On 23/06/15 13:10, Steffen Kaiser wrote:
>
> On Tue, 23 Jun 2015, lejeczek wrote:
>> On 23/06/15 09:32, Steffen Kaiser wrote:
>>> On Mon, 22 Jun 2015, lejeczek wrote:
>>>> On 22/06/15 09:43, Steffen Kaiser wrote:
>>>>> On Mon, 22 Jun 2015, lejeczek wrote:
>>>>>> On 22/06/15 09:16, lejeczek wrote:
>>>>>>>
>>>>>>> to=<me at my.domain>,orig_to=<root at localhost>,
>>>>>>> relay=dovecot, delay=39296, delays=39294/2.2/0/0.27,
>>>>>>> dsn=4.3.0, status=deferred (temporary failure)
>>>>>>>
>>>>>>> and dovecot logs no error, despite having debug set to
>>>>>>> yes in a couple of places,
>>>>>>> it shows:
>>>>>>>
>>>>>>> auth: Debug: master in: USER 1 me at my.domain service=lda
>>>>>>> auth-worker(25343): Debug: passwd(me at my.domain): lookup
>>>>>>> auth-worker(25343): passwd(me at my.domain): unknown user
>>>>>>> auth: Debug: ldap(me at my.domain): user search:
>>>>>>> base=ou=People,dc=my,dc=domain scope=subtree
>>>>>>> filter=(&(objectClass=person)(uid=me)) fields=
>>>>>>> auth: Debug: ldap(me at my.domain): result:
>>>>>>> objectClass=top,top,top,top,
>>>>>>>
>>>>>>> ... here goes the whole lot of ldap attribs, and at
>>>>>>> the end:
>>>>>>>
>>>>>>> unused.
>>>>>>>
>>>>>>> For passdb & userdb in the configs I only configure
>>>>>>> ldap backed, nothing else. Ldap works, I can query
>>>>>>> it without failing.
>>>>>>> I believe it's very simple set up but I must be
>>>>>>> wrong somewhere.
>>>>>>>
>>>>>>> pass_filter = (&(objectClass=posixAccount)(uid=%n))
>>>>>>> pass_attrs = uid=user=%n,userPassword=password
>>>>>
>>>>> Use either uid=user or =user=%n but not uid=user=%n.
>>>>> I would use uid=user, so the user cannot specify the
>>>>> case of the username.
>>>>>
>>>>>>> user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
>>>>>>> user_filter = (&(objectClass=person)(uid=%n))
>>>>>>>
>>>>>> even stranger, if I use (along with ldap in configs):
>>>>>
>>>>> Please post:
>>>>>
>>>>> complete doveconf -n
>>>>> and the complete LDAP config being referenced by the
>>>>> config.
>>>>>
>>>>>> userdb {
>>>>>> driver = static
>>>>>> args = uid=vmail gid=mail home=/var/spool/mail/%d/%n mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
>>>>>> sieve_storage=/var/spool/mail/%d/%n/SIEVE
>>>>>> sieve=/var/spool/mail/%d/%n/dovecot.sieve
>>>>>> }
>>>>>>
>>>>>> dovecot starts to core dump:
>>>>>>
>>>>>> auth: Fatal: master: service(auth): child 9188 killed
>>>>>> with signal 11 (core dumped)
>>>>
>>>> auth_debug = yes
>>>
>>> The first lines should be something like this:
>>>
>>> # 2.2.18 (8906101589f9):
>>> /usr/local/dovecot-2.2.18/etc/dovecot/dovecot.conf
>>> # Pigeonhole version 0.4.8 (3df7e50f986d)
>>> # OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.10
>>>
>>> What version are you using?
>>>
>>>> auth_mechanisms = login
>>>> auth_verbose = yes
>>>> first_valid_uid = 999
>>>> mail_debug = yes
>>>> mail_location = maildir:/var/spool/mail/my.domain/%u/Maildir
>>>> mail_uid = vmail
>>>> managesieve_notify_capability = mailto
>>>> managesieve_sieve_capability = fileinto reject envelope
>>>> encoded-character vacation subaddress
>>>> comparator-i;ascii-numeric relational regex imap4flags
>>>> copy include variables body enotify environment mailbox
>>>> date ihave
>>>> mbox_write_locks = fcntl
>>>> namespace inbox {
>>>> inbox = yes
>>>> location =
>>>> mailbox Drafts {
>>>> special_use = \Drafts
>>>> }
>>>> mailbox Junk {
>>>> special_use = \Junk
>>>> }
>>>> mailbox Sent {
>>>> special_use = \Sent
>>>> }
>>>> mailbox "Sent Messages" {
>>>> special_use = \Sent
>>>> }
>>>> mailbox Trash {
>>>> special_use = \Trash
>>>> }
>>>> prefix =
>>>> }
>>>> passdb {
>>>> driver = pam
>>>> }
>>>
>>> Did you remove or comment out the line:
>>>
>>> 10-auth.conf:#!include auth-system.conf.ext
>>>
>>> ?
>>>
>>>> passdb {
>>>> args = /etc/dovecot/ldap-passdb-my.domain.conf
>>>> driver = ldap
>>>> }
>>>> plugin {
>>>> sieve = ~/.dovecot.sieve
>>>> sieve_dir = ~/sieve
>>>> sieve_storage = SIEVE
>>>> }
>>>> protocols = imap sieve
>>>> service auth {
>>>> unix_listener /var/spool/postfix/private/auth {
>>>> group = mail
>>>> mode = 0660
>>>> user = vmail
>>>> }
>>>> unix_listener auth-userdb {
>>>> group = mail
>>>> mode = 0660
>>>> user = vmail
>>>> }
>>>> }
>>>> service imap-login {
>>>> inet_listener imap {
>>>> port = 143
>>>> }
>>>> inet_listener imaps {
>>>> port = 993
>>>> }
>>>> }
>>>> ssl = required
>>>> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
>>>> ssl_key = </etc/pki/dovecot/private/dovecot.pem
>>>> userdb {
>>>> driver = passwd
>>>> }
>>>> userdb {
>>>> args = /etc/dovecot/ldap-userdb-my.domain.conf
>>>> driver = ldap
>>>> }
>>>> protocol lmtp {
>>>> mail_plugins = " sieve"
>>>> }
>>>> protocol lda {
>>>> mail_plugins = " sieve"
>>>> }
>>>>
>>>> #ldap-passdb
>>>> hosts = localhost
>>>> uris = ldap://localhost:389/
>>>> ldap_version = 3
>>>> base = ou=People,dc=my,dc=domain
>>>> dn = cn=Manager,dc=my,dc=domain
>>>> dnpass = my.pass
>>>> auth_bind = no
>>>> pass_attrs = uid=%n,userPassword=password
>>>
>>> uid=%n makes no sense. Please use just:
>>>
>>> pass_attrs = userPassword=password
>>>
>>>> pass_filter = (&(objectClass=posixAccount)(uid=%n))
>>>>
>>>>
>>>> #ldap-userdb
>>>> hosts = localhost
>>>> uris = ldap://localhost:389/
>>>> ldap_version = 3
>>>> base = ou=People,dc=my,dc=domain
>>>> dn = cn=Manager,dc=my,dc=domain
>>>> dnpass = my.pass
>>>> auth_bind = no
>>>> user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
>>>> user_filter = (&(objectClass=person)(uid=%n))
>>>> default_pass_scheme = SSHA
>>>>
>>>> It cannot be postfix if it relays and dovecot gets
>>>> these relays. Can it be?
>>>
>>> I have tried your config with above mentioned version,
>>> with LDAP as only passdb and userdb and these
>>> LDAP-settings:
>>>
>>> hosts = localhost
>>> auth_bind = yes
>>> base = <baseDN>
>>> deref = searching
>>> user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
>>> user_filter = (&(objectClass=fhMailAlias)(uid=%n))
>>> pass_attrs = userPassword=password
>>> pass_filter = (&(objectClass=fhMailAlias)(uid=%Ln)(!(deniedService=%Ls)))
>>> iterate_filter = (objectClass=fhMailAlias)
>>>
>>> Note the pass_attrs. Then I submitted a new message with:
>>>
>>> socat stdin UNIX:/var/run/dovecot2.2/lmtp
>>> LHLO loc
>>> mail from:<me at example.com>
>>> rcpt to:<other at example.com>
>>> data
>>> Subject: 1
>>>
>>> 1
>>> .
>>>
>>> successfully. Maildir was created and message spooled to
>>> /var/spool/mail/example.com/other/Maildir. Then I logged
>>> in via IMAP successfully as well.
>>>
>>> I also tried the other order: reload Dovecot to flush
>>> any caches, log in via IMAP and submit via LMTP.
>>>
>>> You should however note the following:
>>>
>>> Both filters treat users "me at example.com" and
>>> "me at localhost.localdomain" as the same user, because
>>> they match the same LDAP item (uid=%n), however the
>>> directories of the users _should_ differ, but they won't
>>> as long as the user's information is cached in the auth
>>> cache.
>>>
>>> That means:
>>>
>>> doveadm auth cache flush
>>> doveadm user me at example.net
>>> doveadm user me at example.com
>>>
>>> returns the data for me at example.net in both cases and
>>>
>>> doveadm auth cache flush
>>> doveadm user me at example.com
>>> doveadm user me at example.net
>>>
>>> returns the data for me at example.com in both cases.
>> it's weird I know, I do:
>>
>> # doveadm auth test -x service=smtp -x rip=172.25.12.214 me at my.domain
>> Password:
>> passdb: me at my.domain auth succeeded
>> extra fields:
>> user=me at my.domain
>>
>> and in the logs:
>>
>> auth-worker(32531): Debug: pam(me at my.domain,172.25.12.214): lookup service=dovecot
>> auth-worker(32531): Debug: pam(me at my.domain,172.25.12.214): #1/1 style=1 msg=Password:
>> pam_unix(dovecot:auth): check pass; user unknown
>> pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=me at my.domain rhost=172.25.12.214
>> auth-worker(32531): pam(me at my.domain,172.25.12.214): unknown user
>> auth: Debug: ldap(me at my.domain,172.25.12.214): pass search: base=ou=spotdepression.org,ou=mail,dc=virtual,dc=hosting scope=subtree filter=(&(objectclass=person)(|(uid=info)(mail=me at my.domain))) fields=uid,userPassword
>> auth: Debug: ldap(me at my.domain,172.25.12.214): result: uid=info userPassword=<hidden>; uid,userPassword unused
>> auth: Debug: ldap(me at my.domain,172.25.12.214): result: uid=info userPassword=<hidden>
>> auth: Debug: client passdb out: OK 1 user=me at my.domain
>>
>> so it seems fine, right?
>> only I do a simple test on that dovecot locally
>>
>> echo repli_test | mail -s "repl test" my at my.domain
>>
>> to get:
>>
>> auth-worker(365): Debug: passwd(me at my.domain): lookup
>> auth-worker(365): passwd(me at my.domain): unknown user
>> auth: Debug: password(me at my.domain): passdb doesn't support credential lookups
>> auth: Debug: ldap(me at my.domain): pass search: base=ou=spotdepression.org,ou=mail,dc=virtual,dc=hosting scope=subtree filter=(&(objectclass=person)(|(uid=info)(mail=me at my.domain))) fields=uid,userPassword
>> auth: Debug: ldap(me at my.domain): result: uid=info userPassword=<hidden>; uid,userPassword unused
>> auth: Debug: ldap(me at my.domain): result: uid=info userPassword=<hidden>
>> auth: Fatal: master: service(auth): child 364 killed with signal 11 (core dumped)
>>
>> the same error with:
>> doveadm user me at my.domain
>>
>> so it must be userdb, right?
>
> No, you authenticated before and some data are now in
> the auth cache, which are used by the userdb, too.
>
> 1) You do not have any system users, right?
> Then remove the passwd userdb and pam passdb.
>
> 2) Did you remove the "uid=user=%n" from pass_attrs?
>
this is freaking weird, and wrong! If I do not configure pam
nor passwd and no userdb+static, then ...ldap works.
I do use, well I'm trying, pam for system users which are
not in passwd. PAM gets those system users from LDAP, uid >
1000.
I wonder if it's possible to have pam auth+lookup for users
constructed this way: systemuser at local.domain ?
> There might be fixes since 2.2.10:
>
> changeset: 18538:d3332ee1d26a
> user: Timo Sirainen <tss at iki.fi>
> date: Thu May 07 17:18:44 2015 +0300
> files: src/auth/auth-worker-client.c
> description:
> auth: Added assert to make sure previous change is correct.
>
>
> changeset: 18537:8a3da4ef590f
> user: Timo Sirainen <tss at iki.fi>
> date: Thu May 07 11:27:55 2015 +0300
> files: src/auth/auth-worker-client.c
> description:
> auth: Fixed credentials lookups via auth-workers when no
> actual password was returned.
> For example LDAP lookup with auth_bind=yes should still
> return any extra
> fields.
>
>
> changeset: 18536:5dc00179dd60
> user: Timo Sirainen <tss at iki.fi>
> date: Thu May 07 11:21:33 2015 +0300
> files: src/auth/passdb-ldap.c
> description:
> ldap auth: If password is already verified (e.g. master
> user login), skip LDAP auth binding.
> This happens only if auth_bind_userdn isn't set, i.e. it
> only makes sense if
> the LDAP DN lookup also returns some extra fields.
>
>
> changeset: 18402:635f9c7d5991
> user: Timo Sirainen <tss at iki.fi>
> date: Mon Apr 13 20:38:10 2015 +0300
> files: src/auth/auth-request.c
> description:
> auth: If passdb/userdb changes the username, add the
> changed username also to the cache.
>
>
> changeset: 18401:08b2f79e8212
> user: Timo Sirainen <tss at iki.fi>
> date: Mon Apr 13 20:37:48 2015 +0300
> files: src/auth/auth-request.c
> description:
> auth: Setting userdb fields from cache didn't set handle
> any special fields.
> The special fields were relatively rarely used though.
>
>
> changeset: 18364:3546457ae3fb
> user: Timo Sirainen <tss at iki.fi>
> date: Tue Mar 17 17:30:33 2015 +0200
> files: src/auth/db-ldap.c
> description:
> auth ldap: Crashfixes for earlier changes.
> Hopefully works correctly now
>
>
> changeset: 18363:a4acf88b0c91
> user: Timo Sirainen <tss at iki.fi>
> date: Tue Mar 17 10:49:20 2015 +0200
> files: src/auth/db-ldap.c
> description:
> auth ldap: Fixed crash when handling invalid SSL option.
>
>
> changeset: 18362:870cb73e5960
> user: Timo Sirainen <tss at iki.fi>
> date: Tue Mar 17 09:58:03 2015 +0200
> files: src/auth/db-ldap.c src/auth/db-ldap.h
> description:
> auth ldap: Fixed assert-crash when both passdb ldap and
> userdb ldap was used
>
>
> changeset: 18361:0a17875f0ece
> user: Timo Sirainen <tss at iki.fi>
> date: Mon Mar 16 23:25:34 2015 +0200
> files: src/auth/db-ldap.c src/auth/db-ldap.h
> src/auth/passdb-ldap.c src/auth/userdb-ldap.c
> description:
> auth ldap: Start LDAP connection only after auth process
> initialization is finished.
> This way even if connecting to LDAP takes a while it won't
> cause the master
> process to kill the auth process due to it not sending the
> startup "I'm ok"
> notification early enough.
>
>
> changeset: 18360:d9a0d4f4f4b6
> user: Timo Sirainen <tss at iki.fi>
> date: Mon Mar 16 23:21:05 2015 +0200
> files: src/auth/db-ldap.c
> description:
> auth ldap: Make sure config file path is included in all
> fatal error messages.
>
>
> changeset: 18359:ec2e7ae958c5
> user: Timo Sirainen <tss at iki.fi>
> date: Mon Mar 16 23:17:39 2015 +0200
> files: src/auth/db-ldap.c
> description:
> auth ldap: If any tls_* settings are given when they're
> not supported, fail with fatal instead of just warning.
> These may be important for intended security, especially
> tls_cipher_suite.
> We shouldn't allow setting them and then somewhat silently
> just ignore them.
>
> ....
>
> -- Steffen Kaiser
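Added example (not code from this thread or from Dovecot itself): a small Python model of Dovecot's %-variable expansion and of the pass_attrs/user_attrs syntax, to check the points made above: why "uid=user=%n" and "uid=%n" are malformed, and why a filter keyed on uid=%n alone resolves me@example.com and me@localhost.localdomain to the same LDAP entry while their %d/%n home directories differ. The mail=%Lu filter used for comparison is an assumption, not something configured in the thread.

```python
# Added example (not code from this thread or from Dovecot itself): a small
# model of Dovecot's %-variable expansion and of the pass_attrs/user_attrs
# syntax, to check the points made above about "uid=user=%n", "uid=%n" and
# why a filter keyed on uid=%n alone cannot tell two domains apart.
import re
from collections import defaultdict

def expand(template, user, service="imap"):
    """Expand a subset of Dovecot variables: %u user, %n local part, %d domain,
    %s service; the L modifier (e.g. %Ln) lowercases the value."""
    local, _, domain = user.partition("@")
    values = {"u": user, "n": local, "d": domain, "s": service}

    def repl(m):
        val = values[m.group(2)]
        return val.lower() if m.group(1) == "L" else val

    return re.sub(r"%(L?)([unds])", repl, template)

def parse_attrs(spec):
    """'ldapAttr=field' maps an LDAP attribute onto a Dovecot field;
    '=field=value' sets a static template value (as in the user_attrs above).
    Returns (ldap_to_field, static_fields, problems)."""
    mapping, static, problems = {}, {}, []
    for item in filter(None, spec.split(",")):
        if item.startswith("="):
            field, _, value = item[1:].partition("=")
            static[field] = value
            continue
        attr, _, field = item.partition("=")
        if "=" in field:      # uid=user=%n mixes both forms; pick one
            problems.append(f"{item}: use either '{attr}={field.split('=')[0]}'"
                            f" or '={field}'")
        elif "%" in field:    # uid=%n: a variable is not a field name
            problems.append(f"{item}: field name must not be a variable")
        else:
            mapping[attr] = field
    return mapping, static, problems

def group_by_filter(filter_template, users):
    """Group users by the LDAP filter they expand to; a group with more than
    one user means those logins all hit the same directory entry."""
    groups = defaultdict(list)
    for u in users:
        groups[expand(filter_template, u)].append(u)
    return dict(groups)
```

Calling group_by_filter("(&(objectClass=person)(uid=%n))", ["me@example.com", "me@localhost.localdomain"]) returns a single group, whereas expand("/var/spool/mail/%d/%n", ...) gives each user a different directory, which is exactly the mismatch the auth cache then hides.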