Hi all,

I have an AD test setup with the auth_bind setting

    auth_bind_userdn = "spdev\\%Ln"

I created a test user "claasc (test)" which works fine in all LDAP filters but not for auth_bind. The log shows everything correct, just "invalid credentials":

mail.debug: Jun 9 14:12:31 dovecot: auth: Debug: auth client connected (pid=12202)
mail.debug: Jun 9 14:12:31 dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=T6knVtc0wQB/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=39873
mail.debug: Jun 9 14:12:31 dovecot: auth: Debug: client passdb out: CONT 1
mail.debug: Jun 9 14:12:31 dovecot: auth: Debug: client in: CONT<hidden>
mail.debug: Jun 9 14:12:31 dovecot: auth: Debug: passwd-file(claasc (test),127.0.0.1,<T6knVtc0wQB/AAAB>): cache miss
mail.debug: Jun 9 14:12:31 dovecot: auth: Debug: passwd-file(claasc (test),127.0.0.1,<T6knVtc0wQB/AAAB>): lookup: user=claasc (test) file=/etc/dovecot/passwd.postmaster
mail.info: Jun 9 14:12:31 dovecot: auth: passwd-file(claasc (test),127.0.0.1,<T6knVtc0wQB/AAAB>): unknown user (given password: HubertHans99)
mail.debug: Jun 9 14:12:31 dovecot: auth: Debug: ldap(claasc (test),127.0.0.1,<T6knVtc0wQB/AAAB>): cache miss
mail.info: Jun 9 14:12:31 dovecot: auth: ldap(claasc (test),127.0.0.1,<T6knVtc0wQB/AAAB>): invalid credentials
mail.debug: Jun 9 14:12:33 dovecot: auth: Debug: client passdb out: FAIL 1 user=claasc (test)
mail.info: Jun 9 14:12:33 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<claasc (test)>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<T6knVtc0wQB/AAAB>

So I guess it's just a bind problem. strace output from the auth process of the imap login:

    write(26, "0-\2\1\4`(\2\1\3\4\25spdev\\claasc \\(test\\)\200\fHubertHans99", 47) = 47

The additional \\ in front of the brackets look strange to me and might be the reason.

Tested version is 2.2.18.

Greetz
Matze
Hi again,

did some more testing on this. I think the problem is the LDAP user lookup, where "("s are evil and have to be quoted, but these quotes should be removed for the bind request.

I get my usernames from LDAP with a filter like this:

    user_filter = (sAMAccountName=%Ln)

so I think the problem is somewhere in between these two steps.

For testing I hard-coded the username for auth_bind and compared the strace output from the auth process:

    auth_bind_userdn = "spdev\\claasc (test)"

This works fine. strace output from the imap login:

    write(26, "0+\2\1\2`&\2\1\3\4\23spdev\\claasc (test)\200\fHubertHans99", 45)

compared to

    auth_bind_userdn = "spdev\\%Ln"

which gives

    write(26, "0-\2\1\2`(\2\1\3\4\25spdev\\claasc \\(test\\)\200\fHubertHans99", 47)

and wrong credentials.

Nobody else encountering similar problems? Maybe the "()" are the only chars making problems at this point.

Greetz
Matze
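To make the difference between the two steps concrete, here is an added example (not Dovecot code) with two small escapers: one mirroring the filter-style escaping visible in the strace output above, and one applying the RFC 4514 rules for a DN attribute value, where parentheses are ordinary but commas, plus signs and similar are not. The function names and the second sample username are my own; the DN escaper assumes the expanded value is placed into a DN value, which the DOMAIN\user logon form used in this thread is not.

```c
#include <stdio.h>
#include <string.h>

/* Filter-style escaping: backslash-prefix the RFC 4515 metacharacters,
 * in the form the thread's strace output shows ("claasc \(test\)").
 * Returns out, or NULL if the result would not fit. */
static const char *filter_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        int special = strchr("()*\\", *in) != NULL;
        if (o + (special ? 2 : 1) >= outsz)
            return NULL;
        if (special)
            out[o++] = '\\';
        out[o++] = *in;
    }
    out[o] = '\0';
    return out;
}

/* DN attribute-value escaping (RFC 4514): parentheses are ordinary here,
 * while , + " \ < > ; = and a leading space/'#' or trailing space are not. */
static const char *dn_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0, len = strlen(in);
    for (size_t i = 0; i < len; i++) {
        char c = in[i];
        int special = strchr(",+\"\\<>;=", c) != NULL
                   || (i == 0 && (c == ' ' || c == '#'))
                   || (i == len - 1 && c == ' ');
        if (o + (special ? 2 : 1) >= outsz)
            return NULL;
        if (special)
            out[o++] = '\\';
        out[o++] = c;
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample names; the first is the one from the thread. */
    const char *names[] = { "claasc (test)", "Smith, John" };
    char f[64], d[64];
    for (size_t i = 0; i < 2; i++)
        printf("%-14s filter: %-18s dn: %s\n", names[i],
               filter_escape(names[i], f, sizeof f), dn_escape(names[i], d, sizeof d));
    return 0;
}
```

Running it shows the filter form turning "claasc (test)" into the "claasc \(test\)" seen in the failing bind, while the DN form leaves it untouched and instead escapes the comma in the second name.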
Hi guys,

I had a look in the sources about this problem. The problem seems to be the ldap_escape function that is called from ldap_verify_plain_auth_bind_userdn(..). I don't really know if this escaping is needed at this point, but with this change it works for me. No other problems discovered so far. Could somebody who is deeper in the sources give me a hint if this will make some troubles?

Patch for 2.2.16:

diff --git a/src/auth/passdb-ldap.c b/src/auth/passdb-ldap.c index c1c2544..10bfe20 100644 --- a/src/auth/passdb-ldap.c +++ b/src/auth/passdb-ldap.c @@ -367,7 +367,7 @@ ldap_verify_plain_auth_bind_userdn(struct auth_request *auth_request, brequest->request.type = LDAP_REQUEST_TYPE_BIND; - vars = auth_request_get_var_expand_table(auth_request, ldap_escape); + vars = auth_request_get_var_expand_table(auth_request, NULL); dn = t_str_new(512); var_expand(dn, conn->set.auth_bind_userdn, vars);
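Review bot: Replacing ldap_escape with NULL in ldap_verify_plain_auth_bind_userdn() disables escaping of the expanded auth_bind_userdn entirely, not only the filter-style escaping of "(" and ")" that broke the bind above. The string being expanded is a bind DN (or, as in this thread, a DOMAIN\user logon name), where parentheses are indeed not special, but a DN value does have its own special characters (comma, plus, quotes, backslash and so on, per RFC 4514), so a username containing one of those would now be spliced into the DN unescaped and the bind target would no longer be well-formed. Passing a DN-appropriate escape function here instead of NULL, while keeping ldap_escape for the filter-building path, would be the safer change, and the commit message should say why the two paths escape differently.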