Bonjour bonjour!
Je (re)viens ici car je me trainasse depuis un moment sur des problèmes d’authentification LDAP pour un serveur de mail basé sur Postfix+Dovecot.
J’ai suivi l’aide de postfix sur les domaines virtual (ici) et pour l’authentification ldap (ici). J’ai également suivi ce tutorial.
Pour info je bosse sous VMWARE avec 2 machines virtuelles pour chaque machine (une avec LDAP et l’autre avec postfix+dovecot).
Mes services ldap, postfix et ldap tournent bien. Ma base LDAP est peuplé comme ceci:
Lorsque depuis mon laptop (qui héberge les 2 VM) j’essaie un:
Je rentre le champs USER, puis le champs PASSWORD, mais ca fail tout le temps. Dans mon dovecot il est précisé que l’authentification par défaut est a {PLAIN} (pour commencer).
J’ai même essayer de coller le mot de passe en base64 dans mon terminal telnet (car ils sont encodés en base64 dans ldap si je ne me trompe) mais rien n’y fait.
En cherchant un peu, j’ai constaté que mon dovecot se bind bien avec le “dn:cn=admin,dc=hfexample,dc=com”, il fait ses requètes, retournes les attributs demandés,MAIS quand l’utilisateur se bind (en anonymous donc), il se fait recaler.
Pourtant dans mon slapd.conf j’ai bien renseigné les directives:
[code]# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by dn=“cn=admin,dc=hfexample,dc=com” read
by dn=“cn=admin,dc=hfexample,dc=com” write
Dovecot LDAP support by rockette
by dn="cn=dovecot,ou=services,dc=hfexample,dc=com" read
by anonymous auth
by self write
by * none[/code]
Par contre plus bas j’ai:
[code]# The admin dn has full write access, everyone else
can read everything.
access to *
by dn=“cn=admin,dc=hfexample,dc=com” write
by dn=“cn=dovecot,ou=services,dc=hfexample,dc=com” read
by * none
by * read[/code]
C’est bien le premier qui sert pour l’auth ?
Contenu de mon slapd.conf:
[code]# This is the main slapd configuration file. See slapd.conf(5) for more
info on the configuration options.
#######################################################################
Global Directives:
Features to permit
#allow bind_v2
Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
Schema ajouté manuellement
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/autofs.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/mail.schema
include /etc/ldap/schema/mmc.schema
#NE PAS UTILISER postfix.schema et mail.schema en même temps, a cause de l’attribut maildrop que les 2 définissent
#include /etc/ldap/schema/postfix.schema
Where the pid file is put. The init.d script
will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
Read slapd.conf(5) for possible values
loglevel stats stats2 filter ACL
Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
The maximum number of entries that is returned for a search operation
sizelimit 500
The tool-threads parameter sets the actual amount of cpu’s that is used
for indexing.
tool-threads 1
#######################################################################
Specific Backend Directives for hdb:
Backend specific directives apply to this backend until another
‘backend’ directive occurs
backend hdb
#######################################################################
Specific Backend Directives for ‘other’:
Backend specific directives apply to this backend until another
‘backend’ directive occurs
#backend
#######################################################################
Specific Directives for database #1, of type hdb:
Database specific directives apply to this databasse until another
‘database’ directive occurs
database hdb
The base of your directory in database #1
suffix “dc=hfexample,dc=com”
rootdn directive for specifying a superuser on the database. This is needed
for syncrepl.
rootdn "cn=admin,dc=hfexample,dc=com"
rootpw {SSHA}
Where the database file are physically stored for database #1
directory “/var/lib/ldap”
The dbconfig settings are used to generate a DB_CONFIG file the first
time slapd starts. They do NOT override existing an existing DB_CONFIG
file. You should therefore change these settings in DB_CONFIG directly
or remove DB_CONFIG and restart slapd for changes to take effect.
For the Debian package we use 2MB as default but be sure to update this
value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
Sven Hartge reported that he had to set this value incredibly high
to get slapd running at all. See http://bugs.debian.org/303057 for more
information.
Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
Number of lockers
dbconfig set_lk_max_lockers 1500
Indexing options for database #1
index objectClass eq
Save the time that the entry gets modified, for database #1
lastmod on
Checkpoint the BerkeleyDB database periodically in case of system
failure and to speed slapd shutdown.
checkpoint 512 30
Where to store the replica logs for database #1
replogfile /var/lib/ldap/replog
The userPassword by default can be changed
by the entry owning it if they are authenticated.
Others should not be able to see it, except the
admin entry below
These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by dn=“cn=admin,dc=hfexample,dc=com” read
by dn=“cn=admin,dc=hfexample,dc=com” write
Dovecot LDAP support
by dn="cn=dovecot,ou=services,dc=hfexample,dc=com" read
by anonymous auth
by self write
by * none
Ensure read access to the base for things like
supportedSASLMechanisms. Without this you may
have problems with SASL not knowing what
mechanisms are available and the like.
Note that this is covered by the ‘access to *’
ACL below too but if you change that as people
are wont to do you’ll still need this if you
want SASL (and possible other things) to work
happily.
access to dn.base="" by * read
The admin dn has full write access, everyone else
can read everything.
access to *
by dn=“cn=admin,dc=hfexample,dc=com” write
by dn=“cn=dovecot,ou=services,dc=hfexample,dc=com” read
by * none
by * read
For Netscape Roaming support, each user gets a roaming
profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
by dn=“cn=admin,dc=hfexample,dc=com” write
by dnattr=owner write
#######################################################################
Specific Directives for database #2, of type ‘other’ (can be hdb too):
Database specific directives apply to this databasse until another
‘database’ directive occurs
#database
The base of your directory for database #2
#suffix “dc=debian,dc=org”
[/code]
Contenu du main.cf de postfix:
[code]# See /usr/share/postfix/main.cf.dist for a commented, more complete version
Debian specific: Specifying a file name will cause the first
line of that file to be used as the name. The Debian default
is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
appending .domain is the MUA’s job.
append_dot_mydomain = no
Uncomment the next line to generate “delayed mail” warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=no
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
information on enabling SSL in the smtp client.
myhostname = mail.hfexample.com
alias_maps = hash:/etc/aliases ldap:/etc/postfix/ldap-aliases.cf
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8, 172.16.1.0/24
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
LDAP Transport
transport_map = ldap:/etc/postfix/ldap-transport.cf
Virtual Domains Control
#virtual_mailbox_domains = ldap:/etc/postfix/ldap-domains.cf
virtual_mailbox_domains = hfexample.com
#virtual_mailbox_maps = ldap:/etc/postfix/ldap-accounts.cf
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_mailbox_base = /var/mail/vhosts
#virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf, ldap:/etc/postfix/ldap-maildrop.cf
virtual_alias_maps = hash:/etc/postfix/virtual
#virtual_alias_domains = hfexample.com
virtual_mailbox_domains = hfexample.com
virtual_minimum_uid= 100
virtual_uid_maps = static:vmail
virtual_gid_maps = static:mail
Dovecot MDA
#virtual_transport = dovecot
mailbox_transport = dovecot
dovecot_destination_recipient_limit = 1
[/code]
Contenu du dovecot-ldap.conf:
[code]# This file is opened as root, so it should be owned by root and mode 0600.
http://wiki.dovecot.org/AuthDatabase/LDAP
NOTE: If you’re not using authentication binds, you’ll need to give
dovecot-auth read access to userPassword field in the LDAP server.
With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
already be something like this:
access to attribute=userPassword
by dn="<dovecot’s dn>" read # add this
by anonymous auth
by self write
by * none
Space separated list of LDAP hosts to use. host:port is allowed too.
hosts = 172.16.255.250
LDAP URIs to use. You can use this instead of hosts list. Note that this
setting isn’t supported by all LDAP libraries.
#uris =
Distinguished Name - the username used to login to the LDAP server
#dn="cn=dovecot,ou=services,dc=hfexample,dc=com"
dn=“cn=admin,dc=hfexample,dc=com”
Password for LDAP server
#dnpass = dovecot
dnpass =
Use SASL binding instead of the simple binding. Note that this changes
ldap_version automatically to be 3 if it’s lower. Also note that SASL binds
and auth_bind=yes don’t work together.
#sasl_bind = no
SASL mechanism name to use.
