dovecot - Nov 2016 - LDAP auth problems "unknown user"

Hi,

I am setting up a dovecot instance to host a bunch of virtual domains,
with ldap backing for auth. I am using a single hostname for test
purposes, with a couple of entries in the diectory. If I use auth binds
I get a result, but this does not suit the end purpose of the server.

If I use ldapsearch with the same base, search filter, and credentials
as the ldap auth config I get the correct attributes returned, and I
have bit of perl that verifies the password hash matches the password
provided.

I am running out of ideas here, I had thought of putting in a custom
bit of perl and using the checkpassword method, but this is sub
optimal. If anyone can help with this I'd be grateful.




# dovecot --version
2.2.26.0 (23d1de6)

# dovecot -n
# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.8.0-1-amd64 x86_64 Debian stretch/sid ext3
auth_cache_size = 2 M
auth_debug = yes
auth_debug_passwords = yes
auth_default_realm = maliuta.org
auth_master_user_separator = *
auth_mechanisms = plain login
auth_realms = maliuta.org
auth_verbose = yes
auth_verbose_passwords = yes
first_valid_uid = 117
last_valid_uid = 117
lda_mailbox_autocreate = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e
%c
mail_gid = vmail
mail_location = maildir:/var/spool/vmail/%d/%n/Maildir
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-
character vacation subaddress comparator-i;ascii-numeric relational
regex imap4flags copy include variables body enotify environment
mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
? inbox = yes
? list = yes
? location =?
? mailbox Drafts {
????special_use = \Drafts
? }
? mailbox Junk {
????special_use = \Junk
? }
? mailbox Sent {
????special_use = \Sent
? }
? mailbox "Sent Messages" {
????special_use = \Sent
? }
? mailbox Trash {
????special_use = \Trash
? }
? prefix =?
}
passdb {
? args = /etc/dovecot/ldap/maliuta.org-ldap.conf.ext
? driver = ldap
}
plugin {
? sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap lmtp sieve"
service auth-worker {
? user = $default_internal_user
}
service auth {
? unix_listener /var/spool/postfix/private/auth {
????group = postfix
????mode = 0660
????user = postfix
? }
? unix_listener auth-userdb {
????group = vmail
????mode = 0660
????user = vmail
? }
? user = $default_internal_user
}
service dict {
? unix_listener dict {
????group = vmail
????mode = 0660
????user = vmail
? }
}
service imap-login {
? inet_listener imap {
????port = 143
? }
? inet_listener imaps {
????port = 0
? }
}
service lmtp {
? unix_listener /var/spool/postfix/private/dovecot-lmtp {
????group = postfix
????mode = 0660
????user = postfix
? }
}
ssl_cert =?

# grep -v '^ *\(#.*\)\?$' /etc/dovecot/ldap/maliuta.org-ldap.conf.ext
uris = ldap://localhost
dn = cn=admin,dc=maliuta,dc=org
dnpass = <secret>
tls = yes
tls_ca_cert_dir = /etc/ssl/certs
auth_bind = no
ldap_version = 3
base = ou=mail,dc=mailuta,dc=org
scope = subtree
default_pass_scheme = SSHA
deref = never
user_attrs = postfixDeliveryAddress=user
user_filter (&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson))
pass_attrs = postfixDeliveryAddress=user,userPassword=password
pass_filter
(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixD
eliveryAddress=%u))
iterate_attrs = uid=user
iterate_filter = (objectClass=postfixMailPerson)


# ldapsearch -H ldap://localhost:389 -x -D 'cn=admin,dc=maliuta,dc=org'
-W -b "ou=mail,dc=maliuta,dc=org" -s sub -LLL -ZZ 
'(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixDeliveryAddress=nikolai
at test.maliuta.org))' uid userPassword
Enter LDAP Password: 
dn: mail=nikolai at test.maliuta.org,ou=mail,dc=maliuta,dc=org
uid: nikolai
userPassword:: e1NTSEF9QVBZMTlaeGw1cWd0a25XeGxURXdqM2g5Yk5YL3BxOGY
## From /var/log/mail.log
Nov 20 07:24:20 kiliya dovecot: auth: Debug: auth client connected (pid=27086)
Nov 20 07:24:20 kiliya dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=imap#011secured#011session=1kW2C65BFI2WZbl8#011lip=<local_ip>#011rip=<remote_ip>#011lport=143#011rport=36116#011local_name=<hostname>#011resp=AG5pa29sYWlAdGVzdC5tYWxpdXRhLm9yZwBmb29iYXIzMzQ0
(previous base64 data may contain sensitive data)
Nov 20 07:24:20 kiliya dovecot: auth: Debug: ldap(nikolai at
test.maliuta.org,<remote_ip>,<1kW2C65BFI2WZbl8>): cache miss
Nov 20 07:24:20 kiliya dovecot: auth: Debug: ldap(nikolai at
test.maliuta.org,<remote_ip,<1kW2C65BFI2WZbl8>): pass search:
base=ou=mail,dc=mailuta,dc=org scope=subtree
filter=(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixDeliveryAddress=nikolai
at test.maliuta.org)) fields=postfixDeliveryAddress,userPassword
Nov 20 07:24:20 kiliya dovecot: auth: ldap(nikolai at
test.maliuta.org,<remote_ip>,<1kW2C65BFI2WZbl8>): unknown user
(given password: <correct_password>)
Nov 20 07:24:22 kiliya dovecot: auth: Debug: client passdb out:
FAIL#0111#011user=nikolai at test.maliuta.org

