# Dovecot LDAP Pam Authentication Problems



## klabacita (Apr 1, 2010)

Hi my friends.

 I have been following the Samba+LDAP=PDC in this forum. Ldap looks like is working, now I want to use my ldap db and used with my ftp(pure-ftpd) and mail(dovecot) services, but looks like PAM is my issue.

 This is running inside a jail, my problem right now is dovecot.

 This is my dovecot settings:


```
dovecot -n
# 1.2.10: /usr/local/etc/dovecot.conf
# OS: FreeBSD 8.0-RELEASE-p2 i386
log_path: /var/log/dovecot.log
info_log_path: /var/log/dovecot.log
syslog_facility: local7
protocols: imap
listen: *:143
ssl: no
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
login_greeting: Dovecot SSSST ready.
login_trusted_networks: 192.168.49.0/24
verbose_proctitle: yes
first_valid_uid: 1000
first_valid_gid: 1000
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mail_debug: yes
maildir_stat_dirs: yes
maildir_copy_preserve_filename: yes
imap_client_workarounds: delay-newmail netscape-eoh tb-extra-mailbox-sep
namespace:
  type: private
  separator: .
  prefix: INBOX.
  inbox: yes
  list: yes
  subscriptions: yes
lda:
  postmaster_address: postmaster
  sendmail_path: /usr/sbin/sendmail
  rejection_subject: Rejected: %s
  rejection_reason: Your message to <%t> was automatically rejected:%n%r
auth default:
  mechanisms: plain login
  username_format: %Lu
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: ldap
    args: /usr/local/etc/dovecot-ldap.conf
  userdb:
    driver: passwd
    args: /usr/local/etc/dovecot-ldap.conf blocking=yes
  userdb:
    driver: ldap
    args: /usr/local/etc/dovecot-ldap.conf
  socket:
    type: listen
    client:
      path: /var/run/dovecot/auth-client
      mode: 432
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
```

 Now, nss_ldap symlink to ldap.conf in /usr/local/etc/ && /usr/local/etc/openldap/ as the some doc say.

 This is my nss_ldap.conf:


```
host 192.168.49.6
# The distinguished name of the search base.
base dc=x,dc=dyndns, dc=org
ldap_version 3
port 389
pam_login_attribute uid
ssl off
```

 I have been trying with different settings in nss_ldap.conf, this is the most simple.

 My dovecot-ldap.conf is:


```
hosts = 192.168.49.6
dn = cn=Manager,dc=x,dc=dyndns,dc=org
dnpass = x
tls = no
auth_bind = yes
auth_bind_userdn = cn=%u,ou=x,ou=dyndns,dc=org
ldap_version = 3
base = ou=Users, dc=x, dc=dyndns, dc=org
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = SSHA
```

 I can add users with smbldap-useradd no issue here, I can ask the system about my users:


```
nis# smbldap-usershow test
dn: uid=test,ou=Users,dc=x,dc=dyndns,dc=org
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: test
sn: test
givenName: test
uid: test
uidNumber: 10003
gidNumber: 513
homeDirectory: /home/test
loginShell: /sbin/nologin
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: test
sambaSID: S-1-5-21-3301197195-1603911413-870733154-21006
sambaPrimaryGroupSID: S-1-5-21-3301197195-1603911413-870733154-513
sambaProfilePath: \\nis\profiles\test
sambaHomePath: \\nis\test
sambaHomeDrive: 'H:':
sambaLMPassword: CCF9155E3E7DB453AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 3DBDE697D71690A769204BEB12283678
sambaPwdLastSet: 1270082815
sambaPwdMustChange: 2134082815
userPassword: {SSHA}ExZnNMyrMD2JrI2INCnhE/Z9i+pJUG9S
shadowLastChange: 14700
shadowMax: 10000
```
 

```
id test
uid=10003(test) gid=513(Domain Users) groups=513(Domain Users)
```


```
getent passwd
root:$1$zksrXGQa$wu5ckxSu6V8WIKDF5RS/0/:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ldap:*:389:389:OpenLDAP Server:/nonexistent:/sbin/nologin
dovecot:*:143:143:Dovecot User:/var/empty:/usr/sbin/nologin
postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
root:*:0:0:Netbios Domain Administrator:/home/root:/bin/false
nobody:*:999:514:nobody:/dev/null:/bin/false
test:*:10003:513:System User:/home/test:/sbin/nologin
```

  dovecot.log:


```
pr 01 00:40:20 auth(default): Info: new auth connection: pid=16913
Apr 01 00:40:24 auth(default): Info: client in: AUTH    1       PLAIN   service=imap    secured lip=192.168.49.6        rip=192.168.49.6        lport=143       rport=51478     resp=AHBtb3Jlbm8AMTIz
Apr 01 00:40:24 auth(default): Info: ldap(test,192.168.49.6): invalid credentials (given password: 123)
Apr 01 00:40:26 auth(default): Info: client out: FAIL   1       user=test
Apr 01 00:40:31 imap-login: Info: Disconnected (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=192.168.49.6, lip=192.168.49.6, secured
```

