[Dovecot] [BUG?] LDAP authentication with aliases issues

Paweł Lęcznar maillistpld at gmail.com
Thu Aug 4 22:23:17 EEST 2011 

W dniu 31.07.2011 22:48, Paweł Lęcznar pisze:
> Hello,
>
> I am trying to configure Dovecot with LDAP authentication. My LDAP 
> tree structure is as following:
>     dc=root,dc=pl
>      \_ ou=Users
>         \_ uid=test
>      \_ ou=Mail
>         \_ ou=domain.pl
>            \_ uid=alias_to_test
>
> I cannot authenticate using 
> 'uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl'. If I try to 
> authenticate using 
> 'uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl', following 
> entry appears in the Dovecot's log file:
>
> #v+
> auth: Debug: client in: AUTH    1       PLAIN   service=imap    
> secured lip=127.0.0.1   rip=127.0.0.1   lport=993       
> rport=59818     
> resp=YWxpYXMxQGFsaWFzeS5wbABhbGlhczFAYWxpYXN5LnBsAGFzZHF3ZWFzZA==
> auth: Debug: ldap(alias_to_test at domain.pl,127.0.0.1): pass search: 
> base=uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl scope=base 
> filter=(&(objectClass=posixAccount)) fields=uid,userPassword
> auth: Debug: auth(alias_to_test at domain.pl,127.0.0.1): username changed 
> alias_to_test at domain.pl -> test
> auth: Debug: ldap(test,127.0.0.1): result: uid(user)=test 
> userPassword(password)={CRYPT}ACnZvF4.K46UI
> auth: Debug: client out: OK     1       user=test
> auth: Debug: ldap(test,127.0.0.1): user search: 
> base=uid=test,ou=,ou=Mail,dc=root,dc=pl scope=base 
> filter=(&(objectClass=posixAccount)(uid=test)) 
> fields=homeDirectory,uidNumber,gidNumber
> auth: Debug: master out: FAIL   2551840769
> #v-
>
>
> In the LDAP server log file, following entries appear during 
> authentication attempt
>
> #v+
> ldap slapd[11729]: conn=1125 op=0 BIND dn="cn=Manager,dc=root,dc=pl" 
> method=128
> ldap slapd[11729]: conn=1125 op=0 BIND dn="cn=Manager,dc=root,dc=pl" 
> mech=SIMPLE ssf=0
> ldap slapd[11729]: conn=1125 op=0 RESULT tag=97 err=0 text=
> ldap slapd[11729]: conn=1125 op=1 SRCH 
> base="uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl" scope=0 
> deref=3 filter="(&(objectClass=posixAccount))"
> ldap slapd[11729]: conn=1125 op=1 SRCH attr=uid userPassword
> ldap slapd[11729]: conn=1125 op=1 SEARCH RESULT tag=101 err=0 
> nentries=1 text=
> ldap slapd[11729]: conn=1125 op=2 do_search: invalid dn: 
> "uid=test,ou=,ou=Mail,dc=root,dc=pl"
> ldap slapd[11729]: conn=1125 op=2 SEARCH RESULT tag=101 err=34 
> nentries=0 text=invalid DN
> #v-
>
> It seems that LDAP AuthDatabase doesn't change the context when 
> looking up for the target object, to which the alias points. 
> Futhermore, the filter for the target object 
> '(&(objectClass=posixAccount)(uid=test))' was not defined by me 
> anywhere in the configuration file 'dovecot-ldap.ext'.
> I have tried both authentication ways: 'password lookups' and 
> 'authentication binding' with the same result. However, There is no 
> problem to authenticate as 'uid=test,ou=Users,dc=root,dc=pl' (of 
> cource after modifying the configuration file listed at the end).
>
> I suppose that it can be a bug in LDAP AuthDatabase, so I am writing 
> this post as a potential bug report.
>
>
> Below are my configuration data:
> ***************
> # dovecot -n
> # 2.0.13: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.38.8-1 x86_64
> auth_debug = yes
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> auth_socket_path = /var/run/dovecot/auth-userdb
> auth_verbose = yes
> auth_verbose_passwords = plain
> listen = *
> mail_debug = yes
> mail_gid = 2000
> mail_uid = 2000
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope 
> encoded-character vacation subaddress comparator-i;ascii-numeric 
> relational regex imap4flags copy include variables body enotify 
> environment mailbox date
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> plugin {
>   sieve = ~/.dovecot.sieve
>   sieve_dir = ~/sieve
> }
> postmaster_address = postmaster at domain.pl
> protocols = imap pop3 sieve
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     mode = 0666
>   }
>   unix_listener auth-userdb {
>     group = vmail
>     mode = 0600
>     user = vmail
>   }
> }
> service imap-login {
>   inet_listener imap {
>     port = 143
>   }
>   inet_listener imaps {
>     port = 993
>     ssl = yes
>   }
> }
> service pop3-login {
>   inet_listener pop3 {
>     port = 110
>   }
>   inet_listener pop3s {
>     port = 995
>     ssl = yes
>   }
> }
> ssl = required
> ssl_cert = </etc/openssl/certs/vmail.pem
> ssl_key = </etc/openssl/private/vmail.key
> userdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> verbose_ssl = yes
>
> ***************
> # cat /etc/dovecot/dovecot-ldap.ext
> uris = ldap://X.Y.Z.V/
> dn = cn=Manager,dc=root,dc=pl
> dnpass = password
> auth_bind = no
> ldap_version = 3
> base = uid=%n,ou=%d,ou=Mail,dc=root,dc=pl
> deref = always
> scope = base
> pass_attrs = uid=user,userPassword=password
> pass_filter = (&(objectClass=posixAccount))
> default_pass_scheme = CRYPT

nobody? nothing? is there any chance that author of authentication ldap 
module will fix this problem?

More information about the dovecot mailing list