[Dovecot] Dovecot LDAP issue
Steffen Kaiser
skdovecot at smail.inf.fh-brs.de
Tue Apr 8 14:27:41 UTC 2014
On Tue, 8 Apr 2014, Deeztek Support wrote:
> Date: Tue, 8 Apr 2014 05:36:51 -0400
> From: Deeztek Support <support at deeztek.com>
> Reply-To: Dovecot Mailing List <dovecot at dovecot.org>
> To: dovecot at dovecot.org
> Subject: Re: [Dovecot] Dovecot LDAP issue
>
> On 4/8/2014 2:18 AM, Steffen Kaiser wrote:
>> The primary question is: Does
>>
>> ldapsearch -H ldap://server.domain.tld:389 \
>> -b dc=domain,dc=tld -D ... -W \
>> '(&(userPrincipalName=<<user>>)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
>>
>> return the user?
>
> yes it does. The authentication with AD works as it should as long as dovecot
> is pointing to the right OU.
You misunderstood the vivid points of this command:
a) the base DN is the one you want, but is not working with Dovecot
b) you perform a LDAP search in the local DC, not in Global Catalog
c) that you've authenticated correctly is just a side effect to know
>> How many domain controllers do you have in the AD? Which of them holds
>> which domains? See http://technet.microsoft.com/en-us/library/cc978012.aspx
>>
>
> I have one domain controller and there is only one domain. I think we are
> getting off track here. There is no problem with authentication. Maybe I need
> to be more clear.
> Dovecot is able to authenticate with active directory as long as the "base =
> " parameter in "/etc/dovecot/dovecot-ldap.conf" is pointing to the OU that
> the dovecot users are in. However, I have another OU where my Exchange users
> are. So, when I try to send email from a dovecot user to an Exchange user,
> dovecot throws the error "user unknown" because it's not able to find the
> Exchange user since it's in a different OU. When I set the "base =" parameter
> in "/etc/dovecot/dovecot-ldap.conf" to domain root i.e. instead of having it
> say:
>
> base = ou=testou,dc=domain,dc=tld
>
> I set it to:
>
> base = dc=domain,dc=tld
>
> so it can look up all users in the entire domain
>
> then dovecot stops authenticating with AD altogether
As the page points out, there are differences between LDAP and GC
search in the sense of what results are found.
See: http://wiki2.dovecot.org/AuthDatabase/LDAP
"Active Directory
When connecting to AD, you may need to use port 3268. Then again, not all
LDAP fields are available in port 3268. Use whatever works.
http://technet.microsoft.com/en-us/library/cc978012.aspx "
The ldapsearch is to verify that your AD searches more than one OU at all.
--
Steffen Kaiser
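The two settings the thread is comparing, side by side in one dovecot-ldap.conf, as an added configuration example that is not from the thread or the Dovecot project. Hostname, base DN, service account and mail path are placeholders; the filter is the one from the ldapsearch above.

```ini
# Added example (not from the thread): /etc/dovecot/dovecot-ldap.conf for AD.
# server.domain.tld, dc=domain,dc=tld, the lookup account and /var/vmail
# are placeholders to be replaced with your own values.

# --- What the thread started with: plain LDAP, search limited to one OU ---
# Only objects under ou=testou are found, so an Exchange user in a different
# OU never matches the userdb lookup and delivery reports "user unknown".
#hosts = server.domain.tld:389
#base  = ou=testou,dc=domain,dc=tld

# --- Domain-wide lookup through the Global Catalog (port 3268) ---
# The GC answers for the whole forest, so one base at the domain root covers
# every OU. Caveat from the wiki quote: the GC only returns the partial
# attribute set replicated to it, so any attribute mapped below that comes
# back empty is not in the GC and has to be fetched from port 389 instead.
hosts        = server.domain.tld:3268
base         = dc=domain,dc=tld
scope        = subtree
ldap_version = 3

# Dedicated read-only lookup account; Dovecot never needs an admin bind.
dn     = cn=dovecot-lookup,ou=service,dc=domain,dc=tld
dnpass = CHANGE-ME-placeholder

# Verify passwords by binding as the user rather than reading hashes from AD.
auth_bind = yes

# Match on the UPN, require a person object, and exclude disabled accounts:
# the bitwise OID match tests userAccountControl bit 2 (ACCOUNTDISABLE).
pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs  = userPrincipalName=user

# Same filter for the userdb, so LDA/LMTP finds the Exchange users as well
# and a disabled account cannot receive or read mail either.
user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
user_attrs  = =home=/var/vmail/%d/%n
```

If a needed attribute is missing from the GC result, keep the domain-root base but point hosts back at port 389 and check whether the search still returns users from both OUs there.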