 Sometimes the log told something about /etc/pam.d/dovecot, I really don't understand how to setup this file in freebsd, in linux is easy, I google a while and found this:

```
#%PAM-1.0
# auth
auth            required        /usr/local/lib/pam_ldap.so
# account
account         required        /usr/local/lib/pam_ldap.so
# session
session         required        /usr/local/lib/pam_ldap.so
# password
password        required        /usr/local/lib/pam_ldap.so
```

 Now u can see that service=imap in my log, which I copy the same settings as dovecot.

 What I'm missing?

 Thanks all for your time


----------



## gilinko (Apr 1, 2010)

You are not using PAM at all for your Dovevot, but directly accessing the ldap server using dovecot. The "service=imap" is from dovecot and indicates that the user has connected to port 143(ie the imap port). None of your userdb/passdb use the PAM system.

nss_ldap.conf should only be symlinked to /usr/local/etc/ldap.conf that is used by pam_ldap, as the /usr/local/etc/openldap/ldap.conf file is only for the configuration of ldap clients(as for example /etc/ssh/ssh_config vs /etc/ssh/sshd_config).

My suggestion would be to not use dovecot to access the ldap directly but insted use pam. So add the following to your /usr/local/etc/dovecot.conf in the auth default section:


```
passdb pam {
  args = session=yes imap
}
userdb passwd {
  args = blocking=yes
}
```

And this to /etc/pam.d/imap:

```
#
# $FreeBSD: src/etc/pam.d/imap,v 1.7.8.1 2009/04/15 03:14:26 kensmith Exp $
#
# PAM configuration for the "imap" service
#

# auth
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
#account        required        pam_nologin.so
account         sufficient      /usr/local/lib/pam_ldap.so 
account         required        pam_unix.so
```

This way you control everything through PAM/NSS and never directly to the database source, which in your case is LDAP.


----------



## ZhangHuangbin (Apr 1, 2010)

Why not auth against LDAP directly in dovecot?
http://wiki.dovecot.org/AuthDatabase/LDAP


----------



## gilinko (Apr 1, 2010)

ZhangHuangbin said:
			
		

> Why not auth against LDAP directly in dovecot?
> http://wiki.dovecot.org/AuthDatabase/LDAP



Simple answer? Control. PAM offers way more control that accessing LDAP directly, and it simplifies configuration to one system, PAM, instead for one in each service that has to authenticate against a server's services. With the above configuration all information about the ldap server is stored in one place /usr/local/etc/pam.ldap.conf(to wich I symlink both /usr/local/etc/ldap.conf and /usr/local/etc/nss_ldap.conf)


----------



## klabacita (Apr 1, 2010)

Thanks glinko for your tip.

  But I still have issues, I had change the settings and this is the error now:


```
Apr 01 07:17:30 auth(default): Info: new auth connection: pid=24132
Apr 01 07:17:35 auth(default): Info: client in: AUTH    1       PLAIN   service=imap    secured lip=192.168.49.6        rip=192.168.49.6        lport=143       rport=34403     resp=AHBtb3Jlbm8AMTIz
Apr 01 07:17:35 auth-worker(default): Info: pam(test,192.168.49.6): lookup service=imap
Apr 01 07:17:35 auth-worker(default): Error: pam(test,192.168.49.6): pam_start() failed: system error
Apr 01 07:17:37 auth(default): Info: client out: FAIL   1       user=test    temp
```

 In other posts say about :



> worker_max_count: nonozero



But didn't work either.

This is my current dovecot.conf:


```
dovecot -n
# 1.2.10: /usr/local/etc/dovecot.conf
# OS: FreeBSD 8.0-RELEASE-p2 i386
log_path: /var/log/dovecot.log
info_log_path: /var/log/dovecot.log
syslog_facility: local7
protocols: imap
listen: *:143
ssl: no
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
login_greeting: Dovecot SSSST ready.
login_trusted_networks: 192.168.49.0/24
verbose_proctitle: yes
first_valid_uid: 1000
first_valid_gid: 1000
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mail_debug: yes
maildir_stat_dirs: yes
maildir_copy_preserve_filename: yes
imap_client_workarounds: delay-newmail netscape-eoh tb-extra-mailbox-sep
namespace:
  type: private
  separator: .
  prefix: INBOX.
  inbox: yes
  list: yes
  subscriptions: yes
lda:
  postmaster_address: postmaster
  sendmail_path: /usr/sbin/sendmail
  rejection_subject: Rejected: %s
  rejection_reason: Your message to <%t> was automatically rejected:%n%r
auth default:
  mechanisms: plain login
  username_format: %Lu
  verbose: yes
  debug: yes
  debug_passwords: yes
  worker_max_count: 1000
  passdb:
    driver: pam
    args: session=yes imap
  userdb:
    driver: passwd
    args: blocking=yes
  socket:
    type: listen
    client:
      path: /var/run/dovecot/auth-client
      mode: 432
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
```

