
Couldn't drop privileges: User is missing UID (see mail_uid setting)

Server Fault user
Asked on 2012-11-29 10:30:56
1 answer, 15.2K views, 0 followers, 8 votes

I hope I can get some help.

I am configuring dovecot_ldap, but I cannot seem to get dovecot to authenticate ldap users.

Here are my configuration and log messages:

dovecot-ldap.conf.ext
hosts = 192.168.128.45:3268
dn = cn=Administrator,cn=Users,dc=company,dc=example,dc=com
dnpass = "passwd"
auth_bind = yes
ldap_version = 3
base = dc=company, dc=example, dc=com
user_attrs = sAMAccountName=home=/var/vmail/example.com/%$,uid=1001,gid=1001
user_filter = (&(sAMAccountName=%Ln))
pass_filter = (&(ObjectClass=person)(sAMAccountName=%u))

dovecot.conf

# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-33-generic x86_64 Ubuntu 12.04 LTS
auth_mechanisms = plain login
auth_realms = example.com
auth_verbose = yes
disable_plaintext_auth = no
mail_access_groups = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
passdb {
  driver = pam
}
passdb {
  driver = passwd
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
}
protocols = " imap pop3"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  imap_logout_format = bytes=%i/%o
  mail_plugins =
}

mail.log

Nov 29 10:51:44 mail dovecot: auth-worker: pam(charyorde,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:44 mail dovecot: auth-worker: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:44 mail dovecot: auth: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:44 mail dovecot: imap-login: Login: user=<charyorde>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, mpid=1892, TLS
Nov 29 10:51:44 mail dovecot: imap(charyorde): Error: user charyorde: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Nov 29 10:51:44 mail dovecot: imap(charyorde): Error: Internal error occurred. Refer to server log for more information.
Nov 29 10:51:46 mail dovecot: auth-worker: pam(charyorde,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:46 mail dovecot: auth-worker: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:46 mail dovecot: auth: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:46 mail dovecot: imap-login: Login: user=<charyorde>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, mpid=1894, TLS
Nov 29 10:51:46 mail dovecot: imap(charyorde): Error: user charyorde: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Nov 29 10:51:46 mail dovecot: imap(charyorde): Error: Internal error occurred. Refer to server log for more information.
Nov 29 10:51:48 mail dovecot: auth-worker: pam(charyorde@example.com,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:48 mail dovecot: auth-worker: passwd(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:48 mail dovecot: auth: ldap(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:48 mail dovecot: auth: passwd-file(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:54 mail postfix/smtpd[1880]: idle timeout -- exiting
Nov 29 10:51:54 mail postfix/smtpd[1879]: idle timeout -- exiting
Nov 29 10:51:54 mail postfix/smtpd[1886]: proxymap stream disconnect
Nov 29 10:51:54 mail postfix/smtpd[1887]: proxymap stream disconnect
Nov 29 10:51:54 mail postfix/smtpd[1886]: auto_clnt_close: disconnect private/tlsmgr stream
Nov 29 10:51:54 mail postfix/smtpd[1887]: auto_clnt_close: disconnect private/tlsmgr stream
Nov 29 10:51:54 mail postfix/smtpd[1887]: idle timeout -- exiting
Nov 29 10:51:54 mail postfix/smtpd[1886]: idle timeout -- exiting
Nov 29 10:51:56 mail dovecot: auth-worker: pam(charyorde@example.com,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:56 mail dovecot: auth-worker: passwd(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:56 mail dovecot: auth: ldap(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:56 mail dovecot: auth: passwd-file(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:52:04 mail dovecot: auth-worker: pam(charyorde@example.com,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:52:04 mail dovecot: auth-worker: passwd(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:52:04 mail dovecot: auth: ldap(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:52:04 mail dovecot: auth: passwd-file(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:52:06 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<charyorde@example.com>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, TLS

Thank you for looking into this.

1 Answer

Server Fault user

Posted on 2014-05-24 14:22:18

If you don't need dovecot to know anything special about the user beyond the metadata of an ordinary unix system user (home dir, gid, etc.), it is much simpler to configure dovecot for pam authentication and have pam talk to ldap.

Your dovecot.conf should look like this:

# passdb: let PAM check the password (%s = service name, i.e. imap or pop3,
# so /etc/pam.d/imap and /etc/pam.d/pop3 are consulted)
passdb {
        driver = pam
        args = %s
}
# userdb: uid/gid/home come from NSS (getpwnam), which nslcd serves from LDAP
userdb {
        driver = passwd
}

Then you have to put something in /etc/pam.d/dovecot. If you are already using the LDAP helpers for your system users, you can probably just include the appropriate context, like this:

auth      include   system-remote-login
password  include   system-remote-login

On the other hand, if you have not set up pam_ldap to authenticate the users on the system, you may need a custom scheme that does something like the following:

# LDAP users (uid >= 1000) are accepted by pam_ldap; anyone else falls through
# to the local password file
auth      sufficient pam_ldap.so     minimum_uid=1000
auth      required   pam_unix.so     try_first_pass nullok
auth      required   pam_env.so
password  sufficient pam_ldap.so     minimum_uid=1000
password  required   pam_unix.so     try_first_pass nullok

You need to tell your system's NSS how to talk to ldap, usually via /etc/nslcd.conf with something like this:

uri ldap://localhost/
base dc=example,dc=com
base   group  ou=Groups,dc=example,dc=com
base   passwd ou=People,dc=example,dc=com
base   shadow ou=People,dc=example,dc=com
# never hand out system accounts (uid < 1000) from LDAP
nss_min_uid 1000

Incidentally, if you leave out the userdb { driver = passwd } bit from dovecot.conf, you get the same error as with dovecot's LDAP lookups.

2 votes
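The failure in the question's mail.log and the answer's point that the userdb must supply uid/gid are easier to see with a small model. The following is an added example written for this page; it is not Dovecot's code and not from either post. Part 1 models the `user_attrs` grammar from Dovecot's LDAP userdb documentation (`ldapAttr=dovecotField[=template]`, with `%$` standing for the attribute value and an empty `ldapAttr` giving a static value); the parser is an approximation of that grammar, not Dovecot's implementation, and the AD-style entry `AD_ENTRY` is constructed. Part 2 triages log lines quoted from the question to separate "a passdb rejected the login" from "the login was accepted but the userdb returned no uid". Function names (`userdb_lookup`, `missing_privilege_fields`, `triage`) are this example's own.

```python
"""Added example: model Dovecot's LDAP user_attrs mapping and triage mail.log.
Not Dovecot code; AD_ENTRY is constructed, SAMPLE_LOG is quoted from the post."""
import re

# user_attrs grammar (Dovecot LDAP userdb documentation):
#   ldapAttr=dovecotField[=template]   template may use %$ for the attribute value
#   =dovecotField=value                empty ldapAttr: a static value
def parse_user_attrs(user_attrs):
    mappings = []
    for item in user_attrs.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"user_attrs item without '=': {item!r}")
        parts = item.split("=", 2)
        template = parts[2] if len(parts) == 3 else None
        mappings.append((parts[0], parts[1], template))
    return mappings


def userdb_lookup(user_attrs, entry):
    """Fields a userdb lookup would return for the LDAP entry `entry` (a dict)."""
    fields = {}
    for ldap_attr, field, template in parse_user_attrs(user_attrs):
        if ldap_attr == "":
            fields[field] = template or ""      # static value, independent of the entry
        elif ldap_attr in entry:
            value = entry[ldap_attr]
            fields[field] = template.replace("%$", value) if template else value
        # an attribute the entry lacks sets nothing, so that field stays missing
    return fields


def missing_privilege_fields(fields):
    """What the imap process needs before it can drop privileges (uid, then gid)."""
    return [f for f in ("uid", "gid") if f not in fields]


# Constructed AD-style entry: AD objects carry sAMAccountName, not a `uid` attribute.
AD_ENTRY = {"sAMAccountName": "charyorde"}
# The question's line: "uid=1001" maps LDAP attribute `uid` to a Dovecot field
# named "1001"; AD has no such attribute, so neither uid nor gid is ever set.
QUESTION_ATTRS = "sAMAccountName=home=/var/vmail/example.com/%$,uid=1001,gid=1001"
# Static values use the empty-attribute form.
STATIC_ATTRS = "sAMAccountName=home=/var/vmail/example.com/%$,=uid=1001,=gid=1001"

# --- Part 2: log triage --------------------------------------------------------
REJECT_RE = re.compile(r"dovecot: (?:auth-worker|auth): ([\w-]+)\(([^,)]+),")
LOGIN_RE = re.compile(r"imap-login: Login: user=<([^>]+)>")
NOUID_RE = re.compile(r"imap\(([^)]+)\): Error: .*User is missing UID")
AUTHFAIL_RE = re.compile(r"Disconnected \(auth failed, \d+ attempts\): user=<([^>]+)>")


def triage(log_lines):
    """Per login name: passdbs that logged a rejection (auth_verbose=yes), whether
    imap-login accepted the session, and whether the imap process then died for
    lack of a uid.  Diagnosis 'userdb' means authentication itself worked."""
    report = {}

    def rec(user):
        return report.setdefault(user, {"rejected_by": [], "login": False,
                                        "missing_uid": False, "auth_failed": False})

    for line in log_lines:
        if m := REJECT_RE.search(line):
            r = rec(m.group(2))
            if m.group(1) not in r["rejected_by"]:
                r["rejected_by"].append(m.group(1))
        elif m := LOGIN_RE.search(line):
            rec(m.group(1))["login"] = True
        elif m := NOUID_RE.search(line):
            rec(m.group(1))["missing_uid"] = True
        elif m := AUTHFAIL_RE.search(line):
            rec(m.group(1))["auth_failed"] = True
    for r in report.values():
        if r["login"] and r["missing_uid"]:
            r["diagnosis"] = "userdb"
        elif r["auth_failed"]:
            r["diagnosis"] = "passdb"
        else:
            r["diagnosis"] = "ok" if r["login"] else "unknown"
    return report


SAMPLE_LOG = """\
Nov 29 10:51:44 mail dovecot: auth-worker: pam(charyorde,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:44 mail dovecot: auth-worker: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:44 mail dovecot: auth: passwd(charyorde,10.10.1.28): unknown user
Nov 29 10:51:44 mail dovecot: imap-login: Login: user=<charyorde>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, mpid=1892, TLS
Nov 29 10:51:44 mail dovecot: imap(charyorde): Error: user charyorde: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Nov 29 10:51:48 mail dovecot: auth-worker: pam(charyorde@example.com,10.10.1.28): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 29 10:51:48 mail dovecot: auth-worker: passwd(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:48 mail dovecot: auth: ldap(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:51:48 mail dovecot: auth: passwd-file(charyorde@example.com,10.10.1.28): unknown user
Nov 29 10:52:06 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<charyorde@example.com>, method=PLAIN, rip=10.10.1.28, lip=10.10.1.30, TLS
""".splitlines()

if __name__ == "__main__":
    for attrs in (QUESTION_ATTRS, STATIC_ATTRS):
        f = userdb_lookup(attrs, AD_ENTRY)
        print(attrs, "->", f, "missing:", missing_privilege_fields(f))
    for user, r in triage(SAMPLE_LOG).items():
        print(user, r)
```

Running it shows the two distinct failure modes in the question's log: for `charyorde` only pam and passwd rejected, imap-login accepted the session, and the imap process then could not drop privileges (diagnosis `userdb`); for `charyorde@example.com` every passdb rejected and the client was disconnected after three attempts (diagnosis `passdb`). With the answer's PAM plus nslcd setup the uid and gid come from NSS instead, which is why the answer notes that leaving out `userdb { driver = passwd }` brings the same error back.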
Page content originally provided by Server Fault; translation supported by Tencent Cloud's IT-domain engine.
Original link: https://serverfault.com/questions/453370