Hi mailing list, I'm currently running dovecot 2.2.13 from Debian Jessie, all is running fine. However I am attempting to merge 2 LDAP authentication sources. I would like to attempt to authenticate against the first authentication source; if that fails, either because the password is wrong or the user is not found, then attempt the next LDAP server. I've added a passdb and userdb entry for the new ldap server. As you can see from the log below the user isn't found in the first LDAP query (strictly, that query fails with an LDAP error rather than returning no entries, see below), but is in the second one. However the authentication fails. (Caveat for readers: `auth_debug_passwords = yes` is enabled, so the `resp=` field in the AUTH line below is the raw base64 PLAIN response and carries the username and password in the clear — strip it before posting logs, switch the setting off once debugging is finished, and treat the password as compromised.) Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=WTLjLuRB9QBRlIlQ#011lip=51.254.222.112#011rip=81.148.137.80#011lport=143#011rport=56821#011resp=AG1hcnRpbi53aGVsZG9uQGdyXWVuaGlsbHMtaXQuY28udWsAQ3JhY2spbk4wdw== (previous base64 data may contain sensitive data) Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): bind search: base=dc=greenhills-it,dc=co,dc=uk filter=(&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=martin.wheldon at greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk))) Nov 22 13:59:38 he01-imap-01 dovecot: auth: Error: ldap(martin.wheldon at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): ldap_search(base=dc=greenhills-it,dc=co,dc=uk filter=(&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=martin.wheldon at greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk)))) failed: No such object Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): bind search: base=dc=greenhills-it,dc=co,dc=uk filter=(|(uid=martin.wheldon at greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk)) Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): result: 
uid=00000001; uid unused Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): username changed martin.wheldon at greenhills-it.co.uk -> 00000001 Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(00000001,81.148.137.80,<WTLjLuRB9QBRlIlQ>): result: uid=00000001 Nov 22 13:59:40 he01-imap-01 dovecot: auth: Debug: client passdb out: FAIL#0111#011user=00000001#011temp#011original_user=martin.wheldon at greenhills-it.co.uk I know that the password was entered correctly because if I disable the new ldap config and login I get authenticated properly. Nov 22 14:00:38 he01-imap-01 dovecot: auth: Debug: auth client connected (pid=2626) Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=ipKBMuRBBQBRlIlQ#011lip=51.254.222.112#011rip=81.148.137.80#011lport=143#011rport=38149#011resp=AG1hcnRpbi53aGVsZG9uQGdyXWVuaGlsbHMtaXQuY28udWsAQ3JhY2spbk4wdw== (previous base64 data may contain sensitive data) Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon at greenhills-it.co.uk,81.148.137.80,<ipKBMuRBBQBRlIlQ>): bind search: base=dc=greenhills-it,dc=co,dc=uk filter=(|(uid=martin.wheldon at greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk)) Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon at greenhills-it.co.uk,81.148.137.80,<ipKBMuRBBQBRlIlQ>): result: uid=00000001; uid unused Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon at greenhills-it.co.uk,81.148.137.80,<ipKBMuRBBQBRlIlQ>): username changed martin.wheldon at greenhills-it.co.uk -> 00000001 Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: ldap(00000001,81.148.137.80,<ipKBMuRBBQBRlIlQ>): result: uid=00000001 Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: client passdb out: OK#0111#011user=00000001#011original_user=martin.wheldon at greenhills-it.co.uk I've done loads of googling and I believe that this 
is possible so I must either have misread the documentation or am triggering a bug, and I have not been able to confirm either. One detail in the log that may matter: the first passdb's search did not come back empty, it failed with an LDAP error (`ldap_search(...) failed: No such object`), and it was issued against base `dc=greenhills-it,dc=co,dc=uk` even though dovecot-ldap-new.conf.ext sets `base = ou=customers,dc=greenhills-it,dc=co,dc=uk`. An LDAP error is an internal failure for that passdb, and the final result handed to the client (`FAIL ... temp`) looks like a temporary failure rather than a clean "user unknown", so it may not fall through to the next passdb the way a genuine miss would. Any help would be much appreciated. My