Citerar "A. Schulze via dovecot" <dovecot@dovecot.org>:

Am 08.05.19 um 15:32 schrieb Dag Nygren via dovecot:

...

Now since some update of dovecot it will not be able to authenticate your logins after a restart of the LDAP service is restarted without a reboot of the dovecot server.

Hello,

This sounds more like a configuration glitch. Could you show the ldap related dovecot configuration?

Logs with failure message will also be helpful.

Andreas

Not much in the logs, just:

............... imap-login: Disconnected (auth failed, 2 attempts in 8
secs): ....................

Here the very basic config:

==================================================

This file is opened as root, so it should be owned by root and mode 0600.

http://wiki2.dovecot.org/AuthDatabase/LDAP

NOTE: If you're not using authentication binds, you'll need to give

dovecot-auth read access to userPassword field in the LDAP server.

With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should

already be something like this:

access to attribute=userPassword

by dn="<dovecot's dn>" read # add this

by anonymous auth

by self write

by * none

Space separated list of LDAP hosts to use. host:port is allowed too.

hosts = ns.newtech.fi ns2.newtech.fi

LDAP URIs to use. You can use this instead of hosts list. Note that this

setting isn't supported by all LDAP libraries.

#uris =

Distinguished Name - the username used to login to the LDAP server.

Leave it commented out to bind anonymously (useful with auth_bind=yes).

#dn =

Password for LDAP server, if dn is specified.

#dnpass =

Use SASL binding instead of the simple binding. Note that this changes

ldap_version automatically to be 3 if it's lower. Also note that SASL binds

and auth_bind=yes don't work together.

#sasl_bind = no

SASL mechanism name to use.

#sasl_mech =

SASL realm to use.

#sasl_realm =

SASL authorization ID, ie. the dnpass is for this "master user", but the

dn is still the logged in user. Normally you want to keep this empty.

#sasl_authz_id =

Use TLS to connect to the LDAP server.

#tls = no

TLS options, currently supported only with OpenLDAP:

#tls_ca_cert_file = #tls_ca_cert_dir = #tls_cipher_suite =

TLS cert/key is used only if LDAP server requires a client certificate.

#tls_cert_file = #tls_key_file =

Valid values: never, hard, demand, allow, try

#tls_require_cert =

Use the given ldaprc path.

#ldaprc_path =

LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.

-1 = everything. You may need to recompile OpenLDAP with debugging enabled

to get enough output.

#debug_level = 0

Use authentication binding for verifying password's validity. This works by

logging into LDAP server using the username and password given by client.

The pass_filter is used to find the DN for the user. Note that the

pass_attrs

is still used, only the password field is ignored in it. Before doing any

search, the binding is switched back to the default DN.

#auth_bind = no

If authentication binding is used, you can save one LDAP request per login

if users' DN can be specified with a common template. The template can use

the standard %variables (see user_filter). Note that you can't

use any pass_attrs if you use this setting.

If you use this setting, it's a good idea to use a different

dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as

the filename is different in userdb's args). That way one connection is used

only for LDAP binds and another connection is used for user lookups.

Otherwise the binding is changed to the default DN before each user lookup.

For example:

auth_bind_userdn = cn=%u,ou=people,o=org

#auth_bind_userdn =

LDAP protocol version to use. Likely 2 or 3.

#ldap_version = 3

LDAP base. %variables can be used here.

For example: dc=mail, dc=example, dc=org

base = dc=newtech,dc=fi

Dereference: never, searching, finding, always

#deref = never

Search scope: base, onelevel, subtree

#scope = subtree

User attributes are given in LDAP-name=dovecot-internal-name list. The

internal names are:

uid - System UID

gid - System GID

home - Home directory

mail - Mail location

There are also other special fields which can be returned, see

http://wiki2.dovecot.org/UserDatabase/ExtraFields

#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

Filter for user lookup. Some variables can be used (see

http://wiki2.dovecot.org/Variables for full list):

%u - username

%n - user part in user@domain, same as %u if there's no domain

%d - domain part in user@domain, empty if user there's no domain

user_filter = (&(objectClass=posixAccount)(uid=%u))

Password checking attributes:

user: Virtual user name (user@domain), if you wish to change the

user-given username to something else

password: Password, may optionally start with {type}, eg. {crypt}

There are also other special fields which can be returned, see

http://wiki2.dovecot.org/PasswordDatabase/ExtraFields

pass_attrs = uid=user,userPassword=password pass_filter = (&(objectClass=posixAccount)(uid=%u))

Attributes and filter to get a list of all users

iterate_attrs = uid=user iterate_filter = (objectClass=posixAccount)

Default password scheme. "{scheme}" before password overrides this.

