[Dovecot] Fwd: LDAP subtree search on AD
    Bruno Puga 
    brpuga at gmail.com
       
    Fri Jun 22 00:16:09 EEST 2007
    
    
  
Timo, I sent the message below before, but I didn't see that it was
delivered to your personal email instead of to the list; I only saw this now,
sorry.
Because I'm in a hurry I gave up on using Dovecot + AD and started using MySQL as
my userdb and passdb, and things have worked perfectly so far. I have some
doubts, but I will open a new thread for them.
Anyway, if you get any news about this issue I would appreciate hearing about it; if
not, that's OK.
Many thanks for your help.
Bruno.
On 6/18/07, Bruno Puga <brpuga at gmail.com> wrote:
>
> Timo, I had set this in the dovecot.conf:
>
> auth_verbose = yes
> auth_debug = yes
> auth_debug_passwords = yes
>
> ###########################################################
> ### My dovecot logs show this using auth_bind = yes and a userdn template ###
>
> dovecot: 2007-06-17 12:35:52 Warning: Killed with signal 15
> dovecot: 2007-06-17 12:35:53 Info: Dovecot v1.0.0 starting up
> dovecot: 2007-06-17 12:37:23 Info: auth(default): client in: AUTH    1       PLAIN   service=IMAP    secured lip=192.168.0.251       rip=192.168.0.251       resp=AHRlc3RlAHRlc3Rl
> dovecot: 2007-06-17 12:37:23 Info: auth(default): ldap(teste,192.168.0.251): bind: dn=teste
> dovecot: 2007-06-17 12:37:23 Info: auth(default): client out: OK      1       user=teste
> dovecot: 2007-06-17 12:37:23 Info: auth(default): master in: REQUEST  1       31290   1
> dovecot: 2007-06-17 12:37:23 Info: auth(default): ldap(teste,192.168.0.251): user search: base=DC=tecnicopias01,DC=com,DC=br scope=subtree filter=(&(objectClass=organizationalPerson)(sAMAccountName=teste)) fields=info
> dovecot: 2007-06-17 12:40:23 Info: imap-login: Disconnected: Inactivity: user=<teste>, method=PLAIN, rip=192.168.0.251, lip=192.168.0.251, secured
>
> dovecot: 2007-06-17 12:52:46 Error: auth(default): ldap(teste,192.168.0.251): ldap_search() failed: Operations error
> dovecot: 2007-06-17 12:52:46 Info: auth(default): master out: FAIL      1
> dovecot: 2007-06-17 12:52:46 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
> dovecot: 2007-06-17 13:07:46 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
> dovecot: 2007-06-17 13:22:47 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
>
> As we can see, first Dovecot binds correctly, but afterwards it opens a new
> connection, as shown in the ngrep output, and without binding tries to make the
> ldap_search; at that point AD blocks the search, saying that a successful bind
> is necessary on the newly opened connection.
> ###########################################################
>
> ### Now, changing to user database lookups, authenticating with krb5 ###
>
> dovecot: 2007-06-18 10:14:35 Info: auth(default): client in: AUTH    1       PLAIN   service=IMAP    secured lip=192.168.0.251        rip=192.168.0.251     resp=AHRlc3RlAHRlc3Rl
> dovecot: 2007-06-18 10:14:35 Info: auth(default): pam(teste,192.168.0.251): lookup service=dovecot
> dovecot: 2007-06-18 10:14:35 Info: auth(default): client out: OK      1       user=teste
> dovecot: 2007-06-18 10:14:35 Info: auth(default): master in: REQUEST  1       32029   1
> dovecot: 2007-06-18 10:14:35 Info: auth(default): ldap(teste,192.168.0.251): user search: base=DC=tecnicopias01,DC=com,DC=br scope=subtree filter=(&(objectClass=organizationalPerson)(sAMAccountName=teste)) fields=info
> dovecot: 2007-06-18 10:17:35 Info: imap-login: Disconnected: Inactivity: user=<teste>, method=PLAIN, rip=192.168.0.251, lip=192.168.0.251, secured
>
> dovecot: 2007-06-18 10:29:25 Error: auth(default): ldap(teste,192.168.0.251): ldap_search() failed: Operations error
> dovecot: 2007-06-18 10:29:25 Info: auth(default): master out: FAIL      1
> dovecot: 2007-06-18 10:29:25 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
> dovecot: 2007-06-18 10:44:26 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
> dovecot: 2007-06-18 10:59:26 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
>
> ###########################################################
>
> After some time, the dovecot logs start logging these last 3 lines saying
> "Can't contact LDAP server", and ngrep shows this:
>
> ###########################################################
> #############
> T 192.168.0.251:49043 -> 192.168.0.11:389 [AP]
>   0E...`@....1CN=postfix,CN=Users,DC=tecnicopias01,DC=com,DC=br..post123!
> #
> T 192.168.0.11:389 -> 192.168.0.251:49043 [AP]
>   0........a............
> ###
> T 192.168.0.251:49043 -> 192.168.0.11:389 [AP]
>   0....B.
> #######
> T 192.168.0.251:42083 -> 192.168.0.11:389 [AP]
>   0E...`@....1CN=postfix,CN=Users,DC=tecnicopias01,DC=com,DC=br..post123!
> #
> T 192.168.0.11:389 -> 192.168.0.251:42083 [AP]
>   0........a............
> ###
> T 192.168.0.251:42083 -> 192.168.0.11:389 [AP]
>   0....B.
> #######
> T 192.168.0.251:52084 -> 192.168.0.11:389 [AP]
>   0E...`@....1CN=postfix,CN=Users,DC=tecnicopias01,DC=com,DC=br..post123!
> #
> T 192.168.0.11:389 -> 192.168.0.251:52084 [AP]
>   0........a............
> #
>
> After a while Dovecot keeps trying to connect to the LDAP server without any
> requests being sent to the server. So it keeps logging this line below forever:
>
> LDAP: ldap_result() failed: Can't contact LDAP server
> ###########################################################
>
> If I change the base to the same location where the user being authenticated
> is, the userdb lookup is successful because he's found at the first
> ldap_search try, and no subtree search is necessary. So again I think Dovecot
> must not open connections other than the one opened at bind time to make
> the subtree search, like Postfix does.
>
> Timo, I'm waiting for your reply.
>
> Thanks in advance for spending your time contributing to free software,
> Bruno.
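Added example (not part of Bruno's message and not Dovecot code): the auth_debug lines quoted above record more than the LDAP failure. With auth_debug_passwords = yes, the resp= field of each "client in: AUTH ... PLAIN" line is the base64 SASL PLAIN initial response (RFC 4616: authzid NUL authcid NUL password), so the user's plaintext password is sitting in the log; the ngrep capture likewise shows the CN=postfix service account's simple-bind password in clear on tcp/389. The Python below, written for this page, decodes those resp= fields and pairs each userdb "user search" with the ldap_search() error that follows it. The sample log is the quoted log with the mailer's line wrapping undone; the regexes, function names and record layout are this example's own assumptions.

```python
import base64
import re
from typing import Dict, List

# Constructed sample: the auth_debug lines quoted in the thread, with the
# mailer's line wrapping undone and Dovecot's tab-separated auth fields
# restored. Nothing is added beyond the re-joining.
SAMPLE_LOG = """\
dovecot: 2007-06-17 12:37:23 Info: auth(default): client in: AUTH\t1\tPLAIN\tservice=IMAP\tsecured\tlip=192.168.0.251\trip=192.168.0.251\tresp=AHRlc3RlAHRlc3Rl
dovecot: 2007-06-17 12:37:23 Info: auth(default): ldap(teste,192.168.0.251): bind: dn=teste
dovecot: 2007-06-17 12:37:23 Info: auth(default): client out: OK\t1\tuser=teste
dovecot: 2007-06-17 12:37:23 Info: auth(default): master in: REQUEST\t1\t31290\t1
dovecot: 2007-06-17 12:37:23 Info: auth(default): ldap(teste,192.168.0.251): user search: base=DC=tecnicopias01,DC=com,DC=br scope=subtree filter=(&(objectClass=organizationalPerson)(sAMAccountName=teste)) fields=info
dovecot: 2007-06-17 12:52:46 Error: auth(default): ldap(teste,192.168.0.251): ldap_search() failed: Operations error
dovecot: 2007-06-17 12:52:46 Info: auth(default): master out: FAIL\t1
dovecot: 2007-06-17 12:52:46 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
dovecot: 2007-06-17 13:07:46 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
dovecot: 2007-06-17 13:22:47 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
"""

# Patterns are this example's own; \s+ tolerates the tabs Dovecot writes and
# the runs of spaces the archive shows.
AUTH_RE = re.compile(r"client in: AUTH\s+(\d+)\s+(\w+)\s+.*?\bresp=(\S+)")
SEARCH_RE = re.compile(r"ldap\((\w+),[^)]*\): user search: base=(\S+) scope=(\w+)")
FAIL_RE = re.compile(r"ldap\((\w+),[^)]*\): ldap_search\(\) failed: (.*)$")
LOST_RE = re.compile(r"ldap_result\(\) failed: Can't contact LDAP server")


def decode_sasl_plain(b64: str) -> Dict[str, str]:
    """Decode a SASL PLAIN initial response: authzid NUL authcid NUL passwd."""
    parts = base64.b64decode(b64).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN message")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return {"authzid": authzid, "authcid": authcid, "password": passwd}


def leaked_credentials(log: str) -> List[Dict[str, str]]:
    """Every PLAIN AUTH line with a resp= field is a plaintext password in the log."""
    found = []
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if m and m.group(2) == "PLAIN":
            creds = decode_sasl_plain(m.group(3))
            creds["request_id"] = m.group(1)
            found.append(creds)
    return found


def userdb_lookup_failures(log: str) -> List[Dict[str, str]]:
    """Pair each userdb 'user search' with the ldap_search() error that follows it."""
    pending: Dict[str, Dict[str, str]] = {}
    failures = []
    for line in log.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            pending[m.group(1)] = {"user": m.group(1), "base": m.group(2), "scope": m.group(3)}
            continue
        m = FAIL_RE.search(line)
        if m and m.group(1) in pending:
            rec = pending.pop(m.group(1))
            rec["error"] = m.group(2)
            failures.append(rec)
    return failures


def connection_lost_count(log: str) -> int:
    """How many times the auth process gave up on the LDAP connection."""
    return sum(1 for line in log.splitlines() if LOST_RE.search(line))


if __name__ == "__main__":
    for c in leaked_credentials(SAMPLE_LOG):
        print(f"request {c['request_id']}: user={c['authcid']!r} password={c['password']!r}")
    for f in userdb_lookup_failures(SAMPLE_LOG):
        print(f"userdb lookup for {f['user']} ({f['scope']} under {f['base']}) failed: {f['error']}")
    print("connection lost", connection_lost_count(SAMPLE_LOG), "times")
```

Run against a real auth log to see how much credential material auth_debug_passwords leaves behind; it is a setting to turn on for one debugging session and off again, with the resulting log treated as a secret. The "Operations error" result on the subtree search is the unbound-connection symptom Bruno describes, distinct from the later "Can't contact LDAP server" lines, which only say that the auth process has stopped getting any answer at all.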
    
    