Hi Fran,
this is not a dovecot problem, that's a pure dns problem and can only be fixed in your dns environment.
referrals are propagated in a "special" dns design in SRV records. so the ldap client performs a dns lookup for these names and this is the point of hanging (as in most "hanging cases", it's dns).
see: https://technet.microsoft.com/en-us/library/cc978014.aspx https://technet.microsoft.com/en-us/library/cc961719.aspx http://www.mail-archive.com/cas@tp.its.yale.edu/msg00797.html
for information.
Greetz Matze
On Thu, 10 Sep 2015 13:10:57 +0200 Fran <cumc-4361-2@chguadalquivir.es> wrote:
Hi Matthias,
thank you very much! that fixed the problem.
I had worked around the problem by using "base = ou=xxxx, dc=dom" instead of "base = dc=dom" in the dovecot-ldap.conf.ext file, because that also worked (I don't know why, but the problem happens if you use just the domain as base, but not if you add a second level). But that forced me to use several userdb/passdb block definitions, one for each OU in which I have users, so I think that your fix is better.
I'm not able to understand the actual reason behind all this though...
What's the technical explanation behind this behaviour?? I mean, it seems that the problem is that the Domain controller (DC) was sending a "referrals" answer and dovecot auth made a connection to these other DCs but something went wrong (dovecot can't deal correctly with that kind of answers?? I don't know).
Anyways, as far as I know:
- A referral answer should be given by a DC when it can't provide the object that the client is requesting
- REFERRALS off in ldap.conf means that the client should not follow referrals returned by the DC
So, if a referral answer is given by my DC, I think that is because such DC can't provide the object which the client is looking for, so why does it work fine just by telling dovecot: "Don't follow referrals"?
Regards
On 09/09/2015 at 17:22, Matthias Lay wrote:
hi,
check your
/etc/openldap/ldap.conf
for
REFERRALS off
I had these errors with "referrals on" in misconfigured dns environments.
you can debug the dns packets by strace-ing the auth process
On Tue, 8 Sep 2015 11:00:37 +0200
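To make the referral/DNS interaction discussed in this thread concrete, here is an added Python example; it is not from the thread, nor Dovecot's or OpenLDAP's own code. It parses a few constructed AD-style referral URLs (placeholder hostnames under dc=dom) to show which names the client has to resolve before it can follow them, derives the _ldap._tcp SRV name a DC locator would look up for such a domain, and reads an ldap.conf snippet for the REFERRALS setting the way a quick diagnostic would, reporting which hosts the client would still try to chase.

```python
"""Diagnostic for LDAP referral chasing vs. the OpenLDAP REFERRALS option.

Added example, not part of the mailing-list thread. All sample data below is
constructed; hostnames and DNs are placeholders under dc=dom.
"""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample: referral URLs of the kind an Active Directory DC returns
# for a search based at the domain root (base = dc=dom). Each one points the
# client at another naming context, hosted under a different DNS name.
SAMPLE_REFERRALS = [
    "ldap://ForestDnsZones.dom/DC=ForestDnsZones,DC=dom",
    "ldap://DomainDnsZones.dom/DC=DomainDnsZones,DC=dom",
    "ldap://dom/CN=Configuration,DC=dom",
]

# Constructed sample ldap.conf contents: one with the fix from the thread,
# one without any REFERRALS line at all.
LDAP_CONF_FIXED = """\
# /etc/openldap/ldap.conf
BASE dc=dom
URI ldap://dc1.dom
REFERRALS off
"""
LDAP_CONF_DEFAULT = """\
BASE dc=dom
URI ldap://dc1.dom
"""


def referral_targets(referrals):
    """Return (host, port, base_dn) for each referral URL.

    The host is what libldap must resolve via DNS before it can open the
    follow-up connection; if that name does not resolve cleanly, the auth
    process sits in the lookup (the "hang" described in the thread).
    """
    out = []
    for url in referrals:
        parts = urlsplit(url)
        host = parts.hostname  # urlsplit lowercases the hostname
        port = parts.port or (636 if parts.scheme == "ldaps" else 389)
        base_dn = unquote(parts.path.lstrip("/"))
        out.append((host, port, base_dn))
    return out


def srv_query_name(domain, service="ldap"):
    """DNS SRV name used to locate an LDAP server for an AD domain
    (RFC 2782 naming: _ldap._tcp.<domain>). Checking that this record
    exists and points at reachable DCs is where a referral hang is diagnosed."""
    return f"_{service}._tcp.{domain}"


def referrals_setting(conf_text):
    """Return 'on' or 'off' from the last REFERRALS line in an ldap.conf.

    OpenLDAP's documented default is to chase referrals, so a missing line
    counts as 'on'. Accepts the on/true/yes and off/false/no spellings.
    """
    value = "on"
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"(?i)^REFERRALS\s+(\S+)", line)
        if m:
            value = "off" if m.group(1).lower() in ("off", "false", "no") else "on"
    return value


def would_chase(conf_text, referrals):
    """Hostnames the client would try to resolve and connect to under this
    config. With REFERRALS off the list is empty: the client just returns
    the entries it already got from the first DC."""
    if referrals_setting(conf_text) == "off":
        return []
    return [host for host, _, _ in referral_targets(referrals)]


if __name__ == "__main__":
    for conf_name, conf in (("default", LDAP_CONF_DEFAULT), ("fixed", LDAP_CONF_FIXED)):
        print(f"{conf_name}: REFERRALS {referrals_setting(conf)}")
        for host in would_chase(conf, SAMPLE_REFERRALS):
            print(f"  would resolve {host} (check SRV {srv_query_name(host)})")
```

Run it as a script to see that the default config leaves three placeholder hostnames to resolve while the fixed config leaves none; with real referral URLs taken from a packet capture or strace of the auth process, the same functions tell you which DNS names your environment must answer for.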