Hi
Recently enabled support for encrypted passwords on my proxies -
CRAM-MD5, DIGEST-MD5, NTLM and APOP to support some new users. Most
users are working perfectly though every so often I see this happening
in the logs:
Jul 09 06:32:51 auth: Error:
ldap(user at domain.com,192.168.10.90,<mOWiFi431eDKOsBS>): Multiple
password values not supported
Jul 09 06:32:51 auth: Panic: file passdb-ldap.c: line 99
(ldap_lookup_finish): assertion failed: (password == NULL || scheme != NULL)
Jul 09 06:32:51 auth: Error: Raw backtrace:
/usr/lib64/dovecot/libdovecot.so.0(+0x86aae) [0x7ff4db08faae] ->
/usr/lib64/dovecot/libdovecot.so.0(+0x86b8e) [0x7ff4db08fb8e] ->
/usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7ff4db033b5d] ->
/usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x720b) [0x7ff4d967a20b] ->
/usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x5e2f) [0x7ff4d9678e2f] ->
/usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x4c)
[0x7ff4db0a338c] ->
/usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xff)
[0x7ff4db0a47ef] ->
/usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x25)
[0x7ff4db0a3415] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38)
[0x7ff4db0a35c8] ->
/usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13)
[0x7ff4db03a033] -> dovecot/auth [13 wait, 1 passdb, 0
userdb](main+0x39c) [0x7ff4db5454ac] ->
/lib64/libc.so.6(__libc_start_main+0xf5) [0x7ff4da61fb15] ->
dovecot/auth [13 wait, 1 passdb, 0 userdb](+0xf6a1) [0x7ff4db5456a1]
Jul 09 06:32:51 imap-login: Warning: Auth connection closed with 1
pending requests (max 0 secs, pid=8759, EOF)
Jul 09 06:32:51 imap-login: Warning: Auth connection closed with 1
pending requests (max 1 secs, pid=8764, EOF)
Password debug shows:
Jul 09 06:38:25 auth: Debug:
ldap(user at domain.com,192.168.10.90,<xSSOKi438ODKOsBS>): Credentials:
4b616e6761733138
Jul 09 06:38:27 auth: Debug: client passdb out: FAIL 2541
user=user at domain.com pass=NotPassword original_user=user
Jul 09 06:38:37 auth: Debug:
passwd-file(tassiedevil,192.168.10.90,<weQKKy438eDKOsBS>): username
changed user -> user at domain.com
Jul 09 06:38:37 auth: Debug:
passwd-file(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): Allowing
any password
Jul 09 06:38:37 auth: Debug:
ldap(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): pass search:
base=o=domains,dc=mail,dc=com scope=subtree
filter=(&(objectClass=mail)(status=active)(|(|(mail=user at
domain.com)(&(uid=user at
domain.com)))(&(enabledService=shadowaddress)(shadowAddress
user at domain.com))))
fields=mail,userPlaintextPassword,userPlaintextPassword,mailstoreHost
Jul 09 06:38:37 auth: Debug:
ldap(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): result:
mail=user at domain.com userPlaintextPassword=NotPassword;
mail,userPlaintextPassword unused
Jul 09 06:38:37 auth: Debug:
ldap(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): result:
mail=user at domain.com userPlaintextPassword=NotPassword; mailstoreHost
missing
Jul 09 06:38:37 auth: Debug:
ldap(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): PLAIN( Jenni)
!=
'NotPassword'
Jul 09 06:38:39 auth: Debug: client passdb out: FAIL 2826
user=user at domain.com original_user=user
This particular user has a space in their password.. some other users do
not when seeing this error.
I run multiple passdb and config is:
passdb {
args = /etc/dovecot/dovecot-ldap-proxy-alias.conf.ext
default_fields = nopassword=y password driver = ldap
result_failure = continue-fail
result_internalfail = continue-fail
result_success = continue-ok
}
passdb {
args = scheme=plain username_format=%l@%d /etc/dovecot/passwd.domains
default_fields = nopassword=y password driver = passwd-file
result_success = continue-fail
}
passdb {
args = /etc/dovecot/dovecot-ldap-proxy.conf.ext
driver = ldap
}
LDAP passdb specifies 'PLAIN' as default_pass_scheme.
[root at S605 dovecot]# dovecot --version
2.2.24 (a82c823)
Any ideas what's going on here?