broken configuration is below: # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6 auth_debug = yes auth_debug_passwords = yes auth_mechanisms = plain login default_vsz_limit = 512 M lmtp_rcpt_check_quota = yes lmtp_save_to_detail_mailbox = yes mail_location = maildir:~/Maildir mail_plugins = " quota" managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace inbox { inbox = yes location mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix } passdb { args = /etc/dovecot/dovecot-ldap-new.conf.ext driver = ldap } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap skip = authenticated } plugin { antispam_backend = pipe antispam_pipe_program = /usr/sbin/sendmail antispam_pipe_program_args = -f;%{auth_user};-r;%{auth_user} antispam_pipe_program_notspam_arg = retrain-as-ham at greenhills-it.co.uk antispam_pipe_program_spam_arg = retrain-as-spam at greenhills-it.co.uk antispam_spam = Spam antispam_trash = Trash quota = maildir:User quota quota_rule = *:storage=1G quota_rule2 = Trash:ignore quota_rule3 = Spam:ignore sieve = ~/.dovecot.sieve sieve_before = /var/lib/dovecot/sieve/move-spam.sieve sieve_dir = ~/sieve } protocols = " imap lmtp sieve pop3" service imap-login { process_min_avail = 20 service_count = 1 } service imap { process_min_avail = 20 } service lmtp { inet_listener lmtp { address = he01-imap-01.greenhills-it.co.uk 127.0.0.1 port = 2003 } } service pop3 { process_min_avail = 20 } ssl = required 
ssl_cert = </etc/ssl/certs/combined_2015_greenhills-it.co.uk.cert ssl_cipher_list = ALL:HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT:!PSK:!DES:!3DES:!MD5:!DES+MD5:!RC4:!SEED+SHA:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!eNULL:!aNULL:@STRENGTH ssl_dh_parameters_length = 2048 ssl_key = </etc/ssl/private/stripped.2015.greenhills-it.co.uk.pem ssl_prefer_server_ciphers = yes ssl_protocols = !SSLv2 !SSLv3 userdb { args = /etc/dovecot/dovecot-ldap-new.conf.ext driver = ldap } userdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } protocol lmtp { mail_plugins = " quota sieve" } protocol imap { mail_plugins = " quota imap_quota" } # Working LDAP configuration (note: plain ldap:// with no tls = yes, so the auth_bind carrying the user's password is unencrypted on the wire unless the path to he01-auth-01 is otherwise protected; also, with auth_bind = yes the userPassword=password mapping in pass_attrs is not needed and only requires the search account to be able to read password hashes — consider dropping it) # /etc/dovecot/dovecot-ldap.conf.ext uris = ldap://he01-auth-01.greenhills-it.co.uk dn = uid=dovecot,ou=people,ou=SRV_Accounts,dc=greenhills-it,dc=co,dc=uk dnpass = VerySecret sasl_bind = no auth_bind = yes ldap_version = 3 base = dc=greenhills-it,dc=co,dc=uk scope = subtree user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid,gosaMailQuota=quota_rule=*:storage=%$M user_filter = (|(uid=%u)(mail=%u)(gosaMailAlternateAddress=%u)) pass_attrs = uid=user,userPassword=password pass_filter = (|(uid=%u)(mail=%u)) default_pass_scheme = CRYPT # Non working LDAP configuration (STARTTLS with tls_require_cert = demand against a private CA; the base here is ou=customers,... but the log above shows the first search issued against dc=greenhills-it,dc=co,dc=uk, so check which file was actually loaded) # /etc/dovecot/dovecot-ldap-new.conf.ext uris = ldap://dir.greenhills-it.co.uk dn = "cn=dovecot,ou=search accounts,ou=services,dc=greenhills-it,dc=co,dc=uk" dnpass = VerySecret sasl_bind = no tls = yes tls_ca_cert_file = /etc/ssl/certs/GreenhillsCACert.pem tls_require_cert = demand debug_level = -1 auth_bind = yes ldap_version = 3 base = ou=customers,dc=greenhills-it,dc=co,dc=uk scope = subtree user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid,ukFirmGhITAccMailQuota=quota_rule=*:storage=%$M user_filter = (&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=%u)(mail=%u)(ukFirmGhITAccMailAlias=%u))) pass_attrs = uidNumber=user pass_filter = 
(&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=%u)(mail=%u))) default_pass_scheme = SSHA Best Regards -- Martin Wheldon Greenhills IT Ltd. Telephone: 01904 238 454 Website: www.greenhills-it.co.uk Greenhills IT Ltd. is a limited company registered in England and Wales. Company Registration No: 06387214 Registered Offices: 2 Greenhills, Claxton, YORK, North Yorkshire, YO60 7SA
