-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 8 Apr 2014, Deeztek Support wrote:
Date: Tue, 8 Apr 2014 05:36:51 -0400
From: Deeztek Support <support@deeztek.com>
Reply-To: Dovecot Mailing List <dovecot@dovecot.org>
To: dovecot@dovecot.org
Subject: Re: [Dovecot] Dovecot LDAP issue
On 4/8/2014 2:18 AM, Steffen Kaiser wrote:
The primary question is: Does

ldapsearch -H ldap://server.domain.tld:389 \
  -b dc=domain,dc=tld -D ... -W \
  '(&(userPrincipalName=<<user>>)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

return the user?
yes it does. The authentication with AD works as it should as long as dovecot is pointing to the right OU.
You misunderstood the vivid points of this command:
a) the base DN is the one you want, but is not working with Dovecot
b) you perform an LDAP search in the local DC, not in the Global Catalog
c) that you've authenticated correctly is just a side effect to know
How many domain controllers do you have in the AD? Which of them holds which domains? See http://technet.microsoft.com/en-us/library/cc978012.aspx
I have one domain controller and there is only one domain. I think we are getting off track here. There is no problem with authentication. Maybe I need to be more clear.
Dovecot is able to authenticate with Active Directory as long as the "base = " parameter in "/etc/dovecot/dovecot-ldap.conf" is pointing to the OU that the dovecot users are in. However, I have another OU where my Exchange users are. So, when I try to send email from a dovecot user to an Exchange user, dovecot throws the error "user unknown" because it's not able to find the Exchange user since it's in a different OU. When I set the "base =" parameter in "/etc/dovecot/dovecot-ldap.conf" to the domain root, i.e. instead of having it say:
base = ou=testou,dc=domain,dc=tld
I set it to:
base = dc=domain,dc=tld
so it can look up all users in the entire domain,
then dovecot stops authenticating with AD altogether
As the page points out, there are differences between LDAP and GC search in the sense of what results are found.
See: http://wiki2.dovecot.org/AuthDatabase/LDAP
"Active Directory
When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx "
The ldapsearch is to verify that your AD searches more than one OU at all.
Steffen Kaiser

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBU0QHXXD1/YhP6VMHAQKsSQgAl/22Zo1KUJfKOML5Gb7P3xUv/Wl9heub
ZskcKOIdH+QTkaiSaTeDfnPlugvJKKg5kXvhjfjVn5NrezUxiwa9gLvWypwDwYRM
CT2Ba10c0Fokl/JRTfmVwaaOt5VDIaValg7gw/xfQRTFEQ5Ls6QefWyVJhkZrnuo
pgB8Y3vLekyeg0gXfB0nj4lk5bU6GdacPMJJdcbTHsWOIQRpsxErF3oijJwWInea
DBFHcJsQJLnoP6LqpaLGAkalrbYdLY3zqzheIE978olDTBk75dqeiqEO88Fs3kpX
cgtO+vpeIQVRXVrtnGYAkIhCegTJ2IWLpsU0pgOjJtvEFUgUCBSLug==
=mWc0
-----END PGP SIGNATURE-----
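The thread turns on two things a subtree LDAP search does with the filter Steffen posted: which entries fall under the configured base DN, and how the userAccountControl bit-rule clause excludes disabled accounts. The following Python script is an added offline model of that search, not code from the Dovecot project or from either poster. It constructs a small sample directory (the ou=exchange name and the entries are assumptions; the thread only says the Exchange users live in "another OU") and evaluates the thread's filter against it with the two base DNs from the post, so you can see why base = ou=testou,dc=domain,dc=tld finds only the dovecot users while base = dc=domain,dc=tld covers both OUs.

```python
"""Offline model of the AD search discussed in the thread: which entries a
subtree search with a given base DN and the posted filter returns.
Added example with constructed sample data, not code from Dovecot or the
list posters.  Assumption: domain dc=domain,dc=tld with two OUs."""

ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by the filter's bit-AND rule

# Constructed directory: dovecot users under ou=testou (from the thread),
# Exchange users under ou=exchange (OU name assumed).
DIRECTORY = [
    {"dn": "cn=alice,ou=testou,dc=domain,dc=tld",
     "objectClass": ["top", "person", "user"],
     "userPrincipalName": "alice@domain.tld",
     "userAccountControl": 512},            # normal, enabled account
    {"dn": "cn=bob,ou=exchange,dc=domain,dc=tld",
     "objectClass": ["top", "person", "user"],
     "userPrincipalName": "bob@domain.tld",
     "userAccountControl": 512},
    {"dn": "cn=carol,ou=exchange,dc=domain,dc=tld",
     "objectClass": ["top", "person", "user"],
     "userPrincipalName": "carol@domain.tld",
     "userAccountControl": 512 | ACCOUNTDISABLE},   # disabled account
    {"dn": "cn=printer1,ou=testou,dc=domain,dc=tld",
     "objectClass": ["top", "computer"],    # not a person
     "userPrincipalName": "printer1@domain.tld",
     "userAccountControl": 4096},
]


def dn_components(dn):
    """Split a DN into normalised RDNs, most specific first."""
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(entry_dn, base_dn):
    """True if entry_dn lies under base_dn (scope=subtree).  Compares whole
    RDNs rather than raw substrings, so ou=testou does not match ou=othertestou."""
    entry = dn_components(entry_dn)
    base = dn_components(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def matches_filter(entry, upn):
    """Evaluate the thread's filter for one entry:
    (&(userPrincipalName=<upn>)(objectClass=person)
      (!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule; wrapped in (!...)
    it drops every account whose ACCOUNTDISABLE bit is set."""
    if entry.get("userPrincipalName", "").lower() != upn.lower():
        return False
    if "person" not in [c.lower() for c in entry.get("objectClass", [])]:
        return False
    uac = int(entry.get("userAccountControl", 0))
    return not (uac & ACCOUNTDISABLE)


def search(base_dn, upn, directory=DIRECTORY):
    """Return the DNs a subtree search from base_dn would yield for upn."""
    return [e["dn"] for e in directory
            if in_subtree(e["dn"], base_dn) and matches_filter(e, upn)]


if __name__ == "__main__":
    for base in ("ou=testou,dc=domain,dc=tld", "dc=domain,dc=tld"):
        for upn in ("alice@domain.tld", "bob@domain.tld", "carol@domain.tld"):
            print(f"base={base:<28} {upn:<18} -> {search(base, upn)}")
```

Running the script shows bob@domain.tld only when the base is the domain root, and carol@domain.tld never, because her ACCOUNTDISABLE bit fails the negated bit-rule clause. The model covers only the base DN and the filter; it says nothing about the LDAP-versus-Global-Catalog difference Steffen raises, which depends on which attributes the GC replicates and can only be checked with ldapsearch against port 389 and port 3268 on the real DC.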