Couldn't drop privileges: User is missing UID (see mail_uid setting)
I'm hoping I can use some help.
I'm configuring dovecot_ldap, but I can't seem to be able to get dovecot to authenticate the ldap user.
Below is my config and log info:
hosts = 192.168.128.45:3268
dn = cn=Administrator,cn=Users,dc=company,dc=example,dc=com
dnpass = "passwd"
auth_bind = yes
ldap_version = 3
base = dc=company, dc=example, dc=com
user_attrs = sAMAccountName=home=/var/vmail/example.com/%$,uid=1001,gid=1001
user_filter = (&(sAMAccountName=%Ln))
pass_filter = (&(ObjectClass=person)(sAMAccountName=%u))
dovecot.conf
# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-33-generic x86_64 Ubuntu 12.04 LTS
auth_mechanisms = plain login
auth_realms = example.com
auth_verbose = yes
disable_plaintext_auth = no
mail_access_groups = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
passdb {
driver = pam
}
passdb {
driver = passwd
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
passdb {
args = scheme=CRYPT username_format=%u /etc/dovecot/users
driver = passwd-file
}
protocols = " imap pop3"
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
}
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
driver = passwd
}
userdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
userdb {
args = username_format=%u /etc/dovecot/users
driver = passwd-file
}
protocol imap {
imap_client_workarounds = tb-extra-mailbox-sep
imap_logout_format = bytes=%i/%o
mail_plugins =
}
mail.log
Nov 29 10:51:44 mail dovecot: auth-worker: pam(charyorde,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:44 mail dovecot: auth-worker: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:44 mail dovecot: auth: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:44 mail dovecot: imap-login: Login: user=<charyorde>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, mpid=1892, TLS
Nov 29 10:51:44 mail dovecot: imap(charyorde): Error: user charyorde: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Nov 29 10:51:44 mail dovecot: imap(charyorde): Error: Internal error occurred. Refer to server log for more information.
Nov 29 10:51:46 mail dovecot: auth-worker: pam(charyorde,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:46 mail dovecot: auth-worker: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:46 mail dovecot: auth: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:46 mail dovecot: imap-login: Login: user=<charyorde>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, mpid=1894, TLS
Nov 29 10:51:46 mail dovecot: imap(charyorde): Error: user charyorde: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Nov 29 10:51:46 mail dovecot: imap(charyorde): Error: Internal error occurred. Refer to server log for more information.
Nov 29 10:51:48 mail dovecot: auth-worker: pam([email protected],10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:48 mail dovecot: auth-worker: passwd([email protected],10.10.1.28): unknown user
Nov 29 10:51:48 mail dovecot: auth: ldap([email protected],10.10.1.28): unknown user
Nov 29 10:51:48 mail dovecot: auth: passwd-file([email protected],10.10.1.28): unknown user
Nov 29 10:51:54 mail postfix/smtpd[1880]: idle timeout -- exiting
Nov 29 10:51:54 mail postfix/smtpd[1879]: idle timeout -- exiting
Nov 29 10:51:54 mail postfix/smtpd[1886]: proxymap stream disconnect
Nov 29 10:51:54 mail postfix/smtpd[1887]: proxymap stream disconnect
Nov 29 10:51:54 mail postfix/smtpd[1886]: auto_clnt_close: disconnect private/tlsmgr stream
Nov 29 10:51:54 mail postfix/smtpd[1887]: auto_clnt_close: disconnect private/tlsmgr stream
Nov 29 10:51:54 mail postfix/smtpd[1887]: idle timeout -- exiting
Nov 29 10:51:54 mail postfix/smtpd[1886]: idle timeout -- exiting
Nov 29 10:51:56 mail dovecot: auth-worker: pam([email protected],10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:56 mail dovecot: auth-worker: passwd([email protected],10.10.1.28): unknown user
Nov 29 10:51:56 mail dovecot: auth: ldap([email protected],10.10.1.28): unknown user
Nov 29 10:51:56 mail dovecot: auth: passwd-file([email protected],10.10.1.28): unknown user
Nov 29 10:52:04 mail dovecot: auth-worker: pam([email protected],10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:52:04 mail dovecot: auth-worker: passwd([email protected],10.10.1.28): unknown user
Nov 29 10:52:04 mail dovecot: auth: ldap([email protected],10.10.1.28): unknown user
Nov 29 10:52:04 mail dovecot: auth: passwd-file([email protected],10.10.1.28): unknown user
Nov 29 10:52:06 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<[email protected]>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, TLS
Thank you for looking into this.
Solution 1:
If you don't need dovecot to know anything special about your users beyond the meta data of a normal unix system user (i.e. home dir, gid, etc), then it is much simpler to configure dovecot to do pam authentication and use pam to communicate with ldap.
Your dovecot.conf would look something like this:
passdb {
driver = pam
args = %s
}
userdb {
driver = passwd
}
Then you have to put something in /etc/pam.d/dovecot. If you are already using LDAP authentication for your system users, you can probably just include the appropriate context like so:
auth include system-remote-login
password include system-remote-login
On the other hand if you have not setup pam_ldap to authenticate your users on the system, you probably need a custom scheme that does just that:
auth sufficient pam_ldap.so minimum_uid=1000
auth required pam_unix.so try_first_pass nullok
auth required pam_env.so
password sufficient pam_ldap.so minimum_uid=1000
password required pam_unix.so try_first_pass nullok
And you'll need to tell your system NSS how to talk to ldap, usually via /etc/nslcd.conf and something like the following:
uri ldap://localhost/
base dc=example,dc=com
base group ou=Groups,dc=example,dc=com
base passwd ou=People,dc=example,dc=com
base shadow ou=People,dc=example,dc=com
nss_min_uid 1000
Incidentally, if you leave out the userdb { driver = passwd } bit from the dovecot.conf file, you will get the same error you were getting from dovecot's LDAP lookup.
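An added example, not code from the question, the answer, or Dovecot itself: a small model of what the imap process sees from the two userdb routes on this page, the LDAP user_attrs mapping in the question and the passwd/NSS route in the answer, and of the check behind "Couldn't drop privileges: User is missing UID". The user_attrs parsing is a simplified re-implementation of the documented Dovecot 2.x syntax (ldapAttr=field, ldapAttr=field=template with %$ for the attribute's value, and an empty attribute name for a static value). The LDAP entries and passwd(5) lines are constructed sample data, and min_uid is an assumption standing in for the answer's nss_min_uid / minimum_uid floor.

```python
"""Model of Dovecot's userdb result for (a) an LDAP user_attrs mapping and
(b) a passwd/NSS lookup, plus the check that logs 'User is missing UID'.

Simplified re-implementation of the documented user_attrs syntax, not
Dovecot's own code:
    ldapAttr=field           copy the LDAP attribute into the userdb field
    ldapAttr=field=template  set field to template, %$ = the attribute value
    =field=value             empty LDAP attribute name: a static value
All LDAP entries and passwd(5) lines below are constructed sample data.
"""


class MissingUID(Exception):
    """Raised where Dovecot would log 'User is missing UID'."""


def parse_user_attrs(spec):
    """Split a user_attrs string into (ldap_attr, dovecot_field, template)."""
    rules = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split("=", 2)
        if len(parts) < 2 or (parts[0] == "" and len(parts) < 3):
            raise ValueError("bad user_attrs item: %r" % item)
        template = parts[2] if len(parts) == 3 else None
        rules.append((parts[0], parts[1], template))
    return rules


def userdb_ldap(spec, entry):
    """Fields a userdb { driver = ldap } lookup would return for one entry."""
    result = {}
    for ldap_attr, dovecot_field, template in parse_user_attrs(spec):
        if ldap_attr == "":
            result[dovecot_field] = template      # static value
            continue
        value = entry.get(ldap_attr)
        if value is None:
            continue                              # attribute absent: field stays unset
        result[dovecot_field] = template.replace("%$", value) if template else value
    return result


def userdb_passwd(passwd_lines, user, min_uid=1000):
    """Fields a userdb { driver = passwd } lookup returns via NSS.

    passwd_lines stand in for what nslcd hands to NSS; min_uid (assumed)
    models the nss_min_uid / pam_ldap minimum_uid floor, below which an
    entry is not offered, so a directory entry cannot claim a system uid.
    """
    for line in passwd_lines:
        name, _pw, uid, gid, _gecos, home, _shell = line.split(":")
        if name == user:
            if int(uid) < min_uid:
                return None
            return {"uid": uid, "gid": gid, "home": home}
    return None


def check_drop_privileges(userdb_result):
    """The check behind the error in the question: return (uid, gid) or raise."""
    if userdb_result is None:
        raise LookupError("unknown user")
    if not userdb_result.get("uid"):
        raise MissingUID("User is missing UID (see mail_uid setting)")
    if not userdb_result.get("gid"):
        raise MissingUID("User is missing GID (see mail_gid setting)")
    return int(userdb_result["uid"]), int(userdb_result["gid"])


def diagnose(userdb_result):
    """Summarise what the imap process would do with a userdb result."""
    try:
        return ("ok",) + check_drop_privileges(userdb_result)
    except MissingUID as exc:
        return ("missing-uid", str(exc))
    except LookupError as exc:
        return ("unknown-user", str(exc))


# The mapping from the question, and the same mapping with the static
# uid/gid items written with an empty LDAP attribute name.
POSTED_USER_ATTRS = "sAMAccountName=home=/var/vmail/example.com/%$,uid=1001,gid=1001"
FIXED_USER_ATTRS = "sAMAccountName=home=/var/vmail/example.com/%$,=uid=1001,=gid=1001"

# Constructed sample data: an AD-style entry has no 'uid' attribute at all;
# a posixAccount-style entry has one, but it holds the login name.
AD_ENTRY = {"sAMAccountName": "charyorde", "objectClass": "person"}
POSIX_ENTRY = {"uid": "charyorde", "uidNumber": "1001", "gidNumber": "1001"}
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "charyorde:x:1001:1001::/home/charyorde:/bin/false",
]

if __name__ == "__main__":
    print("posted, AD entry:   ", diagnose(userdb_ldap(POSTED_USER_ATTRS, AD_ENTRY)))
    print("posted, posix entry:", userdb_ldap(POSTED_USER_ATTRS, POSIX_ENTRY))
    print("fixed, AD entry:    ", diagnose(userdb_ldap(FIXED_USER_ATTRS, AD_ENTRY)))
    print("passwd route:       ", diagnose(userdb_passwd(PASSWD_LINES, "charyorde")))
    print("passwd route, root: ", diagnose(userdb_passwd(PASSWD_LINES, "root")))
```

With the posted mapping, `uid=1001` is read as "copy LDAP attribute uid into a userdb field named 1001", so the uid field is never set whether the directory has a uid attribute or not; only the home field comes back, which is exactly the state in which the imap process reports a missing UID. The min_uid floor in the passwd route is the security reason the answer's `minimum_uid=1000` and `nss_min_uid 1000` belong in the PAM and nslcd configuration: without them a directory entry carrying a low uidNumber would be handed to Dovecot as that system account (Dovecot's own `first_valid_uid` gives a second floor on the Dovecot side). Separately, the question's dovecot-ldap.conf.ext binds as the domain Administrator over plain LDAP to port 3268 and, with `auth_bind = yes`, sends each user's password in a bind as well, so that connection should be moved to LDAPS or STARTTLS (`tls = yes`) before the setup goes into service.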