  Thanks!!!


----------



## gilinko (Apr 1, 2010)

What does your /var/log/auth say? It's there that pam sends it's logs. A pam_start error usually indicates that you are missing a module that you have referenced in a configuration file. Have you "activated" proper parts in /usr/local/etc/ldap.conf and /usr/local/etc/nss_ldap.conf so they know "where to look" for users in your LDAP tree. ie:


```
nss_base_passwd     ou=Users,dc=x,dc=dyndns,dc=org?one
nss_base_shadow     ou=Users,dc=x,dc=dyndns,dc=org?one
nss_base_group      ou=Group,dc=x,dc=dyndns,dc=org?one
```

The last one is if you store unix group details in your LDAP tree. It can be found about halfway down the configuration file with the heading _RFC2307bis_


----------



## klabacita (Apr 2, 2010)

gilinko u did it, thanks :beer

  This are my working settings, just for the record, u will see a lot of debug stuff in dovecot.conf, but I prefer to see what is doing before sending this to production:

dovecot.conf


```
protocols = imap
   protocol imap {
      listen = *:143
   }
disable_plaintext_auth = no
shutdown_clients = yes
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot.log
log_timestamp = "%b %d %H:%M:%S "
syslog_facility = local7
ssl = no
login_greeting = Dovecot ready.
login_trusted_networks = 192.168.49.0/24
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
login_log_format = %$: %s
   mail_location = maildir:~/Maildir
namespace private {
   separator = .
   prefix = INBOX.
   inbox = yes
}
mail_privileged_group = mail
mail_debug = yes
mail_log_prefix = "%Us(%u): "
dotlock_use_excl = yes
verbose_proctitle = yes
maildir_stat_dirs = yes
maildir_copy_with_hardlinks = yes
maildir_copy_preserve_filename = yes
protocol imap {
  imap_client_workarounds = delay-newmail netscape-eoh tb-extra-mailbox-sep
}
protocol lda {
  postmaster_address = postmaster
  sendmail_path = /usr/sbin/sendmail
  rejection_subject = Rejected: %s
  rejection_reason = Your message to <%t> was automatically rejected:%n%r
}
auth_username_format = %Lu
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
auth_worker_max_count = 30
auth default {
  mechanisms = plain login
  passdb pam {
    args = session=yes imap
  }
  userdb passwd {
    args = blocking=yes
  }
  user = root
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
    }
    client {
      path = /var/run/dovecot/auth-client
      mode = 0660
    }
  }
}
```

dovecot -n


```
# 1.2.10: /usr/local/etc/dovecot.conf
# OS: FreeBSD 8.0-RELEASE-p2 i386
log_path: /var/log/dovecot.log
info_log_path: /var/log/dovecot.log
syslog_facility: local7
protocols: imap
listen: *:143
ssl: no
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
login_greeting: Dovecot SSSST ready.
login_trusted_networks: 192.168.49.0/24
verbose_proctitle: yes
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mail_debug: yes
maildir_stat_dirs: yes
maildir_copy_preserve_filename: yes
imap_client_workarounds: delay-newmail netscape-eoh tb-extra-mailbox-sep
namespace:
  type: private
  separator: .
  prefix: INBOX.
  inbox: yes
  list: yes
  subscriptions: yes
lda:
  postmaster_address: postmaster
  sendmail_path: /usr/sbin/sendmail
  rejection_subject: Rejected: %s
  rejection_reason: Your message to <%t> was automatically rejected:%n%r
auth default:
  mechanisms: plain login
  username_format: %Lu
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: pam
    args: session=yes imap
  userdb:
    driver: passwd
    args: blocking=yes
  socket:
    type: listen
    client:
      path: /var/run/dovecot/auth-client
      mode: 432
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
```
 
/etc/pam.d/imap


```
#
# $FreeBSD: src/etc/pam.d/imap,v 1.7.8.1 2009/04/15 03:14:26 kensmith Exp $
#
# PAM configuration for the "imap" service
#

# auth
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
#account        required        pam_nologin.so
account         sufficient      /usr/local/lib/pam_ldap.so
account         required        pam_unix.so
```