This turned into quite a large problem for me but think I have resolved it. After toying this a few settings I ended up (out of sheer desperation) setting "blocking = yes" in my LDAP configuration. Is this a logical thing to do? I couldn't find much on it other than i'm guessing queries are no long async. I don't really see the downside given the upside is auth is not crashing and causing password prompts for all my customers... On 09/07/16 15:26, Leon Kyneur wrote:> Hi > > Recently enabled support for encrypted passwords on my proxies - > CRAM-MD5, DIGEST-MD5, NTLM and APOP to support some new users. Most > users are working perfectly though every so often I see this happening > in the logs: > > Jul 09 06:32:51 auth: Error: > ldap(user at domain.com,192.168.10.90,<mOWiFi431eDKOsBS>): Multiple > password values not supported > Jul 09 06:32:51 auth: Panic: file passdb-ldap.c: line 99 > (ldap_lookup_finish): assertion failed: (password == NULL || scheme != > NULL) > Jul 09 06:32:51 auth: Error: Raw backtrace: > /usr/lib64/dovecot/libdovecot.so.0(+0x86aae) [0x7ff4db08faae] -> > /usr/lib64/dovecot/libdovecot.so.0(+0x86b8e) [0x7ff4db08fb8e] -> > /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7ff4db033b5d] -> > /usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x720b) [0x7ff4d967a20b] -> > /usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x5e2f) [0x7ff4d9678e2f] -> > /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x4c) > [0x7ff4db0a338c] -> > /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xff) > [0x7ff4db0a47ef] -> > /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) > [0x7ff4db0a3415] -> > /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7ff4db0a35c8] > -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) > [0x7ff4db03a033] -> dovecot/auth [13 wait, 1 passdb, 0 > userdb](main+0x39c) [0x7ff4db5454ac] -> > /lib64/libc.so.6(__libc_start_main+0xf5) [0x7ff4da61fb15] -> > dovecot/auth [13 wait, 1 passdb, 0 userdb](+0xf6a1) [0x7ff4db5456a1] > Jul 09 06:32:51 imap-login: Warning: Auth connection closed with 1 > pending requests (max 0 secs, pid=8759, EOF) > Jul 09 06:32:51 imap-login: Warning: Auth connection closed with 1 > pending requests (max 1 secs, pid=8764, EOF) > > Password debug shows: > Jul 09 06:38:25 auth: Debug: > ldap(user at domain.com,192.168.10.90,<xSSOKi438ODKOsBS>): Credentials: > 4b616e6761733138 > Jul 09 06:38:27 auth: Debug: client passdb out: FAIL 2541 > user=user at domain.com pass=NotPassword original_user=user > Jul 09 06:38:37 auth: Debug: > passwd-file(tassiedevil,192.168.10.90,<weQKKy438eDKOsBS>): username > changed user -> user at domain.com > Jul 09 06:38:37 auth: Debug: > passwd-file(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): > Allowing any password > Jul 09 06:38:37 auth: Debug: > ldap(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): pass search: > base=o=domains,dc=mail,dc=com scope=subtree > filter=(&(objectClass=mail)(status=active)(|(|(mail=user at domain.com)(&(uid=user at domain.com)))(&(enabledService=shadowaddress)(shadowAddress > user at domain.com)))) > fields=mail,userPlaintextPassword,userPlaintextPassword,mailstoreHost > Jul 09 06:38:37 auth: Debug: > ldap(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): result: > mail=user at domain.com userPlaintextPassword=NotPassword; > mail,userPlaintextPassword unused > Jul 09 06:38:37 auth: Debug: > ldap(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): result: > mail=user at domain.com userPlaintextPassword=NotPassword; mailstoreHost > missing > Jul 09 06:38:37 auth: Debug: > ldap(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): PLAIN( Jenni) > != 'NotPassword' > Jul 09 06:38:39 auth: Debug: client passdb out: FAIL 2826 > user=user at domain.com original_user=user > > > This particular user has a space in their password.. some other users > do not when seeing this error. > > I run multiple passdb and config is: > passdb { > args = /etc/dovecot/dovecot-ldap-proxy-alias.conf.ext > default_fields = nopassword=y password> driver = ldap > result_failure = continue-fail > result_internalfail = continue-fail > result_success = continue-ok > } > passdb { > args = scheme=plain username_format=%l@%d /etc/dovecot/passwd.domains > default_fields = nopassword=y password> driver = passwd-file > result_success = continue-fail > } > passdb { > args = /etc/dovecot/dovecot-ldap-proxy.conf.ext > driver = ldap > } > > LDAP passdb specifies 'PLAIN' as default_pass_scheme. > > [root at S605 dovecot]# dovecot --version > 2.2.24 (a82c823) > > Any ideas what's going on here?
