I hope I can get some help here.
I am setting up dovecot with LDAP (dovecot_ldap), but I can't seem to get dovecot to authenticate LDAP users.
Here are my configuration and log information:
hosts = 192.168.128.45:3268
dn = cn=Administrator,cn=Users,dc=company,dc=example,dc=com
dnpass = "passwd"
auth_bind = yes
ldap_version = 3
base = dc=company, dc=example, dc=com
user_attrs = sAMAccountName=home=/var/vmail/example.com/%$,uid=1001,gid=1001
user_filter = (&(sAMAccountName=%Ln))
pass_filter = (&(ObjectClass=person)(sAMAccountName=%u))
dovecot configuration file
# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-33-generic x86_64 Ubuntu 12.04 LTS
auth_mechanisms = plain login
auth_realms = example.com
auth_verbose = yes
disable_plaintext_auth = no
mail_access_groups = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
passdb {
driver = pam
}
passdb {
driver = passwd
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
passdb {
args = scheme=CRYPT username_format=%u /etc/dovecot/users
driver = passwd-file
}
protocols = " imap pop3"
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
}
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
driver = passwd
}
userdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
userdb {
args = username_format=%u /etc/dovecot/users
driver = passwd-file
}
protocol imap {
imap_client_workarounds = tb-extra-mailbox-sep
imap_logout_format = bytes=%i/%o
mail_plugins =
}
mail log
Nov 29 10:51:44 mail dovecot: auth-worker: pam(charyorde,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:44 mail dovecot: auth-worker: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:44 mail dovecot: auth: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:44 mail dovecot: imap-login: Login: user=<charyorde>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, mpid=1892, TLS
Nov 29 10:51:44 mail dovecot: imap(charyorde): Error: user charyorde: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Nov 29 10:51:44 mail dovecot: imap(charyorde): Error: Internal error occurred. Refer to server log for more information.
Nov 29 10:51:46 mail dovecot: auth-worker: pam(charyorde,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:46 mail dovecot: auth-worker: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:46 mail dovecot: auth: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:46 mail dovecot: imap-login: Login: user=<charyorde>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, mpid=1894, TLS
Nov 29 10:51:46 mail dovecot: imap(charyorde): Error: user charyorde: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Nov 29 10:51:46 mail dovecot: imap(charyorde): Error: Internal error occurred. Refer to server log for more information.
Nov 29 10:51:48 mail dovecot: auth-worker: pam([email protected],10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:48 mail dovecot: auth-worker: passwd([email protected],10.10.1.28): unknown user
Nov 29 10:51:48 mail dovecot: auth: ldap([email protected],10.10.1.28): unknown user
Nov 29 10:51:48 mail dovecot: auth: passwd-file([email protected],10.10.1.28): unknown user
Nov 29 10:51:54 mail postfix/smtpd[1880]: idle timeout -- exiting
Nov 29 10:51:54 mail postfix/smtpd[1879]: idle timeout -- exiting
Nov 29 10:51:54 mail postfix/smtpd[1886]: proxymap stream disconnect
Nov 29 10:51:54 mail postfix/smtpd[1887]: proxymap stream disconnect
Nov 29 10:51:54 mail postfix/smtpd[1886]: auto_clnt_close: disconnect private/tlsmgr stream
Nov 29 10:51:54 mail postfix/smtpd[1887]: auto_clnt_close: disconnect private/tlsmgr stream
Nov 29 10:51:54 mail postfix/smtpd[1887]: idle timeout -- exiting
Nov 29 10:51:54 mail postfix/smtpd[1886]: idle timeout -- exiting
Nov 29 10:51:56 mail dovecot: auth-worker: pam([email protected],10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:56 mail dovecot: auth-worker: passwd([email protected],10.10.1.28): unknown user
Nov 29 10:51:56 mail dovecot: auth: ldap([email protected],10.10.1.28): unknown user
Nov 29 10:51:56 mail dovecot: auth: passwd-file([email protected],10.10.1.28): unknown user
Nov 29 10:52:04 mail dovecot: auth-worker: pam([email protected],10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:52:04 mail dovecot: auth-worker: passwd([email protected],10.10.1.28): unknown user
Nov 29 10:52:04 mail dovecot: auth: ldap([email protected],10.10.1.28): unknown user
Nov 29 10:52:04 mail dovecot: auth: passwd-file([email protected],10.10.1.28): unknown user
Nov 29 10:52:06 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<[email protected]>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, TLS
Thanks for looking into this.
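Added example (not from the question or its author): a small shell/awk script that groups syslog lines like the ones in the log above into login attempts, so it is easy to see which passdb or userdb answered and where each attempt broke, for instance a successful login that is immediately followed by "Couldn't drop privileges: User is missing UID", which points at the userdb side rather than the password check. The sample log embedded in the script is constructed to mirror the question's lines; the realm-qualified user name `charyorde@example.com` is made up.

```shell
#!/bin/sh
# Added example: summarise dovecot auth/login log lines per attempt.
# Output format (one line per timestamp + user):
#   HH:MM:SS user: <driver>=<result> ... login=ok userdb=missing-uid result=auth-failed

summarize_dovecot_auth() {
    awk '
    $5 != "dovecot:" { next }          # skip postfix and other daemons
    {
        ts = $3; line = $0; user = ""
        # passdb/userdb result lines look like "<driver>(<user>,<ip>): <message>"
        if (match(line, /(pam|passwd-file|passwd|ldap)\([^,)]*,/)) {
            tok = substr(line, RSTART, RLENGTH)
            drv = tok; sub(/\(.*/, "", drv)
            user = tok; sub(/^[^(]*\(/, "", user); sub(/,$/, "", user)
            res = "other"
            if (line ~ /unknown user/) res = "unknown-user"
            else if (line ~ /failed/) res = "fail"
            add(ts, user, drv "=" res)
        } else if (match(line, /user=<[^>]*>/)) {
            user = substr(line, RSTART + 6, RLENGTH - 7)
            if (line ~ /imap-login: Login:/) add(ts, user, "login=ok")
            else if (line ~ /Disconnected \(auth failed/) add(ts, user, "result=auth-failed")
        } else if (match(line, /imap\([^)]*\): Error: .*missing UID/)) {
            # "imap(<user>): Error: ... User is missing UID" comes from the userdb lookup
            user = substr(line, RSTART + 5, index(substr(line, RSTART), ")") - 6)
            add(ts, user, "userdb=missing-uid")
        }
    }
    # Append one item per (attempt, item); repeated auth/auth-worker lines collapse.
    function add(ts, user, item,   key) {
        key = ts " " user
        if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        if (!((key SUBSEP item) in done)) {
            done[key SUBSEP item] = 1
            out[key] = out[key] " " item
        }
    }
    END { for (i = 1; i <= n; i++) print order[i] ":" out[order[i]] }
    '
}

# Constructed sample log, modelled on the lines in the question.
SAMPLE_LOG=$(cat <<'EOF'
Nov 29 10:51:44 mail dovecot: auth-worker: pam(charyorde,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:44 mail dovecot: auth-worker: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:44 mail dovecot: auth: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:44 mail dovecot: imap-login: Login: user=<charyorde>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, mpid=1892, TLS
Nov 29 10:51:44 mail dovecot: imap(charyorde): Error: user charyorde: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Nov 29 10:51:44 mail dovecot: imap(charyorde): Error: Internal error occurred. Refer to server log for more information.
Nov 29 10:51:48 mail dovecot: auth-worker: pam(charyorde@example.com,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:48 mail dovecot: auth-worker: passwd(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:48 mail dovecot: auth: ldap(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:48 mail dovecot: auth: passwd-file(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:54 mail postfix/smtpd[1880]: idle timeout -- exiting
Nov 29 10:52:06 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<charyorde@example.com>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, TLS
EOF
)

printf '%s\n' "$SAMPLE_LOG" | summarize_dovecot_auth
```

On a live box run `summarize_dovecot_auth < /var/log/mail.log`; the `$5` test assumes the usual syslog prefix (`Mon DD HH:MM:SS host dovecot:`) shown in the question. In the sample, the bare-username attempt shows the tell-tale pattern `login=ok userdb=missing-uid` (the password was accepted, the user lookup returned no uid), while the realm-qualified attempts fail in every passdb.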
Answer 1
If you don't need dovecot to know anything special about your users beyond the metadata of ordinary unix system users (i.e. home directory, gid, etc.), then it is much simpler to configure dovecot for pam authentication and let pam talk to ldap.
Your dovecot.conf would look something like this:
passdb {
driver = pam
args = %s
}
userdb {
driver = passwd
}
Then you have to put something in /etc/pam.d/dovecot. If you are already using LDAP authentication for system users, you can probably just include the appropriate context, like this:
auth include system-remote-login
password include system-remote-login
On the other hand, if you haven't set up pam_ldap to authenticate users on the system, you will probably need a custom scheme to do that:
auth sufficient pam_ldap.so minimum_uid=1000
auth required pam_unix.so try_first_pass nullok
auth required pam_env.so
password sufficient pam_ldap.so minimum_uid=1000
password required pam_unix.so try_first_pass nullok
You also need to tell your system's NSS how to talk to ldap, usually via /etc/nslcd.conf, with something like this:
uri ldap://localhost/
base dc=example,dc=com
base group ou=Groups,dc=example,dc=com
base passwd ou=People,dc=example,dc=com
base shadow ou=People,dc=example,dc=com
nss_min_uid 1000
Incidentally, if you leave out the userdb { driver = passwd } bit in dovecot.conf, you will get the same error as with dovecot's LDAP lookup.