Hi, In case anyone is experiencing the same issue in the future: this seems likely to be a bug in 2.2.13. I've upgraded to dovecot 2.2.24 from jessie-backports and the passdb fall-through now works as documented with no configuration changes. Hope someone else finds this useful. (Note to readers: in the log quoted below the first passdb's search failed with an LDAP error (`No such object`) rather than returning no entries, so if you hit the same symptom it is worth checking the search base of the new passdb as well as the Dovecot version; and keep `auth_debug_passwords` off outside of active debugging, since the `resp=` base64 in those lines carries the cleartext PLAIN credentials.) Best Regards Martin On 2016-11-22 16:39, Martin Wheldon wrote:> Hi mailing list, > > I'm currently running dovecot 2.2.13 from Debian Jessie, all is > running fine. However I am attempting to merge 2 LDAP authentication > sources. > > I would like to attempt to authenticate against the first > authentication source, if that fails either by password fail or user > not found, > then attempt the next LDAP server. > > I've added the a passdb and userdb entry for the new ldap server. As > you can see from the log below the user isn't found in the first LDAP > query, but > is in the second one. However the authentication fails: > > Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: client in: > AUTH#0111#011PLAIN#011service=imap#011secured#011session=WTLjLuRB9QBRlIlQ#011lip=51.254.222.112#011rip=81.148.137.80#011lport=143#011rport=56821#011resp=AG1hcnRpbi53aGVsZG9uQGdyXWVuaGlsbHMtaXQuY28udWsAQ3JhY2spbk4wdw=> (previous base64 data may contain sensitive data) > Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon > at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): bind search: > base=dc=greenhills-it,dc=co,dc=uk > filter=(&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=martin.wheldon > at greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk))) > Nov 22 13:59:38 he01-imap-01 dovecot: auth: Error: ldap(martin.wheldon > at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): > ldap_search(base=dc=greenhills-it,dc=co,dc=uk > filter=(&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=martin.wheldon > at greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk)))) > failed: No such object > Nov 22 13:59:38 he01-imap-01 dovecot: auth: 
Debug: ldap(martin.wheldon > at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): bind search: > base=dc=greenhills-it,dc=co,dc=uk filter=(|(uid=martin.wheldon at > greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk)) > Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon > at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): result: > uid=00000001; uid unused > Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon > at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): username > changed martin.wheldon at greenhills-it.co.uk -> 00000001 > Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: > ldap(00000001,81.148.137.80,<WTLjLuRB9QBRlIlQ>): result: uid=00000001 > Nov 22 13:59:40 he01-imap-01 dovecot: auth: Debug: client passdb out: > FAIL#0111#011user=00000001#011temp#011original_user=martin.wheldon at > greenhills-it.co.uk > > > I know that the password was entered correctly because if I disable > the new ldap config and login I get authenticated properly. 
> > > Nov 22 14:00:38 he01-imap-01 dovecot: auth: Debug: auth client > connected (pid=2626) > Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: client in: > AUTH#0111#011PLAIN#011service=imap#011secured#011session=ipKBMuRBBQBRlIlQ#011lip=51.254.222.112#011rip=81.148.137.80#011lport=143#011rport=38149#011resp=AG1hcnRpbi53aGVsZG9uQGdyXWVuaGlsbHMtaXQuY28udWsAQ3JhY2spbk4wdw=> (previous base64 data may contain sensitive data) > Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon > at greenhills-it.co.uk,81.148.137.80,<ipKBMuRBBQBRlIlQ>): bind search: > base=dc=greenhills-it,dc=co,dc=uk filter=(|(uid=martin.wheldon at > greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk)) > Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon > at greenhills-it.co.uk,81.148.137.80,<ipKBMuRBBQBRlIlQ>): result: > uid=00000001; uid unused > Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon > at greenhills-it.co.uk,81.148.137.80,<ipKBMuRBBQBRlIlQ>): username > changed martin.wheldon at greenhills-it.co.uk -> 00000001 > Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: > ldap(00000001,81.148.137.80,<ipKBMuRBBQBRlIlQ>): result: uid=00000001 > Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: client passdb out: > OK#0111#011user=00000001#011original_user=martin.wheldon at > greenhills-it.co.uk > > > I've done loads of googling and I believe that this is possible so I > must either have misread the documentation or am triggering a bug. > Neither of which I seem to be able to confirm. > > Any help would be much appreciated. 
