[Dovecot] LDAP Authorising users from Active Directory

Rob Coward rob.coward at game.co.uk
Wed Aug 16 12:30:12 EEST 2006


Hi,
I am having stability problems setting up dovecot to authenticate
virtual users against Active Directory on Win2k3. If the correct userid
and password are used, everything works fine, see first logfile snippet
below. If an unknown userid is used, again everything works fine. If I
try logging in with a valid userid but get the password wrong, that
connection is rejected (see second logfile snippet), and all subsequent
connections, even with correct userid/password, are rejected with
thunderbird getting a temporary auth failure (see third logfile snippet
below).

I am using auth_bind = yes and it seems as though after the failed login
with an incorrect password, dovecot is losing the dn & dnpass settings
for the initial user lookup.

I have found numerous references to PHP and ActiveDirectory on Win2k3
getting a similar "ldap_search() failed: Operations error" error and
they suggested ensuring LDAP Version 3 is used and the Deref is set to
'never'. I am already using these settings to no avail.

Has anyone else experienced these problems, or have any suggestions on
how to overcome it?

Many thanks,
Rob Coward


Normal Login with correct password

Aug 16 10:08:52 gm-ho-lin-05 dovecot: auth(default): client in: AUTH
1       PLAIN   service=IMAP    secured lip=127.0.0.1    rip=127.0.0.1
resp=ADA5OTlAc3RvcmVzLmdhbWUuY28udWsAOTk5MA==
Aug 16 10:08:52 gm-ho-lin-05 dovecot: auth(default):
ldap(0999 at stores.game.co.uk,127.0.0.1): bind search:
base=OU=Stores,OU=UK,DC=group,DC=game,DC=net
filter=(&(objectClass=user)(mail=0999 at stores.game.co.uk))
Aug 16 10:08:52 gm-ho-lin-05 dovecot: auth(default): client out: OK
1       user=0999 at stores.game.co.uk
Aug 16 10:08:52 gm-ho-lin-05 dovecot: auth(default): master in: REQUEST
6       20765   1
Aug 16 10:08:52 gm-ho-lin-05 dovecot: auth(default):
ldap(0999 at stores.game.co.uk,127.0.0.1):
base=OU=Stores,OU=UK,DC=group,DC=game,DC=net scope=subtree
filter=(&(objectClass=user)(mail=0999 at stores.game.co.uk))
fields=uid,,,uid,,
Aug 16 10:08:52 gm-ho-lin-05 dovecot: auth(default): master out: USER
6       0999 at stores.game.co.uk  uid=12367       gid=12367
Aug 16 10:08:52 gm-ho-lin-05 dovecot: imap-login: Login:
user=<0999 at stores.game.co.uk>, method=PLAIN, rip=127.0.0.1,
lip=127.0.0.1, secured
Aug 16 10:08:52 gm-ho-lin-05 dovecot: IMAP(0999 at stores.game.co.uk):
Effective uid=12367, gid=12367
Aug 16 10:08:52 gm-ho-lin-05 dovecot: IMAP(0999 at stores.game.co.uk):
maildir: data=/data/mailstore/stores.game.co.uk/0999
Aug 16 10:08:52 gm-ho-lin-05 dovecot: IMAP(0999 at stores.game.co.uk):
maildir: root=/data/mailstore/stores.game.co.uk/0999,
index=/data/mailstore/stores.game.co.uk/0999, control=, inbox=
Aug 16 10:08:52 gm-ho-lin-05 dovecot: IMAP(0999 at stores.game.co.uk):
Disconnected: Logged out


Login with incorrect password

Aug 16 10:09:37 gm-ho-lin-05 dovecot: auth(default): client in: AUTH
1       PLAIN   service=IMAP    secured lip=127.0.0.1    rip=127.0.0.1
resp=ADA5OTlAc3RvcmVzLmdhbWUuY28udWsAMTIzNA==
Aug 16 10:09:37 gm-ho-lin-05 dovecot: auth(default):
ldap(0999 at stores.game.co.uk,127.0.0.1): bind search:
base=OU=Stores,OU=UK,DC=group,DC=game,DC=net
filter=(&(objectClass=user)(mail=0999 at stores.game.co.uk))
Aug 16 10:09:39 gm-ho-lin-05 dovecot: auth(default): client out: FAIL
1       user=0999 at stores.game.co.uk
Aug 16 10:09:39 gm-ho-lin-05 dovecot: imap-login: Aborted login:
user=<0999 at stores.game.co.uk>, method=PLAIN, rip=127.0.0.1,
lip=127.0.0.1, secured


Subsequent logins with correct password

Aug 16 10:09:48 gm-ho-lin-05 dovecot: auth(default): client in: AUTH
1       PLAIN   service=IMAP    secured lip=127.0.0.1    rip=127.0.0.1
resp=ADA5OTlAc3RvcmVzLmdhbWUuY28udWsAOTk5MA==
Aug 16 10:09:48 gm-ho-lin-05 dovecot: auth(default):
ldap(0999 at stores.game.co.uk,127.0.0.1): bind search:
base=OU=Stores,OU=UK,DC=group,DC=game,DC=net
filter=(&(objectClass=user)(mail=0999 at stores.game.co.uk))
Aug 16 10:09:48 gm-ho-lin-05 dovecot: auth(default):
ldap(0999 at stores.game.co.uk,127.0.0.1): ldap_search() failed: Operations
error
Aug 16 10:09:49 gm-ho-lin-05 dovecot: auth(default): client out: FAIL
1       user=0999 at stores.game.co.uk     temp
Aug 16 10:09:49 gm-ho-lin-05 dovecot: imap-login: Aborted login:
user=<0999 at stores.game.co.uk>, method=PLAIN, rip=127.0.0.1,
lip=127.0.0.1, secured
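
Added example (not part of the original post and not Dovecot code): a small Python check that scans auth debug logs for the sequence shown in the three excerpts above, a rejected login followed by "ldap_search() failed: Operations error" and a "temp" failure. The sample log is constructed (hostname and user are placeholders), and treating a plain FAIL as a rejected password is an assumption.

```python
import re

TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
OUT = re.compile(r"client out: (OK|FAIL)\s+\d+(?:\s+user=(\S+))?(.*)")
SEARCH_ERR = "ldap_search() failed: Operations error"

# Constructed sample modelled on the post's excerpts, wrapped as the archive wraps them.
SAMPLE_LOG = """\
Aug 16 10:08:52 mailhost dovecot: auth(default): client out: OK
1       user=user@example.test
Aug 16 10:09:39 mailhost dovecot: auth(default): client out: FAIL
1       user=user@example.test
Aug 16 10:09:48 mailhost dovecot: auth(default):
ldap(user@example.test,127.0.0.1): ldap_search() failed: Operations
error
Aug 16 10:09:49 mailhost dovecot: auth(default): client out: FAIL
1       user=user@example.test     temp
"""

def records(text):
    """Rejoin syslog records that were wrapped across several lines."""
    rec = []
    for line in text.splitlines():
        if TS.match(line) and rec:
            yield " ".join(rec)
            rec = []
        if line.strip():
            rec.append(line.strip())
    if rec:
        yield " ".join(rec)

def find_stuck_bind(text):
    """Return 'temp' failures that follow a rejected password and a search error."""
    findings, bad_pw_at, search_err = [], None, False
    for rec in records(text):
        if SEARCH_ERR in rec:
            search_err = True
            continue
        m = OUT.search(rec)
        if not m:
            continue
        status, user, rest = m.groups()
        if status == "OK":                      # lookups work again: reset state
            bad_pw_at, search_err = None, False
        elif "temp" in rest.split():            # temporary failure, not a bad password
            if bad_pw_at and search_err:
                findings.append({"user": user, "at": rec[:15], "bad_password_at": bad_pw_at})
            search_err = False
        else:                                   # assumption: plain FAIL = rejected password
            bad_pw_at = rec[:15]
    return findings
```
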



