Re: Dovecot & LDAP Take #2: Authentication failed and logging

2015-03-02 Thread Mihai Badici
On Monday 02 March 2015 11:14:03 David Scheele wrote:
> Ok I played around a bit and activated debugging correctly (Thanks to
> Steffen)
> 

> 
> Now I try to log in with the user johndoe (that is his cn and his uid) and
> I get the following message in syslog:
> Mar  2 11:03:32 mailserver dovecot: auth: Debug: master in:
> REQUEST#0111283457025#0117428#0111#011d139b5d372d882643bc995003c615c89
> Mar  2 11:03:32 mailserver dovecot: auth: Debug:
> ldap(johndoe,127.0.0.1,): user search:
> base=ou=People,dc=[domainname],dc=de scope=subtree
> filter=(&(objectClass=inetOrgPerson)(cn=johndoe)) fields=uidNumber
> Mar  2 11:03:32 mailserver slapd[2465]: <= bdb_equality_candidates: (cn)
> not indexed
> Mar  2 11:03:32 mailserver dovecot: auth: Debug:
> ldap(johndoe,127.0.0.1,): result:  uidNumber missing


There are two strategies: put the uid of each user in LDAP, or use the same uid 
for all accounts.
For the second choice, you need to put something like
mail_uid = 1
mail_gid = 1

in 10-mail.conf.
This user needs some rights on the Dovecot storage folder.

When using the first choice, you will need a mechanism to generate those uids 
(this should be implemented in the LDAP management tool).


> Mar  2 11:03:32 mailserver dovecot: auth: Debug: master out:
> USER#0111283457025#011johndoe
> Mar  2 11:03:32 mailserver dovecot: imap-login: Login: user=,
> method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=7450, secured,
> session=
> Mar  2 11:03:32 mailserver dovecot: imap(johndoe): Error: user johndoe:
> Couldn't drop privileges: User is missing UID (see mail_uid setting)
> Mar  2 11:03:32 mailserver dovecot: imap(johndoe): Error: Internal error
> occurred. Refer to server log for more information.
> 
> 
> I am confused about what the line Mar  2 11:03:32 mailserver dovecot:
> imap(johndoe): Error: user johndoe: Couldn't drop privileges: User is
> missing UID (see mail_uid setting) is trying to tell me.
> 
> doveconf -n:
> 
> # 2.1.7: /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.8 ext4
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> default_login_user = vmail
> disable_plaintext_auth = no
> first_valid_gid = 
> first_valid_uid = 
> listen = *
> mail_access_groups = vmail
> mail_debug = yes
> mail_location = maildir:/var/vmail/%n
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> protocols = imap
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
> group = postfix
> mode = 0660
> user = postfix
>   }
>   user = root
> }
> service imap-login {
>   process_min_avail = 1
>   user = vmail
> }
> ssl = no
> userdb {
>   args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
>   driver = ldap
> }
> grep -v '^ *\(#.*\)\?$' dovecot-ldap.conf.ext :
> 
> hosts = mailserver.[domainname].de
> debug_level = 0
> auth_bind = yes
> auth_bind_userdn = cn=%u,ou=People,dc=[domainname],dc=de
> base = ou=People,dc=[domainname],dc=de
> user_attrs = uidNumber=uid
> user_filter = (&(objectClass=inetOrgPerson)(cn=%u))
> pass_attrs = userPassword=password
> pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
> iterate_attrs = uid=user
> iterate_filter = (objectClass=inetOrgPerson)
> 
> 2015-02-27 16:00 GMT+01:00 Paolo Cravero :
> > This is the user DN:
> > > cn=Klara Fall,ou=People,dc=[domainname],dc=de
> > 
> > According to your Dovecot configuration
> > 
> > > auth_bind_userdn = cn=%u,ou=People,dc=[domainname],dc=de
> > 
> > if you login with "klarafall" it will be expanded into
> > 
> > cn=klarafall,ou=People,dc=[domainname],dc=de
> > 
> > which is not the correct DN for Mrs Klara.
> > 
> > So if you login with "Klara Fall" it should work, but that will probably
> > mess up things on the Dovecot filesystem.
> > 
> > 
> > I am strongly against setting a static DN when dealing with LDAP
> > authentication. LDAP servers are optimized to serve search requests, so
> > let
> > yours do the job. Allow Dovecot to lookup the correct DN based on the
> > attribute you supply (uid) and then authenticate.
> > 
> > This should be achieved if you comment out the auth_bind_userdn line.
> > 
> > Paolo Cravero
-- 
Mihai Bădici
http://mihai.badici.ro


Re: Dovecot & LDAP Take #2: Authentication failed and logging

2015-03-02 Thread David Scheele
Ok I played around a bit and activated debugging correctly (Thanks to
Steffen)


Now I try to log in with the user johndoe (that is his cn and his uid) and
I get the following message in syslog:
Mar  2 11:03:32 mailserver dovecot: auth: Debug: master in:
REQUEST#0111283457025#0117428#0111#011d139b5d372d882643bc995003c615c89
Mar  2 11:03:32 mailserver dovecot: auth: Debug:
ldap(johndoe,127.0.0.1,): user search:
base=ou=People,dc=[domainname],dc=de scope=subtree
filter=(&(objectClass=inetOrgPerson)(cn=johndoe)) fields=uidNumber
Mar  2 11:03:32 mailserver slapd[2465]: <= bdb_equality_candidates: (cn)
not indexed
Mar  2 11:03:32 mailserver dovecot: auth: Debug:
ldap(johndoe,127.0.0.1,): result:  uidNumber missing
Mar  2 11:03:32 mailserver dovecot: auth: Debug: master out:
USER#0111283457025#011johndoe
Mar  2 11:03:32 mailserver dovecot: imap-login: Login: user=,
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=7450, secured,
session=
Mar  2 11:03:32 mailserver dovecot: imap(johndoe): Error: user johndoe:
Couldn't drop privileges: User is missing UID (see mail_uid setting)
Mar  2 11:03:32 mailserver dovecot: imap(johndoe): Error: Internal error
occurred. Refer to server log for more information.


I am confused about what the line Mar  2 11:03:32 mailserver dovecot:
imap(johndoe): Error: user johndoe: Couldn't drop privileges: User is
missing UID (see mail_uid setting) is trying to tell me.

doveconf -n:

# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.8 ext4
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
default_login_user = vmail
disable_plaintext_auth = no
first_valid_gid = 
first_valid_uid = 
listen = *
mail_access_groups = vmail
mail_debug = yes
mail_location = maildir:/var/vmail/%n
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
  }
  user = root
}
service imap-login {
  process_min_avail = 1
  user = vmail
}
ssl = no
userdb {
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  driver = ldap
}
grep -v '^ *\(#.*\)\?$' dovecot-ldap.conf.ext :

hosts = mailserver.[domainname].de
debug_level = 0
auth_bind = yes
auth_bind_userdn = cn=%u,ou=People,dc=[domainname],dc=de
base = ou=People,dc=[domainname],dc=de
user_attrs = uidNumber=uid
user_filter = (&(objectClass=inetOrgPerson)(cn=%u))
pass_attrs = userPassword=password
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
iterate_attrs = uid=user
iterate_filter = (objectClass=inetOrgPerson)


2015-02-27 16:00 GMT+01:00 Paolo Cravero :

>
> This is the user DN:
>
> > cn=Klara Fall,ou=People,dc=[domainname],dc=de
>
>
> According to your Dovecot configuration
>
> > auth_bind_userdn = cn=%u,ou=People,dc=[domainname],dc=de
>
> if you login with "klarafall" it will be expanded into
>
> cn=klarafall,ou=People,dc=[domainname],dc=de
>
> which is not the correct DN for Mrs Klara.
>
> So if you login with "Klara Fall" it should work, but that will probably
> mess up things on the Dovecot filesystem.
>
>
> I am strongly against setting a static DN when dealing with LDAP
> authentication. LDAP servers are optimized to serve search requests, so let
> yours do the job. Allow Dovecot to lookup the correct DN based on the
> attribute you supply (uid) and then authenticate.
>
> This should be achieved if you comment out the auth_bind_userdn line.
>
> Paolo Cravero
>


Re: Dovecot & LDAP Take #2: Authentication failed and logging

2015-02-27 Thread Paolo Cravero

This is the user DN:

> cn=Klara Fall,ou=People,dc=[domainname],dc=de


According to your Dovecot configuration

> auth_bind_userdn = cn=%u,ou=People,dc=[domainname],dc=de

if you login with "klarafall" it will be expanded into

cn=klarafall,ou=People,dc=[domainname],dc=de

which is not the correct DN for Mrs Klara.

So if you login with "Klara Fall" it should work, but that will probably
mess up things on the Dovecot filesystem.


I am strongly against setting a static DN when dealing with LDAP
authentication. LDAP servers are optimized to serve search requests, so let
yours do the job. Allow Dovecot to lookup the correct DN based on the
attribute you supply (uid) and then authenticate.

This should be achieved if you comment out the auth_bind_userdn line.

Paolo Cravero
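The two pieces of advice in this thread, Paolo's (let the server search for the DN by uid instead of templating cn=%u into auth_bind_userdn) and Mihai's (the userdb has to yield a uid, either a per-user uidNumber from LDAP or a shared mail_uid), can be checked against a small offline model. The Python below is an added example written for this page; it is not Dovecot code and not from any poster. The directory entries (Klara Fall and johndoe as described in the thread, plus a constructed "alice" that carries a uidNumber), the dc=example,dc=de suffix standing in for the redacted [domainname], and every password are made up. The filter and DN templates are David's posted settings. The RFC 4515 / RFC 4514 escaping is the example's own (Dovecot's LDAP driver escapes the variables it expands into filters by itself) and is there to show why a login name must never reach the filter unescaped: a username of "*" turns (uid=%u) into a match for every entry.

```python
"""Offline model of Dovecot's two LDAP bind styles and its userdb uid lookup.
Constructed sample directory and settings, not Dovecot code. Passwords are kept
in clear only to keep the model small; a real directory stores hashes."""
import re

# Constructed directory: DN -> attributes. dc=example,dc=de replaces the
# thread's redacted [domainname]; all passwords are made up.
DIRECTORY = {
    "cn=Klara Fall,ou=People,dc=example,dc=de": {
        "objectClass": ["inetOrgPerson"], "cn": ["Klara Fall"],
        "uid": ["klarafall"], "userPassword": ["secret1"]},
    "cn=johndoe,ou=People,dc=example,dc=de": {      # no uidNumber, as in the thread
        "objectClass": ["inetOrgPerson"], "cn": ["johndoe"],
        "uid": ["johndoe"], "userPassword": ["secret2"]},
    "cn=alice,ou=People,dc=example,dc=de": {        # constructed posixAccount
        "objectClass": ["inetOrgPerson", "posixAccount"], "cn": ["alice"],
        "uid": ["alice"], "uidNumber": ["5001"], "userPassword": ["secret3"]},
}

# Templates as posted in dovecot-ldap.conf.ext (suffix substituted)
AUTH_BIND_USERDN = "cn=%u,ou=People,dc=example,dc=de"
PASS_FILTER = "(&(objectClass=inetOrgPerson)(uid=%u))"
USER_FILTER = "(&(objectClass=inetOrgPerson)(cn=%u))"
USER_ATTRS = {"uidNumber": "uid"}                   # user_attrs = uidNumber=uid


def escape_filter(value):
    """RFC 4515: hex-escape the characters that change a filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def escape_dn(value):
    """RFC 4514 (minimal): backslash-escape specials in an attribute value."""
    return re.sub(r'([,+"\\<>;=])', r"\\\1", value)


def _value_regex(assertion):
    """Assertion value -> regex: a bare '*' is a wildcard, '\\hh' is a literal.
    A lone backslash not followed by two hex digits is dropped (model only)."""
    parts = []
    for token in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^*\\]+", assertion):
        if token == "*":
            parts.append(".*")
        elif token.startswith("\\"):
            parts.append(re.escape(chr(int(token[1:], 16))))
        else:
            parts.append(re.escape(token))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def search(ldap_filter):
    """Evaluate an AND of equality assertions, e.g. (&(a=x)(b=y)), and return
    the matching DNs. Just enough of LDAP to run the posted filters."""
    assertions = re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)
    return [dn for dn, attrs in DIRECTORY.items()
            if all(any(_value_regex(v).match(a) for a in attrs.get(k, []))
                   for k, v in assertions)]


def bind(dn, password):
    """Simple bind: only an existing DN with the right password succeeds."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def auth_with_template_dn(user, password):
    """auth_bind_userdn style: build the DN from the login name, no search.
    Fails for 'klarafall' because her DN uses cn=Klara Fall, not the uid."""
    return bind(AUTH_BIND_USERDN.replace("%u", escape_dn(user)), password)


def auth_search_then_bind(user, password, escape=True):
    """pass_filter style: search for exactly one entry, then bind as its DN.
    escape=False exists only to show what an unescaped login name does."""
    value = escape_filter(user) if escape else user
    hits = search(PASS_FILTER.replace("%u", value))
    if len(hits) != 1:          # none or ambiguous: refuse, never guess
        return False
    return bind(hits[0], password)


def userdb_uid(user, mail_uid=None):
    """userdb lookup with user_attrs = uidNumber=uid. A uid from LDAP wins,
    otherwise mail_uid applies. None means no entry or no uid source at all,
    which is the 'User is missing UID (see mail_uid setting)' condition."""
    hits = search(USER_FILTER.replace("%u", escape_filter(user)))
    if len(hits) != 1:
        return None
    attrs = DIRECTORY[hits[0]]
    fields = {dov: attrs[ldap][0] for ldap, dov in USER_ATTRS.items() if ldap in attrs}
    return fields.get("uid", mail_uid)


if __name__ == "__main__":
    print("template DN, klarafall:", auth_with_template_dn("klarafall", "secret1"))
    print("search+bind, klarafall:", auth_search_then_bind("klarafall", "secret1"))
    print("unescaped uid=* matches", len(search(PASS_FILTER.replace("%u", "*"))), "entries")
    print("johndoe uid with mail_uid=vmail:", userdb_uid("johndoe", mail_uid="vmail"))
```

Run it with python3. The model also reproduces the mismatch in the posted March 2 settings: pass_filter searches on uid while user_filter searches on cn, so a user whose cn is not equal to their uid authenticates and then fails the userdb lookup. On a real server the userdb side is what doveadm user johndoe shows, and the passdb side is what the auth: Debug lines show with auth_debug = yes. A search that returns zero or more than one entry is refused rather than guessed at, which is also what keeps the wildcard case from authenticating anyone even if escaping were missing.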


Re: Dovecot & LDAP Take #2: Authentication failed and logging

2015-02-27 Thread David Scheele
Thanks for the reply. I did indeed consult the wiki. But most of the time
it seems some information is old and/or more confusing than helpful.
But I'll take another look.

2015-02-27 15:56 GMT+01:00 Steffen Kaiser :

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 27 Feb 2015, David Scheele wrote:
>
>> But I still have two problems:
>>
>> 1.) For some reason my dovecot doesn't log correctly. I put debug_log to -1
>>
>
> ? http://wiki2.dovecot.org/Logging?highlight=%28debug_log%29
>
>> and expected to see logs flooding into my syslog. When I try to log in via
>> telnet over imap and the login succeeds it logs correctly. But when it
>> fails there is no log entry. Any clue what might cause this?
>>
>> And now the big fish:
>>
>> 2.) Still stuck trying to log a user in over telnet via imap. I'm pretty sure I
>> have misconfigured something. First of all:
>>
>> 2a.) Are the *passdb* and *userdb* in the dovecot.conf still needed in the
>> newest version? It appears to me that all authentication runs over the
>> *10-auth.conf*, *auth-ldap.conf.ext* and *dovecot-ldap.conf.ext* and the
>> passdb and userdb settings might just be remnants of the past? Or am I
>> wrong here?
>>
>
> Did you consult the Wiki?
> http://wiki2.dovecot.org/Authentication
>
> - -- Steffen Kaiser
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQEVAwUBVPCFjXz1H7kL/d9rAQLdVgf+MD2W8tx2DgsVy7vXQqcywaOWbGXPdW1o
> psRQDaSWf8IlSOZOeYNC0k3AbGSPbb70pYibGDeFo5W8wIdsEyTizEmvZOmKRTnC
> Bf6Q3hFPOQ9TUrcGVKwyA5lbR4UkMwLLOUcj1PvFwJ4d3iGx0Rqc4xMFPv79oXDq
> H5fiXxDjlJlFcqdE4Z3XedzEUDmTjYihGCr+2Zsa/wKjrEM2PYZn+SZEsv+AZZgL
> LcnH2eqVt6CaN44H12H9auvC2KLbVXAPCGHlwnmD1IXfXfK1IsDkH3yzsSPYxtQn
> tv0Ps7mSig/8MJrP+17kl42q0P7YsMYFqzlSUK9u/Dkwx7NoMeZd4Q==
> =o5Xt
> -----END PGP SIGNATURE-----
>


Re: Dovecot & LDAP Take #2: Authentication failed and logging

2015-02-27 Thread Steffen Kaiser

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 27 Feb 2015, David Scheele wrote:

But I still have two problems:

1.) For some reason my dovecot doesn't log correctly. I put debug_log to -1


? http://wiki2.dovecot.org/Logging?highlight=%28debug_log%29


and expected to see logs flooding into my syslog. When I try to log in via
telnet over imap and the login succeeds it logs correctly. But when it
fails there is no log entry. Any clue what might cause this?

And now the big fish:

2.) Still stuck trying to log a user in over telnet via imap. I'm pretty sure I
have misconfigured something. First of all:

2a.) Are the *passdb* and *userdb* in the dovecot.conf still needed in the
newest version? It appears to me that all authentication runs over the
*10-auth.conf*, *auth-ldap.conf.ext* and *dovecot-ldap.conf.ext* and the
passdb and userdb settings might just be remnants of the past? Or am I
wrong here?


Did you consult the Wiki?
http://wiki2.dovecot.org/Authentication

- -- 
Steffen Kaiser

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEVAwUBVPCFjXz1H7kL/d9rAQLdVgf+MD2W8tx2DgsVy7vXQqcywaOWbGXPdW1o
psRQDaSWf8IlSOZOeYNC0k3AbGSPbb70pYibGDeFo5W8wIdsEyTizEmvZOmKRTnC
Bf6Q3hFPOQ9TUrcGVKwyA5lbR4UkMwLLOUcj1PvFwJ4d3iGx0Rqc4xMFPv79oXDq
H5fiXxDjlJlFcqdE4Z3XedzEUDmTjYihGCr+2Zsa/wKjrEM2PYZn+SZEsv+AZZgL
LcnH2eqVt6CaN44H12H9auvC2KLbVXAPCGHlwnmD1IXfXfK1IsDkH3yzsSPYxtQn
tv0Ps7mSig/8MJrP+17kl42q0P7YsMYFqzlSUK9u/Dkwx7NoMeZd4Q==
=o5Xt
-----END PGP SIGNATURE-----


Dovecot & LDAP Take #2: Authentication failed and logging

2015-02-27 Thread David Scheele
Hi there,

after banging my head against a wall for a bit I got more in depth with
dovecot and am now much more knowledgeable about the system than before.

But I still have two problems:

1.) For some reason my dovecot doesn't log correctly. I put debug_log to -1
and expected to see logs flooding into my syslog. When I try to log in via
telnet over imap and the login succeeds it logs correctly. But when it
fails there is no log entry. Any clue what might cause this?

And now the big fish:

2.) Still stuck trying to log a user in over telnet via imap. I'm pretty sure I
have misconfigured something. First of all:

2a.) Are the *passdb* and *userdb* in the dovecot.conf still needed in the
newest version? It appears to me that all authentication runs over the
*10-auth.conf*, *auth-ldap.conf.ext* and *dovecot-ldap.conf.ext* and the
passdb and userdb settings might just be remnants of the past? Or am I
wrong here?

2b.) This is my config:

# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.8 ext4
auth_mechanisms = plain login
default_login_user = vmail
disable_plaintext_auth = no
first_valid_gid = 
first_valid_uid = 
listen = *
mail_access_groups = vmail
mail_debug = yes
mail_location = maildir:/var/vmail/%d/%n
passdb {
  args = scheme=SHA1 /etc/dovecot/passwd
  driver = passwd-file
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
service imap-login {
  process_min_avail = 1
  user = vmail
}
ssl = no
userdb {
  args = uid= gid= home=/var/vmail/%d/%n allow_all_users=yes
  driver = static
}

hosts = [hostname].[domainname].de
debug_level = -1
auth_bind = yes
auth_bind_userdn = cn=%u,ou=People,dc=[domainname],dc=de
base = ou=People,dc=[domainname],dc=de
user_attrs = uidNumber=uid
user_filter = (&(objectClass=inetOrgPerson)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
iterate_attrs = uid=user
iterate_filter = (objectClass=inetOrgPerson)

The user I try to log in with is:

cn=Klara Fall,ou=People,dc=[domainname],dc=de
objectclasses: inetOrgPerson, organizationalPerson, person, simpleSecurityObject, top
sn=Fall
userPassword is set
mail: klara.fall@[domainname].de
uid: klarafall

I want to try with auth bind because I think i understood whats going on
with that.

When I try a login klarafall [password] it gives me
a NO [AUTHENTICATIONFAILED] Authentication failed.

Any clues? This would be much easier with logging... but see 1.) :)
I feel I'm not far from the finish line.

Best,
David