List of supported schemes is in: http://wiki2.dovecot.org/Authentication

#default_pass_scheme = SHA

If you wish to avoid two LDAP lookups (passdb + userdb), you can use

userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll

also have to include user_attrs in pass_attrs field prefixed with "userdb_"

string. For example:

#pass_attrs = uid=user,userPassword=password,\

homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

Filter for password lookups

This file is opened as root, so it should be owned by root and mode 0600.

http://wiki2.dovecot.org/AuthDatabase/LDAP

NOTE: If you're not using authentication binds, you'll need to give

dovecot-auth read access to userPassword field in the LDAP server.

With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should

already be something like this:

access to attribute=userPassword

by dn="<dovecot's dn>" read # add this

by anonymous auth

by self write

by * none

Space separated list of LDAP hosts to use. host:port is allowed too.

hosts = ns.newtech.fi ns2.newtech.fi

LDAP URIs to use. You can use this instead of hosts list. Note that this

setting isn't supported by all LDAP libraries.

#uris =

Distinguished Name - the username used to login to the LDAP server.

Leave it commented out to bind anonymously (useful with auth_bind=yes).

#dn =

Password for LDAP server, if dn is specified.

#dnpass =

Use SASL binding instead of the simple binding. Note that this changes

ldap_version automatically to be 3 if it's lower. Also note that SASL binds

and auth_bind=yes don't work together.

#sasl_bind = no

SASL mechanism name to use.

#sasl_mech =

SASL realm to use.

#sasl_realm =

SASL authorization ID, ie. the dnpass is for this "master user", but the

dn is still the logged in user. Normally you want to keep this empty.

#sasl_authz_id =

Use TLS to connect to the LDAP server.

#tls = no

TLS options, currently supported only with OpenLDAP:

#tls_ca_cert_file = #tls_ca_cert_dir = #tls_cipher_suite =

TLS cert/key is used only if LDAP server requires a client certificate.

#tls_cert_file = #tls_key_file =

Valid values: never, hard, demand, allow, try

#tls_require_cert =

Use the given ldaprc path.

#ldaprc_path =

LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.

-1 = everything. You may need to recompile OpenLDAP with debugging enabled

to get enough output.

#debug_level = 0

Use authentication binding for verifying password's validity. This works by

logging into LDAP server using the username and password given by client.

The pass_filter is used to find the DN for the user. Note that the

pass_attrs

is still used, only the password field is ignored in it. Before doing any

search, the binding is switched back to the default DN.

#auth_bind = no

If authentication binding is used, you can save one LDAP request per login

if users' DN can be specified with a common template. The template can use

the standard %variables (see user_filter). Note that you can't

use any pass_attrs if you use this setting.

If you use this setting, it's a good idea to use a different

dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as

the filename is different in userdb's args). That way one connection is used

only for LDAP binds and another connection is used for user lookups.

Otherwise the binding is changed to the default DN before each user lookup.

For example:

auth_bind_userdn = cn=%u,ou=people,o=org

#auth_bind_userdn =

LDAP protocol version to use. Likely 2 or 3.

#ldap_version = 3

LDAP base. %variables can be used here.

For example: dc=mail, dc=example, dc=org

base = dc=newtech,dc=fi

Dereference: never, searching, finding, always

#deref = never

Search scope: base, onelevel, subtree

#scope = subtree

User attributes are given in LDAP-name=dovecot-internal-name list. The

internal names are:

uid - System UID

gid - System GID

home - Home directory

mail - Mail location

There are also other special fields which can be returned, see

http://wiki2.dovecot.org/UserDatabase/ExtraFields

#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

Filter for user lookup. Some variables can be used (see

http://wiki2.dovecot.org/Variables for full list):

%u - username

%n - user part in user@domain, same as %u if there's no domain

%d - domain part in user@domain, empty if user there's no domain

user_filter = (&(objectClass=posixAccount)(uid=%u))

Password checking attributes:

user: Virtual user name (user@domain), if you wish to change the

user-given username to something else

password: Password, may optionally start with {type}, eg. {crypt}

There are also other special fields which can be returned, see

http://wiki2.dovecot.org/PasswordDatabase/ExtraFields

pass_attrs = uid=user,userPassword=password pass_filter = (&(objectClass=posixAccount)(uid=%u))

Attributes and filter to get a list of all users

iterate_attrs = uid=user iterate_filter = (objectClass=posixAccount)

Default password scheme. "{scheme}" before password overrides this.

