On Tuesday 08 April 2014 05:36:51 Deeztek Support wrote:
On 4/8/2014 2:18 AM, Steffen Kaiser wrote:
The primary question is: Does
ldapsearch -H ldap://server.domain.tld:389 \
-b dc=domain,dc=tld -D ... -W
'(&(userPrincipalName=<<user>>)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
return the user?
Yes it does. The authentication with AD works as it should as long as dovecot is pointing to the right OU.
How many domain controllers do you have in the AD? Which of them holds which domains? See http://technet.microsoft.com/en-us/library/cc978012.aspx
I have one domain controller and there is only one domain. I think we are getting off track here. There is no problem with authentication. Maybe I need to be more clear.
Dovecot is able to authenticate with Active Directory as long as the "base = " parameter in "/etc/dovecot/dovecot-ldap.conf" is pointing to the OU that the dovecot users are in. However, I have another OU where my Exchange users are. So, when I try to send email from a dovecot user to an Exchange user, dovecot throws the error "user unknown" because it's not able to find the Exchange user since it's in a different OU. When I set the "base =" parameter in "/etc/dovecot/dovecot-ldap.conf" to the domain root, i.e. instead of having it say:
base = ou=testou,dc=domain,dc=tld
I set it to:
base = dc=domain,dc=tld
so it can look up all users in the entire domain,
then dovecot stops authenticating with AD altogether
As I already said, authentication is one thing and delivery is another. This filter probably receives a different variable as %u when delivering (possibly the mail address, or the user part of it, depending on your master.cf). You can use a | in the LDAP filter to accommodate that; it's ugly but it works.
-- Mihai Bădici http://mihai.badici.ro
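To make the two points of this exchange concrete, here is an added example that is not part of the thread and not Dovecot's own code. It builds the kind of OR'd Active Directory filter suggested in the last reply (matching a person by userPrincipalName, mail or sAMAccountName so the same filter serves both the IMAP login and the delivery lookup, while excluding disabled accounts with the bitwise-AND matching rule from the ldapsearch command quoted earlier), escapes the login value per RFC 4515 so a crafted username cannot change the filter's structure, and shows why a base of dc=domain,dc=tld covers both OUs while ou=testou,dc=domain,dc=tld does not. The DNs, attribute values and the `build_filter`, `ldap_escape`, `is_disabled` and `in_subtree` helpers are illustrative assumptions for this example.

```python
"""Added example for the Dovecot/AD thread: not the list's or Dovecot's code.
Filter construction, RFC 4515 escaping, the userAccountControl bit test,
and a base-DN subtree check, all on constructed sample data."""

# RFC 4515 section 3: these characters are escaped inside an assertion
# value so that a login name cannot inject extra filter components.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Bit 2 of userAccountControl is ACCOUNTDISABLE. The OID is AD's
# LDAP_MATCHING_RULE_BIT_AND, used in the ldapsearch from the thread.
ACCOUNTDISABLE = 2
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(login: str) -> str:
    """Return one filter that finds a person whether the caller passes the
    UPN / mail address (IMAP login, or delivery with the full address) or
    only the user part (delivery after master.cf stripped the domain).
    Disabled accounts are excluded via the bitwise-AND extensible match."""
    full = ldap_escape(login)
    user_part = ldap_escape(login.split("@", 1)[0])
    return (
        "(&"
        f"(|(userPrincipalName={full})(mail={full})(sAMAccountName={user_part}))"
        "(objectClass=person)"
        f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}))"
        ")"
    )


def is_disabled(user_account_control: int) -> bool:
    """What the server evaluates for the extensible match above:
    (userAccountControl AND 2) == 2 means the account is disabled."""
    return user_account_control & ACCOUNTDISABLE == ACCOUNTDISABLE


def _rdns(dn: str) -> list:
    """Split a DN into normalised RDNs. Simplified: ignores escaped commas
    and attribute-type aliases, which is enough for the sample DNs here."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn sits at or below base_dn (scope = subtree), i.e.
    the base's RDNs are a suffix of the entry's RDNs."""
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


# Constructed sample entries: a Dovecot user and an Exchange user in
# different OUs, as in the thread, plus one disabled account.
SAMPLE_ENTRIES = [
    {"dn": "cn=alice,ou=testou,dc=domain,dc=tld", "userAccountControl": 512},
    {"dn": "cn=bob,ou=exchange,dc=domain,dc=tld", "userAccountControl": 512},
    {"dn": "cn=carol,ou=exchange,dc=domain,dc=tld", "userAccountControl": 514},
]


def visible_under(base_dn: str) -> list:
    """Names of enabled sample entries a subtree search from base_dn can reach."""
    return [
        e["dn"].split(",")[0]
        for e in SAMPLE_ENTRIES
        if in_subtree(e["dn"], base_dn) and not is_disabled(e["userAccountControl"])
    ]


if __name__ == "__main__":
    print(build_filter("bob@domain.tld"))
    print("base ou=testou:", visible_under("ou=testou,dc=domain,dc=tld"))
    print("base dc=domain:", visible_under("dc=domain,dc=tld"))
```

In dovecot-ldap.conf the same filter goes into `pass_filter` and `user_filter` with Dovecot's own variables, `%u` for the full login and `%n` for the user part, for example `(&(|(userPrincipalName=%u)(mail=%u)(sAMAccountName=%n))(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))`, with `base = dc=domain,dc=tld` and the default `scope = subtree` so that both OUs are searched. The escaping in the example is there to show what a safe assertion value looks like; when Dovecot expands its own variables it performs that escaping itself, so the caveat applies to filters you assemble in external scripts or tests.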