Hello,

I am trying to configure Dovecot with LDAP authentication. My LDAP tree structure is as follows:
    dc=root,dc=pl
     \_ ou=Users
        \_ uid=test
     \_ ou=Mail
        \_ ou=domain.pl
           \_ uid=alias_to_test

I cannot authenticate using 'uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl'. If I try to authenticate using 'uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl', the following entry appears in Dovecot's log file:

#v+
auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=993 rport=59818 resp=YWxpYXMxQGFsaWFzeS5wbABhbGlhczFAYWxpYXN5LnBsAGFzZHF3ZWFzZA==
auth: Debug: ldap(alias_to_t...@domain.pl,127.0.0.1): pass search: base=uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl scope=base filter=(&(objectClass=posixAccount)) fields=uid,userPassword
auth: Debug: auth(alias_to_t...@domain.pl,127.0.0.1): username changed alias_to_t...@domain.pl -> test
auth: Debug: ldap(test,127.0.0.1): result: uid(user)=test userPassword(password)={CRYPT}ACnZvF4.K46UI
auth: Debug: client out: OK     1       user=test
auth: Debug: ldap(test,127.0.0.1): user search: base=uid=test,ou=,ou=Mail,dc=root,dc=pl scope=base filter=(&(objectClass=posixAccount)(uid=test)) fields=homeDirectory,uidNumber,gidNumber
auth: Debug: master out: FAIL   2551840769
#v-


In the LDAP server log file, the following entries appear during an authentication attempt:

#v+
ldap slapd[11729]: conn=1125 op=0 BIND dn="cn=Manager,dc=root,dc=pl" method=128
ldap slapd[11729]: conn=1125 op=0 BIND dn="cn=Manager,dc=root,dc=pl" mech=SIMPLE ssf=0
ldap slapd[11729]: conn=1125 op=0 RESULT tag=97 err=0 text=
ldap slapd[11729]: conn=1125 op=1 SRCH base="uid=alias_to_test,ou=domain.pl,ou=Mail,dc=root,dc=pl" scope=0 deref=3 filter="(&(objectClass=posixAccount))"
ldap slapd[11729]: conn=1125 op=1 SRCH attr=uid userPassword
ldap slapd[11729]: conn=1125 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
ldap slapd[11729]: conn=1125 op=2 do_search: invalid dn: "uid=test,ou=,ou=Mail,dc=root,dc=pl"
ldap slapd[11729]: conn=1125 op=2 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
#v-

It seems that LDAP AuthDatabase doesn't change the context when looking up the target object to which the alias points. Furthermore, the filter for the target object '(&(objectClass=posixAccount)(uid=test))' was not defined by me anywhere in the configuration file 'dovecot-ldap.ext'. I have tried both authentication ways, 'password lookups' and 'authentication binding', with the same result. However, there is no problem authenticating as 'uid=test,ou=Users,dc=root,dc=pl' (of course after modifying the configuration file listed at the end).

I suppose that it may be a bug in LDAP AuthDatabase, so I am writing this post as a potential bug report.


Below are my configuration data:
***************
# dovecot -n
# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.38.8-1 x86_64
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_verbose = yes
auth_verbose_passwords = plain
listen = *
mail_debug = yes
mail_gid = 2000
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmas...@domain.pl
protocols = imap pop3 sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/openssl/certs/vmail.pem
ssl_key = </etc/openssl/private/vmail.key
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
verbose_ssl = yes

***************
# cat /etc/dovecot/dovecot-ldap.ext
uris = ldap://X.Y.Z.V/
dn = cn=Manager,dc=root,dc=pl
dnpass = password
auth_bind = no
ldap_version = 3
base = uid=%n,ou=%d,ou=Mail,dc=root,dc=pl
deref = always
scope = base
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount))
default_pass_scheme = CRYPT

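As an added illustration (not part of the original post and not Dovecot's own code), the following Python replays the two base-DN expansions visible in the logs above: the passdb lookup with the login name, then the userdb lookup with the username that the `uid=user` mapping in `pass_attrs` substituted. That returned name carries no domain, so `%d` expands to nothing and the userdb base gains an empty `ou=` RDN, which slapd rejects with err=34 (invalid DN). The %-variable expansion and DN check are simplified reimplementations handling only `%u`, `%n`, `%d` and unescaped DNs.

```python
import re

# Accepts one RDN of the form attr=value with a non-empty, unescaped value.
# Simplified: enough for the DNs on this page, not a full RFC 4514 parser.
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def expand_base(template, username):
    """Expand the Dovecot %u / %n / %d variables used in the base DN template.

    %u is the full username, %n the part before '@', %d the domain part
    (empty when the username carries no '@').
    """
    if "@" in username:
        local, domain = username.split("@", 1)
    else:
        local, domain = username, ""
    return template.replace("%u", username).replace("%n", local).replace("%d", domain)


def invalid_rdns(dn):
    """Return the RDNs an LDAP server would reject (empty or malformed values)."""
    return [rdn for rdn in dn.split(",") if not _RDN_RE.match(rdn)]


def simulate_lookups(base_template, login_user, returned_user):
    """Replay the passdb lookup with the login name and the userdb lookup
    with the username the passdb returned, as seen in the Dovecot log."""
    pass_base = expand_base(base_template, login_user)
    user_base = expand_base(base_template, returned_user)
    return {
        "pass_base": pass_base,
        "pass_base_invalid": invalid_rdns(pass_base),
        "user_base": user_base,
        "user_base_invalid": invalid_rdns(user_base),
    }


if __name__ == "__main__":
    # Constructed from the configuration and log lines quoted in the post.
    result = simulate_lookups(
        "uid=%n,ou=%d,ou=Mail,dc=root,dc=pl",
        "alias_to_test@domain.pl",  # name presented at login
        "test",                     # value of uid=user returned by the passdb
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```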