Laurent Blume
2008-Jan-31 08:58 UTC
[Dovecot] Using Dovecot with nsswitch for LDAP on Solaris
Hello all,
I'm having some issues configuring dovecot 1.0.10 on a Solaris 10 box,
that uses LDAP for its accounts.
The local accounts (in /etc/passwd) are authenticated properly and work
as expected, but all accounts from the LDAP fail authentication.
Those are declared for the system using PAM and NSS (/etc/pam.conf and
/etc/nsswitch.conf are configured accordingly).
Currently, there are WU-IMAP and Qpopper installed and working, and
neither of them needed any special configuration to use the login,
they're just using Unix auth.
I tried various configurations, based on what I read in the wiki
documentation, but nothing works, even the passwd userdb/passdb, which
*should* if I understand correctly.
Trying to use PAM in dovecot fails, too.
Any idea what I'm doing wrong, or pointers to hints? Google returned
little information about configuring Dovecot on Solaris, and none that
was useful.
TIA,
Laurent
# /opt/csw/sbin/dovecot --version
1.0.10
Sample of failure in the dovecot logs:
Jan 30 18:11:00 balif dovecot: [ID 107833 local1.info] auth(default):
new auth connection: pid=13210
Jan 30 18:11:09 balif dovecot: [ID 107833 local1.info] auth(default):
client in: AUTH 1 PLAIN service=IMAP secured lip=127.0.0.1
rip=127.0.0.1 resp=xxxxx
Jan 30 18:11:09 balif dovecot: [ID 107833 local1.info]
auth-worker(default): pam(lblume,127.0.0.1): lookup service=dovecot
Jan 30 18:11:10 balif dovecot: [ID 107833 local1.info] auth(default):
client out: FAIL 1 user=lblume
Jan 30 18:11:17 balif dovecot: [ID 107833 local1.info] imap-login:
Aborted login (1 authentication attempts): user=<lblume>, method=PLAIN,
rip=127.0.0.1, lip=127.0.0.1, secured
My latest config try:
# /opt/csw/sbin/dovecot -n
# 1.0.10: /opt/csw/etc/dovecot.conf
base_dir: /var/run/dovecot/
syslog_facility: local1
protocols: imap pop3
listen(default): *:60143
listen(imap): *:60143
listen(pop3): *:60110
ssl_disable: yes
disable_plaintext_auth: no
login_dir: /var/run/dovecot//login
login_executable(default): /opt/csw/libexec/dovecot/imap-login
login_executable(imap): /opt/csw/libexec/dovecot/imap-login
login_executable(pop3): /opt/csw/libexec/dovecot/pop3-login
mail_location: mbox:~/:INBOX=/var/mail/%u
mail_executable(default): /opt/csw/libexec/dovecot/imap
mail_executable(imap): /opt/csw/libexec/dovecot/imap
mail_executable(pop3): /opt/csw/libexec/dovecot/pop3
mail_plugin_dir(default): /opt/csw/lib/dovecot/imap
mail_plugin_dir(imap): /opt/csw/lib/dovecot/imap
mail_plugin_dir(pop3): /opt/csw/lib/dovecot/pop3
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %08Xu%08Xv
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: pam
    args: blocking=yes setcred=yes dovecot
  userdb:
    driver: passwd
    args: blocking=yes
--
/ Leader de Projet & Communauté | I'm working, but not speaking for
\ G11N http://fr.opensolaris.org | Bull Services http://www.bull.com
/ FOSUG http://guses.org |
Timo Sirainen
2008-Jan-31 14:41 UTC
[Dovecot] Using Dovecot with nsswitch for LDAP on Solaris
On Thu, 2008-01-31 at 09:58 +0100, Laurent Blume wrote:
> Currently, there are WU-IMAP and Qpopper installed and working, and
> neither of them needed any special configuration to use the login,
> they're just using Unix auth.

What service name do they use? If they already work, make Dovecot use
the same service name (e.g. passdb pam { args = imap }).

> Jan 30 18:11:09 balif dovecot: [ID 107833 local1.info]
> auth-worker(default): pam(lblume,127.0.0.1): lookup service=dovecot
> Jan 30 18:11:10 balif dovecot: [ID 107833 local1.info] auth(default):
> client out: FAIL 1 user=lblume

See if PAM also logged something (/var/log/authlog?).
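
The service-name question above turns on how /etc/pam.conf maps a service name to a module stack: a service with no entries of its own is handled by the `other` entries. The following is an added example, not part of the original thread: it parses a constructed pam.conf sample (the function names are hypothetical) and reports which stack `dovecot` would get and whether pam_ldap is in it.

```python
# Added example: resolve which pam.conf entries apply to a PAM service name.
# SAMPLE_PAM_CONF is constructed for illustration, not taken from the thread.

SAMPLE_PAM_CONF = """\
# service  type     control    module [options]
login      auth     requisite  pam_authtok_get.so.1
login      auth     required   pam_unix_cred.so.1
login      auth     binding    pam_unix_auth.so.1 server_policy
login      auth     required   pam_ldap.so.1
other      auth     requisite  pam_authtok_get.so.1
other      auth     required   pam_unix_cred.so.1
other      auth     required   pam_unix_auth.so.1
other      account  required   pam_unix_account.so.1
"""


def parse_pam_conf(text):
    """Return {(service, type): [(control, module, options), ...]} in file order."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry: service, type, control, module required
        service, mtype, control, module = fields[:4]
        stacks.setdefault((service, mtype), []).append((control, module, fields[4:]))
    return stacks


def effective_stack(stacks, service, mtype="auth"):
    """Entries consulted for `service`; falls back to `other` when it has none."""
    if (service, mtype) in stacks:
        return service, stacks[(service, mtype)]
    return "other", stacks.get(("other", mtype), [])


def uses_module(stacks, service, module_prefix, mtype="auth"):
    """True if the effective stack for `service` includes e.g. pam_ldap."""
    _, entries = effective_stack(stacks, service, mtype)
    return any(m.rsplit("/", 1)[-1].startswith(module_prefix) for _, m, _ in entries)


if __name__ == "__main__":
    stacks = parse_pam_conf(SAMPLE_PAM_CONF)
    for svc in ("login", "dovecot"):
        source, _ = effective_stack(stacks, svc)
        has_ldap = uses_module(stacks, svc, "pam_ldap")
        print(f"{svc}: uses '{source}' entries, pam_ldap in stack: {has_ldap}")
```

With this sample, `dovecot` falls through to `other`, whose auth stack has no pam_ldap entry, so only local accounts would authenticate under that service name.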
Laurent Blume
2008-Jan-31 15:19 UTC
[Dovecot] Using Dovecot with nsswitch for LDAP on Solaris
Timo Sirainen wrote:
> What service name do they use? If they already work, make Dovecot use
> the same service name (e.g. passdb pam { args = imap }).

They're not using PAM directly, only the system login, so they don't have a service name.

> See if PAM also logged something (/var/log/authlog?).

No, but actually, it seems to be a problem specific to the Blastwave's binary. I decided to build my own, without simple configure options. Using the same startup and configuration files, it works. So I reported the bug on the Blastwave's site. Maybe they somehow disabled PAM, and it seems that Dovecot needs to use it when accessing accounts not in /etc/passwd.

Thank you for your answer, and sorry for the inconvenience, I really thought I was doing something wrong.

Laurent
--
/ Leader de Projet & Communauté | I'm working, but not speaking for
\ G11N http://fr.opensolaris.org | Bull Services http://www.bull.com
/ FOSUG http://guses.org |