me at electronico.nc
2013-Oct-30  08:00 UTC
[Dovecot] dovecot-ldap : can't find user in OU subtree
Hi all,

Well, I've compiled and installed dovecot 2.2.6 with the following options:

> ./configure --prefix=/usr/ --sysconfdir=/etc/ --with-mysql
> --libexecdir=/usr/lib/ --localstatedir=/var
> --with-moduledir=/usr/lib/dovecot/modules --disable-rpath
> --disable-static --with-zlib --with-bzlib --with-solr --with-ldap
> --with-gssapi --with-nss

doveconf -n:

> # 2.2.6: /etc/dovecot/dovecot.conf
> # OS: Linux 3.8.0-32-generic x86_64 Ubuntu 12.04.3 LTS ext4
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> first_valid_gid = 20001
> first_valid_uid = 20001
> log_timestamp = %Y-%m-%d %H:%M:%S
> mail_debug = yes
> mail_gid = 20001
> mail_home = /media/data/email/%n
> mail_location = maildir:/media/data/email/%n/mail
> mail_plugins = fts fts_solr acl zlib mail_log notify
> mail_uid = 20001
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date spamtest spamtestplus virustest
> namespace {
>   list = no
>   location = maildir:/media/data/email/%%n/mail:INDEX=/media/data/email/%n/mail/shared/%%n
>   prefix = shared/%%n/
>   separator = /
>   subscriptions = no
>   type = shared
> }
> namespace inbox {
>   inbox = yes
>   location = maildir:/media/data/email/%n/mail
>   mailbox Sent {
>     auto = subscribe
>   }
>   mailbox Spam {
>     auto = subscribe
>   }
>   mailbox SpamFalse {
>     auto = subscribe
>   }
>   mailbox SpamToLearn {
>     auto = subscribe
>   }
>   prefix =
>   separator = /
>   type = private
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
>   driver = ldap
> }
> plugin {
>   acl = vfile
>   mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename save mailbox_create
>   mail_log_fields = uid box msgid size
>   sieve = /media/data/email/%n/dovecot.sieve
>   sieve_after = /media/data/email/sieve/global.sieve
>   sieve_dir = /media/data/email/%n/sieve
>   zlib_save = bz2
>   zlib_save_level = 9
> }
> protocols = imap pop3 sieve lmtp
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
>   unix_listener auth-master {
>     group = vmail
>     mode = 0660
>     user = vmail
>   }
>   unix_listener auth-userdb {
>     group = vmail
>     mode = 0640
>     user = vmail
>   }
> }
> service imap-login {
>   inet_listener imap {
>     address = *
>     port = 143
>   }
>   inet_listener imaps {
>     address = *
>     port = 993
>     ssl = yes
>   }
>   process_limit = 256
> }
> service lmtp {
>   inet_listener lmtp {
>     address = *
>     port = 24
>   }
>   user = vmail
> }
> service managesieve-login {
>   inet_listener sieve {
>     address = *
>     port = 4190
>   }
>   process_limit = 256
>   vsz_limit = 64 M
> }
> service pop3-login {
>   inet_listener pop3 {
>     address = *
>     port = 110
>   }
>   inet_listener pop3s {
>     address = *
>     port = 995
>     ssl = yes
>   }
> }
> ssl = required
> ssl_ca = </etc/postfix/tls/cacert.pem
> ssl_cert = </etc/postfix/tls/radiodjiido-cert.pem
> ssl_key = </etc/postfix/tls/radiodjiido-key.pem
> ssl_verify_client_cert = yes
> userdb {
>   args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
>   driver = ldap
> }
> protocol imap {
>   imap_client_workarounds = delay-newmail
>   imap_max_line_length = 64 k
>   mail_max_userip_connections = 20
>   mail_plugins = acl imap_acl mail_log notify zlib
> }
> protocol pop3 {
>   mail_plugins = zlib mail_log notify
>   pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
>   pop3_uidl_format = %08Xu%08Xv
> }
> protocol sieve {
>   managesieve_logout_format = bytes ( in=%i : out=%o )
> }
> protocol lda {
>   info_log_path =
>   log_path =
>   mail_plugins = sieve zlib mail_log notify
>   quota_full_tempfail = yes
>   syslog_facility = mail
> }
> protocol lmtp {
>   info_log_path =
>   log_path =
>   mail_plugins = sieve fts zlib mail_log notify
>   quota_full_tempfail = yes
> }

/etc/dovecot/dovecot-ldap-passdb.conf.ext:

> hosts = localhost
> auth_bind = yes
> auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan
> ldap_version = 3
> base = ou=users,dc=domain,dc=lan
> scope = subtree
> pass_filter = (&(objectClass=person)(cn=%u)(mail=*))

/etc/dovecot/dovecot-ldap-userdb.conf.ext:

> hosts = localhost
> dn = cn=ldap,cn=Users,DC=domain,DC=lan
> dnpass = My_secret_pass
> ldap_version = 3
> base = OU=users,DC=domain,DC=lan
> scope = subtree
> user_attrs = uid=20001, gid=20001, home=/media/data/email/%n, mail=/media/data/email/%n/mail
> user_filter = (&(objectClass=person)(cn=%n)(mail=*))
> iterate_attrs = cn=user
> iterate_filter = (objectClass=person)

All seems to work as expected up to now, but:

If I move a user from OU 'users' to a sub-OU 'administrative' on Active Directory:
-> The user can't log in anymore to Dovecot

I have added "scope = subtree" to the userdb and passdb files but it doesn't change anything.

Here is the debug part when user test3 (located in ou=users, ou=administrative) tries to log in:

> Oct 30 18:49:12 serveur dovecot: auth: Debug: auth client connected (pid=4292)
> Oct 30 18:49:12 serveur dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=L6uskfDpKwAKChTQ#011lip=10.10.20.1#011rip=10.10.20.208#011lport=993#011rport=54827
> Oct 30 18:49:12 serveur dovecot: auth: Debug: client passdb out: CONT#0111#011
> Oct 30 18:49:12 serveur dovecot: auth: Debug: client in: CONT<hidden>
> Oct 30 18:49:12 serveur dovecot: auth: ldap(test3,10.10.20.208,<L6uskfDpKwAKChTQ>): invalid credentials
> Oct 30 18:49:14 serveur dovecot: auth: Debug: client passdb out: FAIL#0111#011user=test3

As soon as I move user 'test3' back to ou=users, it can log in ...

> Oct 30 18:53:57 serveur dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
> Oct 30 18:53:57 serveur dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
> Oct 30 18:53:57 serveur dovecot: auth: Debug: auth client connected (pid=4303)
> Oct 30 18:53:57 serveur dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=h+ypovDpUAAKChTQ#011lip=10.10.20.1#011rip=10.10.20.208#011lport=993#011rport=54864
> Oct 30 18:53:57 serveur dovecot: auth: Debug: client passdb out: CONT#0111#011
> Oct 30 18:53:57 serveur dovecot: auth: Debug: client in: CONT<hidden>
> Oct 30 18:53:57 serveur dovecot: auth: Debug: client passdb out: OK#0111#011user=test3

Thanks in advance for your time and lights.

Nicolas
Steffen Kaiser
2013-Oct-30  08:32 UTC
[Dovecot] dovecot-ldap : can't find user in OU subtree
On Wed, 30 Oct 2013, me at electronico.nc wrote:

>> passdb {
>>   args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
>>   driver = ldap
>> }
>
> /etc/dovecot/dovecot-ldap-passdb.conf.ext:
>> hosts = localhost
>> auth_bind = yes
>> auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan

You define your bind DN as cn=%u,OU=users,dc=domain,dc=lan

>> ldap_version = 3
>> base = ou=users,dc=domain,dc=lan
>> scope = subtree
>> pass_filter = (&(objectClass=person)(cn=%u)(mail=*))

>> user_attrs = uid=20001, gid=20001, home=/media/data/email/%n, mail=/media/data/email/%n/mail
>> user_filter = (&(objectClass=person)(cn=%n)(mail=*))

pass_filter and user_filter differ in %u vs. %n.

> Here is the debug part when user test3 (located in ou=users,
> ou=administrative) tries to login:

The auth_bind_userdn does not match the ou=administrative location. Drop the auth_bind_userdn, IMHO, so Dovecot actually uses pass_filter to search for the DN of the user.

>> Oct 30 18:49:12 serveur dovecot: auth: ldap(test3,10.10.20.208,<L6uskfDpKwAKChTQ>): invalid credentials
>> Oct 30 18:49:14 serveur dovecot: auth: Debug: client passdb out: FAIL#0111#011user=test3

> As soon as I move user 'test3' back to ou=users, it can login ...
>> Oct 30 18:53:57 serveur dovecot: auth: Debug: client passdb out: OK#0111#011user=test3

-- 
Steffen Kaiser
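The mechanics behind Steffen's answer, as an added example that is not code from the thread or from Dovecot: with auth_bind_userdn set, Dovecot expands one fixed DN template and binds as it, so an entry that has been moved under a sub-OU simply does not exist at that DN and the bind fails exactly like a wrong password; `scope = subtree` only affects searches, which never happen on that path. Without auth_bind_userdn, the expanded pass_filter is searched below `base` with the configured scope and finds the entry wherever it sits in the subtree. The directory below is constructed (entries `test1`, `test3` and a mail-less `svc`); the OU and DC names follow the thread's configuration; the filter parser, DN scope check and `%u`/`%n` expansion are simplified models of LDAP and Dovecot behaviour written for this example, not their code.

```python
"""Templated bind DN vs. filter search with scope=subtree (added example)."""

# Constructed directory, DN -> attributes. test3 has been moved from
# OU=users into its sub-OU administrative, mirroring the thread.
DIRECTORY = {
    "OU=users,DC=domain,DC=lan": {"objectClass": ["organizationalUnit"]},
    "OU=administrative,OU=users,DC=domain,DC=lan": {"objectClass": ["organizationalUnit"]},
    "CN=test1,OU=users,DC=domain,DC=lan": {
        "objectClass": ["person"], "cn": ["test1"], "mail": ["test1@domain.lan"]},
    "CN=test3,OU=administrative,OU=users,DC=domain,DC=lan": {
        "objectClass": ["person"], "cn": ["test3"], "mail": ["test3@domain.lan"]},
    # No mail attribute: (mail=*) in the filter must exclude this account.
    "CN=svc,OU=users,DC=domain,DC=lan": {"objectClass": ["person"], "cn": ["svc"]},
}

# Values taken from the thread's passdb file (hypothetical %n variant added).
AUTH_BIND_USERDN = "cn=%u,OU=users,dc=domain,dc=lan"
PASS_BASE = "ou=users,dc=domain,dc=lan"
PASS_FILTER_U = "(&(objectClass=person)(cn=%u)(mail=*))"
PASS_FILTER_N = "(&(objectClass=person)(cn=%n)(mail=*))"


def expand(template: str, username: str) -> str:
    """Dovecot-style variables used in the thread: %u full login, %n user part, %d domain."""
    user, _, domain = username.partition("@")
    return template.replace("%u", username).replace("%n", user).replace("%d", domain)


def dn_rdns(dn: str) -> list[str]:
    """Case-folded RDN list; the constructed data has no escaped commas."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn: str, base: str, scope: str) -> bool:
    """LDAP scope semantics: base = the base entry only, onelevel = direct children, subtree = all below (and base)."""
    e, b = dn_rdns(entry_dn), dn_rdns(base)
    if e[-len(b):] != b:
        return False
    depth = len(e) - len(b)
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    return True  # subtree


def parse_filter(s: str):
    """Parse the RFC 4515 subset the thread uses: &, |, !, equality and presence (attr=*)."""
    pos = 0

    def parse():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if s[pos] in "&|":
            op = s[pos]
            pos += 1
            children = []
            while s[pos] == "(":
                children.append(parse())
            pos += 1  # closing ')'
            return (op, children)
        if s[pos] == "!":
            pos += 1
            child = parse()
            pos += 1
            return ("!", [child])
        end = s.index(")", pos)
        attr, _, value = s[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), value)

    ast = parse()
    if pos != len(s):
        raise ValueError("trailing characters in filter")
    return ast


def matches(ast, attrs: dict) -> bool:
    """Evaluate a parsed filter against one entry's (lower-cased key) attributes."""
    if ast[0] == "&":
        return all(matches(c, attrs) for c in ast[1])
    if ast[0] == "|":
        return any(matches(c, attrs) for c in ast[1])
    if ast[0] == "!":
        return not matches(ast[1][0], attrs)
    _, attr, value = ast
    values = [v.lower() for v in attrs.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values


def search(base: str, scope: str, filter_str: str) -> list[str]:
    """Return the DNs below base (per scope) that satisfy the filter."""
    ast = parse_filter(filter_str)
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, scope)
            and matches(ast, {k.lower(): v for k, v in attrs.items()})]


def passdb_templated(username: str):
    """auth_bind_userdn path: one fixed DN; scope is irrelevant because nothing is searched."""
    wanted = dn_rdns(expand(AUTH_BIND_USERDN, username))
    return next((dn for dn in DIRECTORY if dn_rdns(dn) == wanted), None)


def passdb_search(username: str, scope: str = "subtree", pass_filter: str = PASS_FILTER_U):
    """pass_filter path: search below base; exactly one hit is required for a bind DN."""
    hits = search(PASS_BASE, scope, expand(pass_filter, username))
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for user in ("test1", "test3"):
        print(f"{user}: templated bind DN -> {passdb_templated(user)}")
        print(f"{user}: subtree search    -> {passdb_search(user)}")
        print(f"{user}: onelevel search   -> {passdb_search(user, scope='onelevel')}")
    print("login with domain, (cn=%u):", passdb_search("test3@domain.lan"))
    print("login with domain, (cn=%n):", passdb_search("test3@domain.lan", pass_filter=PASS_FILTER_N))
```

Running it shows `test1` resolving both ways while `test3` resolves only through the subtree search, and that `onelevel` would miss `test3` just as the fixed template does. The last two lines reproduce Steffen's `%u` vs. `%n` remark: once clients log in as `user@domain`, a `(cn=%u)` filter compares the full login against `cn` and matches nothing, whereas `(cn=%n)` keeps working.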