List of supported schemes is in: http://wiki2.dovecot.org/Authentication

#default_pass_scheme = SHA

If you wish to avoid two LDAP lookups (passdb + userdb), you can use

userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll

also have to include user_attrs in pass_attrs field prefixed with "userdb_"

string. For example:

#pass_attrs = uid=user,userPassword=password,\

homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

Filter for password lookups

This file is opened as root, so it should be owned by root and mode 0600.

http://wiki2.dovecot.org/AuthDatabase/LDAP

NOTE: If you're not using authentication binds, you'll need to give

dovecot-auth read access to userPassword field in the LDAP server.

With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should

already be something like this:

access to attribute=userPassword

by dn="<dovecot's dn>" read # add this

by anonymous auth

by self write

by * none

Space separated list of LDAP hosts to use. host:port is allowed too.

hosts = ns.newtech.fi ns2.newtech.fi

LDAP URIs to use. You can use this instead of hosts list. Note that this

setting isn't supported by all LDAP libraries.

#uris =

Distinguished Name - the username used to login to the LDAP server.

Leave it commented out to bind anonymously (useful with auth_bind=yes).

#dn =

Password for LDAP server, if dn is specified.

#dnpass =

Use SASL binding instead of the simple binding. Note that this changes

ldap_version automatically to be 3 if it's lower. Also note that SASL binds

and auth_bind=yes don't work together.

#sasl_bind = no

SASL mechanism name to use.

#sasl_mech =

SASL realm to use.

#sasl_realm =

SASL authorization ID, ie. the dnpass is for this "master user", but the

dn is still the logged in user. Normally you want to keep this empty.

#sasl_authz_id =

Use TLS to connect to the LDAP server.

#tls = no

TLS options, currently supported only with OpenLDAP:

#tls_ca_cert_file = #tls_ca_cert_dir = #tls_cipher_suite =

TLS cert/key is used only if LDAP server requires a client certificate.

#tls_cert_file = #tls_key_file =

Valid values: never, hard, demand, allow, try

#tls_require_cert =

Use the given ldaprc path.

#ldaprc_path =

LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.

-1 = everything. You may need to recompile OpenLDAP with debugging enabled

to get enough output.

#debug_level = 0

Use authentication binding for verifying password's validity. This works by

logging into LDAP server using the username and password given by client.

The pass_filter is used to find the DN for the user. Note that the

pass_attrs

is still used, only the password field is ignored in it. Before doing any

search, the binding is switched back to the default DN.

#auth_bind = no

If authentication binding is used, you can save one LDAP request per login

if users' DN can be specified with a common template. The template can use

the standard %variables (see user_filter). Note that you can't

use any pass_attrs if you use this setting.

If you use this setting, it's a good idea to use a different

dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as

the filename is different in userdb's args). That way one connection is used

only for LDAP binds and another connection is used for user lookups.

Otherwise the binding is changed to the default DN before each user lookup.

For example:

auth_bind_userdn = cn=%u,ou=people,o=org

#auth_bind_userdn =

LDAP protocol version to use. Likely 2 or 3.

#ldap_version = 3

LDAP base. %variables can be used here.

For example: dc=mail, dc=example, dc=org

base = dc=newtech,dc=fi

Dereference: never, searching, finding, always

#deref = never

Search scope: base, onelevel, subtree

#scope = subtree

User attributes are given in LDAP-name=dovecot-internal-name list. The

internal names are:

uid - System UID

gid - System GID

home - Home directory

mail - Mail location

There are also other special fields which can be returned, see

http://wiki2.dovecot.org/UserDatabase/ExtraFields

#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

Filter for user lookup. Some variables can be used (see

http://wiki2.dovecot.org/Variables for full list):

%u - username

%n - user part in user@domain, same as %u if there's no domain

%d - domain part in user@domain, empty if user there's no domain

user_filter = (&(objectClass=posixAccount)(uid=%u))

Password checking attributes:

user: Virtual user name (user@domain), if you wish to change the

user-given username to something else

password: Password, may optionally start with {type}, eg. {crypt}

There are also other special fields which can be returned, see

http://wiki2.dovecot.org/PasswordDatabase/ExtraFields

pass_attrs = uid=user,userPassword=password pass_filter = (&(objectClass=posixAccount)(uid=%u))

Attributes and filter to get a list of all users

iterate_attrs = uid=user iterate_filter = (objectClass=posixAccount)

Default password scheme. "{scheme}" before password overrides this.

List of supported schemes is in: http://wiki2.dovecot.org/Authentication

#default_pass_scheme = SHA

If you wish to avoid two LDAP lookups (passdb + userdb), you can use

userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll

also have to include user_attrs in pass_attrs field prefixed with "userdb_"

string. For example:

#pass_attrs = uid=user,userPassword=password,\

homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

Filter for password lookups

==================================================