Hi.
I'm running two 389-ds instances on CentOS 9 servers, one master and one
read-only slave server.
Global pwpolicy is PBKDF2_SHA256 and local pwpolicy is SSHA512.
The mail-servers are querying the readonly slave server for LDAP data.
All servers are using TLS for encryption.
I'm running two mail servers, one for incoming mail with Dovecot as an
IMAP frontend and one for Postfix SMTP with Dovecot as a SASL
authentication backend.
The Dovecot imap server has been running LDAP authentication flawlessly,
but I recently switched the Postfix smtp server over to Dovecot SASL
authentication.
Here's when everything started taking an interesting turn.
The incoming Dovecot imap server is set to do an authentication bind:
auth_bind = yes
while the smtp server with Postfix + Dovecot SASL authentication does not
do an auth_bind.
The authentication process started failing on the smtp server with the
following error message for every authenticated user:
dovecot[721505]: auth: Error: ldap(USERNAME): Unknown scheme PBKDF2-SHA512
Changing the password for a user will allow authentication against the LDAP
from the smtp server, but when the imap server authenticates and uses
auth_bind, then no LDAP authentication is possible on the smtp server
and the above error message appears again for the user.
I found out that when I also use auth_bind for Dovecot on the smtp server
everything works.
What I hope someone could explain to me is what's happening with the
slave queries against the 389-ds ro server instance when the imap server
authenticates the user with auth_bind enabled and the smtp server cannot
authenticate the user when auth_bind is not enabled.
The servers are binding prior to auth_bind with a
dn = cn=binduser,ou=bindaccount,dc=example,dc=com
user so that part is working as intended.
Thank you.
BR,
/MrM
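An added check, not part of the post above: it classifies userPassword values pulled from a replica by their {SCHEME} prefix against a list of schemes a Dovecot password-lookup passdb (auth_bind = no) can verify itself, so entries that only work with auth_bind = yes surface before they produce "Unknown scheme" errors in the mail logs. The scheme allow-list, the default scheme and the sample entries are constructed assumptions, not taken from the poster's setup.

```python
import re
from collections import Counter

# Assumed allow-list of schemes Dovecot can verify locally from a stored hash.
# Adjust to the output of `doveadm pw -l` on the real host; 389-ds's own
# {PBKDF2_SHA256} / {PBKDF2-SHA512} labels are deliberately not in it.
VERIFIABLE_SCHEMES = {
    "PLAIN", "CRYPT", "MD5", "MD5-CRYPT", "SHA", "SHA256", "SHA512",
    "SMD5", "SSHA", "SSHA256", "SSHA512", "SHA256-CRYPT", "SHA512-CRYPT",
    "BLF-CRYPT", "PBKDF2", "ARGON2I", "ARGON2ID",
}

SCHEME_RE = re.compile(r"^\{([^}]+)\}")


def password_scheme(value: str, default_scheme: str = "PLAIN") -> str:
    """Return the {SCHEME} prefix of a userPassword value, upper-cased.
    A value without a prefix is treated as `default_scheme`, mirroring how
    Dovecot falls back to default_pass_scheme for unprefixed hashes."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else default_scheme.upper()


def find_unverifiable(entries, allowed=VERIFIABLE_SCHEMES):
    """entries: iterable of (dn, userPassword) pairs as read from the replica.
    Returns [(dn, scheme)] for entries whose hash a password lookup cannot
    check, i.e. the accounts that will fail unless auth_bind = yes."""
    flagged = []
    for dn, value in entries:
        scheme = password_scheme(value)
        if scheme not in allowed:
            flagged.append((dn, scheme))
    return flagged


def scheme_distribution(entries):
    """Count how many entries use each scheme; useful for spotting a
    rehash-on-bind drift between the local and global password policies."""
    return Counter(password_scheme(value) for _, value in entries)


# Constructed sample entries; the hash bodies are placeholders, not digests.
SAMPLE_ENTRIES = [
    ("uid=alice,ou=people,dc=example,dc=com", "{SSHA512}placeholder-hash"),
    ("uid=bob,ou=people,dc=example,dc=com", "{PBKDF2-SHA512}placeholder-hash"),
    ("uid=carol,ou=people,dc=example,dc=com", "{PBKDF2_SHA256}placeholder-hash"),
    ("uid=dave,ou=people,dc=example,dc=com", "{ssha512}placeholder-hash"),
]

if __name__ == "__main__":
    for dn, scheme in find_unverifiable(SAMPLE_ENTRIES):
        print(f"{dn}: scheme {scheme} needs auth_bind = yes")
    print(dict(scheme_distribution(SAMPLE_ENTRIES)))
```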