Басов Евгений
2011-Mar-26 19:31 UTC
[Dovecot] Dovecot-2.0.11 searches in all LDAP directory
Hello.
I have some user IDs in different OUs with different passwords. The base OU
for the mail server is 'ou=Mail, dc=ph, dc=com'.
Trying manual search:
# ldapsearch -b 'ou=Mail, dc=ph, dc=com' -D 'cn=bind, ou=Users, dc=ph, dc=com' -w XXX -s sub -h mainserv.ph.com '(&(objectClass=qmailUser)(uid=someuser))' uid mailMessageStore
...
# extended LDIF
...
uid: someuser
mailMessageStore: /var/mail/someuser/Maildir/
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
It works fine.
My dovecot configuration:
# 2.0.11: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.36-gentoo-r5 x86_64 Gentoo Base System release 2.0.1
base_dir = /var/run/dovecot/
listen = *
login_trusted_networks = 192.168.1.0/24
mail_location = maildir:~/.maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
passdb {
args = *
driver = pam
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
plugin/sieve = ~/.dovecot.sieve
plugin/sieve_dir = ~/sieve
protocols = imap
ssl_cert = </etc/ssl/dovecot/server.pem
ssl_key = </etc/ssl/dovecot/server.key
userdb {
driver = passwd
}
userdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
verbose_proctitle = yes
protocol lda {
mail_plugins = sieve
}
My /etc/dovecot/dovecot-ldap.conf.ext:
hosts = mainserv.ph.com
dn = cn=bind, ou=Users, dc=ph, dc=com
dnpass = XXX
debug_level = 255
auth_bind = yes
ldap_version = 3
base = ou=Mail, dc=ph, dc=com
scope = subtree
user_attrs = mailMessageStore=home
user_filter = (&(objectClass=qmailUser)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=qmailUser)(uid=%u))
I tested IMAP over telnet:
$ telnet mainserv.ph.com 143
Trying 192.168.1.252...
Connected to mainserv.ph.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
a001 LOGIN someuser password1
Two passwords are tested: for uid from ou=Mail and ou=Users. LDAP logs
of searches:
slapd[1917]: filter: (&(objectClass=posixAccount)(uid=someuser))
slapd[1917]: attrs:
slapd[1917]: uid
slapd[1917]: userPassword
slapd[1917]: uidNumber
slapd[1917]: gidNumber ... and etc
after this:
slapd[1917]: => access_allowed: search access to "cn=John Smith,ou=Mail,dc=ph,dc=com" "objectClass" requested
slapd[1917]: => dn: [2] ou=mail,dc=ph,dc=com
slapd[1917]: => acl_get: [2] matched
slapd[1917]: => acl_get: [2] attr objectClass ... and etc
I have some questions:
1. Why does it search in other LDAP places, not only ou=Mail, dc=ph, dc=com?
2. It does not put mailMessageStore from ou=Mail, dc=ph, dc=com. Why?
3. How do I disable lookups in other LDAP places except ou=Mail, dc=ph, dc=com?
Thanks for answers.
Басов Евгений
2011-Mar-26 19:36 UTC
[Dovecot] Dovecot-2.0.11 searches in all LDAP directory
> I tested IMAP over telnet:
>
> $ telnet mainserv.ph.com 143
> Trying 192.168.1.252...
> Connected to mainserv.ph.com.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
> a001 LOGIN someuser password1
>
> Two passwords are tested: for uid from ou=Mail and ou=Users.

Dovecot authenticates with password1 for uid from ou=Mail and for some uid from ou=Users. It should not be.
Joseba Torre
2011-Mar-28 11:19 UTC
[Dovecot] Dovecot-2.0.11 searches in all LDAP directory
On Saturday 26 March 2011 20:36:21 Басов Евгений wrote:
> Dovecot authenticates with password1 for uid from ou=Mail and for some
> uid from ou=Users. It should not be.

Maybe the password in the ou=Users matches the pam password? Maybe pam is checking ldap? This could also explain why sometimes the home is not set correctly. If not needed, remove the pam passdb and the passwd userdb and check again.

HTH
--
Joseba Torre. Vicegerencia de TICs, Área de Explotación
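The clue Joseba relies on is visible in the slapd log: a `(&(objectClass=posixAccount)(uid=...))` filter, which Dovecot's `dovecot-ldap.conf.ext` never issues (its filters use `objectClass=qmailUser`), and lookups touching entries outside `ou=Mail`. The check below is an added example, not code from the thread or from Dovecot: it takes the `base` and filter templates from the posted config, and runs over constructed slapd log lines modelled on the quoted ones, reporting every search that the Dovecot config cannot account for (so it must come from another client, such as a PAM/NSS LDAP module).

```python
import re

# Values copied from the thread's dovecot-ldap.conf.ext
DOVECOT_BASE = "ou=Mail, dc=ph, dc=com"
DOVECOT_FILTERS = ["(&(objectClass=qmailUser)(uid=%u))"]

# Constructed slapd log lines modelled on those quoted in the thread
SAMPLE_LOG = """\
slapd[1917]: filter: (&(objectClass=posixAccount)(uid=someuser))
slapd[1917]: filter: (&(objectClass=qmailUser)(uid=someuser))
slapd[1917]: => access_allowed: search access to "cn=John Smith,ou=Mail,dc=ph,dc=com" "objectClass" requested
slapd[1917]: => access_allowed: search access to "uid=someuser,ou=Users,dc=ph,dc=com" "userPassword" requested
"""


def normalize_dn(dn):
    """Lower-case and strip spaces after commas so 'ou=Mail, dc=ph' == 'ou=mail,dc=ph'."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def filter_pattern(template):
    """Turn a Dovecot filter template into a regex; %u matches any username."""
    parts = [re.escape(p) for p in template.split("%u")]
    return re.compile("^" + "[^)]+".join(parts) + "$")


def audit(log_text, base=DOVECOT_BASE, templates=DOVECOT_FILTERS):
    """Return (kind, value) pairs for log entries Dovecot's config cannot explain."""
    patterns = [filter_pattern(t) for t in templates]
    base_norm = normalize_dn(base)
    findings = []
    for line in log_text.splitlines():
        m = re.search(r"filter: (\(.*\))\s*$", line)
        if m:
            f = m.group(1)
            if not any(p.match(f) for p in patterns):
                # A filter Dovecot never sends: some other LDAP client is querying
                findings.append(("unexpected_filter", f))
            continue
        m = re.search(r'search access to "([^"]+)"', line)
        if m:
            dn = normalize_dn(m.group(1))
            if dn != base_norm and not dn.endswith("," + base_norm):
                # Entry outside the configured base: not a Dovecot subtree search
                findings.append(("outside_base", m.group(1)))
    return findings
```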