Re: [Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)
On Fri, 2008-04-18 at 08:12 -0500, Jack McKinney wrote:
> > BTW: Do you use any sort of firewall, iptables or whatsoever on the mail,
> > dns or ldap server? Did you disable it?
>
> LDAP and IMAP are on the same server. Since the query and the result
> both show up in the LDAP logs, it couldn't be a firewall issue.

But last I asked Dovecot didn't log it with i_info(), meaning Dovecot
probably didn't receive the reply. So verifying with Wireshark that the
reply was really sent would get you further..
Re: [Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)
On Fri, 2008-04-18 at 10:10 +0200, Steffen Kaiser wrote:
> I got the impression that this is the problem, see the Doc:
> http://wiki.dovecot.org/AuthDatabase/LDAP
>
> pass_attrs = uid=user,userPassword=password
>
> This is the default, please add "mail=user" to your pass_attrs and re-add
> auth_bind. Also, kill all dovecot processes (well, you know: make sure it
> is the correct config that is used, e.g. add a syntax error, so you see it is
> even the correct file you're editing)

I did try it with mail=user; same failure mode. Since I also get this
failure mode with auth_bind = no, I don't think this is the issue.

> Rob had this in his conf:
>
> user_attrs = mail=user
> user_filter = (&(objectClass=user)(mail=%u))
> pass_attrs = mail=user,userPassword=password,mail=userdb_user
> pass_filter = (&(objectClass=user)(mail=%u))
>
> Note the two mail=user settings, I have them, too. Drop
> the mail=userdb_user, as you use another userdb.

Problematic, since my userdb is static.

> Rob also has
>
> user_global_uid = dovecot
> user_global_gid = dovecot
>
> "If you're using a single UID and GID for all the users, you can use
> user_global_uid and user_global_gid settings instead of returning them
> from LDAP." Which seems to apply to userdb only, but who knows?
>
> Also, could you please drop the TLS/SSL on the connection, if any, and
> sniff the connection?
>
> To sniff, use wireshark (ethereal) or tshark (tethereal) "port 389" as
> capture filter.
> wireshark understands the LDAP protocol and decodes it. Moreover, you see
> _what_ is returned in detail.

I am not using TLS/SSL for the LDAP connection.

> BTW: Do you use any sort of firewall, iptables or whatsoever on the mail,
> dns or ldap server? Did you disable it?

LDAP and IMAP are on the same server. Since the query and the result
both show up in the LDAP logs, it couldn't be a firewall issue.

-- 
Jack McKinney
GPG 1024D/99C6A174
[EMAIL PROTECTED] YM:lfaatsnat2006 AIM:jackmclorentz
Beware geeks bearing diffs
Re: [Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)
On Thu, 17 Apr 2008, Gavin Henry wrote:

>> So why is dovecot searching for uid? I am not asking it to; in fact, my
>> pass_attrs field is empty.
>
> I'm not sure, I was hoping someone else would know why. Is it a hard coded default?
>
>> Also, I have switched around my setup to not use auth_bind:
>>
>> hosts = ldap.lrtz
>> dn = cn=varmail,ou=users,dc=lorentz,dc=com
>> dnpass = ***
>> ldap_version = 3
>> auth_bind = no
>> pass_attrs = userPassword=password

I got the impression that this is the problem, see the Doc:
http://wiki.dovecot.org/AuthDatabase/LDAP

pass_attrs = uid=user,userPassword=password

This is the default, please add "mail=user" to your pass_attrs and re-add
auth_bind. Also, kill all dovecot processes (well, you know: make sure it
is the correct config that is used, e.g. add a syntax error, so you see it is
even the correct file you're editing)

Rob had this in his conf:

user_attrs = mail=user
user_filter = (&(objectClass=user)(mail=%u))
pass_attrs = mail=user,userPassword=password,mail=userdb_user
pass_filter = (&(objectClass=user)(mail=%u))

Note the two mail=user settings, I have them, too. Drop the
mail=userdb_user, as you use another userdb.

Rob also has

user_global_uid = dovecot
user_global_gid = dovecot

"If you're using a single UID and GID for all the users, you can use
user_global_uid and user_global_gid settings instead of returning them
from LDAP." Which seems to apply to userdb only, but who knows?

Also, could you please drop the TLS/SSL on the connection, if any, and
sniff the connection?

To sniff, use wireshark (ethereal) or tshark (tethereal) "port 389" as
capture filter.
wireshark understands the LDAP protocol and decodes it. Moreover, you see
_what_ is returned in detail.

BTW: Do you use any sort of firewall, iptables or whatsoever on the mail,
dns or ldap server? Did you disable it?

BTW: I didn't know you can use dn/dnpass for the initial lookup, now I know.

Bye,

-- 
Steffen Kaiser
Re: [Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)
> So why is dovecot searching for uid? I am not asking it to; in fact, my
> pass_attrs field is empty.

I'm not sure, I was hoping someone else would know why. Is it a hard coded default?

> Also, I have switched around my setup to not use auth_bind:
>
> hosts = ldap.lrtz
> dn = cn=varmail,ou=users,dc=lorentz,dc=com
> dnpass = ***
> ldap_version = 3
> auth_bind = no
> pass_attrs = userPassword=password
> pass_filter = (&(objectClass=inetOrgPerson)(mail=%Lu))
> base = ou=users, dc=%Dd
> scope = onelevel
>
> With this configuration, it becomes inconsistent. Sometimes my client
> authenticates, and sometimes my client goes through the same timeout as
> below.
> I have not had time to run enough trials to prove this, but it seems
> like this new configuration works for the first connection made to
> dovecot, and then times out on subsequent connections. If I restart
> dovecot, then I get one successful connection again, and then the others
> fail.
> I am not certain on this, however. I seem to remember the first
> connection timing out on one run...
>
> On Wed, 2008-04-16 at 23:20 +0100, Gavin Henry wrote:
>> > No, it isn't. I have verified the connection with "openssl s_client".
>> > Besides, the server is receiving the username "[EMAIL PROTECTED]", so
>> > the connection has already been made by this time.
>> > What is happening every time is that dovecot sends the correct query to
>> > OpenLDAP (as noted in the log below), OpenLDAP receives that query
>> > (according to its log) and responds with one match, but dovecot never
>> > seems to see that response. 180 seconds after the auth fails, dovecot
>> > drops the connection with the IMAP client for inactivity.
>>
>> I've gone back to your first post, and your slapd logs show:
>>
>> Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH
>> base="ou=users,dc=lorentz,dc=com" scope=1 deref=0
>> filter="(&(objectClass=inetOrgPerson)(mail=jackmc at lorentz.com))"
>> Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH attr=uid
>> Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SEARCH RESULT tag=101
>> err=0 nentries=1 text=
>>
>> Which shows the correct filter, but the requested attribute to return is
>> "uid", which is _not_ in your entry:
>>
>> # Jack McKinney, users, lorentz.com
>> dn: cn=Jack McKinney,ou=users,dc=lorentz,dc=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> cn: Jack McKinney
>> givenName: Jack McKinney
>> sn: McKinney
>> mail: jackmc at lorentz.com
>>
>> Try the same search again, but using (note uid on end):
>>
>> ldapsearch -h ldap.lrtz -b 'ou=users, dc=lorentz, dc=com' -D
>> 'cn=varmail,ou=users,dc=lorentz,dc=com' -x -W -s onelevel
>> '(&(objectClass=inetOrgPerson)(mail=jackmc at lorentz.com))' uid
>>
>> It should be empty, hence why dovecot isn't getting anything.
>
> -- 
> Jack McKinney
> GPG 1024D/99C6A174
> [EMAIL PROTECTED] YM:lfaatsnat2006 AIM:jackmclorentz
> Beware geeks bearing diffs
Re: [Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)
So why is dovecot searching for uid? I am not asking it to; in fact, my
pass_attrs field is empty.

Also, I have switched around my setup to not use auth_bind:

hosts = ldap.lrtz
dn = cn=varmail,ou=users,dc=lorentz,dc=com
dnpass = ***
ldap_version = 3
auth_bind = no
pass_attrs = userPassword=password
pass_filter = (&(objectClass=inetOrgPerson)(mail=%Lu))
base = ou=users, dc=%Dd
scope = onelevel

With this configuration, it becomes inconsistent. Sometimes my client
authenticates, and sometimes my client goes through the same timeout as
below.
I have not had time to run enough trials to prove this, but it seems
like this new configuration works for the first connection made to
dovecot, and then times out on subsequent connections. If I restart
dovecot, then I get one successful connection again, and then the others
fail.
I am not certain on this, however. I seem to remember the first
connection timing out on one run...

On Wed, 2008-04-16 at 23:20 +0100, Gavin Henry wrote:
> > No, it isn't. I have verified the connection with "openssl s_client".
> > Besides, the server is receiving the username "[EMAIL PROTECTED]", so
> > the connection has already been made by this time.
> > What is happening every time is that dovecot sends the correct query to
> > OpenLDAP (as noted in the log below), OpenLDAP receives that query
> > (according to its log) and responds with one match, but dovecot never
> > seems to see that response. 180 seconds after the auth fails, dovecot
> > drops the connection with the IMAP client for inactivity.
>
> I've gone back to your first post, and your slapd logs show:
>
> Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH
> base="ou=users,dc=lorentz,dc=com" scope=1 deref=0
> filter="(&(objectClass=inetOrgPerson)(mail=jackmc at lorentz.com))"
> Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH attr=uid
> Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SEARCH RESULT tag=101
> err=0 nentries=1 text=
>
> Which shows the correct filter, but the requested attribute to return is
> "uid", which is _not_ in your entry:
>
> # Jack McKinney, users, lorentz.com
> dn: cn=Jack McKinney,ou=users,dc=lorentz,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> cn: Jack McKinney
> givenName: Jack McKinney
> sn: McKinney
> mail: jackmc at lorentz.com
>
> Try the same search again, but using (note uid on end):
>
> ldapsearch -h ldap.lrtz -b 'ou=users, dc=lorentz, dc=com' -D
> 'cn=varmail,ou=users,dc=lorentz,dc=com' -x -W -s onelevel
> '(&(objectClass=inetOrgPerson)(mail=jackmc at lorentz.com))' uid
>
> It should be empty, hence why dovecot isn't getting anything.

-- 
Jack McKinney
GPG 1024D/99C6A174
[EMAIL PROTECTED] YM:lfaatsnat2006 AIM:jackmclorentz
Beware geeks bearing diffs
Re: [Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)
> No, it isn't. I have verified the connection with "openssl s_client".
> Besides, the server is receiving the username "[EMAIL PROTECTED]", so
> the connection has already been made by this time.
> What is happening every time is that dovecot sends the correct query to
> OpenLDAP (as noted in the log below), OpenLDAP receives that query
> (according to its log) and responds with one match, but dovecot never
> seems to see that response. 180 seconds after the auth fails, dovecot
> drops the connection with the IMAP client for inactivity.

I've gone back to your first post, and your slapd logs show:

Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH base="ou=users,dc=lorentz,dc=com" scope=1 deref=0 filter="(&(objectClass=inetOrgPerson)(mail=jackmc at lorentz.com))"
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH attr=uid
Apr 3 08:13:30 fourier slapd[14039]: conn=7 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=

Which shows the correct filter, but the requested attribute to return is
"uid", which is _not_ in your entry:

# Jack McKinney, users, lorentz.com
dn: cn=Jack McKinney,ou=users,dc=lorentz,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Jack McKinney
givenName: Jack McKinney
sn: McKinney
mail: jackmc at lorentz.com

Try the same search again, but using (note uid on end):

ldapsearch -h ldap.lrtz -b 'ou=users, dc=lorentz, dc=com' -D 'cn=varmail,ou=users,dc=lorentz,dc=com' -x -W -s onelevel '(&(objectClass=inetOrgPerson)(mail=jackmc at lorentz.com))' uid

It should be empty, hence why dovecot isn't getting anything.
Re: [Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)
No, it isn't. I have verified the connection with "openssl s_client".
Besides, the server is receiving the username "[EMAIL PROTECTED]", so
the connection has already been made by this time.

What is happening every time is that dovecot sends the correct query to
OpenLDAP (as noted in the log below), OpenLDAP receives that query
(according to its log) and responds with one match, but dovecot never
seems to see that response. 180 seconds after the auth fails, dovecot
drops the connection with the IMAP client for inactivity.

On Wed, 2008-04-16 at 19:41 +0100, Gavin Henry wrote:
> > Apr 3 08:13:21 fourier dovecot: auth(default): new auth connection:
> > pid=15774
> > Apr 3 08:13:30 fourier dovecot: auth(default): client in:
> > AUTH^I1^IPLAIN^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=y.y.y.y^Iresp=
> > Apr 3 08:13:30 fourier dovecot: auth(default):
> > ldap([EMAIL PROTECTED],y.y.y.y): bind search: base=ou=users,
> > dc=lorentz,dc=com
> > filter=(&(objectClass=inetOrgPerson)([EMAIL PROTECTED]))
> > Apr 3 08:16:30 fourier dovecot: imap-login: Disconnected: Inactivity:
> > method=PLAIN, rip=y.y.y.y, lip=x.x.x.x, TLS
> >
> This isn't a TLS mismatch kind of thing is it?

-- 
Jack McKinney
GPG 1024D/99C6A174
[EMAIL PROTECTED] YM:lfaatsnat2006 AIM:jackmclorentz
Beware geeks bearing diffs
Re: [Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)
> Apr 3 08:13:21 fourier dovecot: auth(default): new auth connection:
> pid=15774
> Apr 3 08:13:30 fourier dovecot: auth(default): client in:
> AUTH^I1^IPLAIN^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=y.y.y.y^Iresp=
> Apr 3 08:13:30 fourier dovecot: auth(default):
> ldap([EMAIL PROTECTED],y.y.y.y): bind search: base=ou=users,
> dc=lorentz,dc=com
> filter=(&(objectClass=inetOrgPerson)([EMAIL PROTECTED]))
> Apr 3 08:16:30 fourier dovecot: imap-login: Disconnected: Inactivity:
> method=PLAIN, rip=y.y.y.y, lip=x.x.x.x, TLS

This isn't a TLS mismatch kind of thing is it?
Re: [Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)
Apr 3 08:13:21 fourier dovecot: auth(default): new auth connection: pid=15774
Apr 3 08:13:30 fourier dovecot: auth(default): client in: AUTH^I1^IPLAIN^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=y.y.y.y^Iresp=
Apr 3 08:13:30 fourier dovecot: auth(default): ldap([EMAIL PROTECTED],y.y.y.y): bind search: base=ou=users, dc=lorentz,dc=com filter=(&(objectClass=inetOrgPerson)([EMAIL PROTECTED]))
Apr 3 08:16:30 fourier dovecot: imap-login: Disconnected: Inactivity: method=PLAIN, rip=y.y.y.y, lip=x.x.x.x, TLS

For full details, see the original email. It would appear from the
OpenLDAP logs that OpenLDAP is sending the match, but that dovecot is not
receiving it.

On Wed, 2008-04-16 at 15:31 +0100, Gavin Henry wrote:
> > My config is almost exactly the same as yours, except that I use static
> > userdb and I do not have (nor do I understand the need for; see my
> > previous post) pass_attrs. I tried putting them in matching yours, but
> > it still fails the same way: OpenLDAP receives the query and (according
> > to its logs) responds with nentries=1 (i.e., exactly one match, as
> > expected). However, dovecot never sees the response from OpenLDAP.
>
> What do you see in the dovecot logs with auth debug on?

-- 
Jack McKinney
GPG 1024D/99C6A174
[EMAIL PROTECTED] YM:lfaatsnat2006 AIM:jackmclorentz
Beware geeks bearing diffs
Re: [Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)
> My config is almost exactly the same as yours, except that I use static
> userdb and I do not have (nor do I understand the need for; see my
> previous post) pass_attrs. I tried putting them in matching yours, but
> it still fails the same way: OpenLDAP receives the query and (according
> to its logs) responds with nentries=1 (i.e., exactly one match, as
> expected). However, dovecot never sees the response from OpenLDAP.

What do you see in the dovecot logs with auth debug on?
[Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)
It seems that Rob and I are doing almost exactly the same thing except:

- He uses AD, I use OpenLDAP
- His works, mine doesn't.

I have:

- Red Hat Linux release 7.2 (Enigma)
- OpenLDAP 2.3.38
- Dovecot 1.0.12, 1.0.13, and 1.1.rc4 (they all fail the same way).

Sigh...

Rob,

It sounds like you are trying to do EXACTLY what I am trying to do:

1. My users login with their email address.

2a. My users are all over the tree in the sense that you cannot determine
the DN from the email alone. E.g., I am [EMAIL PROTECTED], but my DN is
"cn=Jack McKinney, ou=users, dc=lorentz, dc=com". Thus, I need to do a
lookup to get the DN to use for auth_bind. However,

2b. My users have contact databases under their DNs. For example, all of
my contacts are in ou=AddressBook,cn=Jack McKinney, ou=users, dc=lorentz,
dc=com. If I did a subtree search, then [EMAIL PROTECTED] would pick up my
DN, plus the DN of any entry in anyone's addressbook for me. I.e., if
[EMAIL PROTECTED] had an account on my system, and they had an entry in
their addressbook, then the subtree query for [EMAIL PROTECTED] would turn
up two entries:

dn: cn=Jack McKinney, ou=users, dc=lorentz, dc=com
dn: cn=Jack McKinney, ou=AddressBook, cn=Foo Bar, ou=users, dc=example, dc=com

Thus, I do a query with base "ou=users, dc=%Dd" and scope = onelevel, so
that only the real users are matched.

3. My users do not have any logins on the system. Just like a web server
is just a web server and not a login system, the same with my email: all
mail lives under the same username and group (varmail/varmail), and
everyone's maildir is /var/mail/domain/user/Maildir/

My config is almost exactly the same as yours, except that I use static
userdb and I do not have (nor do I understand the need for; see my
previous post) pass_attrs. I tried putting them in matching yours, but it
still fails the same way: OpenLDAP receives the query and (according to
its logs) responds with nentries=1 (i.e., exactly one match, as expected).
However, dovecot never sees the response from OpenLDAP.

On Wed, 2008-04-16 at 11:17 +, Rob Coward wrote:
> On Wed, 2008-04-16 at 10:39 +0100, Wojtek Bogusz wrote:
> > dear Rob, thank you for support!
> > there are small differences in mine and yours config, like:
> >
> > - you do not have auth_bind_userdn defined. if i comment my out i cannot
> > authenticate at all - log file:
> > auth(default): ldap(wojtek,192.168.0.200): unknown user
> > dovecot: auth(default): client out: FAIL^I1^Iuser=wojtek
>
> Our initial connection is made using the "dn" and "dnpass" settings.
> This looks up the user's dn based on the "(&(objectClass=user)(mail=%u))"
> search criteria.
>
> My understanding of the auth_bind_userdn setting is that it is only
> useful if all your users are in a specific tree in the ldap, so that you
> can specify (from
> http://wiki.dovecot.org/HowTo/DovecotOpenLdap?highlight=%28auth_bind_userdn%29 )
> auth_bind_userdn = uid=%u,ou=People,dc=_WIZZY_HOSTNAME_,ou=wizzy
>
> This I believe saves the first lookup to find the dn of the user trying
> to login. Our users are spread throughout our tree, hence using the
> initial lookup as the 'dn'/'dnpass' user to find our user's dn.
>
> If you remove auth_bind_userdn, do you have 'dn' & 'dnpass' setup with a
> suitable unprivileged user to allow the initial lookup of the logging-in
> user's dn ?
>
> > - you have user_attrs = mail=user, me: user_attrs =
> > homeDirectory=home,uidNumber=uid. but i do not think it makes any difference.
>
> Our users login with their email address as the userid - hence
> "mail=user" telling dovecot that the userid is stored in the 'mail'
> attribute in the ldap results. We don't bother with 'home' or 'uid' as
> they are all virtual users, using a fixed uid set by "user_global_uid =
> dovecot" and "mail_location: maildir:/data/shared/mailstore/%d/%n"
>
> > - i did not have deref = never. do you know what does it do? i do not
> > understand man ldapsearch explanation :(
>
> something to do with following links to other ldap servers I think. Don't
> think it's strictly necessary in a single server setup.
>
> > Rob, could you send me your ldap config (/etc/ldap/slapd.conf) please?
> > maybe i am making some simple mistake with my ldap config...
>
> As I said, we use Active Directory (running on Win2k3 servers I
> believe), not slapd.
>
> Regards,
> Rob
>
> > Rob Coward wrote:
> > > I can't help you with what is going wrong for you, but we use dovecot
> > > very successfully with ldap lookups against Active Directory, using
> > > auth_bind=yes, and it does not require anonymous connections. The
> > > initial connection is by an un-privileged user that searches for the
> > > user, then a 2nd connection is used, authenticating against AD as the
> > > looked up user using the password supplied to dovecot.
> > >
> > > Our setup looks like this:
> > >
> > > # rpm -q dovecot
> > > dovecot-1.0-1.2.0.el5
> >
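As an added example (not code from the thread, from Dovecot or from OpenLDAP), a small Python model of the two LDAP details argued over in this thread: the onelevel-versus-subtree scope choice Jack describes for address-book copies, and Gavin's point that a search can return nentries=1 while carrying none of the requested attributes, so a pass_attrs mapping of uid=user yields no user. The directory contents, the address-book DN and the password value are constructed for the example.

```python
# Added example, not code from the thread or from Dovecot/OpenLDAP: a small
# model of two LDAP details discussed above. (1) Jack's scope choice: a
# subtree search from ou=users also matches address-book copies of a person,
# while onelevel matches only the real account. (2) Gavin's observation: a
# search can return nentries=1 yet carry none of the requested attributes
# (SRCH attr=uid against an entry that has no uid), so Dovecot gets no user.

# Constructed sample directory modelled on the DNs quoted in the thread.
# The userPassword value is a placeholder, not a real hash.
DIRECTORY = {
    "cn=Jack McKinney,ou=users,dc=lorentz,dc=com": {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "cn": ["Jack McKinney"], "sn": ["McKinney"],
        "mail": ["jackmc@lorentz.com"],
        "userPassword": ["{SSHA}placeholder"],
    },
    # A copy of Jack in another user's address book (constructed).
    "cn=Jack McKinney,ou=AddressBook,cn=Foo Bar,ou=users,dc=lorentz,dc=com": {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "cn": ["Jack McKinney"], "sn": ["McKinney"],
        "mail": ["jackmc@lorentz.com"],
    },
}


def split_dn(dn):
    """Split a DN into RDN components, tolerating spaces after commas."""
    return [rdn.strip() for rdn in dn.split(",")]


def in_scope(dn, base, scope):
    """True if dn lies within base for LDAP scope 'onelevel' or 'sub'."""
    parts, base_parts = split_dn(dn), split_dn(base)
    if parts[-len(base_parts):] != base_parts:
        return False
    depth = len(parts) - len(base_parts)   # 0 means dn is the base itself
    return depth == 1 if scope == "onelevel" else True


def search(base, scope, mail, attrs):
    """Model slapd: apply (&(objectClass=inetOrgPerson)(mail=<mail>)) inside
    the scope, then project only the requested attributes, as 'SRCH attr=uid'
    does in the log. Returns [(dn, {attr: values})]; missing attrs are absent."""
    hits = []
    for dn, entry in DIRECTORY.items():
        if not in_scope(dn, base, scope):
            continue
        mails = [m.lower() for m in entry.get("mail", [])]  # mail is caseIgnore
        if "inetOrgPerson" not in entry["objectClass"] or mail.lower() not in mails:
            continue
        hits.append((dn, {a: entry[a] for a in attrs if a in entry}))
    return hits


def parse_pass_attrs(spec):
    """Parse Dovecot's pass_attrs syntax 'ldapAttr=field,ldapAttr=field'. The
    same LDAP attribute may map to several fields (mail=user,...,mail=userdb_user)."""
    return [tuple(item.split("=", 1)) for item in spec.split(",") if item]


def dovecot_fields(spec, ldap_attrs):
    """Map a returned entry's attributes onto Dovecot passdb fields; an LDAP
    attribute the entry lacks (uid here) produces no field at all."""
    return {field: ldap_attrs[attr][0]
            for attr, field in parse_pass_attrs(spec) if attr in ldap_attrs}
```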