/usr/local/etc/nss_ldap.conf, symlink to /usr/local/etc/ldap.conf


```
host 192.168.49.6
base dc=X,dc=dyndns,dc=org
ldap_version 3
port 389
scope one
bind_policy soft
nss_connect_policy persist
idle_timelimit 3600
nss_paged_results yes
pagesize 1000
pam_login_attribute uid
nss_base_passwd         ou=Users,dc=X,dc=dyndns,dc=org?one
nss_base_passwd         ou=Computers,dc=X,dc=dyndns,dc=org?one
nss_base_shadow         ou=Users,dc=X,dc=dyndns,dc=org?one
nss_base_group          ou=Groups,dc=X,dc=dyndns,dc=org?one
ssl off
```

Setup Samba with LDAP as describe here in one how-to.

I handle my users with samba-ldap-tools.

This machine is running inside a Jail, this are the settings I use to build the jail, /etc/src.conf


```
WITHOUT_AMD="yes"
WITHOUT_APM="yes"
WITHOUT_ASSERT_DEBUG="yes"
WITHOUT_AT="yes"
WITHOUT_ATM="yes"
WITHOUT_AUTHPF="yes"
WITHOUT_BIND="yes"
WITHOUT_BLUETOOTH="yes"
WITHOUT_BOOT="yes"
WITHOUT_CALENDAR="yes"
WITHOUT_CDDL="yes"
WITHOUT_CTM="yes"
WITHOUT_CVS="yes"
WITHOUT_DICT="yes"
WITHOUT_EXAMPLES="yes"
WITHOUT_FLOPPY="yes"
WITHOUT_FREEBSD_UPDATE="yes"
WITHOUT_GAMES="yes"
WITHOUT_GPIB="yes"
WITHOUT_HTML="yes"
WITHOUT_INET6="yes"
WITHOUT_IPFILTER="yes"
WITHOUT_IPFW="yes"
WITHOUT_IPX="yes"
WITHOUT_JAIL="yes"
WITHOUT_KVM="yes"
WITHOUT_LPR="yes"
WITHOUT_MAIL="yes"
WITHOUT_MAN="yes"
WITHOUT_NCP="yes"
WITHOUT_NDIS="yes
WITHOUT_NTP="yes"
WITHOUT_PF="yes"
WITHOUT_PMC="yes"
WITHOUT_PPP="yes"
WITHOUT_PROFILE="yes"
WITHOUT_QUOTAS="yes"
WITHOUT_RCMDS="yes"
WITHOU_RCS="yes"
WITHOUT_SHAREDOCS="yes"
WITHOUT_TELNET="yes"
WITHOUT_USB="yes"
WITHOUT_WIRELESS="yes"
WITHOUT_WPA_SUPPLICANT_EAPOL="yes"
```

Testing from the host machine using telnet, I could the Maildir created:

home user folder:


```
drwx------  2 test  Domain Users  512 Apr  2 09:29 cur
-rw-------  1 test  Domain Users   17 Apr  2 09:31 dovecot-uidlist
-rw-------  1 test  Domain Users    8 Apr  2 09:29 dovecot-uidvalidity
-rw-------  1 test  Domain Users    0 Apr  2 09:29 dovecot-uidvalidity.4bb5b904
-rw-------  1 test  Domain Users  248 Apr  2 09:31 dovecot.index.log
drwx------  2 test  Domain Users  512 Apr  2 09:29 new
drwx------  2 test  Domain Users  512 Apr  2 09:29 tmp
```

Final question about PAM and LDAP and see if I understand this.

I see that each service if they could use PAM to authenticate, some or all require the settings inside /etc/pam.d/?, now each one need different settings or I can copy the settings that works, example I can copy my imap settings for ftp? ftpd?, etc, etc.

Thanks all for your time and gilinko thanks again :e


----------



## gilinko (Apr 2, 2010)

The software has to be able to use PAM, which in some cases are a compile options. If a service will look for authentication using pam then it will first look for a configured option(which was defined at compile time or in a configuration file) and usually named after the protocol(imap, ftp, su etc), and if that isn't found it uses "other" or "system" depending on it's implementation(aka a default file). Essentially a file in /etc/pam.d is a set of conditions that has to be met for the service to allow or deny the authentication.


If you want to learn more about PAM I suggest that you read up this excellent article Pluggable Authentication Modules.


----------



## klabacita (Apr 5, 2010)

Got it.

 Thanks again gilinko, appreciated your help!!!


----------

