
I'm hoping I can use some help.

I'm configuring dovecot_ldap, but I can't seem to be able to get dovecot to authenticate the ldap user.

Below is my config and log info:

hosts = 192.168.128.45:3268
dn = cn=Administrator,cn=Users,dc=company,dc=example,dc=com
dnpass = "passwd"
auth_bind = yes
ldap_version = 3
base = dc=company, dc=example, dc=com
user_attrs = sAMAccountName=home=/var/vmail/example.com/%$,uid=1001,gid=1001
user_filter = (&(sAMAccountName=%Ln))
pass_filter = (&(ObjectClass=person)(sAMAccountName=%u))

dovecot.conf

# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-33-generic x86_64 Ubuntu 12.04 LTS
auth_mechanisms = plain login
auth_realms = example.com
auth_verbose = yes
disable_plaintext_auth = no
mail_access_groups = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
passdb {
  driver = pam
}
passdb {
  driver = passwd
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
}
protocols = " imap pop3"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  imap_logout_format = bytes=%i/%o
  mail_plugins =
}

mail.log

Nov 29 10:51:44 mail dovecot: auth-worker: pam(charyorde,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:44 mail dovecot: auth-worker: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:44 mail dovecot: auth: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:44 mail dovecot: imap-login: Login: user=<charyorde>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, mpid=1892, TLS
Nov 29 10:51:44 mail dovecot: imap(charyorde): Error: user charyorde: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Nov 29 10:51:44 mail dovecot: imap(charyorde): Error: Internal error occurred. Refer to server log for more information.
Nov 29 10:51:46 mail dovecot: auth-worker: pam(charyorde,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:46 mail dovecot: auth-worker: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:46 mail dovecot: auth: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:46 mail dovecot: imap-login: Login: user=<charyorde>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, mpid=1894, TLS
Nov 29 10:51:46 mail dovecot: imap(charyorde): Error: user charyorde: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Nov 29 10:51:46 mail dovecot: imap(charyorde): Error: Internal error occurred. Refer to server log for more information.
Nov 29 10:51:48 mail dovecot: auth-worker: pam(charyorde@example.com,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:48 mail dovecot: auth-worker: passwd(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:48 mail dovecot: auth: ldap(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:48 mail dovecot: auth: passwd-file(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:54 mail postfix/smtpd[1880]: idle timeout -- exiting
Nov 29 10:51:54 mail postfix/smtpd[1879]: idle timeout -- exiting
Nov 29 10:51:54 mail postfix/smtpd[1886]: proxymap stream disconnect
Nov 29 10:51:54 mail postfix/smtpd[1887]: proxymap stream disconnect
Nov 29 10:51:54 mail postfix/smtpd[1886]: auto_clnt_close: disconnect private/tlsmgr stream
Nov 29 10:51:54 mail postfix/smtpd[1887]: auto_clnt_close: disconnect private/tlsmgr stream
Nov 29 10:51:54 mail postfix/smtpd[1887]: idle timeout -- exiting
Nov 29 10:51:54 mail postfix/smtpd[1886]: idle timeout -- exiting
Nov 29 10:51:56 mail dovecot: auth-worker: pam(charyorde@example.com,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:56 mail dovecot: auth-worker: passwd(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:56 mail dovecot: auth: ldap(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:56 mail dovecot: auth: passwd-file(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:52:04 mail dovecot: auth-worker: pam(charyorde@example.com,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:52:04 mail dovecot: auth-worker: passwd(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:52:04 mail dovecot: auth: ldap(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:52:04 mail dovecot: auth: passwd-file(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:52:06 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<charyorde@example.com>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, TLS

Thank you for looking into this.

drecute
  • Well, so what *is* `mail_uid` set to, and what does that value map to? – user Nov 29 '12 at 10:45
  • Probably I don't know where to set that. I know that `/var/vmail/` uid and gid is set to 1001. I don't know what setting `mail_uid` means. – drecute Nov 29 '12 at 11:04
  • Okay, I see what you mean. I think I need to set `first_valid_uid` and `first_valid_gid` in dovecot.conf and also add `virtual_uid_maps` and `virtual_gid_maps` in postfix.conf. I'll post back if this works. Thanks for the pointers. – drecute Nov 29 '12 at 11:45
  • Sorry. That was a stupid response from me. If authenticating via ldap, do I still need `mail_uid`? At the moment `mail_uid` is not set. And I'm not expecting dovecot to use it. I'm expecting it to use ldap. – drecute Nov 29 '12 at 12:31
  • Well, the error message specifically refers to `mail_uid`, so whether you expect dovecot to use it or not, it obviously wants something. – user Nov 29 '12 at 12:32
  • I added `mail_uid = 1001` and `mail_gid = 1001`. The specific error `Couldn't drop privileges: User is missing UID (see mail_uid setting)` now seems to go away. But I still can't authenticate. Dovecot still returns unknown user for the ldap user. – drecute Nov 29 '12 at 13:18
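Reading the mail.log excerpt in the question is easier when the auth lines are grouped by login name and passdb driver. The following Python is an added example, not code from the question or from Dovecot; it parses a constructed copy of those log lines and separates a passdb failure (every backend reports `unknown user`, login disconnected) from a userdb failure (a passdb accepted the login but no uid/gid came back, the `mail_uid` error).

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the mail.log excerpt in the question.
SAMPLE_LOG = """\
Nov 29 10:51:44 mail dovecot: auth-worker: pam(charyorde,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:44 mail dovecot: auth-worker: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:44 mail dovecot: imap-login: Login: user=<charyorde>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, mpid=1892, TLS
Nov 29 10:51:44 mail dovecot: imap(charyorde): Error: user charyorde: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Nov 29 10:51:48 mail dovecot: auth-worker: pam(charyorde@example.com,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:48 mail dovecot: auth: ldap(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:48 mail dovecot: auth: passwd-file(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:54 mail postfix/smtpd[1880]: idle timeout -- exiting
Nov 29 10:52:06 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<charyorde@example.com>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, TLS
"""

# One passdb result line looks like "<driver>(<user>,<remote ip>): <result>"
PASSDB_RE = re.compile(r"dovecot: auth(?:-worker)?: ([\w-]+)\(([^,)]+),([\d.]+)\): (.+)$")
LOGIN_RE = re.compile(r"dovecot: imap-login: Login: user=<([^>]+)>")
NOUID_RE = re.compile(r"dovecot: imap\(([^)]+)\): Error: user \S+: Couldn't drop privileges: User is missing UID")
FAILED_RE = re.compile(r"dovecot: imap-login: Disconnected \(auth failed, (\d+) attempts\): user=<([^>]+)>")

def _new_record():
    return {"passdb": {}, "login_ok": False, "missing_uid": False, "failed_attempts": 0}

def summarize(log_text):
    """Group Dovecot auth events by login name; lines from other daemons are skipped."""
    users = defaultdict(_new_record)
    for line in log_text.splitlines():
        if m := PASSDB_RE.search(line):
            driver, user, _ip, result = m.groups()
            users[user]["passdb"][driver] = "unknown user" if result.startswith("unknown user") else "failed"
        elif m := LOGIN_RE.search(line):
            users[m.group(1)]["login_ok"] = True
        elif m := NOUID_RE.search(line):
            users[m.group(1)]["missing_uid"] = True
        elif m := FAILED_RE.search(line):
            users[m.group(2)]["failed_attempts"] = int(m.group(1))
    return dict(users)

def diagnose(record):
    """Map one user's record to the layer that broke: userdb, passdb, or neither."""
    if record["login_ok"] and record["missing_uid"]:
        return "userdb: a passdb accepted the login but no userdb supplied uid/gid"
    if record["failed_attempts"]:
        unknown = sorted(d for d, r in record["passdb"].items() if r == "unknown user")
        return "passdb: no backend matched the user (unknown user from %s)" % ", ".join(unknown)
    return "ok"
```

Note that at `auth_verbose = yes` Dovecot logs only the passdb entries that rejected the user, so a successful login appears only as the later `imap-login: Login:` line.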

1 Answer

If you don't need dovecot to know anything special about your users beyond the metadata of a normal unix system user (i.e. home dir, gid, etc.), then it is much simpler to configure dovecot to do pam authentication and use pam to communicate with ldap.

Your dovecot.conf would look something like this:

passdb {
        driver = pam
        args = %s
}
userdb {
        driver = passwd
}

Then you have to put something in /etc/pam.d/dovecot. If you are already using LDAP authentication for your system users, you can probably just include the appropriate context like so:

auth      include   system-remote-login
password  include   system-remote-login

On the other hand, if you have not set up pam_ldap to authenticate your users on the system, you probably need a custom scheme that does just that:

auth      sufficient pam_ldap.so     minimum_uid=1000
auth      required   pam_unix.so     try_first_pass nullok
auth      required   pam_env.so
password  sufficient pam_ldap.so     minimum_uid=1000
password  required   pam_unix.so     try_first_pass nullok

And you'll need to tell your system NSS how to talk to ldap, usually via /etc/nslcd.conf and something like the following:

uri ldap://localhost/
base dc=example,dc=com
base   group  ou=Groups,dc=example,dc=com
base   passwd ou=People,dc=example,dc=com
base   shadow ou=People,dc=example,dc=com
nss_min_uid 1000

Incidentally, if you leave out the userdb { driver = passwd } bit from the dovecot.conf file, you will get the same error you were getting from dovecot's LDAP lookup.

Caleb
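A consistency check for the PAM and nslcd halves of the setup described in the answer, as an added example (not part of the answer, and not a Dovecot or nslcd tool): it parses constructed copies of the /etc/pam.d/dovecot and /etc/nslcd.conf fragments above and flags a missing pam_ldap.so line, a control other than `sufficient`, and a `minimum_uid` that disagrees with `nss_min_uid`, which leaves a uid range that NSS resolves but PAM refuses (or the reverse).

```python
# Constructed copies of the /etc/pam.d/dovecot and /etc/nslcd.conf fragments from the answer.
PAM_DOVECOT = """\
auth      sufficient pam_ldap.so     minimum_uid=1000
auth      required   pam_unix.so     try_first_pass nullok
auth      required   pam_env.so
password  sufficient pam_ldap.so     minimum_uid=1000
password  required   pam_unix.so     try_first_pass nullok
"""
NSLCD_CONF = """\
uri ldap://localhost/
base dc=example,dc=com
nss_min_uid 1000
"""

def parse_pam(text):
    # Each rule becomes (type, control, module, {option: value or True}).
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            ptype, control, module, *opts = parts
            options = dict(o.split("=", 1) if "=" in o else (o, True) for o in opts)
            rules.append((ptype, control, module, options))
    return rules

def parse_nslcd(text):
    # nslcd keys may repeat (e.g. several "base" lines), so keep a list per key.
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            conf.setdefault(parts[0], []).append(parts[1])
    return conf

def check_stack(pam_text, nslcd_text):
    """Return a list of findings; an empty list means the PAM and NSS halves agree."""
    findings = []
    rules = parse_pam(pam_text)
    nss_min = int(parse_nslcd(nslcd_text).get("nss_min_uid", ["0"])[0])
    for ptype in ("auth", "password"):
        ldap = next((r for r in rules if r[0] == ptype and r[2] == "pam_ldap.so"), None)
        if ldap is None:
            findings.append(f"{ptype}: no pam_ldap.so line, LDAP users cannot authenticate")
            continue
        if ldap[1] != "sufficient":
            findings.append(f"{ptype}: pam_ldap.so is '{ldap[1]}', not 'sufficient'; local-only users would fail")
        pam_min = int(ldap[3].get("minimum_uid", 0))
        if pam_min != nss_min:
            findings.append(f"{ptype}: minimum_uid={pam_min} but nss_min_uid={nss_min}; uids between them resolve via NSS yet are refused by PAM (or the reverse)")
    return findings
```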