[Dovecot] Dovecot+LDAP issues

Daniel Gomes daniel.gomes at ist.utl.pt
Wed Mar 31 16:59:28 EEST 2010

Dear list members,

I am having some problems with an LDAP passdb authentication on Dovecot.
Before I forget, the specs: it's a Ubuntu 7.10 server running Dovecot
1.0.5 connecting to 2 different machines running LDAP servers: gold with
OpenLDAP 2.4.19 and extra with OpenLDAP 2.4.9 (extra is a replication
slave of gold).

The initial setup of dovecot was with a MySQL passdb, which is still the
first passdb, now followed by my new LDAP passdb, all with a static

Here is my dovecot-ldap.conf (the LDAP passdb) (I switched the domain
with example.com for privacy sake):

hosts = gold.example.com extra.example.com
tls = yes
ldap_version = 3
base = ou=people,dc=example,dc=com
scope = onelevel

user_global_uid = 5000
user_global_gid = 5000

#Bind to read things
dn = cn=dovecot,ou=people,dc=example,dc=com
dnpass = secret
sasl_bind = no
sasl_mech =

#passdb: use password lookups to authenticate users
auth_bind = no
pass_attrs =    userPassword=password
#, =userdb_home=/home/vmail/%d/%n
pass_filter =   (&(maildrop=%u)(mailacceptinguser=1))

default_pass_scheme = PLAIN-MD5


This setup is currently working for some test users (the others are
still being auth'ed with the old MySQL passdb).

Unfortunately, I seem to have run into a big problem on an occasion
when dovecot was unable to connect to my first server (gold) and hence went
to the second one (extra). Backtracking from the logs (starting with

Mar 31 13:11:50 bunker dovecot: auth(default): LDAP: ldap_result()
failed: Can't contact LDAP server
Mar 31 13:11:50 bunker dovecot: auth-worker(default): LDAP:
ldap_result() failed: Can't contact LDAP server


This is when the users stopped being able to login via imap, with the
following message being shown on dovecot-info.log:

Mar 31 13:13:00 bunker dovecot: auth(default):
ldap(user at domain.com,xxx.xxx.xxx.xxx): unknown user

(I know, an auth_debug log would be handy here, but it wasn't activated
at the time).
I went on to investigate and from the slapd logs I noticed that the
second LDAP server (extra) was being contacted for the passdb lookups,
thus proving that dovecot considered gold to be dead (it wasn't, but
that's a different matter).
Anyway, the problem is that dovecot doesn't seem to be able to retrieve
the user information from extra. As the slapd log shows:

Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SRCH
base="ou=people,dc=example,dc=com" scope=1 deref=0
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SRCH
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SEARCH RESULT tag=101
err=0 nentries=0 text=

For some reason, dovecot sends an undefined filter to extra, even though
the same filter works without issues with gold (and remember they are
"clones"). I just can't see how this is caused by any of my

Any ideas?

Thanks in advance,

Daniel Gomes
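To spot this condition on the replica from its own logs, here is an added Python example (not from the original mail, nor from Dovecot or OpenLDAP) that pairs each slapd SRCH line with its SEARCH RESULT and flags lookups that return no entries or carry the `(?=undefined)` filter OpenLDAP logs when a filter names an attribute type its schema does not know. The log lines are constructed samples in the stats-level format shown in the mail.

```python
"""Parse OpenLDAP slapd stats-level log lines, pair each SRCH with its
SEARCH RESULT and flag lookups that a Dovecot passdb would treat as a miss."""
import re
from collections import defaultdict

# Constructed sample lines in the format slapd emits at loglevel stats.
SAMPLE_LOG = """\
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=139 SRCH base="ou=people,dc=example,dc=com" scope=1 deref=0 filter="(&(maildrop=alice@example.com)(mailacceptinguser=1))"
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=139 SRCH attr=userPassword
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=139 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SRCH base="ou=people,dc=example,dc=com" scope=1 deref=0 filter="(?=undefined)"
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SRCH attr=userPassword
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

OP_RE = re.compile(r'conn=(\d+) op=(\d+) (SRCH|SEARCH RESULT) (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')  # key=value or key="quoted value"

def parse_search_ops(log_text):
    """Return {(conn, op): {field: value}} merging the SRCH lines and the
    SEARCH RESULT line that belong to the same operation."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        for k, v in KV_RE.findall(m.group(4)):
            ops[key][k] = v.strip('"')
    return dict(ops)

def suspicious_lookups(log_text):
    """List (conn, op, reason) for searches a passdb lookup would report as
    'unknown user': an undefined filter, or a clean result with no entries."""
    findings = []
    for (conn, op), f in sorted(parse_search_ops(log_text).items()):
        if f.get('filter') == '(?=undefined)':
            findings.append((conn, op, 'filter undefined: attribute not in schema'))
        elif f.get('err') == '0' and f.get('nentries') == '0':
            findings.append((conn, op, 'search ok but zero entries'))
    return findings

if __name__ == '__main__':
    for conn, op, reason in suspicious_lookups(SAMPLE_LOG):
        print(f'conn={conn} op={op}: {reason}')
```

Run it against a replica's slapd log to see whether the second host is actually answering the same filter the master sees, or rejecting it as undefined.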

