[Dovecot] Using ldap and pam

Bo Lynch blynch at ameliaschools.com
Tue Aug 6 15:16:31 EEST 2013


On Tue, August 6, 2013 2:41 am, Steffen Kaiser wrote:
> On Mon, 5 Aug 2013, Bo Lynch wrote:
>
>> Having some issues with ldap logins. I am using CentOS 5,
>> dovecot-1.0.13-1.el5.rfx and openldap-servers-2.3.43-25.el5_8.1.
>> Trying to get this to work with the SOGo interface. First I converted all
>> my standard system users to ldap using the openldap-tools. This worked
>> fine, however when a user changes their password they can no longer see
>> their email. If they change it back to the original password mail can be
>> seen. This has stumped me for a day or so, so I was hoping someone could
>> shed some light.
>
> What is in the logs? http://wiki1.dovecot.org/Logging see auth_debug=yes
>
>> /etc/dovecot.conf
>> protocols = imap imaps
>> disable_plaintext_auth = no
>> mbox_read_locks = fcntl
>> mbox_write_locks = fcntl
>> protocol imap {
>> }
>> protocol pop3 {
>> }
>> protocol lda {
>>  postmaster_address = postmaster at example.com
>> }
>> auth default {
>> mechanisms = plain login
>>  passdb pam {
>>  }
>>  passdb ldap {
>>    args = /etc/dovecot-ldap.pass
>>  }
>
> You first query PAM then LDAP. If your users are in passwd still, you get
> a failed password response.
>
>>  userdb passwd {
>>  }
>
> You read the user data from passwd? I think you've migrated to LDAP?
>
>>  user = root
>>  user = root
>>  socket listen {
>>    client {
>>      path = /var/spool/postfix/private/auth
>>      mode = 0660
>>      user = postfix
>>      group = postfix
>>    }
>>  }
>> }
>> dict {
>> }
>> plugin {
>> }
>>
>> /etc/dovecot-ldap.conf
>> hosts = 127.0.0.1:389
>> sasl_bind = no
>> auth_bind = yes
>> auth_bind = no
>> ldap_version = 3
>> deref = never
>> dn = cn=sogo,dc=ameliaschools,dc=com
>> dnpass=password
>> base = dc=ameliaschools,dc=com
>> scope = subtree
>> pass_attrs = uid=user, userPassword=password
>> pass_filter = (uid=%u)
>>
Is it possible to have 2 auth methods? Meaning if user and passwd do not
match in pam then go with ldap?
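
An added example, not part of the original thread: a small Python check that parses Dovecot 1.x-style settings and reports the passdb order, the userdb in use, any setting assigned more than once, and whether plaintext auth is allowed. The sample text is constructed from the relevant lines of the configuration quoted above, and the function names are hypothetical.

```python
# Constructed sample: the relevant lines of the two files quoted in the thread.
DOVECOT_CONF = """\
disable_plaintext_auth = no
auth default {
  passdb pam {
  }
  passdb ldap {
    args = /etc/dovecot-ldap.pass
  }
  userdb passwd {
  }
  user = root
  user = root
}
"""
LDAP_CONF = "auth_bind = yes\nauth_bind = no\npass_filter = (uid=%u)\n"

def parse(text):
    """Return (settings, blocks) in file order; scope is the enclosing block path."""
    stack, settings, blocks = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            words = line[:-1].split()
            blocks.append((words[0], words[-1]))   # e.g. ("passdb", "pam")
            stack.append(" ".join(words))
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings.append(("/".join(stack), key, value))
    return settings, blocks

def repeated(settings):
    """Map 'scope/key' -> values for every key assigned more than once in one scope."""
    seen = {}
    for scope, key, value in settings:
        seen.setdefault(f"{scope}/{key}".lstrip("/"), []).append(value)
    return {k: v for k, v in seen.items() if len(v) > 1}

def audit(conf, ldap_conf):
    settings, blocks = parse(conf)
    return {
        "passdb_order": [name for kind, name in blocks if kind == "passdb"],
        "userdb": [name for kind, name in blocks if kind == "userdb"],
        "repeated": {**repeated(settings), **repeated(parse(ldap_conf)[0])},
        "plaintext_allowed": ("", "disable_plaintext_auth", "no") in settings,
    }
```

Calling `audit(DOVECOT_CONF, LDAP_CONF)` on the sample reports the passdb order as pam then ldap, the userdb as passwd, and `auth_bind` assigned both `yes` and `no`.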