-- 
Nikolai Lusan <nikolai at lusan.id.au>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20161120/c53870ff/attachment.sig>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 20 Nov 2016, Nikolai Lusan wrote:
> # grep -v '^ *\(#.*\)\?$'
/etc/dovecot/ldap/maliuta.org-ldap.conf.ext
> uris = ldap://localhost
> dn = cn=admin,dc=maliuta,dc=org
> dnpass = <secret>
> tls = yes
> tls_ca_cert_dir = /etc/ssl/certs
> auth_bind = no
> ldap_version = 3
> base = ou=mail,dc=mailuta,dc=org
> scope = subtree
> default_pass_scheme = SSHA
> deref = never
> user_attrs = postfixDeliveryAddress=user
> user_filter >
(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson))
> pass_attrs = postfixDeliveryAddress=user,userPassword=password
> pass_filter >
(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixD
> eliveryAddress=%u))
Your userdb and passdb filter differ, user_filter is missing the (a / 
some) %u part
> iterate_attrs = uid=user
> iterate_filter = (objectClass=postfixMailPerson)
>
>
> # ldapsearch -H ldap://localhost:389 -x -D
'cn=admin,dc=maliuta,dc=org' -W -b "ou=mail,dc=maliuta,dc=org"
-s sub -LLL -ZZ 
'(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixDeliveryAddress=nikolai
at test.maliuta.org))' uid userPassword
> Enter LDAP Password:
> dn: mail=nikolai at test.maliuta.org,ou=mail,dc=maliuta,dc=org
> uid: nikolai
> userPassword:: e1NTSEF9QVBZMTlaeGw1cWd0a25XeGxURXdqM2g5Yk5YL3BxOGY>
> ## From /var/log/mail.log
> Nov 20 07:24:20 kiliya dovecot: auth: Debug: auth client connected
(pid=27086)
> Nov 20 07:24:20 kiliya dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=imap#011secured#011session=1kW2C65BFI2WZbl8#011lip=<local_ip>#011rip=<remote_ip>#011lport=143#011rport=36116#011local_name=<hostname>#011resp=AG5pa29sYWlAdGVzdC5tYWxpdXRhLm9yZwBmb29iYXIzMzQ0
(previous base64 data may contain sensitive data)
> Nov 20 07:24:20 kiliya dovecot: auth: Debug: ldap(nikolai at
test.maliuta.org,<remote_ip>,<1kW2C65BFI2WZbl8>): cache miss
> Nov 20 07:24:20 kiliya dovecot: auth: Debug: ldap(nikolai at
test.maliuta.org,<remote_ip,<1kW2C65BFI2WZbl8>): pass search:
base=ou=mail,dc=mailuta,dc=org scope=subtree
filter=(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(postfixDeliveryAddress=nikolai
at test.maliuta.org)) fields=postfixDeliveryAddress,userPassword
> Nov 20 07:24:20 kiliya dovecot: auth: ldap(nikolai at
test.maliuta.org,<remote_ip>,<1kW2C65BFI2WZbl8>): unknown user
(given password: <correct_password>)
> Nov 20 07:24:22 kiliya dovecot: auth: Debug: client passdb out:
FAIL#0111#011user=nikolai at test.maliuta.org
>
>
- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEVAwUBWDROvHz1H7kL/d9rAQIujAgAumoghZV5Wo7ONK/Uncoa6iVB30NP0D5m
SdU/a++El5bLeiyKcdKoLkIqD74ZcFGjwImhRtd2Y8jroaGA15lK8HRRgJCERBKf
Nr/ZQ5B4Nhbig8ETwYYrJi2KOGkKMGQyXaSHxxlXmVKNFBrWmxo8SRqa0V39KYUB
pH9hVSNheHCkqpV6iS6JXnOmjXvguVtyB8ezA1zdrVfytMLL04oRKmK3Zn5s5JrO
M3mfArDdVitTad5r7stf9QOBR6xMG6rNBs+2WaEuJZV7/Dlln6fcd5IbhO/X0poN
pJIJ42VLirIMqAMLCRA7OWDjQcxbBFEAPAbaDh3O/pPRL/IXPJxjyw==AxPt
-----END PGP SIGNATURE-----

Hi,
Thanks for the response - I had be bashing my head against the wall on
this for a few weeks. I even wrote a perl script to do the job for me
(hours of my life wasted). But I did get it to work with LDAP using a
corrected version of this config.

On Tue, 2016-11-22 at 14:57 +0100, Steffen Kaiser wrote:
> On Sun, 20 Nov 2016, Nikolai Lusan wrote:
> 
> > dn = cn=admin,dc=maliuta,dc=org
> > base = ou=mail,dc=mailuta,dc=org
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Spot the problem ... one misplaced character, and enough alike that
only a second, third, or nth pair of eyes would have picked it up.

> > user_attrs = postfixDeliveryAddress=user
> > user_filter > >
(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson))
> > pass_attrs = postfixDeliveryAddress=user,userPassword=password
> > pass_filter > >
(&(postfixDeliveryEnabled=TRUE)(objectClass=postfixMailPerson)(post
> > fixD
> > eliveryAddress=%u))
> 
> Your userdb and passdb filter differ, user_filter is missing the (a
> /?
> some) %u part
Yeah, I am aware of that. I think I have it fixed in the final config -
once I turn on a heavy slapd debug load to see what dovecot was
actually sending to the LDAP server. :)

Now that the testing is over with a dummy host name I just have to go
back to fighting with LDAP to get my main domain working before
transferring all my mail to the new server, then setting up other
domains for clients.

This was not a real problem - it was a PEBKAC error. One that any
programmer/sysadmin is familiar with and suffers from at some point :)
-- 
Nikolai Lusan <nikolai at lusan.id.au>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20161123/ce20c82f/attachment.sig>