aki.tuomi at dovecot.fi
2016-Jul-10 12:05 UTC
Raw backtrace multiple passwords not allowed
You sure you're not returning multiple password attributes from LDAP? Aki> On July 10, 2016 at 1:32 PM Leon Kyneur <leon at f-m.fm> wrote: > > > This turned into quite a large problem for me but think I have resolved it. > > After toying this a few settings I ended up (out of sheer desperation) > setting "blocking = yes" in my LDAP configuration. > > Is this a logical thing to do? I couldn't find much on it other than i'm > guessing queries are no long async. > > I don't really see the downside given the upside is auth is not crashing > and causing password prompts for all my customers... > > On 09/07/16 15:26, Leon Kyneur wrote: > > Hi > > > > Recently enabled support for encrypted passwords on my proxies - > > CRAM-MD5, DIGEST-MD5, NTLM and APOP to support some new users. Most > > users are working perfectly though every so often I see this happening > > in the logs: > > > > Jul 09 06:32:51 auth: Error: > > ldap(user at domain.com,192.168.10.90,<mOWiFi431eDKOsBS>): Multiple > > password values not supported > > Jul 09 06:32:51 auth: Panic: file passdb-ldap.c: line 99 > > (ldap_lookup_finish): assertion failed: (password == NULL || scheme != > > NULL) > > Jul 09 06:32:51 auth: Error: Raw backtrace: > > /usr/lib64/dovecot/libdovecot.so.0(+0x86aae) [0x7ff4db08faae] -> > > /usr/lib64/dovecot/libdovecot.so.0(+0x86b8e) [0x7ff4db08fb8e] -> > > /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7ff4db033b5d] -> > > /usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x720b) [0x7ff4d967a20b] -> > > /usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x5e2f) [0x7ff4d9678e2f] -> > > /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x4c) > > [0x7ff4db0a338c] -> > > /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xff) > > [0x7ff4db0a47ef] -> > > /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) > > [0x7ff4db0a3415] -> > > /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7ff4db0a35c8] > > -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) > > [0x7ff4db03a033] -> dovecot/auth [13 wait, 1 passdb, 0 > > userdb](main+0x39c) [0x7ff4db5454ac] -> > > /lib64/libc.so.6(__libc_start_main+0xf5) [0x7ff4da61fb15] -> > > dovecot/auth [13 wait, 1 passdb, 0 userdb](+0xf6a1) [0x7ff4db5456a1] > > Jul 09 06:32:51 imap-login: Warning: Auth connection closed with 1 > > pending requests (max 0 secs, pid=8759, EOF) > > Jul 09 06:32:51 imap-login: Warning: Auth connection closed with 1 > > pending requests (max 1 secs, pid=8764, EOF) > > > > Password debug shows: > > Jul 09 06:38:25 auth: Debug: > > ldap(user at domain.com,192.168.10.90,<xSSOKi438ODKOsBS>): Credentials: > > 4b616e6761733138 > > Jul 09 06:38:27 auth: Debug: client passdb out: FAIL 2541 > > user=user at domain.com pass=NotPassword original_user=user > > Jul 09 06:38:37 auth: Debug: > > passwd-file(tassiedevil,192.168.10.90,<weQKKy438eDKOsBS>): username > > changed user -> user at domain.com > > Jul 09 06:38:37 auth: Debug: > > passwd-file(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): > > Allowing any password > > Jul 09 06:38:37 auth: Debug: > > ldap(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): pass search: > > base=o=domains,dc=mail,dc=com scope=subtree > > filter=(&(objectClass=mail)(status=active)(|(|(mail=user at domain.com)(&(uid=user at domain.com)))(&(enabledService=shadowaddress)(shadowAddress > > user at domain.com)))) > > fields=mail,userPlaintextPassword,userPlaintextPassword,mailstoreHost > > Jul 09 06:38:37 auth: Debug: > > ldap(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): result: > > mail=user at domain.com userPlaintextPassword=NotPassword; > > mail,userPlaintextPassword unused > > Jul 09 06:38:37 auth: Debug: > > ldap(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): result: > > mail=user at domain.com userPlaintextPassword=NotPassword; mailstoreHost > > missing > > Jul 09 06:38:37 auth: Debug: > > ldap(user at domain.com,192.168.10.90,<weQKKy438eDKOsBS>): PLAIN( Jenni) > > != 'NotPassword' > > Jul 09 06:38:39 auth: Debug: client passdb out: FAIL 2826 > > user=user at domain.com original_user=user > > > > > > This particular user has a space in their password.. some other users > > do not when seeing this error. > > > > I run multiple passdb and config is: > > passdb { > > args = /etc/dovecot/dovecot-ldap-proxy-alias.conf.ext > > default_fields = nopassword=y password> > driver = ldap > > result_failure = continue-fail > > result_internalfail = continue-fail > > result_success = continue-ok > > } > > passdb { > > args = scheme=plain username_format=%l@%d /etc/dovecot/passwd.domains > > default_fields = nopassword=y password> > driver = passwd-file > > result_success = continue-fail > > } > > passdb { > > args = /etc/dovecot/dovecot-ldap-proxy.conf.ext > > driver = ldap > > } > > > > LDAP passdb specifies 'PLAIN' as default_pass_scheme. > > > > [root at S605 dovecot]# dovecot --version > > 2.2.24 (a82c823) > > > > Any ideas what's going on here?