Paweł Lęcznar
2011-Jul-31 20:48 UTC
[Dovecot] [BUG?] LDAP authentication with aliases issues
Hello,

I am trying to configure Dovecot with LDAP authentication. My LDAP tree structure is as follows:

dc=root,dc=pl
 \_ ou=Users
    \_ uid=test
 \_ ou=Mail
    \_ ou=domain.pl
       \_ uid=alias_to_test

I cannot authenticate using 'uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl'. If I try to authenticate using 'uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl', the following entries appear in Dovecot's log file:

#v+
auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=993 rport=59818 resp=YWxpYXMxQGFsaWFzeS5wbABhbGlhczFAYWxpYXN5LnBsAGFzZHF3ZWFzZA=
auth: Debug: ldap(alias_to_test at domain.pl,127.0.0.1): pass search: base=uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl scope=base filter=(&(objectClass=posixAccount)) fields=uid,userPassword
auth: Debug: auth(alias_to_test at domain.pl,127.0.0.1): username changed alias_to_test at domain.pl -> test
auth: Debug: ldap(test,127.0.0.1): result: uid(user)=test userPassword(password)={CRYPT}ACnZvF4.K46UI
auth: Debug: client out: OK 1 user=test
auth: Debug: ldap(test,127.0.0.1): user search: base=uid=test,ou=,ou=Mail,dc=root,dc=pl scope=base filter=(&(objectClass=posixAccount)(uid=test)) fields=homeDirectory,uidNumber,gidNumber
auth: Debug: master out: FAIL 2551840769
#v-

In the LDAP server log file, the following entries appear during the authentication attempt:

#v+
ldap slapd[11729]: conn=1125 op=0 BIND dn="cn=Manager,dc=root,dc=pl" method=128
ldap slapd[11729]: conn=1125 op=0 BIND dn="cn=Manager,dc=root,dc=pl" mech=SIMPLE ssf=0
ldap slapd[11729]: conn=1125 op=0 RESULT tag=97 err=0 text
ldap slapd[11729]: conn=1125 op=1 SRCH base="uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl" scope=0 deref=3 filter="(&(objectClass=posixAccount))"
ldap slapd[11729]: conn=1125 op=1 SRCH attr=uid userPassword
ldap slapd[11729]: conn=1125 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
ldap slapd[11729]: conn=1125 op=2 do_search: invalid dn: "uid=test,ou=,ou=Mail,dc=root,dc=pl"
ldap slapd[11729]: conn=1125 op=2 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
#v-

It seems that LDAP AuthDatabase doesn't change the context when looking up the target object to which the alias points. Furthermore, the filter for the target object '(&(objectClass=posixAccount)(uid=test))' was not defined by me anywhere in the configuration file 'dovecot-ldap.ext'.

I have tried both authentication ways: 'password lookups' and 'authentication binding', with the same result. However, there is no problem authenticating as 'uid=test,ou=Users,dc=root,dc=pl' (of course after modifying the configuration file listed at the end).

I suppose that it can be a bug in LDAP AuthDatabase, so I am writing this post as a potential bug report.

Below are my configuration data:

***************
# dovecot -n
# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.38.8-1 x86_64
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_verbose = yes
auth_verbose_passwords = plain
listen = *
mail_debug = yes
mail_gid = 2000
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster at domain.pl
protocols = imap pop3 sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/openssl/certs/vmail.pem
ssl_key = </etc/openssl/private/vmail.key
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
verbose_ssl = yes

***************
# cat /etc/dovecot/dovecot-ldap.ext
uris = ldap://X.Y.Z.V/
dn = cn=Manager,dc=root,dc=pl
dnpass = password
auth_bind = no
ldap_version = 3
base = uid=%n,ou=%d,ou=Mail,dc=root,dc=pl
deref = always
scope = base
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount))
default_pass_scheme = CRYPT
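Added example, not code from the thread or from Dovecot: a small check that reproduces the failure visible in the logs above, where the passdb returns the bare username 'test' and the userdb base template 'uid=%n,ou=%d,...' then expands to a DN with an empty 'ou=' RDN that slapd rejects (err=34). The %u/%n/%d expansion is a simplified re-implementation (an assumption, not Dovecot's code), the DN splitting ignores escaped commas, and the inputs are constructed from the thread's base template and the two usernames in the debug log.

```python
import re

# Constructed inputs taken from the thread: the base template from
# dovecot-ldap.ext and the usernames seen before and after the passdb
# rewrote 'alias_to_test@domain.pl' to 'test'.
BASE_TEMPLATE = "uid=%n,ou=%d,ou=Mail,dc=root,dc=pl"
USERNAMES = ("alias_to_test@domain.pl", "test")


def expand_vars(template: str, username: str) -> str:
    """Simplified re-implementation (assumption) of Dovecot's %u / %n / %d
    expansion: %u is the full username, %n the part before '@', %d the
    domain after '@' (empty when the username carries no domain)."""
    if "@" in username:
        local, domain = username.split("@", 1)
    else:
        local, domain = username, ""
    table = {"%u": username, "%n": local, "%d": domain}
    return re.sub(r"%[und]", lambda m: table[m.group(0)], template)


def find_empty_rdns(dn: str) -> list:
    """Return the attribute names of RDNs whose value is empty, i.e. the
    shape slapd refused with 'invalid dn' in the log. Splits on ',' only;
    escaped commas in values are not handled (simplification)."""
    empties = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        if not value.strip():
            empties.append(attr.strip())
    return empties


def check_base(template: str, username: str) -> dict:
    """Expand the template for one username and report whether the
    resulting DN would be accepted by the LDAP server."""
    dn = expand_vars(template, username)
    empties = find_empty_rdns(dn)
    return {"dn": dn, "valid": not empties, "empty_rdns": empties}


if __name__ == "__main__":
    # Expected: the aliased login expands cleanly, the rewritten bare
    # username leaves 'ou=' empty and is flagged as invalid.
    for user in USERNAMES:
        r = check_base(BASE_TEMPLATE, user)
        print(f"{user:25} -> {r['dn']}  valid={r['valid']} empty={r['empty_rdns']}")
```

Running the check against every base template in a dovecot-ldap configuration, with both the login form and the post-passdb form of each username, shows before deployment which lookups will produce an invalid DN.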
Paweł Lęcznar
2011-Aug-04 19:23 UTC
[Dovecot] [BUG?] LDAP authentication with aliases issues
On 31.07.2011 22:48, Paweł Lęcznar wrote:
> [original bug report quoted in full; see the message above]

Nobody? Nothing? Is there any chance that the author of the authentication LDAP module will fix this problem?