[Dovecot] Dovecot+LDAP issues
Daniel Gomes
daniel.gomes at ist.utl.pt
Wed Mar 31 16:59:28 EEST 2010
Dear list members,
I am having some problems with an LDAP passdb authentication on Dovecot.
Before I forget, the specs: it's a Ubuntu 7.10 server running Dovecot
1.0.5 connecting to 2 different machines running LDAP servers: gold with
OpenLDAP 2.4.19 and extra with OpenLDAP 2.4.9 (extra is a replication
slave of gold).
The initial setup of dovecot was with a MySQL passdb, which is still the
first passdb, now followed by my new LDAP passdb, all with a static
userdb.
Here is my dovecot-ldap.conf (the LDAP passdb) (I switched the domain
with example.com for privacy's sake):
-----------------------------------------------------------------
#Server
hosts = gold.example.com extra.example.com
tls = yes
ldap_version = 3
base = ou=people,dc=example,dc=com
scope = onelevel
#uid/gid
user_global_uid = 5000
user_global_gid = 5000
#Bind for reading things
dn = cn=dovecot,ou=people,dc=example,dc=com
dnpass = secret
sasl_bind = no
sasl_mech =
#passdb: use password lookups to authenticate users
auth_bind = no
pass_attrs = userPassword=password
#, =userdb_home=/home/vmail/%d/%n
pass_filter = (&(maildrop=%u)(mailacceptinguser=1))
default_pass_scheme = PLAIN-MD5
-----------------------------------------------------------------
This setup is currently working for some test users (the others are
still being auth'ed with the old MySQL passdb).
Unfortunately, I seem to have run into a big problem on an occasion
when dovecot was unable to connect to my first server (gold) and hence went
to the second one (extra). Backtracking from the logs (starting with
dovecot-error.log):
Mar 31 13:11:50 bunker dovecot: auth(default): LDAP: ldap_result()
failed: Can't contact LDAP server
Mar 31 13:11:50 bunker dovecot: auth-worker(default): LDAP:
ldap_result() failed: Can't contact LDAP server
--------------------
This is when the users stopped being able to login via imap, with the
following message being shown on dovecot-info.log:
Mar 31 13:13:00 bunker dovecot: auth(default):
ldap(user at domain.com,xxx.xxx.xxx.xxx): unknown user
(I know, an auth_debug log would be handy here, but it wasn't activated
at the time).
I went on to investigate and from the slapd logs I noticed that the
second LDAP server (extra) was being contacted for the passdb lookups,
thus proving that dovecot considered gold to be dead (it wasn't, but
that's a different matter).
Anyway, the problem is that dovecot doesn't seem to be able to retrieve
the user information from extra. As the slapd log shows:
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SRCH
base="ou=people,dc=example,dc=com" scope=1 deref=0
filter="(&(?=undefined)(?=undefined))"
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SRCH
attr=userPassword
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SEARCH RESULT tag=101
err=0 nentries=0 text=
For some reason, dovecot sends an undefined filter to extra, even though
the same filter works without issues with gold (and remember they are
"clones"). I just can't see how this is caused by any of my
configurations!
Any ideas?
Thanks in advance,
--
Daniel Gomes
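One check a practitioner would make at this point, added here as an example and not something from the original post: slapd logs a filter component whose attribute type is not defined in its schema as `(?=undefined)`, so the attribute names in `pass_filter` can be compared against what each server's schema actually defines. The per-host attribute sets and the test user below are constructed stand-ins; in practice they would be read from each server's `cn=Subschema` entry.

```python
import re

# The pass_filter from the post; %u/%n/%d are Dovecot variables.
PASS_FILTER = "(&(maildrop=%u)(mailacceptinguser=1))"

# Constructed stand-ins for the attribute types each server's schema
# advertises (cn=Subschema attributeTypes). Hypothetical values: they
# only illustrate a replica that lacks the custom mail attributes.
SCHEMAS = {
    "gold.example.com": {"cn", "userPassword", "maildrop", "mailacceptinguser"},
    "extra.example.com": {"cn", "userPassword"},
}

def expand_vars(template, user):
    """Expand the Dovecot %u (full login), %n (local part) and %d (domain)."""
    local, _, domain = user.partition("@")
    return template.replace("%u", user).replace("%n", local).replace("%d", domain)

# Matches "(attr=" / "(attr~=" / "(attr>=" / "(attr<=" in an RFC 4515 filter.
# Extensible-match components like "(cn:dn:=x)" are not handled here.
_ATTR_RE = re.compile(r"\(\s*([A-Za-z][A-Za-z0-9.;-]*)\s*(?:~=|>=|<=|=)")

def filter_attributes(ldap_filter):
    """Return the attribute types an LDAP search filter references."""
    return sorted({m.group(1) for m in _ATTR_RE.finditer(ldap_filter)})

def undefined_attributes(ldap_filter, schema_attrs):
    """Filter attributes a server's schema does not define.

    slapd renders each such component as (?=undefined), and a filter
    built from them never matches, so the search returns nentries=0.
    LDAP attribute names are case-insensitive, hence the lower().
    """
    known = {a.lower() for a in schema_attrs}
    return [a for a in filter_attributes(ldap_filter) if a.lower() not in known]

def check_servers(ldap_filter, schemas):
    """Map each host to the filter attributes its schema lacks."""
    return {host: undefined_attributes(ldap_filter, attrs)
            for host, attrs in schemas.items()}

if __name__ == "__main__":
    expanded = expand_vars(PASS_FILTER, "user@domain.com")  # constructed login
    for host, missing in check_servers(expanded, SCHEMAS).items():
        print(host, "OK" if not missing else "undefined: " + ", ".join(missing))
```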