dovecot - Nov 2006 - LDAP authentication windows 2003

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Tahoma">People,<br>
<br>
</font><font face="Tahoma">Almost resolved, but with
"blank password"
against a "active directory - ldap - windows 2003 sp1" the user was
logged in. See following logs.</font><br>
<br>
<font face="Tahoma">Good notice: the situation doesn't
happen in
"active directory - ldap - windows 2000 sp4"<br>
<br>
</font><font face="Tahoma">Thanks.<br>
<br>
</font><font face="Tahoma">[root@mail etc]# telnet 0
110</font><br>
<font face="Tahoma">Trying 0.0.0.0...</font><br>
<font face="Tahoma">Connected to 0
(0.0.0.0).</font><br>
<font face="Tahoma">Escape character is
'^]'.</font><br>
<font face="Tahoma">+OK Dovecot ready.</font><br>
<font face="Tahoma">user user@domain</font><br>
<font face="Tahoma">+OK</font><br>
<font face="Tahoma">pass <blank
password></font><br>
<font face="Tahoma">+OK Logged in.<br>
<br>
</font><font face="Tahoma">--->>>
dovecot-ldap.conf<br>
<br>
</font><font face="Tahoma"># Arquivo Configuracao Servidor
LDAP</font><br>
<font face="Tahoma">hosts = servidor2k3</font><br>
<font face="Tahoma">scope = subtree</font><br>
<font face="Tahoma">ldap_version = 3</font><br>
<font face="Tahoma">dn =
cn=binduser,ou=domain,dc=br</font><br>
<font face="Tahoma">dnpass = bindpass</font><br>
<font face="Tahoma">auth_bind = yes</font><br>
<font face="Tahoma">deref = never</font><br>
<font face="Tahoma">base =
ou=domain,dc=br</font><br>
<font face="Tahoma">default_pass_scheme =
CRYPT</font><br>
<font face="Tahoma">user_attrs =
uid=mail,,,,,</font><br>
<font face="Tahoma">user_filter =
(&(objectClass=person)(mail=%u))</font><br>
<font face="Tahoma">pass_filter =
(&(objectClass=person)(mail=%u))</font><br>
<font face="Tahoma">user_global_uid =
vmail</font><br>
<font face="Tahoma">user_global_gid = vmail<br>
<br>
</font><font face="Tahoma">--->>> Log
file<br>
<br>
</font><font face="Tahoma">Nov&nbsp; 9 08:09:24
mailsec dovecot: Dovecot
v1.0.rc13 starting up</font><br>
<font face="Tahoma">Nov&nbsp; 9 08:09:32 mailsec dovecot:
auth(default):
client in: AUTH 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
PLAIN&nbsp;&nbsp; service=POP3&nbsp;&nbsp;&nbsp; secured
lip=127.0.0.1&nbsp;&nbsp;
rip=127.0.0.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
resp=AHNwZEBhbHVuby51bmlmcmFuLmJyAA==</font><br>
<font face="Tahoma">Nov&nbsp; 9 08:09:32 mailsec dovecot:
auth(default):
ldap(<a class="moz-txt-link-abbreviated"
href="mailto:user@domain,127.0.0.1">user@domain,127.0.0.1</a>):
bind search: base=ou=domain,dc=br
filter=(&(objectClass=person)(mail=user@domain))</font><br>
<font face="Tahoma">Nov&nbsp; 9 08:09:32 mailsec dovecot:
auth(default):
ldap(<a class="moz-txt-link-abbreviated"
href="mailto:user@domain,127.0.0.1">user@domain,127.0.0.1</a>):
bind: dn=CN=user,ou=domain,dc=br</font><br>
<font face="Tahoma">Nov&nbsp; 9 08:09:32 mailsec dovecot:
auth(default):
client out: OK&nbsp;
1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
user=user@domain</font><br>
<font face="Tahoma">Nov&nbsp; 9 08:09:32 mailsec dovecot:
auth(default):
master in: REQUEST&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
8348&nbsp;&nbsp;&nbsp; 1</font><br>
<font face="Tahoma">Nov&nbsp; 9 08:09:32 mailsec dovecot:
auth(default):
ldap(<a class="moz-txt-link-abbreviated"
href="mailto:user@domain,127.0.0.1">user@domain,127.0.0.1</a>):
user search: base=ou=domain,dc=br
scope=subtree filter=(&(objectClass=person)(mail=user@domain))
fields=uid</font><br>
<font face="Tahoma">Nov&nbsp; 9 08:09:32 mailsec dovecot:
auth(default):
master out:
USER&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; user@domain
&nbsp;&nbsp;
uid=1001&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
gid=1001</font><br>
<font face="Tahoma">Nov&nbsp; 9 08:09:32 mailsec dovecot:
pop3-login: Login:
user=<user@domain>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
secured</font><br>
<font face="Tahoma">Nov&nbsp; 9 08:09:32 mailsec dovecot:
POP3(user@domain):
Effective uid=1001, gid=1001</font><br>
<font face="Tahoma">Nov&nbsp; 9 08:09:32 mailsec dovecot:
POP3(user@domain):
mbox:
data=/dados/vhome/user@domain:INBOX=/dados/vmail/user@domain</font><br>
<font face="Tahoma">Nov&nbsp; 9 08:09:32 mailsec dovecot:
POP3(user@domain):
mbox: root=/dados/vhome/user@domain, index=/dados/vhome/user@domain,
inbox=/dados/vmail/user@domain</font><br>
<font face="Tahoma">Nov&nbsp; 9 08:09:34 mailsec dovecot:
POP3(user@domain):
Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0</font>
</body>
</html>

