Hi mailing list,
I'm currently running dovecot 2.2.13 from Debian Jessie, all is
running fine. However I am attempting to merge 2 LDAP authentication
sources.
I would like to attempt to authenticate against the first
authentication source, if that fails either by password fail or user
not found,
then attempt the next LDAP server.
I've added the a passdb and userdb entry for the new ldap server. As
you can see from the log below the user isn't found in the first LDAP
query, but
is in the second one. However the authentication fails:
Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=imap#011secured#011session=WTLjLuRB9QBRlIlQ#011lip=51.254.222.112#011rip=81.148.137.80#011lport=143#011rport=56821#011resp=AG1hcnRpbi53aGVsZG9uQGdyXWVuaGlsbHMtaXQuY28udWsAQ3JhY2spbk4wdw==
(previous base64 data may contain sensitive data)
Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon
at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): bind search:
base=dc=greenhills-it,dc=co,dc=uk
filter=(&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=martin.wheldon
at greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk)))
Nov 22 13:59:38 he01-imap-01 dovecot: auth: Error: ldap(martin.wheldon
at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>):
ldap_search(base=dc=greenhills-it,dc=co,dc=uk
filter=(&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=martin.wheldon
at greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk))))
failed: No such object
Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon
at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): bind search:
base=dc=greenhills-it,dc=co,dc=uk filter=(|(uid=martin.wheldon at
greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk))
Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon
at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): result:
uid=00000001; uid unused
Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon
at greenhills-it.co.uk,81.148.137.80,<WTLjLuRB9QBRlIlQ>): username
changed martin.wheldon at greenhills-it.co.uk -> 00000001
Nov 22 13:59:38 he01-imap-01 dovecot: auth: Debug:
ldap(00000001,81.148.137.80,<WTLjLuRB9QBRlIlQ>): result: uid=00000001
Nov 22 13:59:40 he01-imap-01 dovecot: auth: Debug: client passdb out:
FAIL#0111#011user=00000001#011temp#011original_user=martin.wheldon at
greenhills-it.co.uk
I know that the password was entered correctly because if I disable
the new ldap config and login I get authenticated properly.
Nov 22 14:00:38 he01-imap-01 dovecot: auth: Debug: auth client
connected (pid=2626)
Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=imap#011secured#011session=ipKBMuRBBQBRlIlQ#011lip=51.254.222.112#011rip=81.148.137.80#011lport=143#011rport=38149#011resp=AG1hcnRpbi53aGVsZG9uQGdyXWVuaGlsbHMtaXQuY28udWsAQ3JhY2spbk4wdw==
(previous base64 data may contain sensitive data)
Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon
at greenhills-it.co.uk,81.148.137.80,<ipKBMuRBBQBRlIlQ>): bind search:
base=dc=greenhills-it,dc=co,dc=uk filter=(|(uid=martin.wheldon at
greenhills-it.co.uk)(mail=martin.wheldon at greenhills-it.co.uk))
Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon
at greenhills-it.co.uk,81.148.137.80,<ipKBMuRBBQBRlIlQ>): result:
uid=00000001; uid unused
Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: ldap(martin.wheldon
at greenhills-it.co.uk,81.148.137.80,<ipKBMuRBBQBRlIlQ>): username
changed martin.wheldon at greenhills-it.co.uk -> 00000001
Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug:
ldap(00000001,81.148.137.80,<ipKBMuRBBQBRlIlQ>): result: uid=00000001
Nov 22 14:00:39 he01-imap-01 dovecot: auth: Debug: client passdb out:
OK#0111#011user=00000001#011original_user=martin.wheldon at
greenhills-it.co.uk
I've done loads of googling and I believe that this is possible so I
must either have misread the documentation or am triggering a bug.
Neither of which I seem to be able to confirm.
Any help would be much appreciated.
My broken configuration is below:
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
default_vsz_limit = 512 M
lmtp_rcpt_check_quota = yes
lmtp_save_to_detail_mailbox = yes
mail_location = maildir:~/Maildir
mail_plugins = " quota"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = /etc/dovecot/dovecot-ldap-new.conf.ext
driver = ldap
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
skip = authenticated
}
plugin {
antispam_backend = pipe
antispam_pipe_program = /usr/sbin/sendmail
antispam_pipe_program_args = -f;%{auth_user};-r;%{auth_user}
antispam_pipe_program_notspam_arg =
[email protected]
antispam_pipe_program_spam_arg = [email protected]
antispam_spam = Spam
antispam_trash = Trash
quota = maildir:User quota
quota_rule = *:storage=1G
quota_rule2 = Trash:ignore
quota_rule3 = Spam:ignore
sieve = ~/.dovecot.sieve
sieve_before = /var/lib/dovecot/sieve/move-spam.sieve
sieve_dir = ~/sieve
}
protocols = " imap lmtp sieve pop3"
service imap-login {
process_min_avail = 20
service_count = 1
}
service imap {
process_min_avail = 20
}
service lmtp {
inet_listener lmtp {
address = he01-imap-01.greenhills-it.co.uk 127.0.0.1
port = 2003
}
}
service pop3 {
process_min_avail = 20
}
ssl = required
ssl_cert = </etc/ssl/certs/combined_2015_greenhills-it.co.uk.cert
ssl_cipher_list =
ALL:HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT:!PSK:!DES:!3DES:!MD5:!DES+MD5:!RC4:!SEED+SHA:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!eNULL:!aNULL:@STRENGTH
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/stripped.2015.greenhills-it.co.uk.pem
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
userdb {
args = /etc/dovecot/dovecot-ldap-new.conf.ext
driver = ldap
}
userdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
protocol lmtp {
mail_plugins = " quota sieve"
}
protocol imap {
mail_plugins = " quota imap_quota"
}
# Working LDAP configuration
# /etc/dovecot/dovecot-ldap.conf.ext
uris = ldap://he01-auth-01.greenhills-it.co.uk
dn = uid=dovecot,ou=people,ou=SRV_Accounts,dc=greenhills-it,dc=co,dc=uk
dnpass = VerySecret
sasl_bind = no
auth_bind = yes
ldap_version = 3
base = dc=greenhills-it,dc=co,dc=uk
scope = subtree
user_attrs =
homeDirectory=home,uidNumber=uid,gidNumber=gid,gosaMailQuota=quota_rule=*:storage=%$M
user_filter = (|(uid=%u)(mail=%u)(gosaMailAlternateAddress=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (|(uid=%u)(mail=%u))
default_pass_scheme = CRYPT
# Non working LDAP configuration
# /etc/dovecot/dovecot-ldap-new.conf.ext
uris = ldap://dir.greenhills-it.co.uk
dn = "cn=dovecot,ou=search
accounts,ou=services,dc=greenhills-it,dc=co,dc=uk"
dnpass = VerySecret
sasl_bind = no
tls = yes
tls_ca_cert_file = /etc/ssl/certs/GreenhillsCACert.pem
tls_require_cert = demand
debug_level = -1
auth_bind = yes
ldap_version = 3
base = ou=customers,dc=greenhills-it,dc=co,dc=uk
scope = subtree
user_attrs =
homeDirectory=home,uidNumber=uid,gidNumber=gid,ukFirmGhITAccMailQuota=quota_rule=*:storage=%$M
user_filter =
(&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=%u)(mail=%u)(ukFirmGhITAccMailAlias=%u)))
pass_attrs = uidNumber=user
pass_filter =
(&(&(ukFirmGhITAccSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=%u)(mail=%u)))
default_pass_scheme = SSHA
Best Regards
