Niols
2016-Mar-30 19:45 UTC
Dovecot-LMTP and LDAP: passdb doesn't support credential lookups
Hello,

Sorry, this might be a newbish question, but I really can't get the answer by myself. I'm trying to set up a mail server using LDAP to authenticate users, and I keep receiving the errors:

    passdb doesn't support credential lookups
    passdb doesn't support lookups, can't verify user's existence

when I send test mails to (existing) users.

I'm already using the LDAP server for other purposes, and it's working fine. I can't (or I don't want to) give read access to the userPassword attribute, so I want to use an authentication bind: http://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds

I've already managed to have Postfix working with this LDAP server; the users (and their aliases) are correctly recognized. Postfix then sends the mails to Dovecot (2.2.13, Debian Jessie's version) with dovecot-lmtp.

Here is my /etc/dovecot/conf.d/auth-ldap.conf.ext. I use the static driver for userdb, and the LDAP driver for passdb.

    passdb {
      driver = ldap
      args = /etc/dovecot/dovecot-ldap.conf.ext
    }

    userdb {
      driver = static
      args = uid=mail gid=mail home=/var/mail/%u
    }

Here is my /etc/dovecot/dovecot-ldap.conf.ext file.

    hosts = localhost
    ldap_version = 3
    dn = cn=dovecot,ou=services,dc=niols,dc=fr
    dnpass = a-random-password

    auth_bind = yes
    base = ou=people,dc=niols,dc=fr

    pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))

I haven't set the user_filter and user_attrs values, since I thought these would only be useful for userdb. I haven't set the pass_attrs value, since I don't see why it would be needed (I just need to be able to bind my user, right?). I can't use auth_bind_userdn since the e-mail addresses aren't necessarily related in any way to the user dn. I assumed %u was going to be replaced by the user's full e-mail address.

I tried to play a bit with these values to find a working configuration, without success. I tried to search myself on the LDAP server, using the provided dn and dnpass, and I succeeded.
I tried to activate debug logs, but that didn't give me much more information (full debug log at the end of this e-mail). I think the problem is that passdb cannot find the user on the LDAP server, but I don't know why. I believe the problem lies in my non-comprehension of what userdb and passdb actually do. I tried to find out by myself, and I'm here because I didn't manage to do so.

I'm sorry if this post looks stupid. Any help and any comments of any kind would be greatly appreciated.

Regards,
Niols

PS: Here is the full debug log that I get after sending a test message to test at niols.net (.net vs. .fr: this is not a mistake, I use my .net domain for testing purposes while I use my .fr domain for everyday life) with swaks:

    lmtp(3208): Connect from local
    auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
    auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
    auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
    auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
    auth: Debug: LDAP initialization took 0 msecs
    auth: Debug: master in: USER	1	test at niols.net	service=lmtp
    auth: Debug: ldap(test at niols.net): passdb doesn't support credential lookups
    auth: Error: static(test at niols.net): passdb doesn't support lookups, can't verify user's existence
    auth: Debug: userdb out: FAIL	1
    lmtp(3208): Error: user test at niols.net: Auth USER lookup failed
    lmtp(3208): Disconnect from local: Successful quit
Sven Hartge
2016-Mar-30 20:00 UTC
Dovecot-LMTP and LDAP: passdb doesn't support credential lookups
Niols <niols at niols.fr> wrote:

> Here is my /etc/dovecot/conf.d/auth-ldap.conf.ext. I use the static
> driver for userdb, and the LDAP driver for passdb.
>
> passdb {
>   driver = ldap
>   args = /etc/dovecot/dovecot-ldap.conf.ext
> }
>
> userdb {
>   driver = static
>   args = uid=mail gid=mail home=/var/mail/%u
> }

My config:

    passdb {
      args = /etc/dovecot/dovecot-ldap.conf.ext
      driver = ldap
    }

    userdb {
      args = /etc/dovecot/dovecot-ldap.conf.ext
      default_fields = uid=virtmail gid=virtmail home=/srv/mail/%2NLn/%2.256NLn/%Ln/ quota_rule2=Trash:ignore
      driver = ldap
    }

I also use ldap for the userdb, because I need to look up the quota from LDAP.

> Here is my /etc/dovecot/dovecot-ldap.conf.ext file.
>
> hosts = localhost
> ldap_version = 3
> dn = cn=dovecot,ou=services,dc=niols,dc=fr
> dnpass = a-random-password
>
> auth_bind = yes
> base = ou=people,dc=niols,dc=fr
>
> pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))

Here is my ldap.conf.ext; there is some elaborate filtering going on, but you should get the idea:

    hosts = ldap.somedomain.de
    dn = cn=mailsystem,ou=systemuser,dc=somedomain,dc=de
    dnpass = verySecurePassword
    tls = yes
    auth_bind = yes
    ldap_version = 3
    base = dc=somedomain,dc=de
    deref = always
    scope = subtree

    user_attrs = =quota_rule=*:bytes=%{ldap:gifb-mailquota}
    user_filter = (&(objectClass=gifb-mailperson)(ou=SomeLocation)(uid=%Ln)(!(objectClass=gifb-role)))

    pass_attrs = uid=user,userPassword=password
    pass_filter = (&(objectClass=gifb-mailperson)(ou=SomeLocation)(gifb-status=1)(uid=%n)(!(objectClass=gifb-role)))

    iterate_attrs = uid=user
    iterate_filter = (&(objectClass=gifb-mailperson)(ou=SomeLocation))

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.
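An added example, not either poster's configuration, showing the two ways the LMTP USER lookup from the original log can succeed without giving Dovecot read access to userPassword. The static userdb verifies a user's existence by asking passdb, and an auth_bind passdb without pass_attrs cannot answer a password-less lookup; either give userdb its own LDAP lookup or tell the static userdb not to ask. Paths, DNs and the inetOrgPerson filter are taken from the thread; the user_filter is an assumption about the directory.

```conf
# --- /etc/dovecot/conf.d/auth-ldap.conf.ext (example, not from the thread) ---

# Unchanged: authentication still happens by binding as the user, so
# userPassword never has to be readable by cn=dovecot.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# Option A: resolve the recipient in LDAP as well. LMTP's USER request then
# goes straight to user_filter and never needs passdb to do a credential
# lookup, so auth_bind=yes without pass_attrs keeps working for IMAP/SMTP AUTH.
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  # uid/gid/home come from here; the LDAP entry only has to exist.
  default_fields = uid=mail gid=mail home=/var/mail/%u
}

# Option B (mutually exclusive with A): keep the static userdb but stop it
# from consulting passdb. Every address Postfix hands to LMTP is then
# accepted by Dovecot, so recipient validation must already be done by
# Postfix's own LDAP lookups (as the original post says it is).
#userdb {
#  driver = static
#  args = uid=mail gid=mail home=/var/mail/%u allow_all_users=yes
#}

# --- additions to /etc/dovecot/dovecot-ldap.conf.ext for option A ---

# Same match as pass_filter: %u is the full address (user@domain).
# user_attrs is left empty on purpose; the fields come from default_fields.
# Assumption: mail accounts are inetOrgPerson entries under the same base.
user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
```

After `doveadm reload`, `doveadm user test@niols.net` performs the same USER lookup that LMTP does and shows whether the address now resolves, while `doveadm auth test test@niols.net` confirms the bind path is still intact.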