We are now using Dovecot 2.0.21 with OpenLDAP, and this situation has already
gone on for quite a long time. When a user changes their password, we have to
reload Dovecot every time; otherwise the change is ignored and Dovecot sees only
the old password. Any ideas where the problem might be?
Conf:
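# 2.0.21: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-308.24.1.el5 i686 CentOS release 5.9 (Final)
#
# Listing restored to one setting per line (the posted copy was re-wrapped so
# that settings were fused into comment lines and into each other). Values are
# unchanged; lines marked NOTE(review) are reviewer annotations.

# NOTE(review): an auth cache is enabled. Cached passdb results are reused until
# they expire (see auth_cache_ttl), so a password changed in LDAP may not be
# picked up until the cache entry ages out or the auth process is reloaded.
# That matches the symptom described and is worth ruling out first. It also
# means a rotated or revoked password can remain usable for the cache lifetime.
auth_cache_size = 100 M
auth_mechanisms = plain login
auth_verbose = yes
default_process_limit = 5000
# NOTE(review): only PLAIN/LOGIN are offered and plaintext auth is not disabled,
# so a client may send the password over a connection that is not using TLS.
disable_plaintext_auth = no
info_log_path = /var/log/dovecot.log
mail_location = maildir:~/Maildir:INDEX=/var/spool/indexes/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  quota = maildir:User Quota
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
# (" at " is presumably the list archive's rendering of "@".)
postmaster_address = postmaster at artio.net
service auth {
  # NOTE(review): mode 0666 allows every local account to connect to this
  # authentication socket. Postfix setups commonly use mode 0660 with the
  # listener's user/group set to postfix instead.
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
service imap-login {
  # NOTE(review): service_count = 0 lets one login process serve many
  # connections (Dovecot's "high-performance" mode); service_count = 1 keeps
  # each pre-authentication connection in its own process.
  service_count = 0
}
service imap-postlogin {
  # NOTE(review): this script runs as root on every IMAP login. Confirm it needs
  # that privilege and that the script file is writable by root only.
  executable = script-login /usr/local/sbin/dovecot-postscript-imap
  user = root
}
service imap {
  executable = imap imap-postlogin
}
service pop3-postlogin {
  # NOTE(review): same consideration as imap-postlogin: runs as root per login.
  executable = script-login /usr/local/sbin/dovecot-postscript-pop3
  user = root
}
service pop3 {
  executable = pop3 pop3-postlogin
}
ssl_ca = </usr/share/ssl/certs/mail_artio_net-2012-geotrust.ca
ssl_cert = </usr/share/ssl/certs/mail_artio_net-2012-geotrust.crt
ssl_key = </usr/share/ssl/private/mail_artio_net-2012-geotrust.key
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocol lda {
  mail_plugins = sieve quota
}
protocol imap {
  mail_max_userip_connections = 50
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_plugins = quota
  pop3_uidl_format = %08Xu%08Xv
}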
Dovecot-ldap.conf:
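# Listing restored to one setting per line (the posted copy was re-wrapped so
# that active settings ended up inside comment lines). Values are unchanged;
# lines marked NOTE(review) are reviewer annotations.

# NOTE: We don't support "authentication binds", so you'll have to give
# dovecot-auth read access to userPassword field in LDAP server.
# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
# already be something like this:
#
# access to attribute=userPassword
#   by dn="<dovecot's dn>" read # add this
#   by anonymous auth
#   by self write
#   by * none
#
# NOTE(review): the header above looks inherited from an old sample file.
# Dovecot's LDAP passdb has an auth_bind option that verifies the password by
# binding as the user, so Dovecot does not need read access to userPassword.
# Confirm against the documentation for the running version.

# Space separated list of LDAP hosts to use. host:port is allowed too.
#hosts =
# NOTE(review): no tls / ldaps setting appears in this listing. If the full file
# has none, lookup results (including userPassword values) cross the network
# unencrypted between Dovecot and the LDAP servers.
hosts = 123.123.123.123 123.123.123.124

# Distinguished Name - the username used to login to the LDAP server
# NOTE(review): dn and dnpass are commented out here (possibly removed for
# posting). If they are really unset, the lookups are presumably done with an
# anonymous bind, which would require userPassword to be readable anonymously.
# Verify the slapd ACL.
#dn =

# Password for LDAP server
#dnpass =

# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3

# LDAP base
#base = uid=someone, dc=foo, dc=bar, dc=org
base = dc=artio,dc=net

# Dereference: never, searching, finding, always
deref = never

# Search scope: base, onelevel, subtree
scope = subtree

# User attributes in order:
#   Virtual user name (user at domain)
#   Home directory
#   MAIL environment
#   System user name (for getting user's groups from /etc/group)
#    - For virtual users you don't want to use this, so this defaults to none.
#   System UID
#   System GID
#user_attrs = uid,homeDirectory,,,uidNumber,gidNumber
# user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
# user_attrs = cn,homeDirectory,,uid,uidNumber,gidNumber
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid,artioMailQuotaSize=quota_rule=*:storage=%$M

# Filter for user lookup. Some variables can be used:
#   %u - username
#   %n - user part in user at domain, same as %u if there's no domain
#   %d - domain part in user at domain, empty if user there's no domain
#user_filter = (&(objectClass=posixAccount)(uid=%u))
user_filter = (&(objectClass=posixAccount)(|(uid=%u)(mail=%u)))

# Password checking attributes in order:
#   Virtual user name (user at domain)
#   Password, may optionally start with {type}, eg. {crypt}
#pass_attrs = uid,userPassword
# pass_attrs = cn,userPassword
pass_attrs = uid=user, userPassword=password

# Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
pass_filter = (&(objectClass=posixAccount)(|(uid=%u)(mail=%u)))

# Default password scheme. "{scheme}" before password overrides this.
# Currently supported schemes include PLAIN, PLAIN-MD5, DIGEST-MD5, CRYPT
# NOTE(review): CRYPT applies to stored values that carry no {scheme} prefix.
# Which hash that is depends on the stored value and the system's crypt();
# check that the directory does not still hold legacy DES-crypt hashes.
#default_pass_scheme = CRYPT
default_pass_scheme = CRYPT

# You can use same UID and GID for all user accounts if you really want to.
# If the UID/GID is still found from LDAP reply, it overrides these values.
#user_global_uid
#user_global_gid =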
Pam:
/etc/pam.d/dovecot
#%PAM-1.0
# PAM service definition for the "dovecot" service name.
# NOTE(review): the dovecot.conf listing in this post shows a single passdb with
# driver = ldap, so this PAM stack is presumably not consulted by Dovecot as
# configured. Confirm before treating it as part of the authentication path.
# pam_nologin.so is evaluated first as a "required" auth module.
auth required pam_nologin.so
# The remaining auth, account and session rules are pulled in from the
# system-auth service file.
auth include system-auth
account include system-auth
session include system-auth