Matheus Antonio Oliveira wrote:
> People,
> 
> Almost resolved, but with "blank password" against a "active
directory - ldap -
> windows 2003 sp1" the user was logged in. See following logs.
> 
> Good notice: the situation doesn't happen in "active directory -
ldap - windows
> 2000 sp4"
> 
Oh dear - you're right! We're using 2003 Active Directory (but in
"2000
mode") and I can repeat the behaviour with my test rc12 server ...

* OK University of Reading IMAP test ready.
. LOGIN <username> ""
. OK Logged in.
. SELECT INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)]
Flags permitted.
* 815 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1130319036] UIDs valid
* OK [UIDNEXT 816] Predicted next UID
. OK [READ-WRITE] Select completed.

and also with rc10.

Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<pre>Congratulations,

Your solution has worked with six w2k3 domain controllers and 20.000 accounts
!!!!


RedHat Enterprise Linux 4.0 UP 2
Dovecot: dovecot-1.0-0_33.rc15.el4.at.i386.rpm <a
 href="http://dl.atrpms.net/all/dovecot-1.0-0_33.rc15.el4.at.i386.rpm"></a>


Thanks



On Thu, 2006-11-09 at 10:47 +0000, Chris Wakelin wrote:
><i> 
</i>><i> Matheus Antonio Oliveira wrote:
</i>><i> > People,
</i>><i> > 
</i>><i> > Almost resolved, but with "blank
password" against a "active directory - ldap -
</i>><i> > windows 2003 sp1" the user was logged in. See
following logs.
</i>><i> > 
</i>><i> > Good notice: the situation doesn't happen in
"active directory - ldap - windows
</i>><i> > 2000 sp4"
</i>><i> > 
</i>><i> 
</i>><i> Oh dear - you're right! We're using 2003 Active
Directory (but in "2000
</i>><i> mode") and I can repeat the behaviour with my test
rc12 server ...
</i>><i> 
</i>><i> * OK University of Reading IMAP test ready.
</i>><i> . LOGIN <username> ""
</i>><i> . OK Logged in.
</i>
Umm.. The auth bind succeeds with the empty password?

So should I just add a check that empty password will always fail if
auth_bind=yes? This prevents having users who don't have a password (eg.
they'd be proxied elsewhere), but I guess it's not that
important.</pre>
</body>
</html>