Discussion:
LDAP authentication
John Oliver
2014-09-10 18:31:48 UTC
CentOS 6.5, dovecot 2.0.9-7

I was using http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/ to
get LDAP auth working. And what's really annoying is, it worked...
until I screwed something up and had to pull my work back from a backup.
Now it doesn't work :-(

[joliver@localhost ~]$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
a1 LOGIN testuser1 password
a1 NO [AUTHENTICATIONFAILED] Authentication failed.

Turn on debugging and see:

Sep 10 11:26:58 localhost dovecot: auth: Debug:
pam(testuser1,127.0.0.1): lookup service=dovecot
Sep 10 11:26:58 localhost dovecot: auth: Debug:
pam(testuser1,127.0.0.1): #1/1 style=1 msg=Password:
Sep 10 11:27:00 localhost dovecot: auth: pam(testuser1,127.0.0.1):
pam_authenticate() failed: Permission denied
Sep 10 11:27:00 localhost dovecot: auth: ldap(testuser1,127.0.0.1):
invalid credentials
Sep 10 11:27:02 localhost dovecot: auth: Debug: client out:
FAIL#0111#011user=testuser1


So, I don't know what permission is being denied by PAM, or if that was
there or not when this did work. I can access my LDAP server just fine.

What else can I check?
--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************
Bob Miller
2014-09-10 19:41:16 UTC
Hi,
Post by John Oliver
pam_authenticate() failed: Permission denied
invalid credentials
I am not clear from this if you are using pam auth first and ldap auth
2nd, or if you are trying to use pam to do your ldap authentication for
you. Assuming the former, I would guess that you are either failing the
auth_bind, or the attributes you are using for user_filter/pass_filter
aren't matching the username format. I would start by checking the
settings in your dovecot-ldap.conf file...
Post by John Oliver
FAIL#0111#011user=testuser1
So, I don't know what permission is being denied by PAM, or if that was
there or not when this did work. I can access my LDAP server just fine.
What else can I check?
John Oliver
2014-09-10 19:45:02 UTC
Post by Bob Miller
Hi,
Post by John Oliver
pam_authenticate() failed: Permission denied
invalid credentials
I am not clear from this if you are using pam auth first and ldap auth
2nd, or if you are trying to use pam to do your ldap authentication for
you. Assuming the former, I would guess that you are either failing the
auth_bind, or the attributes you are using for user_filter/pass_filter
aren't matching the username format. I would start by checking the
settings in your dovecot-ldap.conf file...
[joliver@localhost ~]$ dovecot -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-431.el6.x86_64 x86_64 CentOS release 6.5 (Final)
auth_debug = yes
auth_username_format = %Lu
auth_verbose = yes
mail_access_groups = mail
mail_location = mbox:~/mail/:INBOX=/var/mail/%u
mail_privileged_group = mail
mbox_write_locks = fcntl
passdb {
driver = pam
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
protocols = imap
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
driver = passwd
}
userdb {
args = uid=503 gid=504 home=/home/vmail/%u
driver = static
}
[joliver@localhost ~]$ cat /etc/dovecot/dovecot-ldap.conf.ext
hosts = localhost
base = ou=Users,dc=my,dc=domain
ldap_version = 3
auth_bind = yes
auth_bind_userdn = uid=%u,ou=Users,dc=my,dc=domain
Bob Miller
2014-09-10 20:09:11 UTC
Hi,
Post by John Oliver
[joliver@localhost ~]$ cat /etc/dovecot/dovecot-ldap.conf.ext
hosts = localhost
base = ou=Users,dc=my,dc=domain
ldap_version = 3
auth_bind = yes
auth_bind_userdn = uid=%u,ou=Users,dc=my,dc=domain
this looks different than mine. here is my example config file, maybe
it helps:

hosts = 192.168.26.10:389
debug_level = 0
auth_bind = yes
auth_bind_userdn = %Ln@computerisms.com
# base DN components are dc= (domain component), not dn=
base = dc=computerisms,dc=com
scope = subtree
user_filter = (&(sAMAccountName=%Ln))
pass_filter = (&(sAMAccountName=%Ln))
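An added example, not part of this thread and not Dovecot's own tooling: a POSIX shell helper that expands a Dovecot auth_bind_userdn template for a login name and then probes the directory with the OpenLDAP client tools, which is the check that separates "wrong RDN attribute" from "wrong password". The %u, %n, %d and %L-prefixed variables are Dovecot's documented ones; the helper functions, the placeholder hosts and base DNs, and the constructed test name are mine. It refuses usernames carrying DN- or filter-special characters instead of escaping them, because how a given Dovecot version escapes %u inside the bind DN is not something this thread establishes.

```sh
#!/bin/sh
# Added example, not from the thread: render a Dovecot auth_bind_userdn
# template for a given login name, then probe the directory with the
# OpenLDAP client tools.  Dovecot variables handled:
#   %u  username as handed to the passdb   %n  local part (before '@')
#   %d  domain part (after '@')            %Lu %Ln %Ld  lowercased forms
# The name passed in is assumed to be what Dovecot hands to the passdb,
# i.e. after auth_username_format has already been applied.

# Reject names that carry DN (RFC 4514) or filter (RFC 4515) metacharacters
# instead of escaping them.  Assumption on the safe side: do not rely on
# how a particular Dovecot version escapes %u inside auth_bind_userdn.
valid_username() {
    case $1 in
        '' | ' '* | *' ' | '#'* | *'\'* | *[',+"<>;=*()']*) return 1 ;;
        *) return 0 ;;
    esac
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# render_bind_dn TEMPLATE USERNAME  -> prints the expanded DN, or fails
render_bind_dn() {
    tmpl=$1 user=$2
    valid_username "$user" || { echo "refusing unsafe username: $user" >&2; return 1; }
    local_part=${user%%@*}
    case $user in
        *@*) domain=${user#*@} ;;
        *)   domain='' ;;
    esac
    out='' rest=$tmpl
    # Longest tokens first so %Lu is not read as %L followed by a literal u.
    while [ -n "$rest" ]; do
        case $rest in
            %Lu*) out="$out$(lower "$user")";       rest=${rest#'%Lu'} ;;
            %Ln*) out="$out$(lower "$local_part")"; rest=${rest#'%Ln'} ;;
            %Ld*) out="$out$(lower "$domain")";     rest=${rest#'%Ld'} ;;
            %u*)  out="$out$user";                  rest=${rest#'%u'} ;;
            %n*)  out="$out$local_part";            rest=${rest#'%n'} ;;
            %d*)  out="$out$domain";                rest=${rest#'%d'} ;;
            %%*)  out="$out%";                      rest=${rest#'%%'} ;;
            *)    out="$out${rest%"${rest#?}"}";    rest=${rest#?} ;;
        esac
    done
    printf '%s\n' "$out"
}

# check_bind LDAP_URI TEMPLATE USERNAME
# 1. search the base for the RDN the template produces, to confirm the
#    entry really carries that attribute (uid vs cn was the problem above);
# 2. bind as that DN with ldapwhoami (prompts for the password).
# Assumes a single-attribute RDN, e.g. uid=testuser1, not a multi-valued one.
check_bind() {
    uri=$1 tmpl=$2 user=$3
    dn=$(render_bind_dn "$tmpl" "$user") || return 1
    rdn=${dn%%,*}            # e.g. uid=testuser1
    base=${dn#*,}            # everything after the first comma
    if ! command -v ldapwhoami >/dev/null 2>&1; then
        echo "openldap-clients not installed; would bind as: $dn" >&2
        return 2
    fi
    ldapsearch -x -LLL -H "$uri" -b "$base" "($rdn)" dn
    ldapwhoami -x -H "$uri" -D "$dn" -W
}

# Demo with the template from the thread and a constructed login name.
render_bind_dn 'uid=%u,ou=Users,dc=my,dc=domain' 'testuser1'
# Against a live server (placeholder host and base DN):
# check_bind ldap://localhost 'cn=%u,ou=Users,dc=my,dc=domain' testuser1
```

If ldapsearch returns no entry for the rendered RDN but a search on the other attribute does, the template names the wrong attribute, exactly the uid/cn mismatch resolved later in this thread; if the entry is found but ldapwhoami fails, the password or the server's bind policy is the problem. Dovecot's own end-to-end check is `doveadm auth testuser1` on 2.0 (`doveadm auth test` on later releases). Note also that with passdb pam listed before passdb ldap, as in the posted dovecot -n output, the pam "Permission denied" line is just the first passdb failing before Dovecot falls through to LDAP, so the LDAP "invalid credentials" line is the one to chase.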
John Oliver
2014-09-10 20:20:56 UTC
Post by Bob Miller
Hi,
Post by John Oliver
[joliver@localhost ~]$ cat /etc/dovecot/dovecot-ldap.conf.ext
hosts = localhost
base = ou=Users,dc=my,dc=domain
ldap_version = 3
auth_bind = yes
auth_bind_userdn = uid=%u,ou=Users,dc=my,dc=domain
this looks different than mine. here is my example config file, maybe
hosts = 192.168.26.10:389
debug_level = 0
auth_bind = yes
auth_bind_userdn = %Ln@computerisms.com
# base DN components are dc= (domain component), not dn=
base = dc=computerisms,dc=com
scope = subtree
user_filter = (&(sAMAccountName=%Ln))
pass_filter = (&(sAMAccountName=%Ln))
I wish it was possible to kiss someone over the Internet :-)

The debug_level helped me immensely... I realized it was literally
looking for 'uid' on my LDAP. Changed to 'cn' and all is well!

THANK YOU!!!