We are using Dovecot with LDAP. From the beginning, we have been using a GC LDAP query on port 3268 for email accounts. For example, user1@our-organization.org (in the USA) with "base = dc=our-organization, dc=org" works fine.
But referring to this document: https://wiki2.dovecot.org/AuthDatabase/LDAP when we change the LDAP port from 3268 to 389 with TLS, the base should be changed like this: "base = ou=usa, dc=our-organization, dc=org"
But if the user (user2) is located in the United Kingdom (ou=gbr), the user cannot log in.
When we debug with ldapsearch:

    ldapsearch -ZZ -v -h dc.our-organization.org -p 389 -D 'cn=auth_user,ou=usa,dc=our-organization,dc=org' -W -b 'dc=our-organization, dc=org' '(userPrincipalName=user2@our-organization.org)'

it returns the user2 information together with some "numReferences".
But in Dovecot, with "base = dc=our-organization, dc=org", it only reports an auth error with a timeout.
Here is the config:

    # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
    # Pigeonhole version 0.4.16 (fed8554)
    # OS: Linux 3.16.0-4-amd64 x86_64 Debian 9.3
    auth_verbose = yes
    dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u -l%{lock_timeout} -n%{namespace}
    imap_id_send =
    imapc_user = %u
    import_environment = TZ
    listen = *
    login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
    mail_shared_explicit_inbox = yes
    managesieve_notify_capability = mailto
    managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
    namespace inbox {
      location =
      mailbox Drafts {
        special_use = \Drafts
      }
      mailbox Junk {
        special_use = \Junk
      }
      mailbox Sent {
        special_use = \Sent
      }
      mailbox "Sent Messages" {
        special_use = \Sent
      }
      mailbox Trash {
        special_use = \Trash
      }
      prefix =
    }
    passdb {
      args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
      driver = ldap
    }
    plugin {
      sieve = ~/.dovecot.sieve
      sieve_dir = ~/sieve
    }
    protocols = " imap sieve"
    service managesieve-login {
      inet_listener sieve {
        port = 4190
      }
      service_count = 0
    }
    ssl_ca = /etc/ssl/certs/ca.pem
    ssl_cert = </etc/ssl/gameloft/our-organization.org.crt
    ssl_key = # hidden, use -P to show it
    ssl_parameters_regenerate = 1 weeks
    userdb {
      args = /etc/dovecot/dovecot-ldap.conf.ext
      driver = ldap
    }
So my question is: does Dovecot LDAP auth support LDAP referrals? If Dovecot relies on OpenLDAP, it should be supported. If not, why, and what is the walkthrough?
Xuan Jia
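The ldapsearch run in the post returns one real entry plus several search references ("numReferences") because the query goes to a domain controller on port 389 with the forest root as base. The script below is an added example and is not from the poster or the Dovecot project: it parses LDIF output of that shape, separates entries from "ref:" referral URLs, and checks which search base actually covers the DN of the returned entry. The DNs, hostnames and attribute values in SAMPLE_LDIF are constructed placeholders modelled on the post, and the DN comparison does not handle escaped commas inside RDN values.

```python
import base64
import re
from dataclasses import dataclass, field

# Constructed sample resembling ldapsearch output against an AD domain controller on
# port 389 with a forest-root base: one matching entry plus three search references.
SAMPLE_LDIF = """\
dn: CN=user2,OU=gbr,DC=our-organization,DC=org
userPrincipalName: user2@our-organization.org
sAMAccountName: user2

# search reference
ref: ldap://ForestDnsZones.our-organization.org/DC=ForestDnsZones,DC=our-organization,DC=org

# search reference
ref: ldap://DomainDnsZones.our-organization.org/DC=DomainDnsZones,DC=our-organization,DC=org

# search reference
ref: ldap://our-organization.org/CN=Configuration,DC=our-organization,DC=org

# search result
search: 3
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
"""


@dataclass
class SearchResult:
    entries: list = field(default_factory=list)    # (dn, {attribute: [values]}) per entry
    referrals: list = field(default_factory=list)  # URLs from "ref:" search references
    summary: dict = field(default_factory=dict)    # counts from the "# numXxx: N" trailer


def _unfold(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text):
    """Split ldapsearch LDIF output into entries, referral URLs and the count summary."""
    result = SearchResult()
    current = None  # entry currently being read, as (dn, attrs)
    for line in _unfold(text):
        if not line.strip():               # blank line terminates an entry
            if current is not None:
                result.entries.append(current)
                current = None
            continue
        m = re.match(r"#\s*(num\w+):\s*(\d+)", line)
        if m:                              # "# numEntries: 1" style trailer
            result.summary[m.group(1)] = int(m.group(2))
            continue
        if line.startswith("#"):           # other comments ("# search reference")
            continue
        if line.startswith("ref:"):        # search reference, not part of an entry
            result.referrals.append(line[4:].strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):          # "attr:: <base64>" encoding
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            current = (value, {})
        elif current is not None:          # "search:"/"result:" lines outside entries are skipped
            current[1].setdefault(name, []).append(value)
    if current is not None:
        result.entries.append(current)
    return result


def normalize_dn(dn):
    """Lower-case RDNs and drop whitespace after separators so that
    'ou=usa, dc=our-organization, dc=org' and 'OU=usa,DC=our-organization,DC=org' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under_base(dn, base):
    """True if dn equals base or lies below it in the tree (subtree scope)."""
    n_dn, n_base = normalize_dn(dn), normalize_dn(base)
    return n_dn == n_base or n_dn.endswith("," + n_base)


def entries_covered_by(result, base):
    """Return the DNs of returned entries that a search with the given base could reach."""
    return [dn for dn, _ in result.entries if dn_under_base(dn, base)]


if __name__ == "__main__":
    res = parse_ldif(SAMPLE_LDIF)
    print("entries:", [dn for dn, _ in res.entries])
    print("referrals:", res.referrals)
    print("summary:", res.summary)
    for base in ("ou=usa, dc=our-organization, dc=org", "dc=our-organization, dc=org"):
        print(f"base {base!r} covers: {entries_covered_by(res, base)}")
```

Run against real ldapsearch output, the referral list shows which extra LDAP servers a client would have to contact if it chases references, and the base check shows why a user under ou=gbr is unreachable from a base of ou=usa while the forest-root base reaches the entry but also triggers the references.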