dovecot - Feb 2014 - Dovecot2 vs. AD, "Inactivity during authentication"

Hi,

I'm trying to setup Dovecot2 for
  o IMAP client access
  o LDA for postfix mail delivery (with SIEVE)
... on a FreeBSD host.

The FreeBSD server has no users (by intention), so I've set up a virtual
mail domain, using LDAP lookups in Postfix.  So far so good.  Mail delivers into
the proper mailbox.

But I'm stuck getting Dovecot to authenticate.  User- and passwd DB's
are set up for LDAP lookups to AD, using an authenticated bind (the AD server
offers no anonymous binds, yet).
I've enabled all the debugging I can find, but my logs have little
information to offer.

Any help in getting me a step further would be much appreciated.  In particular,
I'd like to learn how do diagnose these userdb/passdb issues properly.

Here's what I see in the logs:

Feb 27 12:25:49 <mail.info> ponyboy dovecot: imap-login: Disconnected:
Inactivity during authentication (disconnected while authenticating, waited 172
secs): user=<>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured,
session=<r/ERi2HzQAB/AAAB>
Feb 27 12:26:42 <mail.err> ponyboy dovecot: auth: Error:
PLAIN(js,127.0.0.1,<r/ERi2HzQAB/AAAB>): Request 74099.1 timed out after
225 secs, state=1

This logging is related to the folloging IMAP session:

ponyboy% telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a login js suppressed
* OK Waiting for authentication process to respond..
	* BYE Disconnected for inactivity during authentication.
Connection closed by foreign host.

Here's my config:

$ dovecot -n
# 2.2.10: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.0-RELEASE amd64  ufs
auth_debug = yes
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
first_valid_gid = 1000
first_valid_uid = 1000
imap_client_workarounds = delay-newmail
last_valid_gid = 1000
last_valid_uid = 1000
mail_gid = 1000
mail_location = maildir:/var/mail/on2it/%Ln
mail_uid = 1000
maildir_very_dirty_syncs = yes
namespace inbox {
  inbox = yes
  location   mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix }
passdb {
  args = /usr/local/etc/dovecot/on2it-ldap-users.cfg
  driver = ldap
}
protocols = imap
service auth-worker {
  user = root
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
shutdown_clients = no
ssl = no
userdb {
  args = /usr/local/etc/dovecot/on2it-ldap-users-userdb.cfg
  driver = ldap
}
valid_chroot_dirs = /var/mail/on2it

$ cat /usr/local/etc/dovecot/on2it-ldap-users.cfg
hosts = dc2.office.on2it.net
ldap_version = 3
base = dc=office,dc=on2it,dc=net
scope=subtree
auth_bind = yes
dn = [suppressed]
dnpass = [suppressed]

pass_attrs = sAMAccountName=user
user_attrs = \
	=home=/var/mail/on2it/%{ldap:sAMAccountName}, \
	=mail=maildir:/var/mail/on2it/%{ldap:sAMAccountName}

user_filter = (&(ObjectClass=person)(sAMAccountName=%u))
pass_filter = (&(ObjectClass=person)(sAMAccountName=%u))

iterate_attrs = sAMAccountName=user
iterate_filter = (objectClass=person)

$ ls -l /usr/local/etc/dovecot/on2it-ldap-users-userdb.cfg
lrwxr-xr-x  1 root  wheel  20 Feb 27 12:07
/usr/local/etc/dovecot/on2it-ldap-users-userdb.cfg -> on2it-ldap-users.cfg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 881 bytes
Desc: OpenPGP digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20140227/f1528e50/attachment-0001.sig>

Quoth Jeroen Scheerder (27 Feb 2014, 12:38):
> Here's what I see in the logs:
>
> Feb 27 12:25:49 <mail.info> ponyboy dovecot: imap-login:
Disconnected: Inactivity during authentication (disconnected while
authenticating, waited 172 secs): user=<>, method=PLAIN, rip=127.0.0.1,
lip=127.0.0.1, secured, session=<r/ERi2HzQAB/AAAB>
> Feb 27 12:26:42 <mail.err> ponyboy dovecot: auth: Error:
PLAIN(js,127.0.0.1,<r/ERi2HzQAB/AAAB>): Request 74099.1 timed out after
225 secs, state=1
Logging to file instead of syslog, I see a bit more:

Feb 27 12:45:27 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
Feb 27 12:45:27 auth: Debug: Wrote new auth token secret to
/var/run/dovecot/auth-token-secret.dat
Feb 27 12:45:27 auth: Debug: auth client connected (pid=74241)
Feb 27 12:45:31 auth: Debug: client in: AUTH    1       PLAIN   service=imap   
secured session=9QHH22HzYgB/AAAB        lip=127.0.0.1   rip=127.0.0.1  
lport=143       rport=64354     resp=<hidden>
Feb 27 12:45:31 auth: Debug: ldap(js,127.0.0.1,<9QHH22HzYgB/AAAB>): bind
search: base=dc=office,dc=on2it,dc=net
filter=(&(ObjectClass=person)(sAMAccountName=js))
Feb 27 12:48:27 imap-login: Info: Disconnected: Inactivity during authentication
(disconnected while authenticating, waited 176 secs): user=<>,
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured,
session=<9QHH22HzYgB/AAAB>
Feb 27 12:49:16 auth: Debug: ldap(js,127.0.0.1,<9QHH22HzYgB/AAAB>):
result: sAMAccountName=js; sAMAccountName unused
Feb 27 12:49:16 auth: Debug: ldap(js,127.0.0.1,<9QHH22HzYgB/AAAB>):
result: sAMAccountName=js
Feb 27 12:49:16 auth: Error: PLAIN(js,127.0.0.1,<9QHH22HzYgB/AAAB>):
Request 74241.1 timed out after 225 secs, state=1
Feb 27 12:49:16 auth: Debug: client in: CANCEL  1
Feb 27 12:49:18 auth: Debug: client passdb out: FAIL    1       user=js temp

