LDAP auth problems "unknown user"

2016-11-19 Thread Nikolai Lusan
Hi,

I am setting up a dovecot instance to host a bunch of virtual domains,
with ldap backing for auth. I am using a single hostname for test
purposes, with a couple of entries in the directory. If I use auth binds
I get a result, but this does not suit the end purpose of the server.

If I use ldapsearch with the same base, search filter, and credentials
as the ldap auth config I get the correct attributes returned, and I
have a bit of perl that verifies the password hash matches the password
provided.

I am running out of ideas here, I had thought of putting in a custom
bit of perl and using the checkpassword method, but this is
suboptimal. If anyone can help with this I'd be grateful.




# dovecot --version
2.2.26.0 (23d1de6)

# dovecot -n
# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.8.0-1-amd64 x86_64 Debian stretch/sid ext3
auth_cache_size = 2 M
auth_debug = yes
auth_debug_passwords = yes
auth_default_realm = maliuta.org
auth_master_user_separator = *
auth_mechanisms = plain login
auth_realms = maliuta.org
auth_verbose = yes
auth_verbose_passwords = yes
first_valid_uid = 117
last_valid_uid = 117
lda_mailbox_autocreate = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_gid = vmail
mail_location = maildir:/var/spool/vmail/%d/%n/Maildir
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  list = yes
  location = 
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix = 
}
passdb {
  args = /etc/dovecot/ldap/maliuta.org-ldap.conf.ext
  driver = ldap
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap lmtp sieve"
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
  }
  unix_listener auth-userdb {
group = vmail
mode = 0660
user = vmail
  }
  user = $default_internal_user
}
service dict {
  unix_listener dict {
group = vmail
mode = 0660
user = vmail
  }
}
service imap-login {
  inet_listener imap {
port = 143
  }
  inet_listener imaps {
port = 0
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
  }
}
ssl_cert = 

# grep -v '^ *\(#.*\)\?$' /etc/dovecot/ldap/maliuta.org-ldap.conf.ext
uris = ldap://localhost
dn = cn=admin,dc=maliuta,dc=org
dnpass = 
tls = yes
tls_ca_cert_dir = /etc/ssl/certs
auth_bind = no
ldap_version = 3
base = ou=mail,dc=mailuta,dc=org
scope = subtree
default_pass_scheme = SSHA
deref = never
user_attrs = postfixDeliveryAddress=user
user_filter = (&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson))
pass_attrs = postfixDeliveryAddress=user,userPassword=password
pass_filter = (&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixDeliveryAddress=%u))
iterate_attrs = uid=user
iterate_filter = (objectClass=postfixMailPerson)


# ldapsearch -H ldap://localhost:389 -x -D 'cn=admin,dc=maliuta,dc=org' -W -b "ou=mail,dc=maliuta,dc=org" -s sub -LLL -ZZ '(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixDeliveryAddress=niko...@test.maliuta.org))' uid userPassword
Enter LDAP Password: 
dn: mail=niko...@test.maliuta.org,ou=mail,dc=maliuta,dc=org
uid: nikolai
userPassword:: e1NTSEF9QVBZMTlaeGw1cWd0a25XeGxURXdqM2g5Yk5YL3BxOGY=

## From /var/log/mail.log
Nov 20 07:24:20 kiliya dovecot: auth: Debug: auth client connected (pid=27086)
Nov 20 07:24:20 kiliya dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=1kW2C65BFI2WZbl8#011lip=#011rip=#011lport=143#011rport=36116#011local_name=#011resp=AG5pa29sYWlAdGVzdC5tYWxpdXRhLm9yZwBmb29iYXIzMzQ0 (previous base64 data may contain sensitive data)
Nov 20 07:24:20 kiliya dovecot: auth: Debug: ldap(niko...@test.maliuta.org,,<1kW2C65BFI2WZbl8>): cache miss
Nov 20 07:24:20 kiliya dovecot: auth: Debug: ldap(niko...@test.maliuta.org,): pass search: base=ou=mail,dc=mailuta,dc=org scope=subtree filter=(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixDeliveryAddress=niko...@test.maliuta.org)) fields=postfixDeliveryAddress,userPassword
Nov 20 07:24:20 kiliya dovecot: auth: ldap(niko...@test.maliuta.org,,<1kW2C65BFI2WZbl8>): unknown user (given password: )
Nov 20 07:24:22 kiliya dovecot: auth: Debug: client passdb out: FAIL#0111#011user=niko...@test.maliuta.org

-- 
Nikolai Lusan 
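Dovecot's "unknown user" line means the pass search returned no entry, and the debug line just before it prints the base and filter that were actually sent to the directory. In the log above that base is ou=mail,dc=mailuta,dc=org, while the ldapsearch that returned the entry was run with -b "ou=mail,dc=maliuta,dc=org", so the useful check is to compare the configured base and the expanded pass_filter, component by component, with what a working ldapsearch was given. The script below is an added example, not code from the post or from Dovecot; the conf text, the base, the account name alice@test.maliuta.org and the filter in it are constructed stand-ins for the values quoted above, and the %u/%n/%d expansion is a re-implementation for the purpose of the comparison, not Dovecot's own code.

```python
"""Cross-check a dovecot-ldap.conf.ext against a known-good ldapsearch.

Added example, not code from the post or from Dovecot.  Dovecot logs
"unknown user" when the pass search returns no entry and its debug line
prints the base and filter it used, so this compares those, component by
component, with what a working ldapsearch was given.
"""
import re

# Constructed sample conf, modelled on the one quoted in the post with the
# wrapped lines joined.  The bind dn says dc=maliuta while base says
# dc=mailuta: the kind of one-letter difference this check exists for.
SAMPLE_CONF = """\
# comments and blank lines are ignored
uris = ldap://localhost
dn = cn=admin,dc=maliuta,dc=org
dnpass = <placeholder>
auth_bind = no
base = ou=mail,dc=mailuta,dc=org
scope = subtree
default_pass_scheme = SSHA
pass_attrs = postfixDeliveryAddress=user,userPassword=password
pass_filter = (&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixDeliveryAddress=%u))
"""

# Constructed: base and filter a working ldapsearch was run with, and the
# login the client sent (a made-up account, not one from the post).
GOOD_BASE = "ou=mail,dc=maliuta,dc=org"
GOOD_USER = "alice@test.maliuta.org"
GOOD_FILTER = ("(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)"
               "(postfixDeliveryAddress=alice@test.maliuta.org))")

# RFC 4515 escapes for the characters that are special inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_conf(text):
    """Parse the 'key = value' lines of a dovecot-ldap.conf.ext style file."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # only the first '=' separates
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        conf[key.strip()] = value.strip()
    return conf


def dn_components(dn):
    """Split a DN into (attribute, value) pairs: attribute names are case-folded
    and whitespace around ',' and '=' is ignored.  Escaped commas inside values
    are not handled; none occur in DNs like the ones above."""
    if not dn:
        return []
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, user):
    """Expand Dovecot's %u (full login), %n (local part) and %d (domain) in a
    filter template.  Substituted values are escaped, as Dovecot's LDAP driver
    also escapes them, so a login containing '*' or ')' cannot widen the search."""
    local, _, domain = user.partition("@")
    values = {"%u": user, "%n": local, "%d": domain}
    return re.sub(r"%[und]", lambda m: escape_filter_value(values[m.group(0)]), template)


def check(conf, good_base, good_filter, user):
    """Return a list of findings; an empty list means conf and ldapsearch agree."""
    findings = []
    have = dn_components(conf.get("base", ""))
    want = dn_components(good_base)
    if len(have) != len(want):
        findings.append(f"base has {len(have)} RDNs, ldapsearch base has {len(want)}")
    for i, (h, w) in enumerate(zip(have, want)):
        if h != w:
            findings.append(f"base RDN {i}: conf has {h[0]}={h[1]}, ldapsearch used {w[0]}={w[1]}")
    # Heuristic: the search base normally sits in the same naming context as
    # the bind dn, so their last two components should agree.
    bind = dn_components(conf.get("dn", ""))
    if bind and have and bind[-2:] != have[-2:]:
        findings.append(f"base {conf['base']!r} is not under the suffix of bind dn {conf['dn']!r}")
    expanded = expand_filter(conf.get("pass_filter", ""), user)
    if expanded != good_filter:
        findings.append(f"expanded pass_filter differs:\n  conf: {expanded}\n  good: {good_filter}")
    return findings


if __name__ == "__main__":
    for line in check(parse_conf(SAMPLE_CONF), GOOD_BASE, GOOD_FILTER, GOOD_USER) or ["no differences found"]:
        print(line)
```

With the constructed conf the script reports the dc=mailuta versus dc=maliuta RDN and the base not lying under the bind dn's suffix; once the two DNs agree it reports nothing. One caveat visible in the log above: with auth_debug_passwords = yes the client's raw PLAIN response is written to mail.log, which is what the "(previous base64 data may contain sensitive data)" marker flags, so logs captured with that setting should be scrubbed before they are shared.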

Re: Good email client to use with Dovecot?

2016-11-19 Thread Ruga
TB is the closest thing to a functional Outlook replacement for office 
deployment. I have seen UN staff so distressed by IBM Lotus Notes that would 
have given someone else's left arm to have TB instead. I have mutt as a 
lifeboat, but it is not good enough for daily use in office.

On Mozilla not willing to spend on TB, I think it is a very good thing. I would 
rather see TB on github with a donation button than see it crippled with 
Firefox-like spyware.


On Sat, Nov 19, 2016 at 4:34 PM, Michael Felt <'mich...@felt.demon.nl'> wrote:
These discussions are at a very early stage. Finding the right solution
requires some effort. This is Mozilla focusing on a more forward looking
path, one aimed at longer term stability rather than continuing the
status quo.

Re: Good email client to use with Dovecot?

2016-11-19 Thread Oscar del Rio

On 17/11/2016 5:41 AM, Marc Stürmer wrote:
What to avoid like the pest is Outlook. Microsoft crippled the IMAP 
support in it starting with version 2010 on purpose to promote their 
own server technology on many levels. Using IMAP with Outlook is no 
fun, so just don't do it and if you need Outlook, you are better off 
with Microsoft's own tech stuff instead of IMAP.


I use Thunderbird most of the time but I also have to use Outlook. I 
have noticed that IMAP support in Outlook 2016 is much better than in 
previous versions. It was really bad in Outlook 2010 and 2013, having to 
delete and reconfigure the IMAP account quite often. I haven't had any 
issues since upgrading to Outlook 2016.


Re: Good email client to use with Dovecot?

2016-11-19 Thread Michael Felt

On 19/11/2016 16:18, Michael Felt wrote:

On 18/11/2016 14:19, Tanstaafl wrote:

Comments about the retired TB:
>https://blog.mozilla.org/thunderbird/


As far as webmail being the future - imho - I am getting away from it, 
and that is why dovecot is worth investigating as port to replace the 
imap program supplied with my server OS.


As far as the blog entry above - that is dated 9 december 2015, and 
nothing newer.
An older blog is, imho, more accurate about the relationship and hence 
status on the relationship of Mozilla as an 'owner' aka 'legal home' and 
Thunderbird as an 'owned project' - see


QUOTE from blog: 
https://blog.lizardwrangler.com/2015/12/03/thunderbird-update/


I’ve seen some characterize this as Mozilla “dropping” Thunderbird. This 
is not accurate. We are going to disentangle the technical 
infrastructure. We are going to assist the Thunderbird community. This 
includes working with organizations that want to invest in Thunderbird, 
several of which have stepped forward already. Mozilla Foundation will 
serve as a fiscal sponsor for Thunderbird donations during this time.


I also noted that we should look at whether Mozilla remains the best 
organizational and legal home for Thunderbird. This is a separate 
question from the technical infrastructure. This question is much more 
wide open. I don’t know what the answer will be. It could be that 
Mozilla remains the best home, based on history, affiliation and shared 
community. It could also be that a home geared to open source projects 
of Thunderbird’s size and scope is better suited. I can imagine either 
being the case. We have decided to separate the technical infrastructure 
and to explore what is best for Thunderbird and for the Mozilla project 
as a whole.


These discussions are at a very early stage. Finding the right solution 
requires some effort. This is Mozilla focusing on a more forward looking 
path, one aimed at longer term stability rather than continuing the 
status quo.


ENDQUOTE


Since someone also commented "more fixes than before" - I guess 
Thunderbird is "blogging" elsewhere - hint to where might be good in 
this thread.


It has certainly been an interesting read. Maybe I should use MUTT - 
as I have been a happy vi user for nearly 38 years (even coded it a 
bit in the pre-curses days - to add a new terminal ;) - ah memories :)


Re: Good email client to use with Dovecot?

2016-11-19 Thread Michael Felt

On 18/11/2016 14:19, Tanstaafl wrote:

Comments about the retired TB:
>https://blog.mozilla.org/thunderbird/


As far as webmail being the future - imho - I am getting away from it, 
and that is why dovecot is worth investigating as port to replace the 
imap program supplied with my server OS.


As far as the blog entry above - that is dated 9 december 2015, and 
nothing newer.


Since someone also commented "more fixes than before" - I guess 
Thunderbird is "blogging" elsewhere - hint to where might be good in 
this thread.


It has certainly been an interesting read. Maybe I should use MUTT - as 
I have been a happy vi user for nearly 38 years (even coded it a bit in 
the pre-curses days - to add a new terminal ;) - ah memories :)


Re: dovecot, configure and documentation as hardstop

2016-11-19 Thread Michael Felt

On 19/11/2016 15:09, Aki Tuomi wrote:

Michael

At the moment, pandoc is only *required* if you are building from git. And it's 
not even required then, just do env PANDOC=true ./configure ...

Aki


Thanks! guess I should have read ./configure --help more closely.

So, is there something else I have forgotten - in order to get a good 
summary

of the results of 'make check'?

Michael


Re: dovecot, configure and documentation as hardstop

2016-11-19 Thread Aki Tuomi

> On November 19, 2016 at 4:01 PM Michael Felt  wrote:
> 
> 
> Hi,
> 
> As preparations for a port to AIX - making sure I can get it to build on 
> linux with gcc. While it is fairly easy to add the requirements (on GNU 
> Linux) having pandoc as a configure "hardstop", even with --without-docs 
> or --with-docs=no is a bit worrisome as I am fearful that I may not be 
> able to get pandoc ported as well.
> 
> Hence a request that a missing pandoc become a warning, and just not done 
> when pandoc is not available, or at least accept one of --without-docs 
> and --with-docs=no (or should I be using --with-pandata=no? )
> 
> Michael

At the moment, pandoc is only *required* if you are building from git. And it's 
not even required then, just do env PANDOC=true ./configure ...

Aki


dovecot, configure and documentation as hardstop

2016-11-19 Thread Michael Felt

Hi,

As preparations for a port to AIX - making sure I can get it to build on 
linux with gcc. While it is fairly easy to add the requirements (on GNU 
Linux) having pandoc as a configure "hardstop", even with --without-docs 
or --with-docs=no is a bit worrisome as I am fearful that I may not be 
able to get pandoc ported as well.


Hence a request that a missing pandoc become a warning, and just not done 
when pandoc is not available, or at least accept one of --without-docs 
and --with-docs=no (or should I be using --with-pandata=no? )


Michael