On Monday 02 March 2015 11:14:03 David Scheele wrote:
> Ok I played around a bit and activated debugging correctly (Thanks to
> Steffen)
>
> Now I try to log in with the user johndoe (that is his cn and his uid) and
> I get the following message in syslog:
>
> Mar 2 11:03:32 mailserver dovecot: auth: Debug: master in: REQUEST#0111283457025#0117428#0111#011d139b5d372d882643bc995003c615c89
> Mar 2 11:03:32 mailserver dovecot: auth: Debug: ldap(johndoe,127.0.0.1,<EYmiVEsQSgB/AAAB>): user search: base=ou=People,dc=[domainname],dc=de scope=subtree filter=(&(objectClass=inetOrgPerson)(cn=johndoe)) fields=uidNumber
> Mar 2 11:03:32 mailserver slapd[2465]: <= bdb_equality_candidates: (cn) not indexed
> Mar 2 11:03:32 mailserver dovecot: auth: Debug: ldap(johndoe,127.0.0.1,<EYmiVEsQSgB/AAAB>): result: uidNumber missing

There are two strategies: put the uid of each user in ldap or use the same uid for all accounts.

For the second choice, you need to put something like

mail_uid = 10000
mail_gid = 10000

in 10-mail.conf. This user needs some rights on the dovecot storage folder.

When using the first choice, you will need a mechanism to generate those uid's (this should be implemented in the ldap management tool).

> Mar 2 11:03:32 mailserver dovecot: auth: Debug: master out: USER#0111283457025#011johndoe
> Mar 2 11:03:32 mailserver dovecot: imap-login: Login: user=<johndoe>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=7450, secured, session=<EYmiVEsQSgB/AAAB>
> Mar 2 11:03:32 mailserver dovecot: imap(johndoe): Error: user johndoe: Couldn't drop privileges: User is missing UID (see mail_uid setting)
> Mar 2 11:03:32 mailserver dovecot: imap(johndoe): Error: Internal error occurred. Refer to server log for more information.
>
> I am confused what the line "Mar 2 11:03:32 mailserver dovecot: imap(johndoe): Error: user johndoe: Couldn't drop privileges: User is missing UID (see mail_uid setting)" is trying to tell me.
>
> doveconf -n:
>
> # 2.1.7: /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.8 ext4
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> default_login_user = vmail
> disable_plaintext_auth = no
> first_valid_gid = 2222
> first_valid_uid = 2222
> listen = *
> mail_access_groups = vmail
> mail_debug = yes
> mail_location = maildir:/var/vmail/%n
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> protocols = imap
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
>   user = root
> }
> service imap-login {
>   process_min_avail = 1
>   user = vmail
> }
> ssl = no
> userdb {
>   args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
>   driver = ldap
> }
>
> grep -v '^ *\(#.*\)\?$' dovecot-ldap.conf.ext :
>
> hosts = mailserver.[domainname].de
> debug_level = 0
> auth_bind = yes
> auth_bind_userdn = cn=%u,ou=People,dc=[domainname],dc=de
> base = ou=People,dc=[domainname],dc=de
> user_attrs = uidNumber=uid
> user_filter = (&(objectClass=inetOrgPerson)(cn=%u))
> pass_attrs = userPassword=password
> pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
> iterate_attrs = uid=user
> iterate_filter = (objectClass=inetOrgPerson)
>
> 2015-02-27 16:00 GMT+01:00 Paolo Cravero <paolo.crav...@csi.it>:
> > This is the user DN:
> >
> > > cn=Klara Fall,ou=People,dc=[domainname],dc=de
> >
> > According to your Dovecot configuration
> >
> > > auth_bind_userdn = cn=%u,ou=People,dc=[domainname],dc=de
> >
> > if you login with "klarafall" it will be expanded into
> >
> > cn=klarafall,ou=People,dc=[domainname],dc=de
> >
> > which is not the correct DN for Mrs Klara.
> >
> > So if you login with "Klara Fall" it should work, but that will probably
> > mess up the things on the Dovecot filesystem.
> >
> > I am strongly against setting a static DN when dealing with LDAP
> > authentication. LDAP servers are optimized to serve search requests, so let
> > yours do the job. Allow Dovecot to look up the correct DN based on the
> > attribute you supply (uid) and then authenticate.
> >
> > This should be achieved if you comment out the auth_bind_userdn line.
> >
> > Paolo Cravero

-- 
Mihai Bădici
http://mihai.badici.ro
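The userdb lookup David's debug log shows, as an added example that is not part of the thread: a small Python simulation of Dovecot's LDAP userdb step over a constructed LDIF, driven by the thread's own user_filter and user_attrs strings. It shows why the cn=%u filter finds nothing for a login of "klarafall" while uid=%u does, and why an entry without uidNumber ends in "result: uidNumber missing" (and so no uid for the mail process). The LDIF entries and the helpers parse_ldif, matches_filter and check_login are assumptions, not Dovecot code.

```python
import re

# Constructed sample LDIF (not from the thread): Klara Fall carries a
# uidNumber/gidNumber, johndoe does not, which is the "uidNumber missing" case.
SAMPLE_LDIF = """\
dn: cn=Klara Fall,ou=People,dc=example,dc=de
objectClass: inetOrgPerson
cn: Klara Fall
uid: klarafall
uidNumber: 2222
gidNumber: 2222

dn: cn=johndoe,ou=People,dc=example,dc=de
objectClass: inetOrgPerson
cn: johndoe
uid: johndoe
"""

def parse_ldif(text):
    """Minimal LDIF reader: one {attr(lowercase): [values]} dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(val.strip())
        entries.append(entry)
    return entries

def matches_filter(entry, user_filter, login):
    """AND-filter of the form (&(a=v)(b=%u)). Exact string match here; a real
    directory compares cn/uid case-insensitively (simplification)."""
    conds = re.findall(r"\((\w+)=([^()]*)\)", user_filter.replace("%u", login))
    return all(v in entry.get(a.lower(), []) for a, v in conds)

def check_login(entries, login, user_filter, user_attrs):
    """Simulate the userdb lookup: ('no-match', None) if the filter selects no
    entry, ('missing', [ldap attrs]) if a mapped attribute is absent, else
    ('ok', {dovecot_field: value}) with the uid/gid Dovecot would receive."""
    hits = [e for e in entries if matches_filter(e, user_filter, login)]
    if not hits:
        return "no-match", None
    fields, missing = {}, []
    for pair in user_attrs.split(","):
        ldap_attr, dovecot_field = (s.strip() for s in pair.split("=", 1))
        vals = hits[0].get(ldap_attr.lower())
        if vals:
            fields[dovecot_field] = vals[0]
        else:
            missing.append(ldap_attr)
    return ("missing", missing) if missing else ("ok", fields)
```

Running check_login over a dump of the real People subtree before switching user_filter to uid=%u (or before adding per-user uidNumber attributes) lists exactly which accounts would still fail at the "Couldn't drop privileges" step.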