Re: [Dovecot] Using ldap and pam

2013-08-06 Thread Steffen Kaiser


On Mon, 5 Aug 2013, Bo Lynch wrote:


Having some issues with ldap logins. I am using CentOS 5,
dovecot-1.0.13-1.el5.rfx and openldap-servers-2.3.43-25.el5_8.1.
Trying to get this to work with the SoGo interface. First I converted all
my standard system users to ldap using the openldap-tools. This worked
fine, however when a user changes their password they can no longer see
their email. If they change it back to the original password, mail can be
seen. This has stumped me for a day or so, so I was hoping someone could
shed some light.


What is in the logs? See http://wiki1.dovecot.org/Logging (auth_debug=yes).


/etc/dovecot.conf
protocols = imap imaps
disable_plaintext_auth = no
mbox_read_locks = fcntl
mbox_write_locks = fcntl
protocol imap {
}
protocol pop3 {
}
protocol lda {
 postmaster_address = postmas...@example.com
}
auth default {
mechanisms = plain login
 passdb pam {
 }
 passdb ldap {
   args = /etc/dovecot-ldap.pass
 }


You first query PAM, then LDAP. If your users are still in passwd, you get 
a failed password response.



 userdb passwd {
 }


You read the user data from passwd? I think you've migrated to LDAP?


 user = root
 user = root
 socket listen {
   client {
 path = /var/spool/postfix/private/auth
 mode = 0660
 user = postfix
 group = postfix
   }
 }
}
dict {
}
plugin {
}

/etc/dovecot-ldap.conf
hosts = 127.0.0.1:389
sasl_bind = no
auth_bind = yes
auth_bind = no
ldap_version = 3
deref = never
dn = cn=sogo,dc=ameliaschools,dc=com
dnpass=password
base = dc=ameliaschools,dc=com
scope = subtree
pass_attrs = uid=user, userPassword=password
pass_filter = (uid=%u)
-- 
Steffen Kaiser



Re: [Dovecot] Using ldap and pam

2013-08-06 Thread Bo Lynch
On Tue, August 6, 2013 2:41 am, Steffen Kaiser wrote:

 On Mon, 5 Aug 2013, Bo Lynch wrote:

 Having some issues with ldap logins. I am using CentOS 5,
 dovecot-1.0.13-1.el5.rfx and openldap-servers-2.3.43-25.el5_8.1.
 Trying to get this to work with the SoGo interface. First I converted
 all my standard system users to ldap using the openldap-tools. This worked
 fine, however when a user changes their password they can no longer see
 their email. If they change it back to the original password, mail can be
 seen. This has stumped me for a day or so, so I was hoping someone could
 shed some light.

 What is in the logs? See http://wiki1.dovecot.org/Logging (auth_debug=yes).

 /etc/dovecot.conf
 protocols = imap imaps
 disable_plaintext_auth = no
 mbox_read_locks = fcntl
 mbox_write_locks = fcntl
 protocol imap {
 }
 protocol pop3 {
 }
 protocol lda {
  postmaster_address = postmas...@example.com
 }
 auth default {
 mechanisms = plain login
  passdb pam {
  }
  passdb ldap {
args = /etc/dovecot-ldap.pass
  }

 You first query PAM, then LDAP. If your users are still in passwd, you get
 a failed password response.

  userdb passwd {
  }

 You read the user data from passwd? I think you've migrated to LDAP?

  user = root
  user = root
  socket listen {
client {
  path = /var/spool/postfix/private/auth
  mode = 0660
  user = postfix
  group = postfix
}
  }
 }
 dict {
 }
 plugin {
 }

 /etc/dovecot-ldap.conf
 hosts = 127.0.0.1:389
 sasl_bind = no
 auth_bind = yes
 auth_bind = no
 ldap_version = 3
 deref = never
 dn = cn=sogo,dc=ameliaschools,dc=com
 dnpass=password
 base = dc=ameliaschools,dc=com
 scope = subtree
 pass_attrs = uid=user, userPassword=password
 pass_filter = (uid=%u)

Is it possible to have 2 auth methods? Meaning if user and passwd do not
match in pam then go with ldap?




Re: [Dovecot] Using ldap and pam

2013-08-06 Thread Steffen Kaiser


On Tue, 6 Aug 2013, Bo Lynch wrote:


 passdb pam {
 }
 passdb ldap {
   args = /etc/dovecot-ldap.pass
 }



Is it possible to have 2 auth methods? Meaning if user and passwd do not
match in pam then go with ldap?


As far as I know, if PAM returns "no such user", the next passdb is tried. 
If PAM returns a password mismatch, it chains to the next passdb.


BTW: Dovecot also caches passwords, maybe you are hit by it?

-- 
Steffen Kaiser



Re: [Dovecot] Using ldap and pam

2013-08-06 Thread Bo Lynch
On Tue, August 6, 2013 9:04 am, Steffen Kaiser wrote:

 On Tue, 6 Aug 2013, Bo Lynch wrote:

  passdb pam {
  }
  passdb ldap {
args = /etc/dovecot-ldap.pass
  }

 Is it possible to have 2 auth methods? Meaning if user and passwd do
 not match in pam then go with ldap?

 As far as I know, if PAM returns "no such user", the next passdb is tried.
 If PAM returns a password mismatch, it chains to the next passdb.

 BTW: Dovecot also caches passwords, maybe you are hit by it?


In the logs I am seeing:
dovecot: Aug 06 09:08:45 Info: auth(default): ldap(blynch,69.21.103.133):
pass search: base=dc=ameliaschools,dc=com scope=subtree
filter=((objectClass=posixAccount)(uid=blynch)) fields=uid, userPassword
dovecot: Aug 06 09:08:45 Info: auth(default): ldap(blynch,69.21.103.133):
result: uid(user)=blynch
dovecot: Aug 06 09:08:46 Info: auth(default): client out: FAIL  1  
user=blynch temp
and
dovecot: Aug 06 09:08:48 Error: auth(default): ldap(blynch,69.21.103.133):
No password in reply




Re: [Dovecot] Using ldap and pam

2013-08-06 Thread Timo Sirainen
On 6.8.2013, at 16.11, Bo Lynch bly...@ameliaschools.com wrote:

 dovecot: Aug 06 09:08:48 Error: auth(default): ldap(blynch,69.21.103.133):
 No password in reply

LDAP isn't returning a password field, probably because the dn doesn't have 
access to that field. Either give it access, or switch to auth_bind=yes.

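A small log-triage script, added here as an example and not part of this thread or of Dovecot: it parses auth_debug lines of the shape Bo posted, compares the attributes Dovecot requested (fields=) with those the bind DN actually got back (result:), and reports the condition Timo diagnosed, separating it from a plain wrong-password failure. The log lines, user, client address and base DN in it are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample shaped like the thread's auth_debug lines; user, address and base DN are placeholders.
SAMPLE_LOG = """\
dovecot: Aug 06 09:08:45 Info: auth(default): ldap(blynch,192.0.2.10): pass search: base=dc=example,dc=com scope=subtree filter=(&(objectClass=posixAccount)(uid=blynch)) fields=uid, userPassword
dovecot: Aug 06 09:08:45 Info: auth(default): ldap(blynch,192.0.2.10): result: uid(user)=blynch
dovecot: Aug 06 09:08:46 Info: auth(default): client out: FAIL  1  user=blynch  temp
dovecot: Aug 06 09:08:48 Error: auth(default): ldap(blynch,192.0.2.10): No password in reply
"""
LDAP_RE = re.compile(r"(?P<level>Info|Error|Warning): auth\(default\): "
                     r"ldap\((?P<user>[^,]+),(?P<ip>[^)]+)\): (?P<msg>.*)$")
FAIL_RE = re.compile(r"client out: FAIL\s+\d+\s+user=(?P<user>\S+)\s+(?P<reason>\S+)")

@dataclass
class LdapAuthAttempt:
    user: str
    requested: list = field(default_factory=list)  # attribute names after "fields="
    returned: list = field(default_factory=list)   # attribute names in "result:"
    errors: list = field(default_factory=list)     # Error-level ldap() messages
    fail_reason: str = ""                          # last word of "client out: FAIL"

def parse_auth_log(text):
    attempts = {}
    for line in text.splitlines():
        m = LDAP_RE.search(line)
        if m:
            a = attempts.setdefault(m["user"], LdapAuthAttempt(m["user"]))
            msg = m["msg"]
            if m["level"] == "Error":
                a.errors.append(msg)
            elif msg.startswith("pass search:"):
                a.requested = [f.strip() for f in msg.split("fields=", 1)[1].split(",")]
            elif msg.startswith("result:"):
                # tokens look like attr(field)=value; keep only the LDAP attribute name
                a.returned = [tok.split("(")[0] for tok in msg[len("result:"):].split()]
            continue
        m = FAIL_RE.search(line)
        if m:
            attempts.setdefault(m["user"], LdapAuthAttempt(m["user"])).fail_reason = m["reason"]
    return attempts

def diagnose(a):
    findings = []
    missing = [f for f in a.requested if f not in a.returned]
    if "userPassword" in missing or any("No password in reply" in e for e in a.errors):
        findings.append("userPassword requested but not returned: the bind DN cannot read it "
                        "(directory ACL) or the entry has none; grant access or use auth_bind = yes")
    if a.fail_reason == "temp":
        findings.append("client got FAIL ... temp: an internal lookup error, not a wrong password")
    return findings
```

With auth_bind = yes the service DN never needs read access to password hashes at all, which is the least-privilege choice of the two fixes.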


[Dovecot] Using ldap and pam

2013-08-05 Thread Bo Lynch
Having some issues with ldap logins. I am using CentOS 5,
dovecot-1.0.13-1.el5.rfx and openldap-servers-2.3.43-25.el5_8.1.
Trying to get this to work with the SoGo interface. First I converted all
my standard system users to ldap using the openldap-tools. This worked
fine, however when a user changes their password they can no longer see
their email. If they change it back to the original password, mail can be
seen. This has stumped me for a day or so, so I was hoping someone could
shed some light.

/etc/dovecot.conf
protocols = imap imaps
disable_plaintext_auth = no
mbox_read_locks = fcntl
mbox_write_locks = fcntl
protocol imap {
}
protocol pop3 {
}
protocol lda {
  postmaster_address = postmas...@example.com
}
auth default {
mechanisms = plain login
  passdb pam {
  }
  passdb ldap {
args = /etc/dovecot-ldap.pass
  }
  userdb passwd {
  }
  user = root
  user = root
  socket listen {
client {
  path = /var/spool/postfix/private/auth
  mode = 0660
  user = postfix
  group = postfix
}
  }
}
dict {
}
plugin {
}

/etc/dovecot-ldap.conf
hosts = 127.0.0.1:389
sasl_bind = no
auth_bind = yes
auth_bind = no
ldap_version = 3
deref = never
dn = cn=sogo,dc=ameliaschools,dc=com
dnpass=password
base = dc=ameliaschools,dc=com
scope = subtree
pass_attrs = uid=user, userPassword=password
pass_filter = (uid=%u)