Hello Timo!
I think that to make an ldap_search in Microsoft Active Directory (I don't know about OpenLDAP, but it could be the same case) it is necessary to first open a connection, then bind with a valid user, and make the search in the same connection, but with Dovecot we could see in the sniffed packets that it opens various connections in one ldap_search. Because of this, Microsoft Active Directory shows this in the sniffer logs:
"comment: In order to perform this operation a successful bind must be completed on the connection"
So, in the connection using local port 58918 Dovecot did make a successful bind but didn't find the ldap entry; after that it tries to make a subtree search, but using other connection ports 58920, 58921 and 58922 without a successful bind, and AD blocks the search right there. I think Dovecot isn't searching for ldap entries correctly, is it?
I'm not an LDAP and Dovecot expert, so please tell us whether what I write here is correct or not.
Waiting for your reply, thanks, Bruno.
Dovecot:
# T 192.168.0.251:58918 -> 192.168.0.11:389 [AP]
  0....`......teste..teste
# T 192.168.0.11:389 -> 192.168.0.251:58918 [AP]
  0........a............
## T 192.168.0.251:58918 -> 192.168.0.11:389 [AP]
  0E...`@....1CN=Postfix,CN=Users,DC=tecnicopias01,DC=com,DC=br..mypassword
# T 192.168.0.11:389 -> 192.168.0.251:58918 [AP]
  0........a............
# T 192.168.0.251:58918 -> 192.168.0.11:389 [AP]
  0{...cv..DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info
# T 192.168.0.11:389 -> 192.168.0.251:58918 [AP]
  0....@...d....7./CN=teste,CN=Users,DC=tecnicopias01,DC=com,DC=br0.....0....e...s....\.Zldap://ForestDnsZones.tecnicopias01.com.br/DC=ForestDnsZones,DC=tecnicopias01,DC=com,DC=br0....e...s....\.Zldap://DomainDnsZones.tecnicopias01.com.br/DC=DomainDnsZones,DC=tecnicopias01,DC=com,DC=br0....U...s....L.Jldap://tecnicopias01.com.br/CN=Configuration,DC=tecnicopias01,DC=com,DC=br0........e............
#### T 192.168.0.251:58920 -> 192.168.0.11:389 [AP]
  0............
# T 192.168.0.11:389 -> 192.168.0.251:58920 [AP]
  0........a............
##### T 192.168.0.251:58921 -> 192.168.0.11:389 [AP]
  0............
# T 192.168.0.11:389 -> 192.168.0.251:58921 [AP]
  0........a............
##### T 192.168.0.251:58922 -> 192.168.0.11:389 [AP]
  0....`........
# T 192.168.0.11:389 -> 192.168.0.251:58922 [AP]
  0........a............
## T 192.168.0.251:58922 -> 192.168.0.11:389 [AP]
  0.....c....CN=Configuration,DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info
# T 192.168.0.251:58921 -> 192.168.0.11:389 [AP]
  0.....c.../DC=DomainDnsZones,DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info
# T 192.168.0.251:58920 -> 192.168.0.11:389 [AP]
  0.....c.../DC=ForestDnsZones,DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info
# T 192.168.0.11:389 -> 192.168.0.251:58922 [AP]
  0........e................00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece.
# T 192.168.0.11:389 -> 192.168.0.251:58921 [AP]
  0........e................00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece.
# T 192.168.0.11:389 -> 192.168.0.251:58920 [AP]
  0........e................00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece.
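The exchange in the dump above, modelled as an added example (not Dovecot or Active Directory code): a hypothetical in-memory directory that tracks bind state per connection and refuses unbound searches, and a client that follows each referral on a fresh connection, either unbound (as the new source ports in the dump show) or after binding first. The referral URLs, DNs and error text are copied from the dump; the FakeDirectory class and its behaviour are assumptions made for the model.

```python
from urllib.parse import urlparse, unquote
# Referral URLs as AD returned them in the dump above (copied, not live data)
REFERRALS = [
    "ldap://ForestDnsZones.tecnicopias01.com.br/DC=ForestDnsZones,DC=tecnicopias01,DC=com,DC=br",
    "ldap://DomainDnsZones.tecnicopias01.com.br/DC=DomainDnsZones,DC=tecnicopias01,DC=com,DC=br",
    "ldap://tecnicopias01.com.br/CN=Configuration,DC=tecnicopias01,DC=com,DC=br",
]
BIND_DN = "CN=Postfix,CN=Users,DC=tecnicopias01,DC=com,DC=br"
DOMAIN_BASE = "DC=tecnicopias01,DC=com,DC=br"
BIND_ERROR = ("In order to perform this operation a successful bind "
              "must be completed on the connection")

def parse_referral(url):
    """Split an LDAP URL (RFC 4516 form) into (host, base DN)."""
    p = urlparse(url)
    return p.netloc, unquote(p.path.lstrip("/"))

class FakeDirectory:
    """Hypothetical stand-in for AD: bind state is per connection, an unbound
    search is refused, and a search at the domain root also returns referrals."""
    def __init__(self):
        self.bound = set()                      # connection ids with a completed bind
    def bind(self, conn, dn, password):
        self.bound.add(conn)                    # credential checking is out of scope here
    def search(self, conn, base):
        if conn not in self.bound:
            return {"error": BIND_ERROR}
        if base == DOMAIN_BASE:
            return {"entries": ["CN=teste,CN=Users," + base], "referrals": REFERRALS}
        return {"entries": [], "referrals": []}

def chase_referrals(directory, bind_new_connections):
    """Client side. Each referral is followed on a fresh connection, as the new
    source ports in the dump show. Returns (entries, (host, error) per failed referral)."""
    conn = 1
    directory.bind(conn, BIND_DN, "mypassword")
    res = directory.search(conn, DOMAIN_BASE)
    entries, errors = list(res["entries"]), []
    for url in res["referrals"]:
        conn += 1                               # new connection, like ports 58920-58922
        host, base = parse_referral(url)
        if bind_new_connections:                # binding first is what avoids the error
            directory.bind(conn, BIND_DN, "mypassword")
        r = directory.search(conn, base)
        if "error" in r:
            errors.append((host, r["error"]))
        else:
            entries += r["entries"]
    return entries, errors
```

Running with `bind_new_connections=False` reproduces the three "successful bind must be completed" errors, one per referral host; with `True` the referral searches succeed and simply return nothing.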