Hi Ron,

TBH you were doing most things right anyway, I misread your pastebin stuff.

But I'm glad the details helped you, and you're welcome!

Cheers

Alex

On 04/06/13 19:04, Ron Scott-Adams wrote:
Hi Alex, thanks for your input. As you might have surmised from my doveconf output, I had things horribly misconfigured. :) Everything is dandy now, I just had to RTFM and understand userdb/passdb and the ldap settings better. My new configuration follows:

BEGIN DOVECONF:
# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-45-generic x86_64 Ubuntu 12.04.2 LTS
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
log_path = /var/log/dovecot.log
mail_location = maildir:~/.maildir
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = " imap pop3"
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.key
ssl_parameters_regenerate = 0
userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  driver = ldap
}
verbose_ssl = yes

END DOVECONF
-----------------------------------------------------------
BEGIN DOVECOT-LDAP.CONF.EXT

uris = ldap://localhost:389
dn = uid=dovecot,ou=Services,dc=tohuw,dc=net
dnpass = [redacted]
debug_level = -1
auth_bind = yes
auth_bind_userdn = uid=%u,ou=Users,dc=tohuw,dc=net
base = dc=tohuw,dc=net
user_filter = (uid=%u)
pass_filter = (uid=%u)
iterate_attrs = uid=user
default_pass_scheme = SSHA

END DOVECOT-LDAP.CONF.EXT
-----------------------------------------------------------

The dovecot-ldap-userdb.conf.ext is a symlink, as the documentation suggests I do.


On Tue, Jun 4, 2013 at 1:43 PM, Alex Crow <[email protected]> wrote:

    Forgot to say that the lines below would be part of a file
    included thusly:

    passdb {
      driver = ldap

      # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
      args = /etc/dovecot/dovecot-ldap.conf.ext
    }

    userdb {
      driver = prefetch
    }

    userdb {
      driver = ldap
      args = /etc/dovecot/dovecot-ldap.conf.ext
    }

    And in the /etc/dovecot-ldap.conf.ext as well as the examples I
    gave you'll also need a line like:

    uris =  ldap://myldapserver1 ldap://myldapserver2

    (I use 2 servers with referrals to the master)

    Also look up iterate_attrs and iterate_filter to let doveadm and
    other things iterate over accounts.

    Cheers

    Alex


    On 04/06/13 18:34, Alex Crow wrote:

        Hi,

        That can't be the full output of doveconf -n can it?

        You need to define (examples from my configs using qmail
        schema; your values will probably be different if you are
        using AD or openLDAP with a different mail schema)

        user_attrs = homeDirectory=home,mailMessageStore=mail
        user_filter = (&(objectClass=qmailUser)(mail=%u))
        pass_attrs = userPassword=password,homeDirectory=userdb_home,mailMessageStore=userdb_mail
        pass_filter = (&(objectClass=qmailUser)(mail=%u))

        Also look at the auth_bind parameter. Mine is "yes" because
        I'm using userdb prefetch as you can see from the pass_attrs
        param.

        And you probably need to set up virtual users as well!

        Cheers

        Alex


        On 04/06/13 17:44, Christian Wiese wrote:

            Hello Christian,
            I tried what you suggested by adding "REFERALS off"
            to /etc/ldap/ldap.conf and restarting slapd and dovecot,
            but the error
            persists.


            On Tue, Jun 4, 2013 at 7:56 AM, Christian Wiese <[email protected]> wrote:

                Hi Ron,

                I didn't have the time to check all logs but the error log.
                The first thing you should check is whether LDAP
                REFERRALS are enabled in
                the system's ldap.conf.
                I had a similar looking issue and it took me a good
                amount of time to
                figure out that I had to disable LDAP REFERRALS globally.
                This happened when using an AD as LDAP backend, but
                also applies to
                Samba4 as you can see in the following mailing list
                thread:


                
http://dovecot.markmail.org/message/mjurv4fp4w65u2ib?q=Dovecot+LDA+LDAP+lookups+on+samba4+server+ends+very+often+in+timeouts


                The settings within the system's ldap.conf might
                influence dovecot,
                because libldap (openldap) functions might read the
                global ldap.conf
                settings.

                Hope that helps.

                Cheers,
                Chris

                On Tue, 4 Jun 2013 05:50:16 -0400,
                Ron Scott-Adams <[email protected]> wrote:

                    a login tohuw [myPassword] returns "NO
                    [AUTHENTICATIONFAILED]
                    Authentication failed." I believe I'm missing a
                    configuration
                    detail, but what?


                    info.log: http://pastebin.ca/2388873

                    debug.log: http://pastebin.ca/2388872

                    error.log: http://pastebin.ca/2388871

                    dovecot -n: http://pastebin.ca/2388870

                    dovecot-ldap.conf.ext summary:
                    http://pastebin.ca/2388867
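
Added example, not part of the original thread and not Dovecot's own code: a small Python model of the `pass_filter` / `pass_attrs` settings quoted in the thread, showing how `%u` is substituted into the filter and how `userdb_`-prefixed passdb fields become the userdb result when `userdb { driver = prefetch }` is used. The helper names and the sample LDAP entry are assumptions made for illustration.

```python
# Added illustration (not Dovecot source): models how the settings quoted in the
# thread turn one LDAP lookup into passdb fields plus prefetched userdb fields.

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login name cannot alter the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def expand_filter(template, username):
    """Substitute %u in a user_filter/pass_filter template."""
    return template.replace("%u", escape_filter_value(username))

def parse_attrs(spec):
    """Parse 'ldapAttr=dovecotField,...' into a dict (the format used in the thread)."""
    mapping = {}
    for item in spec.split(","):
        ldap_attr, _, field = item.strip().partition("=")
        if not ldap_attr or not field:
            raise ValueError(f"malformed attribute mapping: {item!r}")
        mapping[ldap_attr] = field
    return mapping

def apply_attrs(spec, entry):
    """Rename the attributes of one LDAP entry to Dovecot field names."""
    return {field: entry[attr] for attr, field in parse_attrs(spec).items() if attr in entry}

def prefetch_userdb(passdb_fields):
    """userdb prefetch: reuse passdb fields carrying the userdb_ prefix, prefix removed."""
    prefix = "userdb_"
    return {k[len(prefix):]: v for k, v in passdb_fields.items() if k.startswith(prefix)}

# Settings copied from the thread.
PASS_FILTER = "(&(objectClass=qmailUser)(mail=%u))"
PASS_ATTRS = "userPassword=password,homeDirectory=userdb_home,mailMessageStore=userdb_mail"

# Constructed sample entry; every value is invented for this example.
SAMPLE_ENTRY = {
    "mail": "jdoe@example.org",
    "userPassword": "{SSHA}constructed-placeholder",
    "homeDirectory": "/home/vmail/jdoe",
    "mailMessageStore": "maildir:/home/vmail/jdoe/Maildir",
}

if __name__ == "__main__":
    print(expand_filter(PASS_FILTER, "jdoe@example.org"))
    fields = apply_attrs(PASS_ATTRS, SAMPLE_ENTRY)
    print(fields)
    print(prefetch_userdb(fields))
```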






