I've configured dovecot to authenticate against a Fedora Directory Server. The mail server on which dovecot is installed has the nss_ldap and pam_ldap packages installed, and /etc/dovecot.conf has the following two lines:

auth_userdb = ldap /etc/dovecot-ldap.conf
auth_passdb = pam

In other words, I want dovecot to use LDAP to access the user database, but PAM for authentication. This part is working, since users authenticate and get their mails correctly through dovecot.

/etc/dovecot-ldap.conf contains the following:

hosts = 192.168.0.2
ldap_version = 3
base = ou=People, dc=duraflex, dc=com, dc=sv
deref = never
scope = subtree
user_attrs = uid,homeDirectory,,,uidNumber,gidNumber
user_filter = (&(objectClass=posixAccount)(uid=%u))

I haven't specified a dn or dnpass, since all I need is that dovecot perform an anonymous query for the uid, homeDirectory, uidNumber and gidNumber fields of its users, which are publicly viewable. However, my FDS server's access log has entries like these:

conn=3266227 fd=138 slot=138 connection from 192.168.0.100 to 192.168.0.2
conn=3266227 op=0 BIND dn="" method=128 version=3
conn=3266227 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
conn=3266227 op=1 SRCH base="ou=People,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixAccount)(uid=dovecot))" attrs=ALL
conn=3266227 op=1 RESULT err=0 tag=101 nentries=0 etime=0
conn=3266227 op=2 SRCH base="ou=Groups,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixGroup)(memberUid=dovecot))" attrs="gidNumber"
conn=3266227 op=2 RESULT err=0 tag=101 nentries=0 etime=0
conn=3266227 op=-1 fd=138 closed - B1

Dovecot binds anonymously with an empty dn, then queries FDS for a user and a group called dovecot (which don't exist on the DS), and finds 0 entries.

Is it possible to access the user database through PAM (auth_userdb pam)? Since I'm running the nss_ldap and pam_ldap modules, it'd really be an LDAP query for users, and a query in /etc/passwd and /etc/group for dovecot (since it's a local user and group on the mail server).

-- Oscar A. Valdez
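The access-log lines quoted above are easier to reason about when they are grouped per connection: which client connected, what DN it bound as (an empty DN is an anonymous bind), and how many entries each search returned. The following parser is an added example, not code from the thread or from Dovecot or FDS; it reads the access-log format shown in the post. The first connection is the one from the post, while the second connection (conn=3266228, the bind DN under ou=Services and the user oscar) is constructed to show an authenticated bind for contrast.

```python
"""Group Fedora Directory Server access-log lines by connection and report
anonymous binds and searches that returned no entries.

Added example; the log format is the one quoted in the post. The second
connection in SAMPLE_LOG is constructed for contrast."""
import re
from dataclasses import dataclass, field
from typing import Optional

# First connection: the lines from the post. Second connection: constructed.
SAMPLE_LOG = """\
conn=3266227 fd=138 slot=138 connection from 192.168.0.100 to 192.168.0.2
conn=3266227 op=0 BIND dn="" method=128 version=3
conn=3266227 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
conn=3266227 op=1 SRCH base="ou=People,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixAccount)(uid=dovecot))" attrs=ALL
conn=3266227 op=1 RESULT err=0 tag=101 nentries=0 etime=0
conn=3266227 op=2 SRCH base="ou=Groups,dc=duraflex,dc=com,dc=sv" scope=1 filter="(&(objectClass=posixGroup)(memberUid=dovecot))" attrs="gidNumber"
conn=3266227 op=2 RESULT err=0 tag=101 nentries=0 etime=0
conn=3266227 op=-1 fd=138 closed - B1
conn=3266228 fd=139 slot=139 connection from 192.168.0.100 to 192.168.0.2
conn=3266228 op=0 BIND dn="cn=dovecot,ou=Services,dc=duraflex,dc=com,dc=sv" method=128 version=3
conn=3266228 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=dovecot,ou=services,dc=duraflex,dc=com,dc=sv"
conn=3266228 op=1 SRCH base="ou=People,dc=duraflex,dc=com,dc=sv" scope=2 filter="(&(objectClass=posixAccount)(uid=oscar))" attrs="uid homeDirectory uidNumber gidNumber"
conn=3266228 op=1 RESULT err=0 tag=101 nentries=1 etime=0
conn=3266228 op=-1 fd=139 closed - U1
"""


@dataclass
class Search:
    op: int
    base: str
    scope: int          # 0 = base, 1 = onelevel, 2 = subtree
    filter: str
    nentries: int = -1  # filled in from the matching RESULT line
    err: int = -1


@dataclass
class Connection:
    conn: int
    client: str = ""
    bind_dn: Optional[str] = None  # None = no BIND seen; "" = anonymous bind
    bind_err: int = -1
    searches: list = field(default_factory=list)


CONN_RE = re.compile(r'^conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to \S+$')
BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'^conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+) filter="([^"]*)"')
RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) RESULT err=(\d+) tag=(\d+) nentries=(\d+)')


def parse_access_log(text):
    """Return {conn_id: Connection} with each SRCH joined to its RESULT."""
    conns = {}
    pending = {}     # (conn, op) -> Search still waiting for its RESULT line
    bind_ops = set()  # (conn, op) pairs that were BIND operations
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            cid = int(m.group(1))
            conns[cid] = Connection(conn=cid, client=m.group(2))
            continue
        m = BIND_RE.match(line)
        if m:
            cid, op, dn = int(m.group(1)), int(m.group(2)), m.group(3)
            conns.setdefault(cid, Connection(conn=cid)).bind_dn = dn
            bind_ops.add((cid, op))
            continue
        m = SRCH_RE.match(line)
        if m:
            cid, op = int(m.group(1)), int(m.group(2))
            s = Search(op=op, base=m.group(3), scope=int(m.group(4)), filter=m.group(5))
            conns.setdefault(cid, Connection(conn=cid)).searches.append(s)
            pending[(cid, op)] = s
            continue
        m = RESULT_RE.match(line)
        if m:
            cid, op, err, tag, n = (int(g) for g in m.groups())
            if (cid, op) in pending:
                s = pending.pop((cid, op))
                s.err, s.nentries = err, n
            elif (cid, op) in bind_ops and cid in conns:
                conns[cid].bind_err = err
    return conns


def anonymous_binds(conns):
    """Connection ids whose BIND used an empty DN."""
    return sorted(c.conn for c in conns.values() if c.bind_dn == "")


def empty_searches(conns):
    """(conn, filter) for every search that returned zero entries."""
    return [(c.conn, s.filter)
            for c in sorted(conns.values(), key=lambda c: c.conn)
            for s in c.searches if s.nentries == 0]


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    for cid in anonymous_binds(parsed):
        print(f"conn={cid} from {parsed[cid].client}: anonymous bind")
    for cid, flt in empty_searches(parsed):
        print(f"conn={cid}: no entries for {flt}")
```

Running it over the post's lines shows the single anonymous connection and its two searches for uid=dovecot / memberUid=dovecot that returned nothing, which is the quickest way to confirm that such connections are the mail host resolving its local dovecot account rather than a real user lookup.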
Oscar A. Valdez wrote:
> I've configured dovecot to authenticate against a Fedora Directory
> Server. The mail server on which dovecot is installed has the
> nss_ldap and pam_ldap packages installed, and /etc/dovecot.conf has the
> following two lines:
>
> auth_userdb = ldap /etc/dovecot-ldap.conf
> auth_passdb = pam
> ...
> Is it possible to access the user database through PAM (auth_userdb
> pam)? Since I'm running the nss_ldap and pam_ldap modules, it'd really
> be an LDAP query for users, and a query in /etc/passwd and /etc/group
> for dovecot (since it's a local user and group on the mail server).

If you are using nss_ldap and have edited /etc/nsswitch.conf accordingly, you should get it done with:

auth_userdb = passwd

It doesn't mean to use /etc/passwd, but the O.S. nss mechanism.

Regards.

--
+----------------------------------------------^-----------------------+
| Luis Meléndez Aganzo                         ^ Email: luism at uco.es |
| Servicio de Informática                      ^ Tlf: 34-(9)57-211022   |
| Área de Sistemas                             ^ Fax: 34-(9)57-218116   |
| Universidad de Córdoba (SPAIN)               ^ http://www.uco.es      |
+----------------------------------------------^-----------------------+
Luis Meléndez wrote:
> Oscar A. Valdez wrote:
> > I've configured dovecot to authenticate against a Fedora Directory
> > Server. The mail server on which dovecot is installed has the
> > nss_ldap and pam_ldap packages installed, and /etc/dovecot.conf has the
> > following two lines:
> >
> > auth_userdb = ldap /etc/dovecot-ldap.conf
> > auth_passdb = pam
> > ...
> > Is it possible to access the user database through PAM (auth_userdb
> > pam)? Since I'm running the nss_ldap and pam_ldap modules, it'd really
> > be an LDAP query for users, and a query in /etc/passwd and /etc/group
> > for dovecot (since it's a local user and group on the mail server).
>
> If you are using nss_ldap and have edited /etc/nsswitch.conf
> accordingly, you should get it done with:
>
> auth_userdb = passwd
>
> It doesn't mean to use /etc/passwd, but the O.S. nss mechanism.

Before trying Luis' suggestion, I had the following in /var/log/messages:

dovecot(pam_unix)[4691]: check pass; user unknown
dovecot(pam_unix)[4691]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost
dovecot-auth[4691]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)

I suppose the first two entries are the lookup for the dovecot user in the DS, where it doesn't exist. And since I want anonymous binds to the DS, I haven't created file /etc/ldap.secret. Users were able to authenticate and get their mail.

After changing to auth_userdb = passwd, all the messages went away, but the users weren't able to get their mail: Evolution gave me the following error: "Unable to get a valid greeting" from the mailserver.

I went back to auth_userdb = ldap /etc/dovecot-ldap.conf, and then back to auth_userdb = passwd. Users can get their mail, but the messages are back in the log file.

I'd appreciate help in understanding this behavior.

-- Oscar A. Valdez
Oscar A. Valdez wrote:
> On Mon, 10-04-2006 at 11:17 -0600, Stephen Warren wrote:
>> Oscar A. Valdez wrote:
>>> Before trying Luis' suggestion, I had the following in /var/log/messages:
>>>
>>> dovecot(pam_unix)[4691]: check pass; user unknown
>>> dovecot(pam_unix)[4691]: authentication failure; logname= uid=0 euid=0
>>> tty= ruser= rhost
>>
>> I believe this is because your PAM configuration checks both local files
>> (pam_unix: /etc/passwd) and pam_ldap: LDAP. The pam_unix module can't
>> find the user in the local database, and complains, then LDAP finds the
>> user information, and allows the login/whatever.
>>
>> The solution is probably to create a /etc/pam.d/system-auth-ldap-only
>> file that doesn't reference pam_unix, and use that pam configuration for
>> network services such as Dovecot.
>>
>> Or, possibly, check pam_ldap first with a "sufficient" setting; perhaps
>> this will stop pam_unix being tried at all?
>>
>> I keep meaning to try this, since I'm seeing those messages from a
>> number of network services, but have never gotten around to it!
>
> They tend to fill up the message log quickly, so if you get around to
> it, I'm interested in your fix.

Well, I finally got around to fiddling with this, and I now have created a /etc/pam.d/system-auth that doesn't trigger the annoying authentication failure messages in syslog. The file is shown below.

I've tested this by connecting in using SSH (set up for PAM) both as a user in the local /etc/passwd and as a user in LDAP. Also, I tested /etc/passwd users with the LDAP server stopped, and that worked too. Finally, I tested connecting to Dovecot as an LDAP user.

Note: The only section that references LDAP is the auth section. That's because account and session rely on pam_unix to pick up the information using nss_ldap (i.e. /etc/nsswitch.conf says "files ldap" for passwd, group, etc.)

This seems to work for me...

Also, note that my LDAP server stores Samba passwords too, so that's why the password section uses pam_smbpass (which in turn is set up to access LDAP via /etc/samba/smb.conf) rather than pam_ldap. This is so both the Unix and SMB passwords are updated in LDAP.

Anyway, here's my file. Anyone want to pick holes in it? Indented lines are just mail formatting...

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_ldap.so debug
auth        sufficient    /lib/security/$ISA/pam_unix.so use_first_pass likeauth
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_smbpass.so use_authtok
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0077
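The reason the file above stops the "check pass; user unknown" noise is the order of the two sufficient modules in the auth section: Linux-PAM returns as soon as a sufficient module succeeds (provided no earlier required module failed), so for an LDAP user pam_unix is never consulted. The simulator below is an added example, not code from the thread or from Linux-PAM; it models the required / requisite / sufficient controls (the [value=action] syntax and "optional" are left out) and runs Stephen's auth stack next to a "before" stack with pam_unix ahead of pam_ldap, which is the ordering Stephen's earlier reply describes for the default authconfig file. The user databases, passwords and simplified log messages are constructed.

```python
"""Walk a PAM auth stack with required / requisite / sufficient semantics
to show which modules run, and therefore what gets logged, for different
users and stack orderings.

Added example, not Linux-PAM code. Users, passwords and the "before"
stack ordering are constructed for illustration."""

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"
USER_UNKNOWN = "PAM_USER_UNKNOWN"
AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"

LOCAL_USERS = {"root": "rootpw"}     # constructed stand-in for /etc/shadow
LDAP_USERS = {"oscar": "oscarpw"}    # constructed stand-in for the directory


class Backends:
    """Stand-ins for the real modules; each returns a PAM code and may log."""

    def __init__(self, ldap_up=True):
        self.ldap_up = ldap_up
        self.log = []  # what the modules would have written to syslog

    def pam_env(self, user, password):
        return SUCCESS

    def pam_unix(self, user, password):
        if user not in LOCAL_USERS:
            # the message that filled /var/log/messages in the thread
            self.log.append(f"pam_unix: check pass; user unknown ({user})")
            return USER_UNKNOWN
        if LOCAL_USERS[user] != password:
            self.log.append(f"pam_unix: authentication failure; user={user}")
            return AUTH_ERR
        return SUCCESS

    def pam_ldap(self, user, password):
        if not self.ldap_up:
            self.log.append("pam_ldap: could not contact directory server")
            return AUTHINFO_UNAVAIL
        if user not in LDAP_USERS:
            return USER_UNKNOWN
        if LDAP_USERS[user] != password:
            self.log.append(f"pam_ldap: authentication failure; user={user}")
            return AUTH_ERR
        return SUCCESS

    def pam_deny(self, user, password):
        return AUTH_ERR


def run_stack(stack, backends, user, password):
    """Return (final code, modules actually invoked) for one auth request."""
    first_failure = None
    ran = []
    for module, control in stack:
        rc = getattr(backends, module)(user, password)
        ran.append(module)
        if control == "requisite":
            if rc != SUCCESS:
                return rc, ran          # stop immediately
        elif control == "required":
            if rc != SUCCESS and first_failure is None:
                first_failure = rc      # remember, but keep walking the stack
        elif control == "sufficient":
            if rc == SUCCESS and first_failure is None:
                return SUCCESS, ran     # short-circuit: later modules never run
            # a failing sufficient module is ignored
        else:
            raise ValueError(f"unsupported control {control}")
    return first_failure or SUCCESS, ran


# Constructed "before" ordering: pam_unix consulted before pam_ldap.
DEFAULT_STACK = [("pam_env", "required"), ("pam_unix", "sufficient"),
                 ("pam_ldap", "sufficient"), ("pam_deny", "required")]
# The auth section of Stephen's /etc/pam.d/system-auth.
LDAP_FIRST_STACK = [("pam_env", "required"), ("pam_ldap", "sufficient"),
                    ("pam_unix", "sufficient"), ("pam_deny", "required")]


def authenticate(stack, user, password, ldap_up=True):
    """Return (code, modules run, log lines) for a user against a stack."""
    b = Backends(ldap_up)
    rc, ran = run_stack(stack, b, user, password)
    return rc, ran, b.log


if __name__ == "__main__":
    for name, stack in (("unix first", DEFAULT_STACK), ("ldap first", LDAP_FIRST_STACK)):
        rc, ran, log = authenticate(stack, "oscar", "oscarpw")
        print(f"{name}: {rc}, ran {ran}, logged {log}")
```

Two things the simulation makes visible: local users still work with the directory down, because the failing sufficient pam_ldap is ignored and pam_unix answers; and a wrong password for an LDAP user still reaches pam_unix and produces the "user unknown" line, so the file removes the noise from successful logins only.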