Using ldapsearch on this very host, I have verified that this particular ldap
query, with the same authenticated bind, actually works:

ponyboy% time ldapsearch -o ldif-wrap=no -x -LLL -E pr=200/noprompt -w
suppressed \
	-H ldap://dc2.office.on2it.net -b dc=office,dc=on2it,dc=net -D suppressed -s
sub \
	'(&(ObjectClass=person)(sAMAccountName=js))' sAMAccountName
dn: CN=Jeroen
Scheerder,OU=Users,OU=Netherlands,OU=ON2IT,DC=office,DC=on2it,DC=net
sAMAccountName: js

#
refldap://DomainDnsZones.office.on2it.net/DC=DomainDnsZones,DC=office,DC=on2it,DC=net

#
refldap://ForestDnsZones.office.on2it.net/DC=ForestDnsZones,DC=office,DC=on2it,DC=net

# refldap://office.on2it.net/CN=Configuration,DC=office,DC=on2it,DC=net

# pagedresults: cookieldapsearch -o ldif-wrap=no -x -LLL -E pr=200/noprompt -w
[...] -H    0.00s user 0.00s system 19% cpu 0.019 total
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 881 bytes
Desc: OpenPGP digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20140227/e09b7ce2/attachment.sig>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 27 Feb 2014, Jeroen Scheerder wrote:
> passdb {
>  args = /usr/local/etc/dovecot/on2it-ldap-users.cfg
>  driver = ldap
> }
> userdb {
>  args = /usr/local/etc/dovecot/on2it-ldap-users-userdb.cfg
>  driver = ldap
> }
> $ cat /usr/local/etc/dovecot/on2it-ldap-users.cfg
> hosts = dc2.office.on2it.net
> ldap_version = 3
> base = dc=office,dc=on2it,dc=net
> scope=subtree
> auth_bind = yes
> dn = [suppressed]
> dnpass = [suppressed]
>
> pass_attrs = sAMAccountName=user
> user_attrs = \
> 	=home=/var/mail/on2it/%{ldap:sAMAccountName}, \
> 	=mail=maildir:/var/mail/on2it/%{ldap:sAMAccountName}
you must not use home dir == mail dir, search list about what wired 
things can happen, if you do. But this has nothing to do with your auth 
problem.
> user_filter = (&(ObjectClass=person)(sAMAccountName=%u))
> pass_filter = (&(ObjectClass=person)(sAMAccountName=%u))
>
> iterate_attrs = sAMAccountName=user
> iterate_filter = (objectClass=person)
>
> $ ls -l /usr/local/etc/dovecot/on2it-ldap-users-userdb.cfg
> lrwxr-xr-x  1 root  wheel  20 Feb 27 12:07
/usr/local/etc/dovecot/on2it-ldap-users-userdb.cfg -> on2it-ldap-users.cfg
> Feb 27 12:49:16 auth: Debug: ldap(js,127.0.0.1,<9QHH22HzYgB/AAAB>):
result: sAMAccountName=js; sAMAccountName unused
> Feb 27 12:49:16 auth: Debug: ldap(js,127.0.0.1,<9QHH22HzYgB/AAAB>):
result: sAMAccountName=js
This puzzles me, "sAMAccountName unused" should mean that Dovecot does
not
use the attribute, which contradicts the definition of pass_attrs. Do you 
have wiered characters in/around the line "pass_attrs = 
sAMAccountName=user"? Maybe a Windows linebreak ^M / \r or something? A 
Unicode non-breakable space? Did you stopped, killed any remaining Dovecot 
processes and restarted Dovecot - just to be sure?

Maybe, add sAMAccountName=user to user_attrs, too.

- -- 
Steffen Kaiser

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBUxA7WXD1/YhP6VMHAQKX4ggA1Zn7M3ADyVmqxtYT3aiNW429RiFLnKrX
ql8YZUS+ZPAKP7aBzEFZqUFKc3UkP9yR6QfZPoJC/x3DJqnKZZTW6dJl2vDkXVth
KUA1OotQVE21E85mbZR8zUYwKGl05saYwJb/4HpfP56xX8PbaItAUPISwPa5LAYK
aShfHZ/dD0Qq49eEMqa/ErG/3ntUQfD162UCiKMspUh91i4enEt1WQ2j4cSRN3BV
iSwx3U337uFYyUCqAhiUG7dtHU8CH2GD6RNFM/m3JXYZWg91zgKveBNJ4pGzV8mU
bb5pJ2KAhUQIjXnCgZrSSVIkgUr6KOMr0gkztACNvwhm78TF45WAbg==Y/0n
-----END PGP SIGNATURE-----