> > My broken configuration is below: > > # 2.2.13: /etc/dovecot/dovecot.conf > # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6 > auth_debug = yes > auth_debug_passwords = yes > auth_mechanisms = plain login > default_vsz_limit = 512 M > lmtp_rcpt_check_quota = yes > lmtp_save_to_detail_mailbox = yes > mail_location = maildir:~/Maildir > mail_plugins = " quota" > managesieve_notify_capability = mailto > managesieve_sieve_capability = fileinto reject envelope > encoded-character vacation subaddress comparator-i;ascii-numeric > relational regex imap4flags copy include variables body enotify > environment mailbox date ihave > namespace inbox { > inbox = yes > location > mailbox Drafts { > special_use = \Drafts > } > mailbox Junk { > special_use = \Junk > } > mailbox Sent { > special_use = \Sent > } > mailbox "Sent Messages" { > special_use = \Sent > } > mailbox Trash { > special_use = \Trash > } > prefix > } > passdb { > args = /etc/dovecot/dovecot-ldap-new.conf.ext > driver = ldap > } > passdb { > args = /etc/dovecot/dovecot-ldap.conf.ext > driver = ldap > skip = authenticated > } > plugin { > antispam_backend = pipe > antispam_pipe_program = /usr/sbin/sendmail > antispam_pipe_program_args = -f;%{auth_user};-r;%{auth_user} > antispam_pipe_program_notspam_arg = > retrain-as-ham at greenhills-it.co.uk > antispam_pipe_program_spam_arg = retrain-as-spam at greenhills-it.co.uk > antispam_spam = Spam > antispam_trash = Trash > quota = maildir:User quota > quota_rule = *:storage=1G > quota_rule2 = Trash:ignore > quota_rule3 = Spam:ignore > sieve = ~/.dovecot.sieve > sieve_before = /var/lib/dovecot/sieve/move-spam.sieve > sieve_dir = ~/sieve > } > protocols = " imap lmtp sieve pop3" > service imap-login { > process_min_avail = 20 > service_count = 1 > } > service imap { > process_min_avail = 20 > } > service lmtp { > inet_listener lmtp { > address = he01-imap-01.greenhills-it.co.uk 127.0.0.1 > port = 2003 > } > } > service pop3 { > process_min_avail = 20 > } > ssl = required > 
ssl_cert = </etc/ssl/certs/combined_2015_greenhills-it.co.uk.cert > ssl_cipher_list > ALL:HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT:!PSK:!DES:!3DES:!MD5:!DES+MD5:!RC4:!SEED+SHA:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!eNULL:!aNULL:@STRENGTH > ssl_dh_parameters_length = 2048 > ssl_key = </etc/ssl/private/stripped.2015.greenhills-it.co.uk.pem > ssl_prefer_server_ciphers = yes > ssl_protocols = !SSLv2 !SSLv3 > userdb { > args = /etc/dovecot/dovecot-ldap-new.conf.ext > driver = ldap > } > userdb { > args = /etc/dovecot/dovecot-ldap.conf.ext > driver = ldap > } > protocol lmtp { > mail_plugins = " quota sieve" > } > protocol imap { > mail_plugins = " quota imap_quota" > } > > > # Working LDAP configuration > # /etc/dovecot/dovecot-ldap.conf.ext > uris = ldap://he01-auth-01.greenhills-it.co.uk > dn = uid=dovecot,ou=people,ou=SRV_Accounts,dc=greenhills-it,dc=co,dc=uk > dnpass = VerySecret > sasl_bind = no > auth_bind = yes > ldap_version = 3 > base = dc=greenhills-it,dc=co,dc=uk > scope = subtree > user_attrs > homeDirectory=home,uidNumber=uid,gidNumber=gid,gosaMailQuota=quota_rule=*:storage=%$M > user_filter = (|(uid=%u)(mail=%u)(gosaMailAlternateAddress=%u)) > pass_attrs = uid=user,userPassword=password > pass_filter = (|(uid=%u)(mail=%u)) > default_pass_scheme = CRYPT > > > # Non working LDAP configuration > # /etc/dovecot/dovecot-ldap-new.conf.ext > uris = ldap://dir.greenhills-it.co.uk > dn = "cn=dovecot,ou=search > accounts,ou=services,dc=greenhills-it,dc=co,dc=uk" > dnpass = VerySecret > sasl_bind = no > tls = yes > tls_ca_cert_file = /etc/ssl/certs/GreenhillsCACert.pem > tls_require_cert = demand > debug_level = -1 > auth_bind = yes > ldap_version = 3 > base = ou=customers,dc=greenhills-it,dc=co,dc=uk > scope = subtree > user_attrs > homeDirectory=home,uidNumber=uid,gidNumber=gid,ukFirmGhITAccMailQuota=quota_rule=*:storage=%$M > user_filter > 
(&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=%u)(mail=%u)(ukFirmGhITAccMailAlias=%u))) > pass_attrs = uidNumber=user > pass_filter > (&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=%u)(mail=%u))) > default_pass_scheme = SSHA > > > Best Regards