Paolo Cravero
2015-Feb-27 15:00 UTC
Dovecot & LDAP Take #2: Authentication failed and logging
This is the user DN:

> cn=Klara Fall,ou=People,dc=[domainname],dc=de

According to your Dovecot configuration

> auth_bind_userdn = cn=%u,ou=People,dc=**[domainname]**,dc=de

if you login with "klarafall" it will be expanded into

cn=klarafall,ou=People,dc=[domainname],dc=de

which is not the correct DN for Mrs Klara.

So if you login with "Klara Fall" it should work, but that will probably mess up the things on the Dovecot filesystem.

I am strongly against setting a static DN when dealing with LDAP authentication. LDAP servers are optimized to serve search requests, so let yours do the job. Allow Dovecot to look up the correct DN based on the attribute you supply (uid) and then authenticate.

This should be achieved if you comment out the auth_bind_userdn line.

Paolo Cravero
David Scheele
2015-Mar-02 10:14 UTC
Dovecot & LDAP Take #2: Authentication failed and logging
Ok I played around a bit and activated debugging correctly (Thanks to
Steffen)
Now I try to log in with the user johndoe (that is his cn and his uid) and
I get the following message in syslog:
Mar 2 11:03:32 mailserver dovecot: auth: Debug: master in:
REQUEST#0111283457025#0117428#0111#011d139b5d372d882643bc995003c615c89
Mar 2 11:03:32 mailserver dovecot: auth: Debug:
ldap(johndoe,127.0.0.1,<EYmiVEsQSgB/AAAB>): user search:
base=ou=People,dc=[domainname],dc=de scope=subtree
filter=(&(objectClass=inetOrgPerson)(cn=johndoe)) fields=uidNumber
Mar 2 11:03:32 mailserver slapd[2465]: <= bdb_equality_candidates: (cn)
not indexed
Mar 2 11:03:32 mailserver dovecot: auth: Debug:
ldap(johndoe,127.0.0.1,<EYmiVEsQSgB/AAAB>): result: uidNumber missing
Mar 2 11:03:32 mailserver dovecot: auth: Debug: master out:
USER#0111283457025#011johndoe
Mar 2 11:03:32 mailserver dovecot: imap-login: Login: user=<johndoe>,
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=7450, secured,
session=<EYmiVEsQSgB/AAAB>
Mar 2 11:03:32 mailserver dovecot: imap(johndoe): Error: user johndoe:
Couldn't drop privileges: User is missing UID (see mail_uid setting)
Mar 2 11:03:32 mailserver dovecot: imap(johndoe): Error: Internal error
occurred. Refer to server log for more information.
I am confused what the line Mar 2 11:03:32 mailserver dovecot:
imap(johndoe): Error: user johndoe: Couldn't drop privileges: User is
missing UID (see mail_uid setting) is trying to tell me.
doveconf -n:
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.8 ext4
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
default_login_user = vmail
disable_plaintext_auth = no
first_valid_gid = 2222
first_valid_uid = 2222
listen = *
mail_access_groups = vmail
mail_debug = yes
mail_location = maildir:/var/vmail/%n
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
protocols = imap
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
user = root
}
service imap-login {
process_min_avail = 1
user = vmail
}
ssl = no
userdb {
args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
driver = ldap
}
grep -v '^ *\(#.*\)\?$' dovecot-ldap.conf.ext :
hosts = mailserver.[domainname].de
debug_level = 0
auth_bind = yes
auth_bind_userdn = cn=%u,ou=People,dc=[domainname],dc=de
base = ou=People,dc=[domainname],dc=de
user_attrs = uidNumber=uid
user_filter = (&(objectClass=inetOrgPerson)(cn=%u))
pass_attrs = userPassword=password
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
iterate_attrs = uid=user
iterate_filter = (objectClass=inetOrgPerson)
2015-02-27 16:00 GMT+01:00 Paolo Cravero <paolo.cravero at csi.it>:
>
> This is the user DN:
>
> > cn=Klara Fall,ou=People,dc=[domainname],dc=de
>
>
> According to your Dovecot configuration
>
> > auth_bind_userdn = cn=%u,ou=People,dc=**[domainname]**,dc=de
>
> if you login with "klarafall" it will be expanded into
>
> cn=klarafall,ou=People,dc=[domainname],dc=de
>
> which is not the correct DN for Mrs Klara.
>
> So if you login with "Klara Fall" it should work, but that will
probably
> mess up the things on Dovecot filesystem.
>
>
> I am strongly against setting a static DN when dealing with LDAP
> authentication. LDAP servers are optimized to serve search requests, so let
> yours do the job. Allow Dovecot to lookup the correct DN based on the
> attribute you supply (uid) and then authenticate.
>
> This should be achieved if you comment out the auth_bind_userdn line.
>
> Paolo Cravero
>
Mihai Badici
2015-Mar-02 10:53 UTC
Dovecot & LDAP Take #2: Authentication failed and logging
On Monday 02 March 2015 11:14:03 David Scheele wrote:
> Ok I played around a bit and activated debugging correctly (Thanks to
> Steffen)
>
> Now I try to log in with the user johndoe (that is his cn and his uid) and
> I get the following message in syslog:
> Mar 2 11:03:32 mailserver dovecot: auth: Debug: master in:
> REQUEST#0111283457025#0117428#0111#011d139b5d372d882643bc995003c615c89
> Mar 2 11:03:32 mailserver dovecot: auth: Debug:
> ldap(johndoe,127.0.0.1,<EYmiVEsQSgB/AAAB>): user search:
> base=ou=People,dc=[domainname],dc=de scope=subtree
> filter=(&(objectClass=inetOrgPerson)(cn=johndoe)) fields=uidNumber
> Mar 2 11:03:32 mailserver slapd[2465]: <= bdb_equality_candidates: (cn)
> not indexed
> Mar 2 11:03:32 mailserver dovecot: auth: Debug:
> ldap(johndoe,127.0.0.1,<EYmiVEsQSgB/AAAB>): result: uidNumber missing

There are two strategies: put the uid of each user in LDAP or use the same uid for all accounts.

For the second choice, you need to put something like

mail_uid = 10000
mail_gid = 10000

in 10-mail.conf. This user needs some rights on the dovecot storage folder.

When using the first choice, you will need a mechanism to generate those uids (this should be implemented in the LDAP management tool).

-- 
Mihai Bădici
http://mihai.badici.ro
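The following is an added example, not a file from David's server or from either reply: it rewrites the two LDAP config files along the lines of Paolo's advice (no auth_bind_userdn template, search for the DN by uid, then bind) and Mihai's two UID strategies (per-user uidNumber/gidNumber in LDAP, or one static mail_uid/mail_gid). The domain stays the thread's [domainname] placeholder; the gidNumber and homeDirectory attributes, the 10-mail.conf path, the dn/dnpass lookup account and the slapd index line are assumptions for illustration, not anything shown in the thread.

```conf
# ---- /etc/dovecot/dovecot-ldap.conf.ext (passdb) ----
hosts = mailserver.[domainname].de
base = ou=People,dc=[domainname],dc=de
scope = subtree

# No auth_bind_userdn: Dovecot first SEARCHES for the entry matching
# pass_filter, then binds as the DN it found. The login name is matched
# against uid, so an entry whose RDN is cn=Klara Fall still works when the
# user logs in as "klarafall".
auth_bind = yes
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
# pass_attrs is not needed for a bind-based check; leaving it out means the
# lookup account never reads userPassword.

# The search runs anonymously unless a lookup account is given. If the
# directory does not allow anonymous search, use a read-only bind account
# (assumed names; keep the file readable by root only since it holds dnpass):
#dn = cn=dovecot-lookup,ou=Services,dc=[domainname],dc=de
#dnpass = [placeholder]

# ---- /etc/dovecot/dovecot-ldap-userdb.conf.ext (userdb) ----
hosts = mailserver.[domainname].de
base = ou=People,dc=[domainname],dc=de
scope = subtree
user_filter = (&(objectClass=inetOrgPerson)(uid=%u))

# Strategy 1 (per-user ids in LDAP): every entry must carry uidNumber and
# gidNumber (posixAccount attributes, assumed present), otherwise the userdb
# lookup ends in "uidNumber missing" and imap fails with "User is missing
# UID" exactly as in the log above. Values must be >= first_valid_uid/gid.
user_attrs = uidNumber=uid,gidNumber=gid,homeDirectory=home

# Strategy 2 (one system user for all mailboxes): drop uidNumber/gidNumber
# from user_attrs above (user_attrs = homeDirectory=home, or leave it empty)
# and set a single account in 10-mail.conf instead. It must not be below
# first_valid_uid (2222 in David's doveconf) and must own /var/vmail:
#   mail_uid = vmail
#   mail_gid = vmail
#   mail_location = maildir:/var/vmail/%n

# ---- slapd.conf / cn=config (assumed) ----
# The slapd line "bdb_equality_candidates: (cn) not indexed" means every
# lookup was a full scan of ou=People. Whatever attribute the filters use
# (uid here) should have an equality index, e.g. in slapd.conf:
#   index uid eq
```

Check the result with `doveadm user johndoe`, which runs only the userdb lookup and prints the uid/gid fields Dovecot would use, before testing a real login; with strategy 2 it should show the vmail uid, with strategy 1 the entry's uidNumber.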