[Dovecot] LDAP Auth problems with auth_bind=yes

Rob Coward Rob.Coward at game.co.uk
Fri Aug 18 15:19:19 EEST 2006


I first posted this problem a day or two ago and have not seen any
responses yet.


To clarify my problem, I am authenticating virtual users against Active
Directory on Win2k3, where their login id is their email address. I am
using an almost identical setup to Suranga's below, however my initial
bind user doesn't have access to the userPassword attribute, so I am

auth_bind = yes


This is working fine when users enter their correct email address &
password, or if the email address is not found, however if a valid email
address is given but the password is incorrect, it seems to kill
something in the ldap_auth code as all further connections get a
temporary authentication error at the client, and the following in


Aug 18 13:04:31 gm-ho-lin-06 dovecot: auth(default): client in: AUTH
1   PLAIN   service=IMAP secured lip=::ffff:
rip=::ffff:    resp=ADA5OTlAc3RvcmVzLmdhbWUuY28udWsAOTk5MA==

Aug 18 13:04:31 gm-ho-lin-06 dovecot: auth(default):
ldap(0999 at stores.game.co.uk,::ffff: bind search:
filter=(&(objectClass=user)(mail=0999 at stores.game.co.uk))

Aug 18 13:04:31 gm-ho-lin-06 dovecot: auth(default):
ldap(0999 at stores.game.co.uk,::ffff: ldap_search() failed:
Operations error

Aug 18 13:04:31 gm-ho-lin-06 dovecot: auth(default): client out: FAIL
1       user=0999 at stores.game.co.uk     temp

Aug 18 13:04:31 gm-ho-lin-06 dovecot: imap-login: Aborted login:
user=<0999 at stores.game.co.uk>, method=PLAIN, rip=::ffff:,
lip=::ffff:, secured


Is the auth_ldap code not resetting the ldap connection bind details to
the dn/dnpass values for each login ?


You help would be greatly appreciated as I hope to make this a
production server within the next week.




Rob Coward


Unix Developer



Tel: 01256 784476

Email: Rob.Coward at game.net



-----Original Message-----
From: dovecot-bounces at dovecot.org [mailto:dovecot-bounces at dovecot.org]
On Behalf Of suranga de silva
Sent: 18 August 2006 19:14
To: dovecot at dovecot.org
Subject: Re: [Dovecot] dovecot Digest, Vol 40, Issue 65


Dear Tim Schafer,


Take a look at my sample dovecot-ldap.conf



hosts = localhost

dn = cn=root,dc=ceylonlinux,dc=com

dnpass = secret 

ldap_version = 3

base = dc=ceylonlinux,dc=com

deref = never

scope = subtree

user_attrs =


user_filter = (&(objectClass=user)(mail=%u))

pass_attrs = mail=user,userPassword=password

pass_filter = (&(objectClass=user)(mail=%u)) 

default_pass_scheme = CRYPT

user_global_uid = 1003

user_global_gid = 1003



Here I am using my own schema called "user", but in your case change it

to inetOrgPerson or the schema name you are using.


I think the most common problem in this process is the ldap filter.

Above in my configuration user_filter and pass_filter are used as ldap

filters for querying user name and password. There I am using mail




gid and uid are belong to the user vmail.


May be this explanation will help you to figure out your problem


You can refer my article in the following link for further reference







Suranga De Silva.





This e-mail and any files transmitted with it are confidential and intended solely  
for the use of the individual or entity to whom they are addressed. If you have  
received this e-mail in error please notify the system manager at:  
        mailto:postmaster at game.net
The recipient acknowledges that the transmissions made via the Internet  
can be corrupted and therefore THE GAME GROUP PLC and any of its subsidiaries  
do not give any warranty as to the quality or accuracy of any information  
contained in the message or assume any liability for it or for its transmission,  
reception or storage.  

This footnote also confirms that this e-mail message has been swept by  
anti-virus software for the presence of computer viruses.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://dovecot.org/pipermail/dovecot/attachments/20060818/1255e951/attachment-0001.html 

More information about the dovecot mailing list