On 4/8/2014 2:18 AM, Steffen Kaiser wrote:
The primary question is: Does

    ldapsearch -H ldap://server.domain.tld:389 \
        -b dc=domain,dc=tld -D ... -W \
        '(&(userPrincipalName=<<user>>)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

return the user?
Yes, it does. The authentication with AD works as it should as long as dovecot is pointing to the right OU.
How many domain controllers do you have in the AD? Which of them holds which domains? See http://technet.microsoft.com/en-us/library/cc978012.aspx
I have one domain controller and there is only one domain. I think we are getting off track here. There is no problem with authentication. Maybe I need to be more clear.
Dovecot is able to authenticate with Active Directory as long as the "base = " parameter in "/etc/dovecot/dovecot-ldap.conf" is pointing to the OU that the dovecot users are in. However, I have another OU where my Exchange users are. So, when I try to send email from a dovecot user to an Exchange user, dovecot throws the error "user unknown" because it's not able to find the Exchange user, since it's in a different OU. When I set the "base =" parameter in "/etc/dovecot/dovecot-ldap.conf" to the domain root, i.e. instead of having it say:
base = ou=testou,dc=domain,dc=tld
I set it to:
base = dc=domain,dc=tld
so it can look up all users in the entire domain,
then dovecot stops authenticating with AD altogether.
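To make the base-DN behaviour discussed in this thread concrete, here is an added example (not code from the thread or from Dovecot) that models a subtree LDAP search with the exact filter quoted above, including the bitwise-AND matching rule on userAccountControl. The directory entries, DNs and UPNs are constructed for illustration.

```python
# Added example: models how an LDAP subtree search with the filter
# (&(userPrincipalName=<upn>)(objectClass=person)
#   (!(userAccountControl:1.2.840.113556.1.4.803:=2)))
# behaves under the two "base =" values from the thread.
# All entries below are constructed, not taken from a real directory.

ACCOUNTDISABLE = 0x2  # the bit asserted by ...1.4.803:=2

DIRECTORY = [
    {"dn": "cn=alice,ou=testou,dc=domain,dc=tld",          # dovecot user
     "userPrincipalName": "alice@domain.tld",
     "objectClass": ["person", "user"], "userAccountControl": 512},
    {"dn": "cn=bob,ou=exchange,dc=domain,dc=tld",          # Exchange user
     "userPrincipalName": "bob@domain.tld",
     "objectClass": ["person", "user"], "userAccountControl": 512},
    {"dn": "cn=carol,ou=testou,dc=domain,dc=tld",          # disabled account
     "userPrincipalName": "carol@domain.tld",
     "objectClass": ["person", "user"], "userAccountControl": 512 | ACCOUNTDISABLE},
]

def normalize_dn(dn):
    # Compare RDNs case-insensitively and ignore whitespace around commas.
    return [part.strip().lower() for part in dn.split(",")]

def in_subtree(dn, base):
    # Subtree scope: the entry's DN must end with the base DN's RDN sequence,
    # so a base of ou=testou,... never reaches entries under ou=exchange,...
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b

def matches_filter(entry, upn):
    # Matching rule 1.2.840.113556.1.4.803 is a bitwise AND: the assertion
    # ":=2" is true when the ACCOUNTDISABLE bit is set, and the filter
    # negates it, so only enabled person entries with this UPN match.
    return (entry["userPrincipalName"].lower() == upn.lower()
            and "person" in entry["objectClass"]
            and not (entry["userAccountControl"] & ACCOUNTDISABLE))

def ldap_search(base, upn, directory=DIRECTORY):
    """Return DNs of entries under `base` that satisfy the filter for `upn`."""
    return [e["dn"] for e in directory
            if in_subtree(e["dn"], base) and matches_filter(e, upn)]
```

With base set to the OU, the Exchange user is simply outside the search scope; with base at the domain root both OUs are searched and the disabled-account exclusion still applies.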