My dovecot works fine against Active Directory 2003, but not against AD2008

Fran cumc-4361-2 at chguadalquivir.es
Thu Sep 10 15:14:40 UTC 2015


Thanks again for the solution and for the explanation.

Fran

On 10/09/2015 at 15:40, Matthias Lay wrote:
> Hi Fran,
>
>
> this is not a dovecot problem, that's a pure dns problem and can only
> be fixed in your dns environment.
>
>
> referrals are propagated in a "special" dns design in SRV records.
> so the ldap client performs a dns lookup for these names and this is the
> point of hanging (as in most "hanging cases", it's dns).
>
> see:
> https://technet.microsoft.com/en-us/library/cc978014.aspx
> https://technet.microsoft.com/en-us/library/cc961719.aspx
> http://www.mail-archive.com/cas@tp.its.yale.edu/msg00797.html
>
> for information.
>
>
> Greetz Matze
>
>
>
>
> On Thu, 10 Sep 2015 13:10:57 +0200
> Fran <cumc-4361-2 at chguadalquivir.es> wrote:
>
>> Hi Matthias,
>>
>> thank you very much! that fixed the problem.
>>
>> I had worked around the problem by using "base = ou=xxxx, dc=dom",
>> instead of "base = dc=dom" in the dovecot-ldap.conf.ext file, because
>> that also worked (I don't know why, but the problem happens if you use
>> as base just the domain, but not if you add a second level). But that
>> forced me to use several userdb/passdb block definitions, one for
>> each OU in which I have users, so I think that your fix is better.
>>
>> I'm not able to understand the actual reason behind all this though...
>>
>> What's the technical explanation behind this behaviour?? I mean, it
>> seems that the problem is that the Domain controller (DC) was
>> sending a "referrals" answer and dovecot auth made a connection to
>> these other DCs but something wrong happened (dovecot can't deal
>> correctly with that kind of answers?? I don't know).
>>
>> Anyways, as far as I know:
>>
>> 1) A referral answer should be given by a DC when it can't provide the
>> object that the client is requesting
>> 2) REFERRALS off in ldap.conf means that the client should not follow
>> referrals returned by the DC
>>
>> So, if a referral answer is given by my DC, I think that is because
>> such DC can't provide the object which the client is looking for, so
>> why does it work fine just by telling dovecot: "Don't follow referrals"?
>>
>> Regards
>>
>>
>>
>> On 09/09/2015 at 17:22, Matthias Lay wrote:
>>> hi,
>>>
>>> check your 
>>>
>>> /etc/openldap/ldap.conf
>>>
>>> for
>>>
>>> REFERRALS off
>>>
>>> I had these errors with "referrals on" in misconfigured dns
>>> environments.
>>>
>>>
>>> you can debug the dns packets by strace-ing the auth process
>>>
>>>
>>>
>>>
>>> On Tue, 8 Sep 2015 11:00:37 +0200
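The thread's diagnosis is that the hang is not in dovecot but in the DNS lookups libldap performs when it chases the referrals a domain controller returns. With a subtree search rooted at the domain itself (dc=dom), an AD domain controller returns subordinate referrals for the naming contexts it does not hold locally (DomainDnsZones, ForestDnsZones, Configuration); narrowing the base to an OU keeps the search inside one naming context, which is why that workaround also helped. The script below is an added example (not dovecot code and not from the thread's setup): it parses an /etc/openldap/ldap.conf in the way libldap reads it, decides whether REFERRALS is effectively on, and lists the hostnames the auth process would have to resolve before following each referral. The ldap.conf text and the referral URLs are constructed samples; treating "no" and "false" as equivalent to "off" is an assumption about libldap's boolean parsing.

```python
"""Check whether an OpenLDAP client (such as dovecot's auth process) would
chase LDAP referrals and therefore perform DNS lookups for the referred hosts.

Added example, not dovecot's own code. SAMPLE_LDAP_CONF and SAMPLE_REFERRALS
are constructed samples, not captured from the thread's environment.
"""
from urllib.parse import urlsplit

# Constructed sample of /etc/openldap/ldap.conf. The commented-out line is
# deliberately ignored; the last uncommented REFERRALS line is what counts.
SAMPLE_LDAP_CONF = """\
# OpenLDAP client defaults
BASE    dc=dom
URI     ldap://dc1.dom
TLS_REQCERT never
#REFERRALS off
referrals on
"""

# Constructed sample of the subordinate referrals a domain controller returns
# for a subtree search of the domain root (base = dc=dom).
SAMPLE_REFERRALS = [
    "ldap://DomainDnsZones.dom/DC=DomainDnsZones,DC=dom",
    "ldap://ForestDnsZones.dom/DC=ForestDnsZones,DC=dom",
    "ldap://dom/CN=Configuration,DC=dom",
]


def parse_ldap_conf(text):
    """Return {KEYWORD: value} for ldap.conf settings.

    ldap.conf keywords are case-insensitive; blank lines and lines starting
    with '#' are ignored. In this parser a later line overrides an earlier
    one for the same keyword.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[key] = value
    return settings


def referrals_enabled(settings):
    """libldap follows referrals unless REFERRALS is set to off.

    The default is on. Accepting "no"/"false" as synonyms of "off" is an
    assumption about libldap's boolean parsing, not taken from the thread.
    """
    value = settings.get("REFERRALS", "on").lower()
    return value not in ("off", "no", "false")


def referral_hosts(referral_urls):
    """Hostnames the client must resolve before it can follow each referral.

    Each name your DNS cannot answer for turns into a lookup timeout inside
    the auth process, which is the hang described in the thread.
    """
    hosts = []
    for url in referral_urls:
        host = urlsplit(url).hostname  # lower-cased by urlsplit
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def diagnose(conf_text, referral_urls):
    """Return the hostnames the client would try to resolve while chasing
    referrals, or an empty list when REFERRALS is off (no lookups, no hang)."""
    settings = parse_ldap_conf(conf_text)
    if not referrals_enabled(settings):
        return []
    return referral_hosts(referral_urls)


if __name__ == "__main__":
    pending = diagnose(SAMPLE_LDAP_CONF, SAMPLE_REFERRALS)
    if pending:
        print("REFERRALS is on; auth will DNS-resolve:", ", ".join(pending))
    else:
        print("REFERRALS is off; referrals are ignored")
```

Run it against your real ldap.conf by replacing SAMPLE_LDAP_CONF with the file's contents; the names it prints are the ones to look for in the strace output Matthias mentions (the resolver opens /etc/resolv.conf and sends UDP queries for exactly these names). Setting REFERRALS off in ldap.conf makes the list empty, which matches the fix that resolved the thread.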

