LDAP Filters as defined for dovecot UserDB and passDB

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

LDAP Filters as defined for dovecot UserDB and passDB

Will Merkens
I have pretty much everything working fine.

I have run into one issue with the filters that I am unsure where this a filter is being set.

Dovecot 2.2.32 (dfbe293d4)

I have setup dovecot-ldap.conf.ext to control my LDAP query's

My current layout used filters based on looking at the posixAccount attributes

 user_filter = (&(objectClass=posixAccount)(uid=%u))

If I connect to a a ldap account that has no posixAccount attributes set I was getting a failure in the logs

Nov 02 14:15:48 mail2 dovecot[28715]: auth: Debug: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): user search: base=ou=People,dc=userful,dc=ca scope=subtree
filter=(&(objectClass=posixAccount)(uid=sales)) fields=mail,user_filter
Nov 02 14:15:48 mail2 dovecot[28715]: auth: Debug: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): no fields returned by the server
Nov 02 14:15:48 mail2 dovecot[28715]: auth: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): unknown user
Nov 02 14:15:48 mail2 dovecot[28715]: auth: Error: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): user not found from userdb

I changed the filters thinking I needed to look at the attributes seen by one of these accounts, I used the apache studio to find out what was visible.

>From that I saw inetOrgPerson could be used. So I changed the filters.

 user_filter = (&(objectClass=inetOrgPerson)(uid=%u))
 pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))
 iterate_filter = (objectClass=inetOrgPerson)

Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: client in: AUTH        1        PLAIN        service=imap        secured       
session=Y0GBzgVdlorAqHsn        lip=192.168.123.236 
Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap([hidden email],192.168.123.39,<Y0GBzgVdlorAqHsn>): bind search:
base=ou=People,dc=userful,dc=ca filter=(&(objectClass=inetOrgPerson)(uid=sales))
Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap([hidden email],192.168.123.39,<Y0GBzgVdlorAqHsn>): result: uid=sales; uid unused
Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap([hidden email],192.168.123.39,<Y0GBzgVdlorAqHsn>): username changed [hidden email]
-> sales
Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): result: uid=sales
Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: ldap([hidden email],192.168.123.39,<Y0GBzgVdlorAqHsn>): username changed [hidden email] -> sales
Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: client passdb out: OK        1        user=sales                original_user=[hidden email]

so far so good but then I get

Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: master in: REQUEST        3851550721        29049        1        519189df600c24c010b57158ac01c867       
session_pid=29073        request_auth_token
Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): user search: base=ou=People,dc=userful,dc=ca
scope=subtree filter=(&(objectClass=posixAccount)(uid=sales)) fields=mail,user_filter
Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): no fields returned by the server
Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): unknown user
Nov 02 14:26:44 mail2 dovecot[29047]: auth: Error: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): user not found from userdb

The question then is where did it get filter=(&(objectClass=posixAccount) from since I changed the filters to inetOrgPerson

I grep the dovecot settings directory and all My filters are in the one file. The file that hold the ldap settings





--
William Merkens
IT Support Analyst
Userful Corporation
+1 403.289.2177 ext.289
+1 866 USERFUL (1-866-873-7385)
Suite 300, 736 8th Ave. SW
Calgary AB T2P 1H4

Managed Desktops Done Right.
http://www.userful.com
Reply | Threaded
Open this post in threaded view
|

Re: LDAP Filters as defined for dovecot UserDB and passDB

Aki Tuomi-2
Check your userdb, is it using same config file?

Aki


On 02.11.2017 23:59, Will Merkens wrote:

