[Dovecot] Active Directory LDAP userdb and dovecot
Simone Ferretti
simone at galliera.it
Fri Dec 6 13:01:01 EET 2013
Hello everybody,
I have a problem with LDAP userdb and dovecot. Let me first explain
my LDAP configuration: I have three Active Directory LDAP servers
(a.galliera.it, b.galliera.it, c.galliera.it) responding round robin
to the name galliera.it.
I want to use LDAP for the userdb lookup, so I configured
dovecot-ldap-userdb.conf.ext as follows:
hosts = galliera.it # round robin
base = dc=galliera,dc=it
ldap_version = 3
auth_bind=yes
auth_bind_userdn = %n@galliera.it
dn=CN=stampa,CN=Users,DC=galliera,DC=it
dnpass=stampa
base = DC=galliera,DC=it
scope = subtree
deref = always
user_attrs = sAMAccountName=home=/home/dovecot.galliera.it/%$,=uid=8,=gid=8
user_filter = (&(objectClass=person)(sAMAccountName=%n))
default_pass_scheme=CRYPT
With this configuration everything goes fine: I can authenticate and
look up my users in the expected way. What follows is the conversation
between (one of) the LDAP server(s) and dovecot after issuing the
command
$ doveadm user -u <user>@galliera.it :
62.785686 10.0.31.235 -> 10.0.5.0 TCP 74 43053 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=536265719 TSecr=0 WS=32
62.786216 10.0.5.0 -> 10.0.31.235 TCP 78 ldap > 43053 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0 SACK_PERM=1
62.786279 10.0.31.235 -> 10.0.5.0 TCP 66 43053 > ldap [ACK] Seq=1 Ack=1 Win=14624 Len=0 TSval=536265719 TSecr=0
62.786394 10.0.31.235 -> 10.0.5.0 LDAP 122 bindRequest(1) "CN=stampa,CN=Users,DC=galliera,DC=it" simple
62.786583 10.0.31.235 -> 10.0.5.0 TCP 74 43054 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=536265719 TSecr=0 WS=32
62.786953 10.0.5.0 -> 10.0.31.235 TCP 78 ldap > 43054 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0 SACK_PERM=1
62.787008 10.0.31.235 -> 10.0.5.0 TCP 66 43054 > ldap [ACK] Seq=1 Ack=1 Win=14624 Len=0 TSval=536265719 TSecr=0
62.787039 10.0.31.235 -> 10.0.5.0 LDAP 122 bindRequest(1) "CN=stampa,CN=Users,DC=galliera,DC=it" simple
62.788484 10.0.5.0 -> 10.0.31.235 LDAP 88 bindResponse(1) success
62.788528 10.0.31.235 -> 10.0.5.0 TCP 66 43053 > ldap [ACK] Seq=57 Ack=23 Win=14624 Len=0 TSval=536265719 TSecr=36040952
62.789334 10.0.5.0 -> 10.0.31.235 LDAP 88 bindResponse(1) success
62.789365 10.0.31.235 -> 10.0.5.0 TCP 66 43054 > ldap [ACK] Seq=57 Ack=23 Win=14624 Len=0 TSval=536265720 TSecr=36040952
62.789462 10.0.31.235 -> 10.0.5.0 LDAP 174 searchRequest(2) "DC=galliera,DC=it" wholeSubtree
62.790396 10.0.5.0 -> 10.0.31.235 LDAP 392 searchResEntry(2) "CN=Marco De benedetto,OU=S.S.C. Area sistemistica,OU=S.C. S.I.e.T. - Servizi informatici e telecomunicazioni,OU=Dipartimento di Staff,OU=Direzione generale,DC=galliera,DC=it" | searchResRef(2) | searchResDone(2) success
62.790508 10.0.31.235 -> 10.0.5.0 LDAP 191 searchRequest(3) "CN=Configuration,DC=galliera,DC=it" wholeSubtree
62.791077 10.0.5.0 -> 10.0.31.235 LDAP 168 searchResRef(3) | searchResDone(3) success
62.791172 10.0.31.235 -> 10.0.5.0 LDAP 203 searchRequest(4) "CN=Schema,CN=Configuration,DC=galliera,DC=it" wholeSubtree
62.791838 10.0.5.0 -> 10.0.31.235 LDAP 88 searchResDone(4) success
62.828752 10.0.31.235 -> 10.0.5.0 TCP 66 43054 > ldap [ACK] Seq=427 Ack=473 Win=15680 Len=0 TSval=536265730 TSecr=36040952
Strange things happen instead if I change the 'hosts' configuration
variable to one (no matter what) of the domain controllers e.g.:
hosts = a.galliera.it
base = dc=galliera,dc=it
ldap_version = 3
auth_bind=yes
auth_bind_userdn = %n@galliera.it
dn=CN=stampa,CN=Users,DC=galliera,DC=it
dnpass=stampa
base = DC=galliera,DC=it
scope = subtree
deref = always
user_attrs = sAMAccountName=home=/home/dovecot.galliera.it/%$,=uid=8,=gid=8
user_filter = (&(objectClass=person)(sAMAccountName=%n))
default_pass_scheme=CRYPT
Changing this variable to only one of the domain controllers makes the
doveadm request (issued as above) hang for some seconds and then exit
with a Request time out message.
This is the conversation record; you can note that there is *more than
one* LDAP server involved in the conversation despite the fact that in
the conf file only one is specified:
3427.019635 10.0.31.235 -> 10.0.10.0 TCP 74 33963 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=537106777 TSecr=0 WS=32
3427.020428 10.0.10.0 -> 10.0.31.235 TCP 78 ldap > 33963 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0 SACK_PERM=1
3427.020489 10.0.31.235 -> 10.0.10.0 TCP 66 33963 > ldap [ACK] Seq=1 Ack=1 Win=14624 Len=0 TSval=537106777 TSecr=0
3427.020562 10.0.31.235 -> 10.0.10.0 LDAP 122 bindRequest(1) "CN=stampa,CN=Users,DC=galliera,DC=it" simple
3427.021894 10.0.31.235 -> 10.0.10.0 TCP 74 33964 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=537106778 TSecr=0 WS=32
3427.022474 10.0.10.0 -> 10.0.31.235 LDAP 88 bindResponse(1) success
3427.022498 10.0.31.235 -> 10.0.10.0 TCP 66 33963 > ldap [ACK] Seq=57 Ack=23 Win=14624 Len=0 TSval=537106778 TSecr=33551087
3427.022805 10.0.10.0 -> 10.0.31.235 TCP 78 ldap > 33964 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0 SACK_PERM=1
3427.022868 10.0.31.235 -> 10.0.10.0 TCP 66 33964 > ldap [ACK] Seq=1 Ack=1 Win=14624 Len=0 TSval=537106778 TSecr=0
3427.022996 10.0.31.235 -> 10.0.10.0 LDAP 122 bindRequest(1) "CN=stampa,CN=Users,DC=galliera,DC=it" simple
3427.024537 10.0.10.0 -> 10.0.31.235 LDAP 88 bindResponse(1) success
3427.024574 10.0.31.235 -> 10.0.10.0 TCP 66 33964 > ldap [ACK] Seq=57 Ack=23 Win=14624 Len=0 TSval=537106778 TSecr=33551087
3427.024884 10.0.31.235 -> 10.0.10.0 LDAP 176 searchRequest(2) "DC=galliera,DC=it" wholeSubtree
3427.028078 10.0.10.0 -> 10.0.31.235 LDAP 391 searchResEntry(2) "CN=Simone Ferretti,OU=S.S.C. Area sistemistica,OU=S.C. S.I.e.T. - Servizi informatici e telecomunicazioni,OU=Dipartimento di Staff,OU=Direzione generale,DC=galliera,DC=it" | searchResRef(2) | searchResDone(2) success
3427.028426 10.0.31.235 -> 10.0.5.0 TCP 74 43077 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=537106779 TSecr=0 WS=32
3427.028882 10.0.5.0 -> 10.0.31.235 TCP 78 ldap > 43077 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0 SACK_PERM=1
3427.028932 10.0.31.235 -> 10.0.5.0 TCP 66 43077 > ldap [ACK] Seq=1 Ack=1 Win=14624 Len=0 TSval=537106780 TSecr=0
3427.029091 10.0.31.235 -> 10.0.5.0 LDAP 80 bindRequest(4) "<ROOT>" simple
3427.029816 10.0.5.0 -> 10.0.31.235 LDAP 88 bindResponse(4) success
3427.029832 10.0.31.235 -> 10.0.5.0 TCP 66 43077 > ldap [ACK] Seq=15 Ack=23 Win=14624 Len=0 TSval=537106780 TSecr=36074586
3427.030001 10.0.31.235 -> 10.0.5.0 LDAP 193 searchRequest(3) "CN=Configuration,DC=galliera,DC=it" wholeSubtree
3427.030980 10.0.5.0 -> 10.0.31.235 LDAP 168 searchResRef(3) | searchResDone(3) success
3427.064639 10.0.31.235 -> 10.0.10.0 TCP 66 33964 > ldap [ACK] Seq=167 Ack=348 Win=15680 Len=0 TSval=537106789 TSecr=33551087
3427.068791 10.0.31.235 -> 10.0.5.0 TCP 66 43077 > ldap [ACK] Seq=142 Ack=125 Win=14624 Len=0 TSval=537106790 TSecr=36074586
Does anyone have an idea of what is going on?
My dovecot version is 2.2.9 (5c170e0786f3) running on Debian wheezy
3.2.0-4-amd64. My Active Directory server is a Windows Server 2003 R2.
Here follows my doveconf -n:
# 2.2.9 (5c170e0786f3): /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.2 ext4
auth_cache_size = 8 k
auth_debug = yes
auth_master_user_separator = *
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@+
auth_verbose = yes
disable_plaintext_auth = no
first_valid_uid = 5
hostname = dovecot.galliera.it
last_valid_uid = 100000
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_access_groups = mail
mail_debug = yes
mail_gid = mail
mail_location = maildir:/home/%d/%n/Maildir
mail_privileged_group = mail
mail_uid = mail
maildir_very_dirty_syncs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
list = children
location = maildir:/var/mail/shared/istituzionali:INDEX=/var/mail/shared/istituzionali/INDEX/%n
prefix = Avvisi al personale.
subscriptions = yes
type = public
}
namespace inbox {
inbox = yes
location =
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
auto = subscribe
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
subscriptions = yes
type = private
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
plugin {
acl = vfile
fts = squat
fts_squat = partial=4 full=10
mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
mail_log_fields = from subject uid box msgid size
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
}
postmaster_address = postmaster@galliera.it
protocols = " imap lmtp sieve pop3"
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-master {
mode = 0600
user = mail
}
unix_listener auth-userdb {
mode = 0777
user = mail
}
user = root
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
}
ssl = no
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
syslog_facility = local5
userdb {
args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
driver = ldap
}
protocol imap {
mail_max_userip_connections = 30
mail_plugins = fts fts_squat mail_log zlib acl imap_acl notify
}
protocol pop3 {
pop3_uidl_format = %v.%u
}
Thanks in advance and ciao!
Simone
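The two captures above can be read mechanically. The script below is an added example, not part of the original post and not Dovecot code: it re-joins the tshark summary lines that the mail client wrapped, then reports which LDAP servers the client actually contacted compared with the server(s) the `hosts` setting names, how many `searchResRef` referrals came back, and which binds were anonymous (tshark prints an empty bind DN as `<ROOT>`) or simple binds decoded as plain LDAP, i.e. with the `dnpass` password on the wire in the clear. The sample capture is a constructed subset of the second trace; that `a.galliera.it` resolves to 10.0.10.0 is an assumption taken from the first connection in that trace, and `10.0.31.235` is the Dovecot host as it appears there.

```python
"""Flag LDAP referral chasing and cleartext binds in a tshark text capture.

Added example (not from the original post or from Dovecot).
"""
import re

# Constructed sample in the shape of the second capture in the post,
# including the wrapped continuation lines as they appear in the mail.
SAMPLE_CAPTURE = """\
3427.020562 10.0.31.235 -> 10.0.10.0 LDAP 122 bindRequest(1)
"CN=stampa,CN=Users,DC=galliera,DC=it" simple
3427.022474 10.0.10.0 -> 10.0.31.235 LDAP 88 bindResponse(1) success
3427.024884 10.0.31.235 -> 10.0.10.0 LDAP 176 searchRequest(2)
"DC=galliera,DC=it" wholeSubtree
3427.028078 10.0.10.0 -> 10.0.31.235 LDAP 391 searchResEntry(2)
"CN=Simone Ferretti,OU=Direzione generale,DC=galliera,DC=it" | searchResRef(2) |
searchResDone(2) success
3427.028426 10.0.31.235 -> 10.0.5.0 TCP 74 43077 > ldap [SYN]
Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=537106779 TSecr=0
3427.029091 10.0.31.235 -> 10.0.5.0 LDAP 80 bindRequest(4) "<ROOT>" simple
3427.029816 10.0.5.0 -> 10.0.31.235 LDAP 88 bindResponse(4) success
3427.030001 10.0.31.235 -> 10.0.5.0 LDAP 193 searchRequest(3)
"CN=Configuration,DC=galliera,DC=it" wholeSubtree
3427.030980 10.0.5.0 -> 10.0.31.235 LDAP 168 searchResRef(3) |
searchResDone(3) success
"""

# Assumption: 10.0.10.0 is what the configured host a.galliera.it resolves
# to (it is the first DC contacted in that capture); 10.0.31.235 is Dovecot.
CLIENT_IP = "10.0.31.235"
CONFIGURED_SERVERS = {"10.0.10.0"}

PACKET_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+\d+\s+(?P<info>.*)$"
)
BIND_RE = re.compile(r'^bindRequest\((?P<id>\d+)\)\s+"(?P<dn>[^"]*)"\s+(?P<method>\S+)')


def join_wrapped(text):
    """Re-join packet summaries wrapped over several lines by a mail client.

    A line that does not start with a tshark timestamp continues the
    previous packet line.
    """
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(r"^\d+\.\d+\s", line):
            packets.append(line)
        elif packets:
            packets[-1] += " " + line
    return packets


def parse_ldap_ops(text):
    """Return one dict per LDAP operation (tshark joins several with ' | ')."""
    ops = []
    for line in join_wrapped(text):
        m = PACKET_RE.match(line)
        if not m or m.group("proto") != "LDAP":
            continue  # TCP handshake/ACK lines carry no LDAP operation
        for op in m.group("info").split(" | "):
            ops.append({"ts": float(m.group("ts")), "src": m.group("src"),
                        "dst": m.group("dst"), "op": op.strip()})
    return ops


def analyze(text, client_ip, configured_servers):
    """Summarise servers contacted, referrals, anonymous and cleartext binds."""
    ops = parse_ldap_ops(text)
    servers = {o["dst"] for o in ops if o["src"] == client_ip}
    referrals = [o for o in ops if o["op"].startswith("searchResRef(")]
    binds = []
    for o in ops:
        m = BIND_RE.match(o["op"])
        if m:
            binds.append((o["dst"], int(m.group("id")), m.group("dn"), m.group("method")))
    return {
        "servers_contacted": servers,
        # any server outside the configured set was reached by chasing a referral
        "unexpected_servers": servers - set(configured_servers),
        "referrals": len(referrals),
        # tshark prints an empty bind DN as <ROOT>: an anonymous bind
        "anonymous_binds": [(dst, mid) for dst, mid, dn, _ in binds if dn in ("", "<ROOT>")],
        # a 'simple' bind that tshark could decode as LDAP (not TLS) carries
        # the password in the clear
        "cleartext_simple_binds": sum(1 for *_, method in binds if method == "simple"),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CAPTURE, CLIENT_IP, CONFIGURED_SERVERS).items():
        print(f"{key}: {value}")
```

On the sample the script reports 10.0.5.0 as a server not named by `hosts`, two referrals, one anonymous bind (message id 4, to 10.0.5.0) and two simple binds in the clear. The second connection and the `<ROOT>` bind are the signature of the LDAP client library following the referral that Active Directory returns for a subtree search at the domain root; the same check applied to the first trace shows the referred searches for `CN=Configuration` and `CN=Schema` landing on the same DC because the referral target `galliera.it` happened to resolve there. Whatever the referral behaviour, a simple bind on plain port 389 exposes the `dn` account's password to anyone on the path, and `ssl = no` in the `doveconf -n` output means the IMAP/POP side is no better; LDAPS or StartTLS for the directory connection is the first thing to change.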