LDAP auth problems "unknown user"
Hi,

I am setting up a dovecot instance to host a bunch of virtual domains, with ldap backing for auth. I am using a single hostname for test purposes, with a couple of entries in the directory. If I use auth binds I get a result, but this does not suit the end purpose of the server. If I use ldapsearch with the same base, search filter, and credentials as the ldap auth config I get the correct attributes returned, and I have a bit of perl that verifies the password hash matches the password provided.

I am running out of ideas here. I had thought of putting in a custom bit of perl and using the checkpassword method, but this is suboptimal. If anyone can help with this I'd be grateful.

# dovecot --version
2.2.26.0 (23d1de6)

# dovecot -n
# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.8.0-1-amd64 x86_64 Debian stretch/sid ext3
auth_cache_size = 2 M
auth_debug = yes
auth_debug_passwords = yes
auth_default_realm = maliuta.org
auth_master_user_separator = *
auth_mechanisms = plain login
auth_realms = maliuta.org
auth_verbose = yes
auth_verbose_passwords = yes
first_valid_uid = 117
last_valid_uid = 117
lda_mailbox_autocreate = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_gid = vmail
mail_location = maildir:/var/spool/vmail/%d/%n/Maildir
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  list = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/ldap/maliuta.org-ldap.conf.ext
  driver = ldap
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap lmtp sieve"
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
  user = $default_internal_user
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 0
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_cert =

# grep -v '^ *\(#.*\)\?$' /etc/dovecot/ldap/maliuta.org-ldap.conf.ext
uris = ldap://localhost
dn = cn=admin,dc=maliuta,dc=org
dnpass =
tls = yes
tls_ca_cert_dir = /etc/ssl/certs
auth_bind = no
ldap_version = 3
base = ou=mail,dc=mailuta,dc=org
scope = subtree
default_pass_scheme = SSHA
deref = never
user_attrs = postfixDeliveryAddress=user
user_filter = (&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson))
pass_attrs = postfixDeliveryAddress=user,userPassword=password
pass_filter = (&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixDeliveryAddress=%u))
iterate_attrs = uid=user
iterate_filter = (objectClass=postfixMailPerson)

# ldapsearch -H ldap://localhost:389 -x -D 'cn=admin,dc=maliuta,dc=org' -W -b "ou=mail,dc=maliuta,dc=org" -s sub -LLL -ZZ '(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixDeliveryAddress=niko...@test.maliuta.org))' uid userPassword
Enter LDAP Password:
dn: mail=niko...@test.maliuta.org,ou=mail,dc=maliuta,dc=org
uid: nikolai
userPassword:: e1NTSEF9QVBZMTlaeGw1cWd0a25XeGxURXdqM2g5Yk5YL3BxOGY=

## From /var/log/mail.log
Nov 20 07:24:20 kiliya dovecot: auth: Debug: auth client connected (pid=27086)
Nov 20 07:24:20 kiliya dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=1kW2C65BFI2WZbl8#011lip=#011rip=#011lport=143#011rport=36116#011local_name=#011resp=AG5pa29sYWlAdGVzdC5tYWxpdXRhLm9yZwBmb29iYXIzMzQ0 (previous base64 data may contain sensitive data)
Nov 20 07:24:20 kiliya dovecot: auth: Debug: ldap(niko...@test.maliuta.org,,<1kW2C65BFI2WZbl8>): cache miss
Nov 20 07:24:20 kiliya dovecot: auth: Debug: ldap(niko...@test.maliuta.org,): pass search: base=ou=mail,dc=mailuta,dc=org scope=subtree filter=(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixDeliveryAddress=niko...@test.maliuta.org)) fields=postfixDeliveryAddress,userPassword
Nov 20 07:24:20 kiliya dovecot: auth: ldap(niko...@test.maliuta.org,,<1kW2C65BFI2WZbl8>): unknown user (given password: )
Nov 20 07:24:22 kiliya dovecot: auth: Debug: client passdb out: FAIL#0111#011user=niko...@test.maliuta.org

--
Nikolai Lusan
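The post sets Dovecot's LDAP lookup against a manual ldapsearch run. As an added example (not part of the original post or of Dovecot), this Python script parses the "pass search" debug line and the ldapsearch command quoted above and reports which of base, scope and filter differ between the two searches. The function names and the option table are this example's own.

```python
import re
import shlex
# Both inputs are copied from the post above (address elided as on the page).
DOVECOT_LOG = (
    "Nov 20 07:24:20 kiliya dovecot: auth: Debug: ldap(niko...@test.maliuta.org,): "
    "pass search: base=ou=mail,dc=mailuta,dc=org scope=subtree filter=(&(postfixDeliveryEnabled=TRUE)"
    "(objectClass=postfixMailPerson)(postfixDeliveryAddress=niko...@test.maliuta.org)) "
    "fields=postfixDeliveryAddress,userPassword"
)
LDAPSEARCH_CMD = (
    "ldapsearch -H ldap://localhost:389 -x -D 'cn=admin,dc=maliuta,dc=org' -W "
    "-b \"ou=mail,dc=maliuta,dc=org\" -s sub -LLL -ZZ "
    "'(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)"
    "(postfixDeliveryAddress=niko...@test.maliuta.org))' uid userPassword"
)
# ldapsearch options that consume the next argument (subset; extend as needed).
VALUE_OPTS = {"-H", "-D", "-w", "-y", "-b", "-s", "-a", "-l", "-z", "-h", "-p"}
SCOPES = {"sub": "subtree", "one": "onelevel", "base": "base"}

def norm_dn(dn):
    """Case-fold a DN and trim spaces around commas (escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_dovecot_search(line):
    """Extract base, scope and filter from a Dovecot 'pass search' debug line."""
    m = re.search(r"pass search: base=(?P<base>.*?) scope=(?P<scope>\S+) "
                  r"filter=(?P<filter>.*) fields=\S*$", line)
    if not m:
        raise ValueError("not a Dovecot LDAP pass search debug line")
    return {"base": norm_dn(m["base"]), "scope": m["scope"], "filter": m["filter"]}

def parse_ldapsearch(cmd):
    """Extract the same three parameters from an ldapsearch command line."""
    opts, positional = {}, []
    args = iter(shlex.split(cmd)[1:])
    for arg in args:
        if arg in VALUE_OPTS:
            opts[arg] = next(args, "")
        elif not arg.startswith("-"):
            positional.append(arg)      # first is the filter, the rest attributes
    scope = opts.get("-s", "sub")       # ldapsearch defaults to subtree scope
    return {"base": norm_dn(opts.get("-b", "")), "scope": SCOPES.get(scope, scope),
            "filter": positional[0] if positional else "(objectClass=*)"}

def differing_fields(log_line, cmd):
    # Which of base/scope/filter differ between what Dovecot ran and the manual search.
    seen, manual = parse_dovecot_search(log_line), parse_ldapsearch(cmd)
    return [k for k in ("base", "scope", "filter") if seen[k] != manual[k]]

if __name__ == "__main__":
    print("differs:", differing_fields(DOVECOT_LOG, LDAPSEARCH_CMD))
```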
Re: Good email client to use with Dovecot?
TB is the closest thing to a functional Outlook replacement for office deployment. I have seen UN staff so distressed by IBM Lotus Notes that they would have given someone else's left arm to have TB instead. I have mutt as a lifeboat, but it is not good enough for daily use in office.

On Mozilla not willing to spend on TB, I think it is a very good thing. I would rather see TB on github with a donation button than see it crippled with Firefox-like spyware.

On Sat, Nov 19, 2016 at 4:34 PM, Michael Felt <'mich...@felt.demon.nl'> wrote:
These discussions are at a very early stage. Finding the right solution requires some effort. This is Mozilla focusing on a more forward looking path, one aimed at longer term stability rather than continuing the status quo.
Re: Good email client to use with Dovecot?
On 17/11/2016 5:41 AM, Marc Stürmer wrote:
What to avoid like the pest is Outlook. Microsoft crippled the IMAP support in it starting with version 2010 on purpose to promote their own server technology on many levels. Using IMAP with Outlook is no fun, so just don't do it and if you need Outlook, you are better off with Microsoft's own tech stuff instead of IMAP.

I use Thunderbird most of the time but I also have to use Outlook. I have noticed that IMAP support in Outlook 2016 is much better than in previous versions. It was really bad in Outlook 2010 and 2013, having to delete and reconfigure the IMAP account quite often. I haven't had any issues since upgrading to Outlook 2016.
Re: Good email client to use with Dovecot?
On 19/11/2016 16:18, Michael Felt wrote:
On 18/11/2016 14:19, Tanstaafl wrote:
Comments about the retired TB:
>https://blog.mozilla.org/thunderbird/

As far as webmail being the future - imho - I am getting away from it, and that is why dovecot is worth investigating as port to replace the imap program supplied with my server OS.

As far as the blog entry above - that is dated 9 december 2015, and nothing newer.

An older blog is, imho, more accurate about the relationship and hence status on the relationship of Mozilla as an 'owner' aka 'legal home' and Thunderbird as an 'owned project' - see QUOTE from blog: https://blog.lizardwrangler.com/2015/12/03/thunderbird-update/

I’ve seen some characterize this as Mozilla “dropping” Thunderbird. This is not accurate. We are going to disentangle the technical infrastructure. We are going to assist the Thunderbird community. This includes working with organizations that want to invest in Thunderbird, several of which have stepped forward already. Mozilla Foundation will serve as a fiscal sponsor for Thunderbird donations during this time.

I also noted that we should look at whether Mozilla remains the best organizational and legal home for Thunderbird. This is a separate question from the technical infrastructure. This question is much more wide open. I don’t know what the answer will be. It could be that Mozilla remains the best home, based on history, affiliation and shared community. It could also be that a home geared to open source projects of Thunderbird’s size and scope is better suited. I can imagine either being the case.

We have decided to separate the technical infrastructure and to explore what is best for Thunderbird and for the Mozilla project as a whole. These discussions are at a very early stage. Finding the right solution requires some effort. This is Mozilla focusing on a more forward looking path, one aimed at longer term stability rather than continuing the status quo.

ENDQUOTE

Since someone also commented "more fixes than before" - I guess Thunderbird is "blogging" elsewhere - hint to where might be good in this thread.

It has certainly been an interesting read. Maybe I should use MUTT - as I have been a happy vi user for nearly 38 years (even coded it a bit in the pre-curses days - to add a new terminal ;) - ah memories :)
Re: Good email client to use with Dovecot?
On 18/11/2016 14:19, Tanstaafl wrote:
Comments about the retired TB:
>https://blog.mozilla.org/thunderbird/

As far as webmail being the future - imho - I am getting away from it, and that is why dovecot is worth investigating as port to replace the imap program supplied with my server OS.

As far as the blog entry above - that is dated 9 december 2015, and nothing newer.

Since someone also commented "more fixes than before" - I guess Thunderbird is "blogging" elsewhere - hint to where might be good in this thread.

It has certainly been an interesting read. Maybe I should use MUTT - as I have been a happy vi user for nearly 38 years (even coded it a bit in the pre-curses days - to add a new terminal ;) - ah memories :)
Re: dovecot, configure and documentation as hardstop
On 19/11/2016 15:09, Aki Tuomi wrote:
Michael
At the moment, pandoc is only *required* if you are building from git. And it's not even required then, just do
env PANDOC=true ./configure ...
Aki

Thanks! guess I should have read ./configure --help more closely.

So, is there something else I have forgotten - in order to get a good summary of the results of 'make check'?

Michael
Re: dovecot, configure and documentation as hardstop
> On November 19, 2016 at 4:01 PM Michael Felt wrote:
>
>
> Hi,
>
> As preparations for a port to AIX - making sure I can get it to build on
> linux with gcc. While it is fairly easy to add the requirements (on GNU
> Linux) having pandoc as a configure "hardstop", even with --without-docs
> or --with-docs=no is a bit worrisome as I am fearful that I may not be
> able to get pandoc ported as well.
>
> Hence a request that a missing pandoc become a warning, and just not done
> when pandoc is not available, or at least accept one of --without-docs
> and --with-docs=no (or should I be using --with-pandata=no? )
>
> Michael

At the moment, pandoc is only *required* if you are building from git. And it's not even required then, just do

env PANDOC=true ./configure ...

Aki
dovecot, configure and documentation as hardstop
Hi,

As preparations for a port to AIX - making sure I can get it to build on linux with gcc. While it is fairly easy to add the requirements (on GNU Linux) having pandoc as a configure "hardstop", even with --without-docs or --with-docs=no is a bit worrisome as I am fearful that I may not be able to get pandoc ported as well.

Hence a request that a missing pandoc become a warning, and just not done when pandoc is not available, or at least accept one of --without-docs and --with-docs=no (or should I be using --with-pandata=no? )

Michael