#sasl_mech =
SASL realm to use.
#sasl_realm =
SASL authorization ID, ie. the dnpass is for this “master user”, but the
dn is still the logged in user. Normally you want to keep this empty.
#sasl_authz_id =
Use TLS to connect to the LDAP server.
#tls = no
Use authentication binding for verifying password’s validity. This works by
logging into LDAP server using the username and password given by client.
The pass_filter is used to find the DN for the user. Note that the pass_attrs
is still used, only the password field is ignored in it. Before doing any
search, the binding is switched back to the default DN.
auth_bind = yes
If authentication binding is used, you can save one LDAP request per login
if users’ DN can be specified with a common template. The template can use
the standard %variables (see user_filter). Note that you can’t
use any pass_attrs if you use this setting.
If you use this setting, it’s a good idea to use a different
dovecot-ldap.conf for userdb (it can even be a symlink, just as long as the
filename is different in userdb’s args). That way one connection is used only
for LDAP binds and another connection is used for user lookups. Otherwise
the binding is changed to the default DN before each user lookup.
For example:
auth_bind_userdn = cn=%u,ou=people,o=org
#auth_bind_userdn = cn=%u,ou=virtual,ou=people,dc=hfexample,dc=com
LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3
LDAP base. %variables can be used here.
base = dc=hfexample,dc=com
Dereference: never, searching, finding, always
#deref = never
Search scope: base, onelevel, subtree
#scope = subtree
User attributes are given in LDAP-name=dovecot-internal-name list. The
internal names are:
uid - System UID
gid - System GID
home - Home directory
mail - Mail location
There are also other special fields which can be returned, see
http://wiki.dovecot.org/UserDatabase/ExtraFields
#user_attrs = ou=virtual,ou=people,dc=hfexample,dc=com
user_attrs = mailbox=home
Filter for user lookup. Some variables can be used (see
http://wiki.dovecot.org/Variables for full list):
%u - username
%n - user part in user@domain, same as %u if there’s no domain
%d - domain part in user@domain, empty if user there’s no domain
user_filter = (&(objectClass=mailAccount)(mail=%u)(mailenable=OK))
Password checking attributes:
user: Virtual user name (user@domain), if you wish to change the
user-given username to something else
password: Password, may optionally start with {type}, eg. {crypt}
There are also other special fields which can be returned, see
http://wiki.dovecot.org/PasswordDatabase/ExtraFields
pass_attrs = mail=user,userPassword=password
If you wish to avoid two LDAP lookups (passdb + userdb), you can use
userdb prefetch instead of userdb ldap in dovecot.conf. In that case you’ll
also have to include user_attrs in pass_attrs field prefixed with “userdb_”
string. For example:
#pass_attrs = uid=user,userPassword=password,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
Filter for password lookups
pass_filter = (&(objectClass=mailAccount)(mail=%u)(mailenable=OK))
#pass_filter= mail=user, userPassword=password
Default password scheme. “{scheme}” before password overrides this.
List of supported schemes is in: http://wiki.dovecot.org/Authentication
#default_pass_scheme = CRYPT
default_pass_scheme = {PLAIN}
You can use same UID and GID for all user accounts if you really want to.
If the UID/GID is still found from LDAP reply, it overrides these values.
user_global_uid = vmail
user_global_gid = mail
#user_global_uid = 1001
#user_global_gid = 8
[/code]
Log de LDAP
Apr 6 18:00:11 ldap slapd[2907]: @(#) $OpenLDAP: slapd 2.4.11 (Oct 12 2008 04:13:21) $#012#011buildd@ninsei:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
Apr 6 18:00:11 ldap slapd[2907]: /etc/ldap/slapd.conf: line 116: rootdn is always granted unlimited privileges.
Apr 6 18:00:11 ldap slapd[2907]: /etc/ldap/slapd.conf: line 116: rootdn is always granted unlimited privileges.
Apr 6 18:00:11 ldap slapd[2907]: /etc/ldap/slapd.conf: line 139: rootdn is always granted unlimited privileges.
