 3 times with the same value -- the number is correct, the values should differ.
All is working ok as expected, but it was a bit confusing while tuning /etc/krb5.conf on a non-working remote client whilst the local client had no issues (mutt).
Anyway, to eventually save someone's time, this seems to be easy enough to be fixed.


Thanks for this great software,
Tomas



dovecot[13337]: auth: Debug: ldap(sn.gn at example.com,10.0.9.14,<6xHsI62sJoWT+2C4>): result: mailDeliveryAddress=123456 at example.com krbPrincipalName=u123456 at REALM,u123456 at REALM,u123456 at REALM; krbPrincipalName,mailDeliveryAddress unused
dovecot[13337]: auth: Debug: ldap(sn.gn at example.com,10.0.9.14,<6xHsI62sJoWT+2C4>): username changed sn.gn at example.com -> 123456 at example.com
dovecot[13337]: auth: Warning: ldap(123456 at example.com,10.0.9.14,<6xHsI62sJoWT+2C4>): Multiple values found for 'krbPrincipalName', using value 'u123456 at REALM'
dovecot[13337]: auth: Debug: ldap(123456 at example.com,10.0.9.14,<6xHsI62sJoWT+2C4>): Finished passdb lookup
dovecot[13337]: auth: Debug: gssapi(123456 at example.com,10.0.9.14,<6xHsI62sJoWT+2C4>): authorized by k5principals field: u123456 at REALM
dovecot[13337]: auth: Debug: auth(123456 at example.com,10.0.9.14,<6xHsI62sJoWT+2C4>): Auth request finished
dovecot[13337]: auth: Debug: client passdb out: OK        1        user=123456 at example.com        k5principals=u123456 at REALM        original_user=u123456 at REALM
dovecot[13337]: auth: Debug: master in: REQUEST        3251372033        13340        1        3bbd5f6931fe4e949e7822657da9e33b        session_pid=13343        request_auth_token


# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.8 (b7b03ba2)
# OS: Linux 4.18.0-193.14.2.el8_2.x86_64 x86_64 CentOS Linux release 8.2.2004 (Core)  
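
Added example, not part of the original message and not Dovecot code: a small Python check that parses the auth-debug `result:` line in the format shown above and flags attributes logged with several identical values, the symptom reported here. The sample lines are constructed (with `@` restored where the list archive printed ` at `), and the function names are hypothetical.

```python
import re

# Constructed sample lines in the format quoted in the message above.
SAMPLE = [
    "dovecot[13337]: auth: Debug: ldap(sn.gn@example.com,10.0.9.14,<sid>): result: "
    "mailDeliveryAddress=123456@example.com "
    "krbPrincipalName=u123456@REALM,u123456@REALM,u123456@REALM; "
    "krbPrincipalName,mailDeliveryAddress unused",
    "dovecot[13337]: auth: Debug: ldap(a@example.com,10.0.9.14,<sid>): result: "
    "mailDeliveryAddress=1@example.com krbPrincipalName=a@REALM,b@REALM",
]

RESULT_RE = re.compile(r"auth: Debug: ldap\((?P<user>[^,]+),.*?\): result: (?P<body>.*)$")
UNUSED_RE = re.compile(r";[^;]*\bunused\s*$")      # trailing "; a,b unused" summary
ATTR_RE = re.compile(r"(?:^|\s)([A-Za-z][\w-]*)=")  # start of each "name=" field


def parse_result(line):
    """Return (user, {attr: [values]}) for a result line, or None otherwise."""
    m = RESULT_RE.search(line)
    if m is None:
        return None
    body = UNUSED_RE.sub("", m.group("body"))
    marks = list(ATTR_RE.finditer(body))
    attrs = {}
    for i, mark in enumerate(marks):
        # A field's values run up to the next "name=" marker (or end of body).
        end = marks[i + 1].start() if i + 1 < len(marks) else len(body)
        attrs[mark.group(1)] = body[mark.end():end].strip().split(",")
    return m.group("user"), attrs


def repeated_value_attrs(line):
    """Attributes logged with more than one value where every value is identical.

    LDAP does not allow an attribute to hold the same value twice, so such a
    field means the debug line is not showing the real directory values.
    """
    parsed = parse_result(line)
    if parsed is None:
        return []
    return [n for n, v in parsed[1].items() if len(v) > 1 and len(set(v)) == 1]


if __name__ == "__main__":
    for entry in SAMPLE:
        for name in repeated_value_attrs(entry):
            print(f"{name}: identical values logged, verify with a direct LDAP query")
```

When an attribute is flagged, the values in the debug line cannot be trusted for that lookup; query the directory directly before drawing conclusions about which principals are authorized.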

