[Dovecot] Dovecot-2.0.11 searches in all LDAP directory
Басов Евгений
worklord at yandex.ru
Sat Mar 26 21:31:02 EET 2011
Hello.
I have some user IDs in different OUs with different passwords. The base OU
for the mail server is 'ou=Mail, dc=ph, dc=com'.
Trying manual search:
# ldapsearch -b 'ou=Mail, dc=ph, dc=com' -D 'cn=bind, ou=Users, dc=ph,
dc=com' -w XXX -s sub -h mainserv.ph.com
'(&(objectClass=qmailUser)(uid=someuser))' uid mailMessageStore
…
# extended LDIF
…
uid: someuser
mailMessageStore: /var/mail/someuser/Maildir/
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
It works fine.
My dovecot configuration:
# 2.0.11: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.36-gentoo-r5 x86_64 Gentoo Base System release 2.0.1
base_dir = /var/run/dovecot/
listen = *
login_trusted_networks = 192.168.1.0/24
mail_location = maildir:~/.maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date
passdb {
args = *
driver = pam
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
plugin/sieve = ~/.dovecot.sieve
plugin/sieve_dir = ~/sieve
protocols = imap
ssl_cert = </etc/ssl/dovecot/server.pem
ssl_key = </etc/ssl/dovecot/server.key
userdb {
driver = passwd
}
userdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
verbose_proctitle = yes
protocol lda {
mail_plugins = sieve
}
My /etc/dovecot/dovecot-ldap.conf.ext:
hosts = mainserv.ph.com
dn = cn=bind, ou=Users, dc=ph, dc=com
dnpass = XXX
debug_level = 255
auth_bind = yes
ldap_version = 3
base = ou=Mail, dc=ph, dc=com
scope = subtree
user_attrs = mailMessageStore=home
user_filter = (&(objectClass=qmailUser)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=qmailUser)(uid=%u))
I tested IMAP over telnet:
$ telnet mainserv.ph.com 143
Trying 192.168.1.252...
Connected to mainserv.ph.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
a001 LOGIN someuser password1
Two passwords were tested: for the uid from ou=Mail and from ou=Users. LDAP logs
of the searches:
slapd[1917]: filter: (&(objectClass=posixAccount)(uid=someuser))
slapd[1917]: attrs:
slapd[1917]: uid
slapd[1917]: userPassword
slapd[1917]: uidNumber
slapd[1917]: gidNumber ... and so on
after this:
slapd[1917]: => access_allowed: search access to "cn=John
Smith,ou=Mail,dc=ph,dc=com" "objectClass" requested
slapd[1917]: => dn: [2] ou=mail,dc=ph,dc=com
slapd[1917]: => acl_get: [2] matched
slapd[1917]: => acl_get: [2] attr objectClass ... and so on
I have some questions:
1. Why does it search in other LDAP locations, not only ou=Mail,
dc=ph, dc=com?
2. It does not use the mailMessageStore from ou=Mail, dc=ph, dc=com. Why?
3. How do I disable lookups in other LDAP locations except ou=Mail, dc=ph,
dc=com?
Thanks for any answers.
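A small diagnostic for the situation described in this post, added here as an example (it is not part of the original message nor Dovecot's own code). It renders the pass_filter and user_filter templates from a copy of the posted dovecot-ldap.conf.ext for a given username, then walks constructed slapd log lines modelled on the ones above and reports two things: filters that none of the configured templates could have produced (such as the posixAccount filter seen in the log, which does not match the qmailUser templates and therefore comes from some other client or configuration), and DNs outside the configured base. The config text, the log lines and the username are constructed from the post; the RFC 4515 value escaping is the example's own rendering step and says nothing about how Dovecot escapes %u internally.

```python
"""Compare slapd search logs against what a dovecot-ldap.conf.ext could generate.

Added example, not from the mailing-list post or from Dovecot itself.
"""
import re

# Constructed copy of the configuration shown in the post.
DOVECOT_LDAP_CONF = """\
hosts = mainserv.ph.com
dn = cn=bind, ou=Users, dc=ph, dc=com
dnpass = XXX
auth_bind = yes
base = ou=Mail, dc=ph, dc=com
scope = subtree
user_attrs = mailMessageStore=home
user_filter = (&(objectClass=qmailUser)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=qmailUser)(uid=%u))
"""

# Constructed slapd log excerpt modelled on the lines quoted in the post.
SLAPD_LOG = """\
slapd[1917]: filter: (&(objectClass=posixAccount)(uid=someuser))
slapd[1917]: => access_allowed: search access to "cn=John Smith,ou=Mail,dc=ph,dc=com" "objectClass" requested
slapd[1917]: filter: (&(objectClass=qmailUser)(uid=someuser))
slapd[1917]: => access_allowed: search access to "uid=someuser,ou=Users,dc=ph,dc=com" "uid" requested
"""


def parse_conf(text):
    """Parse the key = value lines of a dovecot-ldap.conf.ext style file."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter (example's own)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def render_filter(template, username):
    """Expand %u in a pass_filter/user_filter template for one username."""
    return template.replace("%u", escape_filter_value(username))


def normalize_dn(dn):
    """Case- and whitespace-insensitive comparison key for a DN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under_base(dn, base):
    """True when dn equals base or lies somewhere below it in the tree."""
    n_dn, n_base = normalize_dn(dn), normalize_dn(base)
    return n_dn == n_base or n_dn.endswith("," + n_base)


FILTER_RE = re.compile(r"filter: (\(.*\))\s*$")
ACCESS_RE = re.compile(r'search access to "([^"]+)"')


def audit(conf, log_text, username):
    """Return (filters not produced by the config, DNs outside the configured base)."""
    expected = {render_filter(conf[key], username) for key in ("pass_filter", "user_filter")}
    foreign_filters, out_of_base = [], []
    for line in log_text.splitlines():
        m = FILTER_RE.search(line)
        if m and m.group(1) not in expected:
            foreign_filters.append(m.group(1))
        m = ACCESS_RE.search(line)
        if m and not dn_under_base(m.group(1), conf["base"]):
            out_of_base.append(m.group(1))
    return foreign_filters, out_of_base


if __name__ == "__main__":
    foreign, outside = audit(parse_conf(DOVECOT_LDAP_CONF), SLAPD_LOG, "someuser")
    for f in foreign:
        print("filter not derivable from dovecot-ldap.conf.ext:", f)
    for dn in outside:
        print("DN outside configured base:", dn)
```

Run it against a real slapd log (loglevel with filter/ACL output, as in the post) and the actual config: a reported filter is evidence that a client other than this Dovecot LDAP passdb/userdb issued the search, and a reported DN shows the query reached a part of the tree that base and scope should have excluded, which is the first thing to check before blaming the Dovecot configuration itself.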