[Dovecot] LDAP authentication blank password

Rob Coward rob.coward at game.co.uk
Tue Oct 24 14:29:42 UTC 2006


I reported this a month or two back as well but got no responses. It
happens for us when the user enters an incorrect password.

I am using "auth_bind = yes" in my config and surmised that the ldap
code in dovecot may be caching the previous user's credentials for use
in subsequent bind lookups instead of using the credentials specified by
dn / dnpass. That would explain why a failed authentication might result
in all subsequent ldap_search() calls failing.

Our production server is currently running dovecot-1.0-0.beta8.2.fc5
from the Fedora 5 distribution, but I have tested that the problem still
exists up to the rc9 release. I have not tried it with rc10 yet.

These are the typical messages I get in the logs:

Oct 22 09:50:35 gm-ho-lin-06 dovecot: auth(default): client in: AUTH
1       PLAIN   service=POP3    lip=::ffff:10.1.101.10
rip=::ffff:10.0.25.193  resp=
Oct 22 09:50:35 gm-ho-lin-06 dovecot: auth(default): client out: CONT
1
Oct 22 09:50:35 gm-ho-lin-06 dovecot: auth(default): client in: CONT
1       ADAyMDdAc3RvcmVzLmdhbWUuY28udWsAMDcwMg==
Oct 22 09:50:35 gm-ho-lin-06 dovecot: auth(default):
ldap(0207 at stores.game.co.uk,::ffff:10.0.25.193): bind search:
base=OU=Stores,OU=UK,DC=group,DC=game,DC=net
filter=(&(objectClass=user)(mail=0207 at stores.game.co.uk))
Oct 22 09:50:36 gm-ho-lin-06 dovecot: auth(default): client out: FAIL
1       user=0207 at stores.game.co.uk
Oct 22 09:50:36 gm-ho-lin-06 dovecot: auth(default): client in: AUTH
2       PLAIN   service=POP3    lip=::ffff:10.1.101.10
rip=::ffff:10.0.25.193  resp=ADAyMDdAc3RvcmVzLmdhbWUuY28udWsAMDcwMg==
Oct 22 09:50:36 gm-ho-lin-06 dovecot: auth(default):
ldap(0207 at stores.game.co.uk,::ffff:10.0.25.193): bind search:
base=OU=Stores,OU=UK,DC=group,DC=game,DC=net
filter=(&(objectClass=user)(mail=0207 at stores.game.co.uk))
Oct 22 09:50:36 gm-ho-lin-06 dovecot: auth(default):
ldap(0207 at stores.game.co.uk,::ffff:10.0.25.193): ldap_search() failed:
Operations error
Oct 22 09:50:38 gm-ho-lin-06 dovecot: auth(default): client in: AUTH
1       PLAIN   service=POP3    lip=::ffff:10.1.101.10
rip=::ffff:10.0.70.193  resp=
Oct 22 09:50:38 gm-ho-lin-06 dovecot: auth(default): client out: CONT
1
Oct 22 09:50:38 gm-ho-lin-06 dovecot: auth(default): client in: CONT
1       ADA1NjdAc3RvcmVzLmdhbWUuY28udWsANzY1MA==
Oct 22 09:50:38 gm-ho-lin-06 dovecot: auth(default):
ldap(0567 at stores.game.co.uk,::ffff:10.0.70.193): bind search:
base=OU=Stores,OU=UK,DC=group,DC=game,DC=net
filter=(&(objectClass=user)(mail=0567 at stores.game.co.uk))
Oct 22 09:50:38 gm-ho-lin-06 dovecot: auth(default):
ldap(0567 at stores.game.co.uk,::ffff:10.0.70.193): ldap_search() failed:
Operations error
Oct 22 09:50:38 gm-ho-lin-06 dovecot: auth(default): client out: FAIL
2       user=0207 at stores.game.co.uk     temp
Oct 22 09:50:38 gm-ho-lin-06 dovecot: auth(default): client out: FAIL
1       user=0567 at stores.game.co.uk     temp
Oct 22 09:50:38 gm-ho-lin-06 dovecot: auth(default): client in: AUTH
2       PLAIN   service=POP3    lip=::ffff:10.1.101.10
rip=::ffff:10.0.70.193  resp=ADA1NjdAc3RvcmVzLmdhbWUuY28udWsANzY1MA==
Oct 22 09:50:38 gm-ho-lin-06 dovecot: auth(default):
ldap(0567 at stores.game.co.uk,::ffff:10.0.70.193): bind search:
base=OU=Stores,OU=UK,DC=group,DC=game,DC=net
filter=(&(objectClass=user)(mail=0567 at stores.game.co.uk))
Oct 22 09:50:38 gm-ho-lin-06 dovecot: auth(default):
ldap(0567 at stores.game.co.uk,::ffff:10.0.70.193): ldap_search() failed:
Operations error
Oct 22 09:50:40 gm-ho-lin-06 dovecot: auth(default): client out: FAIL
2       user=0567 at stores.game.co.uk     temp

Regards,
Rob Coward

On Tue, 2006-10-24 at 14:28 +0300, Timo Sirainen wrote:

> On Mon, 2006-10-23 at 12:07 -0200, Matheus Antonio Oliveira wrote:
> > People,
> > 
> > I have a situation: when use a passwd LDAP module against "microsoft 
> > active directory" and one user send a blank password the authentication 
> > module returns: "ERR [IN-USE] Internal login failure. Refer to server 
> > log for more information."; after this the authentication module never 
> > authenticate again "ERR Temporary authentication failure."
> ..
> > -ERR [IN-USE] Internal login failure. Refer to server log for more 
> > information.
> 
> Could you also show what error message it wrote to the log file?
> 
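
One way to spot the state described in this message from auth debug logs, as an added example that is not part of the original post or of Dovecot: it flags the point where a rejected login is followed by ldap_search() errors and "temp" failures for other users. The sample log is constructed (one event per line, made-up host, users and addresses), and find_stuck_episodes is a hypothetical helper name.

```python
import re

# Constructed sample, modelled on the auth debug lines quoted in the post.
SAMPLE_LOG = """\
Oct 22 09:50:35 mail1 dovecot: auth(default): ldap(alice@example.org,::ffff:192.0.2.10): bind search: base=OU=Users,DC=example,DC=org filter=(mail=alice@example.org)
Oct 22 09:50:36 mail1 dovecot: auth(default): client out: FAIL\t1\tuser=alice@example.org
Oct 22 09:50:36 mail1 dovecot: auth(default): ldap(alice@example.org,::ffff:192.0.2.10): ldap_search() failed: Operations error
Oct 22 09:50:38 mail1 dovecot: auth(default): ldap(bob@example.org,::ffff:192.0.2.11): ldap_search() failed: Operations error
Oct 22 09:50:38 mail1 dovecot: auth(default): client out: FAIL\t2\tuser=alice@example.org\ttemp
Oct 22 09:50:38 mail1 dovecot: auth(default): client out: FAIL\t1\tuser=bob@example.org\ttemp
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ dovecot: auth\(\w+\): (.*)$")
FAIL = re.compile(r"^client out: FAIL\s+\d+\s+user=(\S+)(\s+temp)?")
SEARCH_ERR = re.compile(r"^ldap\(([^,]+),[^)]*\): ldap_search\(\) failed: (.+)$")

def find_stuck_episodes(log_text):
    """Return episodes where ldap_search() starts failing, with the last
    rejected (non-temp) login before it and the users who then got 'temp'."""
    episodes, current, last_reject = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a dovecot auth line
        ts, msg = m.groups()
        if msg.startswith("client out: OK"):
            current, last_reject = None, None  # a login worked: not stuck
            continue
        err = SEARCH_ERR.match(msg)
        if err and current is None:
            # First search error: open an episode and record what preceded it.
            current = {"trigger": last_reject, "first_error": ts,
                       "error": err.group(2), "temp_failed": []}
            episodes.append(current)
            continue
        fail = FAIL.match(msg)
        if not fail:
            continue
        user, temp = fail.group(1), fail.group(2)
        if temp and current is not None:
            if user not in current["temp_failed"]:
                current["temp_failed"].append(user)
        elif not temp:
            last_reject = (ts, user)  # ordinary rejected login
    return episodes
```

Syslog lines that a mail client has wrapped, as in the post, need to be rejoined into one line per event before parsing.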




