<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<div class="moz-text-html" lang="x-unicode"> On 2005-02-03 23:59, Alan
Tam wrote:
<blockquote cite="mid42024A66.8090605@SiuLung.com" type="cite">
<div class="moz-text-plain" wrap="true" graphical-quote="true"
style="font-size: 16px;" lang="x-western">
<pre wrap="">Hi dovecot,
I am using the debian dovecot packages on a system running LDAP.
My /etc/pam.d/common-* looks like this, which simply means try /etc/passwd first, and try LDAP using the same password if it is failed.
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so use_first_pass
account required pam_permit.so
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
session [success=1 default=ignore] pam_unix.so
session required pam_ldap.so use_first_pass
session required pam_mkhomedir.so skel=/etc/skel umask=0002
session required pam_permit.so
When many LDAP users login, /var/log/auth.log shows many (expected) error like: (note "pam_unix")
Feb 3 18:16:15 eta dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1
Feb 3 18:16:19 eta dovecot-auth: (pam_unix) check pass; user unknown
After recent upgrades from probably 0.99.10 to 0.99.13, these lines begin to appear in /var/log/mail.log:
Feb 3 16:31:00 eta dovecot-auth: Login process has too old (123s) requests, killing it.
Feb 3 16:31:00 eta dovecot-auth: Login process has too old (124s) requests, killing it.
And some more like this, which shows the problem:
Feb 3 16:45:23 eta dovecot-auth: I/O leak: 0x8054940 (13)
Feb 3 16:45:23 eta dovecot-auth: I/O leak: 0x8054940 (14)
Feb 3 16:45:23 eta dovecot-auth: I/O leak: 0x8054940 (15)
The problem can be solved by changing /etc/pam.d/dovecot to:
auth required pam_ldap.so
account required pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel umask=0002
session required pam_ldap.so
This change means PAM not fail auth for /etc/passwd again.
I think dovecot has some problem dealing with the pam_unix + pam_ldap configuration. Do you have any idea?
I am Cc-ing this message to the corresponding bug in Debian BTS.
</pre>
</div>
</blockquote>
Solved by configuring dovecot to directly authenticate from LDAP.
I still think it is your bug though.<br>
<br>
It is not a good solution anyway, since your LDAP authenticator doesn't
support auth-bind. So I've to convert all userPassword into {CRYPT}
format for it to work.<br>
<br>
<pre class="moz-signature" cols="70">--
Regards,
Alan
Answer: Because we read from top to bottom, from left to right.
Question: Why should we put replies after the original text?</pre>
</div>
</body>
</html>