Apr 6 18:00:11 ldap slapd[2908]: slapd starting
Apr 6 18:00:27 ldap slapd[2908]: conn=0 fd=14 ACCEPT from IP=172.16.255.249:55335 (IP=0.0.0.0:389)
Apr 6 18:00:27 ldap slapd[2908]: conn=0 op=0 BIND dn="cn=admin,dc=hfexample,dc=com" method=128
Apr 6 18:00:27 ldap slapd[2908]: conn=0 op=0 BIND dn="cn=admin,dc=hfexample,dc=com" mech=SIMPLE ssf=0
Apr 6 18:00:27 ldap slapd[2908]: conn=0 op=0 RESULT tag=97 err=0 text=
Apr 6 18:01:04 ldap slapd[2908]: conn=1 fd=15 ACCEPT from IP=172.16.255.249:55336 (IP=0.0.0.0:389)
Apr 6 18:01:04 ldap slapd[2908]: conn=1 op=0 BIND dn="cn=admin,dc=hfexample,dc=com" method=128
Apr 6 18:01:04 ldap slapd[2908]: conn=1 op=0 BIND dn="cn=admin,dc=hfexample,dc=com" mech=SIMPLE ssf=0
Apr 6 18:01:04 ldap slapd[2908]: conn=1 op=0 RESULT tag=97 err=0 text=
Apr 6 18:01:04 ldap slapd[2908]: conn=1 op=1 SRCH base="dc=hfexample,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=lolzy@hfexample.com))"
Apr 6 18:01:04 ldap slapd[2908]: conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Apr 6 18:01:04 ldap slapd[2908]: <= bdb_equality_candidates: (uid) not indexed
Apr 6 18:01:04 ldap slapd[2908]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 6 18:01:06 ldap slapd[2908]: conn=0 op=1 SRCH base="dc=hfexample,dc=com" scope=2 deref=0 filter="(&(objectClass=mailAccount)(mail=lolzy@hfexample.com)(mailenable=ok))"
Apr 6 18:01:06 ldap slapd[2908]: conn=0 op=1 SRCH attr=mail
Apr 6 18:01:06 ldap slapd[2908]: <= bdb_equality_candidates: (mail) not indexed
Apr 6 18:01:06 ldap slapd[2908]: <= bdb_equality_candidates: (mailenable) not indexed
Apr 6 18:01:06 ldap slapd[2908]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 6 18:01:06 ldap slapd[2908]: conn=0 op=2 BIND anonymous mech=implicit ssf=0
Apr 6 18:01:06 ldap slapd[2908]: conn=0 op=2 BIND dn="cn=lolzy,ou=virtual,ou=people,dc=hfexample,dc=com" method=128
Apr 6 18:01:06 ldap slapd[2908]: conn=0 op=2 RESULT tag=97 err=49 text=
log de dovecot
dovecot: 2011-04-08 03:45:04 Info: auth(default): new auth connection: pid=5686
dovecot: 2011-04-08 03:45:28 Info: auth(default): client in: AUTH 1 PLAIN service=IMAP secured lip=127.0.0.1 rip=127.0.0.1 resp=AGxvbHp5QGhmZXhhbXBsZS5jb20AbG9senk=
dovecot: 2011-04-08 03:45:28 Info: auth(default): ldap(lolzy@hfexample.com,127.0.0.1): bind search: base=dc=hfexample,dc=com filter=(&(objectClass=mailAccount)(mail=lolzy@hfexample.com)(mailenable=OK))
dovecot: 2011-04-08 03:45:28 Info: auth(default): ldap(lolzy@hfexample.com,127.0.0.1): result: mail(user)=lolzy@hfexample.com
dovecot: 2011-04-08 03:45:28 Info: auth(default): ldap(lolzy@hfexample.com,127.0.0.1): bind: dn=cn=lolzy,ou=virtual,ou=people,dc=hfexample,dc=com
dovecot: 2011-04-08 03:45:28 Info: auth(default): ldap(lolzy@hfexample.com,127.0.0.1): invalid credentials
dovecot: 2011-04-08 03:45:30 Info: auth(default): client out: FAIL 1 user=lolzy@hfexample.com
dovecot: 2011-04-08 03:45:34 Info: imap-login: Disconnected: Too many invalid commands: user=<lolzy@hfexample.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
EDIT: Ajout du screen du compte utilisé dans LDAP avec ses attributs.