> I have pretty much everything working fine.
>
> I have run into one issue with the filters that I am unsure where this a filter is being set.
>
> Dovecot 2.2.32 (dfbe293d4)
>
> I have setup dovecot-ldap.conf.ext to control my LDAP query's
>
> My current layout used filters based on looking at the posixAccount attributes
>
>  user_filter = (&(objectClass=posixAccount)(uid=%u))
>
> If I connect to a a ldap account that has no posixAccount attributes set I was getting a failure in the logs
>
> Nov 02 14:15:48 mail2 dovecot[28715]: auth: Debug: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): user search: base=ou=People,dc=userful,dc=ca scope=subtree
> filter=(&(objectClass=posixAccount)(uid=sales)) fields=mail,user_filter
> Nov 02 14:15:48 mail2 dovecot[28715]: auth: Debug: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): no fields returned by the server
> Nov 02 14:15:48 mail2 dovecot[28715]: auth: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): unknown user
> Nov 02 14:15:48 mail2 dovecot[28715]: auth: Error: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): user not found from userdb
>
> I changed the filters thinking I needed to look at the attributes seen by one of these accounts, I used the apache studio to find out what was visible.
>
> >From that I saw inetOrgPerson could be used. So I changed the filters.
>
>  user_filter = (&(objectClass=inetOrgPerson)(uid=%u))
>  pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))
>  iterate_filter = (objectClass=inetOrgPerson)
>
> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: client in: AUTH        1        PLAIN        service=imap        secured       
> session=Y0GBzgVdlorAqHsn        lip=192.168.123.236 
> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap([hidden email],192.168.123.39,<Y0GBzgVdlorAqHsn>): bind search:
> base=ou=People,dc=userful,dc=ca filter=(&(objectClass=inetOrgPerson)(uid=sales))
> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap([hidden email],192.168.123.39,<Y0GBzgVdlorAqHsn>): result: uid=sales; uid unused
> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap([hidden email],192.168.123.39,<Y0GBzgVdlorAqHsn>): username changed [hidden email]
> -> sales
> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): result: uid=sales
> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: ldap([hidden email],192.168.123.39,<Y0GBzgVdlorAqHsn>): username changed [hidden email] -> sales
> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: client passdb out: OK        1        user=sales                original_user=[hidden email]
>
> so far so good but then I get
>
> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: master in: REQUEST        3851550721        29049        1        519189df600c24c010b57158ac01c867       
> session_pid=29073        request_auth_token
> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): user search: base=ou=People,dc=userful,dc=ca
> scope=subtree filter=(&(objectClass=posixAccount)(uid=sales)) fields=mail,user_filter
> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): no fields returned by the server
> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): unknown user
> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Error: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): user not found from userdb
>
> The question then is where did it get filter=(&(objectClass=posixAccount) from since I changed the filters to inetOrgPerson
>
> I grep the dovecot settings directory and all My filters are in the one file. The file that hold the ldap settings
>
>
>
>
>
Reply | Threaded
Open this post in threaded view
|

Re: LDAP Filters as defined for dovecot UserDB and passDB

Steffen Kaiser-9
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 3 Nov 2017, Aki Tuomi wrote:

> Check your userdb, is it using same config file?

some HOWTOs explicitly want you to use two config files, because Dovecot
maintains two different connections for passdb and userdb queries, which
is faster. So if you have copied the config file, instead of symlinked
them, you might have to change two files.

