1

Upgrading from SLES11 to SLES 12 I had to replace a working Cyrus mail server with dovecot. Unfortunately I'm unable to authenticate via LDAP (which was not a problem with Cyrus):

My LDAP user has two uid attributes. When authenticating via IMAP dovecot detects that (Warning: ldap(*uid*,*IP*,<*SID*>): Multiple values found for '*uid*', using '*uid2*').

While this shouldn't be a problem, authentication fails with no further message. How can I authenticate without changing my LDAP user? (In UNIX/PAM I can login using either uid)

This is my /etc/dovecot/dovecot-ldap.conf.ext (most comments removed for brevity, and actual domain changed (not reachable anyway)):

# This file is commonly accessed via passdb {} or userdb {} section in
# conf.d/auth-ldap.conf.ext
hosts = ds2.domain.org ds1.domain.org
tls = yes
tls_require_cert = demand
debug_level = 0
auth_bind_userdn = uid=%u,ou=people,dc=domain,dc=org
ldap_version = 3
base = ou=people,dc=domain,dc=org
scope = onelevel

# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
#   uid - System UID
#   gid - System GID
#   home - Home directory
#   mail - Mail location
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if user there's no domain
user_filter = (&(objectClass=posixAccount)(uid=%n))
pass_attrs = uid=%n,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
iterate_attrs = uid=user
iterate_filter = (objectClass=posixAccount)
default_pass_scheme = SSHA

So what's needed IMHO is a way to make dovecot continue with the user name that was used to query the userdb and passdb. Instead it continues with the one returned from LDAP.

Improve this question

1 Answer 1

Reset to default
0

Why do you have multiple uid attribute values?

IMO you should not do that.

E.g. in the dovecot config some path names are derived from the username. Thus dovecot cannot reliably determine the username to be used from the LDAP search result.

Because attribute type description for uid does not enforce SINGLE-VALUE one should constrain the attribute to one value if the LDAP server permits. E.g. with OpenLDAP you set in slapd.conf (see slapo-constraint):

constraint_attribute uid count 1

If you already have multiple uid values you should sanitize your data because you will definitely run into trouble with other LDAP-enabled software too.

Improve this answer
4
  • Simply because the schema for uid does not require SINGLE. On the user name: I pass uid1 and pass for user and password, and LDAP returns a record with this uid1 and another uid2 and a matching password (challenge). Why isn't dovecot just happy, but instead complains on uid2? Meaning: dovecut should simply use the UID (username) I provide, nothing else. Commented Jul 2, 2019 at 13:08
  • Think about mailbox path names. Commented Jul 2, 2019 at 13:19
  • Actually I think CyrusIMAP was much more flexible than dovecot is: I had one user to access multiple mailboxes in CyrusIMAP, but dovecot seems to make that much harder, but that's a different topic... Commented Jul 2, 2019 at 13:29
  • I think I shouldn't adjust LDAP to the applications being used, but the other way round, especially when it worked so nicely with Cyrus IMAP. See my edit. Commented Oct 31, 2019 at 11:50

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.