Tuesday, March 7, 2023

[389-users] Problem with 389-ds authentication


I'm running two 389-ds instances on Centos9 servers, one master and one readonly slave server.
Global pwpolicy is PBKDF2_SHA256 and local pwpolicy is SSHA512.
The mail-servers are querying the readonly slave server for LDAP data.
All servers are using TLS for encryption.

I'm running a two mail servers, one for incoming mail with Dovecot as an imap frontend and one for Postfix smtp with Dovecot as a SASL authentication backend.
The Dovecot imap server has been running LDAP authentication flawlessly, but I recently switched the Postfix smtp server over to Dovecot SASL authentication.

Here's when everything started taking an interesting turn.

The incoming Dovecot imap server is set to do an authentication bind:
auth_bind = yes

while the smtp server with Postfix + Dovecot SASL authentication does not do an auth_bind.

The authentication process started failing on the smtp server with the following error message for every authenticated user:

dovecot[721505]: auth: Error: ldap(USERNAME): Unknown scheme PBKDF2-SHA512

Changing password for a user will allow authentication against the LDAP from the smtp server, but when the imap server authenticates and use auth_bind, then no LDAP authentication is possible do on the smtp server and the above error message appears again for the user.

I found out, that when I also use auth_bind for Dovecot on the smtp server everything works.

What I hope someone could explain for me is, what's happening with the slave queries against the 389-ds ro server instance when the imap server authenticates the user with auth_bind enabled and the smtp server cannot authenticate the user when auth_bind is not enabled.

The servers are binding prior to auth_bind with a

dn = cn=binduser,ou=bindaccount,dc=example,dc=com

user so that part is working as intended.

Thank you.


No comments:

Post a Comment