> On 02.11.2017 23:59, Will Merkens wrote:
>> I have pretty much everything working fine.
>>
>> I have run into one issue with the filters that I am unsure where this a filter is being set.
>>
>> Dovecot 2.2.32 (dfbe293d4)
>>
>> I have setup dovecot-ldap.conf.ext to control my LDAP query's
>>
>> My current layout used filters based on looking at the posixAccount attributes
>>
>>  user_filter = (&(objectClass=posixAccount)(uid=%u))
>>
>> If I connect to a a ldap account that has no posixAccount attributes set I was getting a failure in the logs
>>
>> Nov 02 14:15:48 mail2 dovecot[28715]: auth: Debug: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): user search: base=ou=People,dc=userful,dc=ca scope=subtree
>> filter=(&(objectClass=posixAccount)(uid=sales)) fields=mail,user_filter
>> Nov 02 14:15:48 mail2 dovecot[28715]: auth: Debug: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): no fields returned by the server
>> Nov 02 14:15:48 mail2 dovecot[28715]: auth: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): unknown user
>> Nov 02 14:15:48 mail2 dovecot[28715]: auth: Error: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): user not found from userdb
>>
>> I changed the filters thinking I needed to look at the attributes seen by one of these accounts, I used the apache studio to find out what was visible.
>>
>>> From that I saw inetOrgPerson could be used. So I changed the filters.
>>
>>  user_filter = (&(objectClass=inetOrgPerson)(uid=%u))
>>  pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))
>>  iterate_filter = (objectClass=inetOrgPerson)
>>
>> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: client in: AUTH        1        PLAIN        service=imap        secured       
>> session=Y0GBzgVdlorAqHsn        lip=192.168.123.236 
>> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap([hidden email],192.168.123.39,<Y0GBzgVdlorAqHsn>): bind search:
>> base=ou=People,dc=userful,dc=ca filter=(&(objectClass=inetOrgPerson)(uid=sales))
>> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap([hidden email],192.168.123.39,<Y0GBzgVdlorAqHsn>): result: uid=sales; uid unused
>> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap([hidden email],192.168.123.39,<Y0GBzgVdlorAqHsn>): username changed [hidden email]
>> -> sales
>> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): result: uid=sales
>> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: ldap([hidden email],192.168.123.39,<Y0GBzgVdlorAqHsn>): username changed [hidden email] -> sales
>> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: client passdb out: OK        1        user=sales                original_user=[hidden email]
>>
>> so far so good but then I get
>>
>> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: master in: REQUEST        3851550721        29049        1        519189df600c24c010b57158ac01c867       
>> session_pid=29073        request_auth_token
>> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): user search: base=ou=People,dc=userful,dc=ca
>> scope=subtree filter=(&(objectClass=posixAccount)(uid=sales)) fields=mail,user_filter
>> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): no fields returned by the server
>> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): unknown user
>> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Error: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): user not found from userdb
>>
>> The question then is where did it get filter=(&(objectClass=posixAccount) from since I changed the filters to inetOrgPerson
>>
>> I grep the dovecot settings directory and all My filters are in the one file. The file that hold the ldap settings
>>
>>
>>
>>
>>
>

- --
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEVAwUBWfwUUnz1H7kL/d9rAQI3dggAnmkloeNU+DF1nOeKeZzEMELow9lO1DeA
vQ7eUpiXvsD/HkXdAUjF+/bd+AdUEMgZfqn8b/Wd5XhMYkcmx9w1mikYzsX8kZ/P
oHRTpfcR+pgp/FfwOeMpg64BXEUwNKcdqVeYrzVKbveWY0wJra9AifpQfFq2TXLI
1Ey4cXkqpafFcEIsjFVGzaZAtyY5+flyD/Hciyf+xP37Mpsi+pXftqzQKiH5ZV93
PVVhW7gMth6jCqIV5rvI/24rjmBqQXV+Il2/3YxLcHpvP8sL+5iis2bWSM06Lvbo
wUnMmM7mPFtRWNZfP9ClyUAIt0Qf+pu55BKbdG+bDU/i5TW6dVKs5Q==
=esxF
-----END PGP SIGNATURE-----
Reply | Threaded
Open this post in threaded view
|

Re: LDAP Filters as defined for dovecot UserDB and passDB

Will Merkens
On 17-11-03 01:01 AM, Steffen Kaiser wrote:
> On Fri, 3 Nov 2017, Aki Tuomi wrote:
>
> > Check your userdb, is it using same config file?
>
> some HOWTOs explicitly want you to use two config files, because Dovecot maintains two different connections for passdb and userdb queries, which is faster.
> So if you have copied the config file, instead of symlinked them, you might have to change two files.

Ok I checked for this.

# Authentication for LDAP users. Included from 10-auth.conf.
#
# <doc/wiki/AuthDatabase.LDAP.txt>

passdb {
  driver = ldap

  # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
# <doc/wiki/UserDatabase.Prefetch.txt>
#userdb {
#  driver = prefetch
#}

userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext

  # Default fields can be used to specify defaults that LDAP may override
  #default_fields = home=/var/spool/maildir/%d/%n/Maildir
}

# If you don't have any user-specific settings, you can avoid the userdb LDAP
# lookup by using userdb static instead of userdb ldap, for example:
# <doc/wiki/UserDatabase.Static.txt>
#userdb {
  #driver = static
  #args = uid=vmail gid=vmail home=/var/vmail/%u
#}


Only one file is being called.

