On Thu, May 19, 2016 at 4:27 PM, Julien Lambot jlambot@gmail.com wrote:
Hello list
I've been struggling for a while trying to configure multiple-domain LDAP authentication with full e-mail address authentication, which in fact was not the issue. There were some discrepancies between the doc and our actual configuration (see appendix A). It seems that pass_filter and user_filter don't need much special setting for our setup.
Now it's working correctly, with the sole exception that when an OU contains "lots" of users (>200) I suspect that the ldapsearch query fails. We can authenticate fine when we have 50 users in an OU, but not when the number rises (I don't have the exact number above which it locks).
After further investigation, it seems the issue is caused by the presence of an "_" (underscore) in the OU name. Other OUs are not impacted.
If anyone has a suggestion, that would be welcome. In fact, we cannot rename this OU without a wide impact on other configurations.
Regards
Julien
Is there a parameter we can set to increase the result size limit (as I suspect this to be the cause of this possible bug)?
If I query manually (ldapsearch) it's OK; if I use "doveadm auth user.name@domain.tld", it also succeeds, but I wonder whether it doesn't use the winbind authentication instead.
Here is our ldap-auth configuration:

hosts = master.domain.local:389
dn = DOMAIN\ro-user
dnpass = password
debug_level = 2
auth_bind = yes
#auth_bind_userdn = cn=%u,OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local (tried with and without, with no better results)
ldap_version = 3
#deref = never
#base = OU=InfrastructureManagement,DC=domain,DC=local (works; has a few users)
base = OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local
scope = subtree
user_filter = (&(objectclass=person)(mail=%u))
pass_filter = (&(objectclass=person)(mail=%u))

and some logs in appendix B.
Thanks for any hints on this.
Have a nice day
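As an added example, not part of Julien's post or of Dovecot itself: a small Python check of whether an RDN value such as the "_myou" OU name needs escaping under RFC 4514, plus the RFC 4515 escaping that any substitution of %u into the user_filter above must apply. The DN and filter are taken from the post; the sample values ("Sales, EMEA", the odd-looking mail address) are constructed.

```python
# Added example (not from the original post or from Dovecot): RFC 4514 DN value
# checks and RFC 4515 filter-value escaping, applied to the post's configuration.

# RFC 4514 section 2.4: characters that must always be escaped inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;')


def dn_value_needs_escaping(value: str) -> bool:
    """True if the value cannot appear verbatim as an RDN value (e.g. OU=...)."""
    if not value:
        return False
    if value[0] in " #" or value[-1] == " ":
        return True  # leading space/'#' and trailing space are positional specials
    return any(c in _DN_SPECIAL or c == "\x00" for c in value)


def escape_dn_value(value: str) -> str:
    """Escape a value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c == "\x00":
            out.append("\\00")
        elif c in _DN_SPECIAL or (i == 0 and c in " #") or (i == last and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_user_filter(mail: str) -> str:
    """The post's user_filter with %u replaced by an escaped, user-supplied value."""
    return "(&(objectclass=person)(mail=%s))" % escape_filter_value(mail)


if __name__ == "__main__":
    # Constructed sample values; "_myou" is the OU name from the post.
    for ou in ("_myou", "Sales, EMEA", " lead"):
        print("OU=%s needs escaping: %s -> OU=%s"
              % (ou, dn_value_needs_escaping(ou), escape_dn_value(ou)))
    print(build_user_filter("user.name@domain.tld"))
    print(build_user_filter("*)(objectclass=*"))
```

The first check shows whether the underscore itself is a legal, unescaped DN character; the second shows what a filter substitution has to do before a mail value is trusted inside the search.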