Re: [Dovecot] Using ldap and pam

2013-08-06 Thread Bo Lynch
On Tue, August 6, 2013 2:41 am, Steffen Kaiser wrote:
> On Mon, 5 Aug 2013, Bo Lynch wrote:
>
>> Having some issues with ldap logins. I am using CentOS 5,
>> dovecot-1.0.13-1.el5.rfx and openldap-servers-2.3.43-25.el5_8.1
>> Trying to get this to work with the SoGo interface. First I converted all
>> my standard system users to ldap using the openldap-tools. This worked
>> fine, however when a user changes their password they can no longer see
>> their email. If they change it back to the original password mail can be
>> seen. This has stumped me for a day or so, so I was hoping someone could
>> shed some light.
>
> What are in the logs? http://wiki1.dovecot.org/Logging see auth_debug=yes
>
>> /etc/dovecot.conf
>> protocols = imap imaps
>> disable_plaintext_auth = no
>> mbox_read_locks = fcntl
>> mbox_write_locks = fcntl
>> protocol imap {
>> }
>> protocol pop3 {
>> }
>> protocol lda {
>>   postmaster_address = postmas...@example.com
>> }
>> auth default {
>> mechanisms = plain login
>>   passdb pam {
>>   }
>>   passdb ldap {
>> args = /etc/dovecot-ldap.pass
>>   }
>
> You first query PAM then LDAP. If your users are in passwd still, you get
> a failed password response.
>
>>   userdb passwd {
>>   }
>
> You read the user data from passwd? I think you've migrated to LDAP?
>
>>   user = root
>>   user = root
>>   socket listen {
>> client {
>>   path = /var/spool/postfix/private/auth
>>   mode = 0660
>>   user = postfix
>>   group = postfix
>> }
>>   }
>> }
>> dict {
>> }
>> plugin {
>> }
>>
>> /etc/dovecot-ldap.conf
>> hosts = 127.0.0.1:389
>> sasl_bind = no
>> auth_bind = yes
>> auth_bind = no
>> ldap_version = 3
>> deref = never
>> dn = cn=sogo,dc=ameliaschools,dc=com
>> dnpass=password
>> base = dc=ameliaschools,dc=com
>> scope = subtree
>> pass_attrs = uid=user, userPassword=password
>> pass_filter = (uid=%u)

Is it possible to have 2 auth methods? Meaning if user and passwd does not
match in pam then go with ldap?




Re: [Dovecot] Using ldap and pam

2013-08-06 Thread Bo Lynch
On Tue, August 6, 2013 9:04 am, Steffen Kaiser wrote:
> On Tue, 6 Aug 2013, Bo Lynch wrote:
>
>>   passdb pam {
>>   }
>>   passdb ldap {
>> args = /etc/dovecot-ldap.pass
>>   }
>
>> Is it possible to have 2 auth methods? Meaning if user and passwd does
>> not match in pam then go with ldap?
>
> as far as I know, if PAM returns no such user, the next passdb is tried.
> If PAM returns password mismatch, it chains to next passdb.
>
> BTW: Dovecot also caches passwords, maybe you are hit by it?

In the logs I am seeing:

dovecot: Aug 06 09:08:45 Info: auth(default): ldap(blynch,69.21.103.133): pass search: base=dc=ameliaschools,dc=com scope=subtree filter=((objectClass=posixAccount)(uid=blynch)) fields=uid, userPassword
dovecot: Aug 06 09:08:45 Info: auth(default): ldap(blynch,69.21.103.133): result: uid(user)=blynch
dovecot: Aug 06 09:08:46 Info: auth(default): client out: FAIL  1  user=blynch temp

and

dovecot: Aug 06 09:08:48 Error: auth(default): ldap(blynch,69.21.103.133): No password in reply
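The log excerpt above packs two separate signals into four lines, and it is easy to read the "FAIL" as a wrong password when it is not. The script below is an added example (not code from the thread or from Dovecot): it parses Dovecot 1.x auth(default) lines, groups them by user, and reports what each attempt actually tells you. The sample log is constructed; its first four lines mirror the excerpt quoted above (with the auth protocol's tabs already flattened to spaces by the mail client) and the "alice" lines are invented to show a successful lookup for contrast. Function names and the report layout are my own choices.

```python
"""Triage Dovecot 1.x auth-debug log lines by user.

Added example, not code from the thread or from Dovecot. Two things the raw
lines do not say out loud: a "FAIL ... temp" reply to the auth client is a
temporary (internal) failure, not a password mismatch; and an ldap passdb
"No password in reply" error means the user entry was found but the LDAP
attribute mapped to 'password' in pass_attrs came back empty.
"""
import re
from collections import defaultdict

# Constructed sample: first four lines mirror the thread's excerpt, the
# 'alice' lines are made up to show a successful lookup.
SAMPLE_LOG = """\
dovecot: Aug 06 09:08:45 Info: auth(default): ldap(blynch,69.21.103.133): pass search: base=dc=ameliaschools,dc=com scope=subtree filter=((objectClass=posixAccount)(uid=blynch)) fields=uid, userPassword
dovecot: Aug 06 09:08:45 Info: auth(default): ldap(blynch,69.21.103.133): result: uid(user)=blynch
dovecot: Aug 06 09:08:46 Info: auth(default): client out: FAIL  1  user=blynch temp
dovecot: Aug 06 09:08:48 Error: auth(default): ldap(blynch,69.21.103.133): No password in reply
dovecot: Aug 06 09:10:02 Info: auth(default): ldap(alice,192.0.2.10): pass search: base=dc=ameliaschools,dc=com scope=subtree filter=((objectClass=posixAccount)(uid=alice)) fields=uid, userPassword
dovecot: Aug 06 09:10:02 Info: auth(default): ldap(alice,192.0.2.10): result: uid(user)=alice
dovecot: Aug 06 09:10:02 Info: auth(default): client out: OK  2  user=alice
"""

LINE_RE = re.compile(
    r"^dovecot: (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+): "
    r"auth\(\w+\): (?P<msg>.*)$"
)
# "<driver>(<user>,<ip>): <detail>" lines written by a passdb/userdb driver
PASSDB_RE = re.compile(r"^(?P<driver>\w+)\((?P<user>[^,]+),(?P<ip>[^)]+)\): (?P<detail>.*)$")
# replies sent back to the auth client (imap-login, Postfix via the socket, ...)
CLIENT_RE = re.compile(r"^client out: (?P<status>OK|FAIL|CONT)\s+\d+(?P<params>.*)$")


def parse_log(text):
    """Return one event dict per recognised auth line, in file order."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = {"ts": m["ts"], "level": m["level"], "kind": "other", "msg": m["msg"]}
        pm = PASSDB_RE.match(m["msg"])
        cm = CLIENT_RE.match(m["msg"])
        if pm:
            ev.update(kind="passdb", driver=pm["driver"], user=pm["user"],
                      ip=pm["ip"], detail=pm["detail"])
        elif cm:
            params = cm["params"].split()
            user = next((p[5:] for p in params if p.startswith("user=")), None)
            ev.update(kind="client", status=cm["status"], user=user,
                      temp="temp" in params)
        events.append(ev)
    return events


def diagnose(events):
    """Summarise each user's attempts as {'outcome', 'lookups', 'reason'}."""
    per_user = defaultdict(lambda: {"lookups": 0, "errors": [], "outcome": "no-reply"})
    for ev in events:
        if ev["kind"] == "passdb":
            rec = per_user[ev["user"]]
            if ev["detail"].startswith("pass search"):
                rec["lookups"] += 1
            if ev["level"] == "Error":
                rec["errors"].append(ev["detail"])
        elif ev["kind"] == "client" and ev["user"]:
            rec = per_user[ev["user"]]
            if ev["status"] == "OK":
                rec["outcome"] = "ok"
            elif ev["status"] == "FAIL":
                rec["outcome"] = "temp-fail" if ev["temp"] else "auth-fail"
    report = {}
    for user, rec in per_user.items():
        if rec["outcome"] == "ok":
            reason = "authenticated"
        elif any("No password in reply" in e for e in rec["errors"]):
            reason = ("ldap passdb found the user but no password attribute was "
                      "returned; with auth_bind = no the bind DN must be able to "
                      "read the attribute mapped to 'password' in pass_attrs")
        elif rec["outcome"] == "temp-fail":
            reason = "temporary failure inside a passdb, not a wrong password; look for Error lines nearby"
        elif rec["outcome"] == "auth-fail":
            reason = "password mismatch or unknown user"
        else:
            reason = "no reply to the auth client seen"
        report[user] = {"outcome": rec["outcome"], "lookups": rec["lookups"], "reason": reason}
    return report


if __name__ == "__main__":
    for user, info in diagnose(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {info['outcome']} ({info['lookups']} lookup(s)) - {info['reason']}")
```

Run against the sample, blynch comes out as a temporary failure explained by the missing password attribute, while alice authenticates; feeding it a real log (with auth_debug=yes, as suggested earlier in the thread) lets you see at a glance whether a user is hitting the LDAP lookup at all, or whether a passdb earlier in the chain answered first.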




[Dovecot] Using ldap and pam

2013-08-05 Thread Bo Lynch
Having some issues with ldap logins. I am using CentOS 5,
dovecot-1.0.13-1.el5.rfx and openldap-servers-2.3.43-25.el5_8.1
Trying to get this to work with the SoGo interface. First I converted all
my standard system users to ldap using the openldap-tools. This worked
fine, however when a user changes their password they can no longer see
their email. If they change it back to the original password mail can be
seen. This has stumped me for a day or so, so I was hoping someone could
shed some light.

/etc/dovecot.conf
protocols = imap imaps
disable_plaintext_auth = no
mbox_read_locks = fcntl
mbox_write_locks = fcntl
protocol imap {
}
protocol pop3 {
}
protocol lda {
  postmaster_address = postmas...@example.com
}
auth default {
mechanisms = plain login
  passdb pam {
  }
  passdb ldap {
args = /etc/dovecot-ldap.pass
  }
  userdb passwd {
  }
  user = root
  user = root
  socket listen {
client {
  path = /var/spool/postfix/private/auth
  mode = 0660
  user = postfix
  group = postfix
}
  }
}
dict {
}
plugin {
}

/etc/dovecot-ldap.conf
hosts = 127.0.0.1:389
sasl_bind = no
auth_bind = yes
auth_bind = no
ldap_version = 3
deref = never
dn = cn=sogo,dc=ameliaschools,dc=com
dnpass=password
base = dc=ameliaschools,dc=com
scope = subtree
pass_attrs = uid=user, userPassword=password
pass_filter = (uid=%u)
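Two details in the posted files are worth checking before anything else: auth_bind appears twice (yes, then no), and dovecot.conf points the ldap passdb at /etc/dovecot-ldap.pass while the file shown is /etc/dovecot-ldap.conf. The linter below is an added example, not Dovecot code or anything from the thread. It reads a dovecot-ldap.conf the way Dovecot's settings reader does (lines in order, a repeated key keeps its last value) and reports settings that work against each other. The embedded SAMPLE_CONF is a constructed copy of the file posted above; function names and finding texts are my own, and the explanation of what auth_bind = no requires is general Dovecot behaviour rather than something the thread states.

```python
"""Lint a Dovecot 1.x dovecot-ldap.conf for settings that work against
each other. Added example, not Dovecot code.

Dovecot applies key = value lines top to bottom, so a repeated key keeps
its last value: "auth_bind = yes" followed by "auth_bind = no" leaves
auth_bind off. With auth_bind off Dovecot does not bind as the user; it
reads the LDAP attribute mapped to "password" in pass_attrs using the
dn/dnpass account and verifies the password itself, so that account must
be allowed to read the attribute (normally userPassword). If the attribute
is not returned, the lookup ends with "No password in reply".
"""
import re

# Constructed copy of the dovecot-ldap.conf posted in the thread.
SAMPLE_CONF = """\
hosts = 127.0.0.1:389
sasl_bind = no
auth_bind = yes
auth_bind = no
ldap_version = 3
deref = never
dn = cn=sogo,dc=ameliaschools,dc=com
dnpass=password
base = dc=ameliaschools,dc=com
scope = subtree
pass_attrs = uid=user, userPassword=password
pass_filter = (uid=%u)
"""

SETTING_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_conf(text):
    """Return (effective, history): effective is the last-wins mapping,
    history maps each key to every value it was given, in file order."""
    effective, history = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = SETTING_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        history.setdefault(key, []).append(value)
        effective[key] = value
    return effective, history


def attr_map(pass_attrs):
    """Parse 'ldapAttr=field, ldapAttr2=field2' into {field: ldapAttr}."""
    out = {}
    for item in pass_attrs.split(","):
        if "=" in item:
            ldap_attr, field = (s.strip() for s in item.split("=", 1))
            out[field] = ldap_attr
    return out


def lint(effective, history):
    """Return findings as (severity, message) tuples."""
    findings = []
    for key, values in history.items():
        if len(values) > 1:
            findings.append(("warn", f"{key} is set {len(values)} times "
                             f"({' -> '.join(values)}); Dovecot keeps '{values[-1]}'"))
    auth_bind = effective.get("auth_bind", "no").lower() == "yes"
    pw_attr = attr_map(effective.get("pass_attrs", "")).get("password")
    bind_dn = effective.get("dn", "<anonymous>")
    if auth_bind:
        if not effective.get("pass_filter") and not effective.get("auth_bind_userdn"):
            findings.append(("error", "auth_bind = yes needs pass_filter or "
                             "auth_bind_userdn to locate the user's DN"))
    elif pw_attr is None:
        findings.append(("error", "auth_bind = no but pass_attrs maps no LDAP "
                         "attribute to 'password', so nothing can be verified"))
    else:
        findings.append(("info", f"auth_bind = no: Dovecot reads '{pw_attr}' as "
                         f"{bind_dn} and verifies the password itself; if that DN "
                         f"cannot read {pw_attr} the lookup fails with "
                         "'No password in reply'"))
    if "dnpass" in effective and effective["dnpass"] in {"", "password", "secret"}:
        findings.append(("warn", "dnpass looks like a placeholder; the file holding "
                         "it should also be readable only by the Dovecot auth process"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(*parse_conf(SAMPLE_CONF)):
        print(f"[{severity}] {message}")
```

On the posted file this flags the duplicated auth_bind, explains what the effective auth_bind = no commits the bind DN cn=sogo to, and points at the placeholder dnpass. Switching to auth_bind = yes removes the need for anyone but the user to read userPassword, which is usually the more defensible setup; whichever way it goes, make sure the file Dovecot actually reads (the one named in passdb ldap { args = ... }) is the one being edited.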