And in my 10-auth.conf at the bottom

# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#!include auth-system.conf.ext
#!include auth-sql.conf.ext
!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext


ldap is the only auth system I am using.






>
> > On 02.11.2017 23:59, Will Merkens wrote:
> >> I have pretty much everything working fine.
> >>
> >> I have run into one issue with the filters that I am unsure where this a filter is being set.
> >>
> >> Dovecot 2.2.32 (dfbe293d4)
> >>
> >> I have setup dovecot-ldap.conf.ext to control my LDAP query's
> >>
> >> My current layout used filters based on looking at the posixAccount attributes
> >>
> >>  user_filter = (&(objectClass=posixAccount)(uid=%u))
> >>
> >> If I connect to a a ldap account that has no posixAccount attributes set I was getting a failure in the logs
> >>
> >> Nov 02 14:15:48 mail2 dovecot[28715]: auth: Debug: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): user search: base=ou=People,dc=userful,dc=ca scope=subtree
> >> filter=(&(objectClass=posixAccount)(uid=sales)) fields=mail,user_filter
> >> Nov 02 14:15:48 mail2 dovecot[28715]: auth: Debug: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): no fields returned by the server
> >> Nov 02 14:15:48 mail2 dovecot[28715]: auth: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): unknown user
> >> Nov 02 14:15:48 mail2 dovecot[28715]: auth: Error: ldap(sales,192.168.123.39,<fd5mpwVddrvAqHsn>): user not found from userdb
> >>
> >> I changed the filters thinking I needed to look at the attributes seen by one of these accounts, I used the apache studio to find out what was visible.
> >>
> >>> From that I saw inetOrgPerson could be used. So I changed the filters.
> >>
> >>  user_filter = (&(objectClass=inetOrgPerson)(uid=%u))
> >>  pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))
> >>  iterate_filter = (objectClass=inetOrgPerson)
> >>
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: client in: AUTH        1        PLAIN        service=imap        secured       
> >> session=Y0GBzgVdlorAqHsn        lip=192.168.123.236
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap([hidden email],192.168.123.39,<Y0GBzgVdlorAqHsn>): bind search:
> >> base=ou=People,dc=userful,dc=ca filter=(&(objectClass=inetOrgPerson)(uid=sales))
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap([hidden email],192.168.123.39,<Y0GBzgVdlorAqHsn>): result: uid=sales; uid unused
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap([hidden email],192.168.123.39,<Y0GBzgVdlorAqHsn>): username changed [hidden email]
> >> -> sales
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): result: uid=sales
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: ldap([hidden email],192.168.123.39,<Y0GBzgVdlorAqHsn>): username changed [hidden email] -> sales
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: client passdb out: OK        1        user=sales                original_user=[hidden email]
> >>
> >> so far so good but then I get
> >>
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Debug: master in: REQUEST        3851550721        29049        1        519189df600c24c010b57158ac01c867       
> >> session_pid=29073        request_auth_token
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): user search: base=ou=People,dc=userful,dc=ca
> >> scope=subtree filter=(&(objectClass=posixAccount)(uid=sales)) fields=mail,user_filter
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): Debug: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): no fields returned by the server
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth-worker(29066): ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): unknown user
> >> Nov 02 14:26:44 mail2 dovecot[29047]: auth: Error: ldap(sales,192.168.123.39,<Y0GBzgVdlorAqHsn>): user not found from userdb
> >>
> >> The question then is where did it get filter=(&(objectClass=posixAccount) from since I changed the filters to inetOrgPerson
> >>
> >> I grep the dovecot settings directory and all My filters are in the one file. The file that hold the ldap settings
> >>
> >>
> >>
> >>
> >>
>
>
> -- Steffen Kaiser

--
William Merkens
IT Support Analyst
Userful Corporation
+1 403.289.2177 ext.289
+1 866 USERFUL (1-866-873-7385)
Suite 300, 736 8th Ave. SW
Calgary AB T2P 1H4

Managed Desktops Done Right.
http://www.userful.com