Re: Using 2 LDAP sources for passdb

Can you send doveconf -n

Aki

 On 02/06/2026 21:10 EEST Tom via dovecot <[1]dovecot@dovecot.org> wrote:


 On 2026-06-02 09:36, Aki Tuomi via dovecot wrote:
 >>> I can't seem to find documentation that shows how to set up 2 LDAP
 passdb blocks. I can get each of them working properly, but only the
 second of the two works at any given time. I can't figure out the syntax
 needed to get both to work, even though I've been all over the Dovecot
 2.4x official documentation. The docs seem to suggest settings that the
 server rejects.
 >>>
 >>> Anyone have any experience doing this, or know the correct syntax?
 Thanks in advance!
 >>
 >> # you can share settings like this
 >> ldap_auth_dn = cn=dovecot,ou=apps,dc=example,dc=com
 >> ldap_auth_dn_password = D0vec0t
 >> ldap_uris = ldapi://%2Frun%2Fldapi
 >> ldap_version = 3
 >> ldap_bind = yes
 >>
 >> passdb ldab-1 {
 >> driver = ldap
 >> ldap_bind_userdn = cn=%{user},ou=apps,dc=example,dc=com
 >> ldap_filter = (&(objectClass=applicationProcess)(cn=%{user}))
 >> }
 >>
 >> passdb ldap-2 {
 >> driver = ldap
 >> ldap_bind_userdn = cn=%{user},ou=apps,dc=example,dc=com
 >> ldap_filter =
 (&(objectClass=posixAccount)(uid=%{user|username})(memberOf=cn=mail,ou=%{user|domain},ou=groups,dc=example,dc=com))
 >> }
 >>
 >> Aki

   Sorry, small mistake

   ldap_bind = yes => passdb_ldap_bind = yes

 Thanks for your replies.

 2026.06.02 13:52:40
 auth([2]example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>:
 Debug: sasl(plain): Set authid [3]'example@example.net'
 2026.06.02 13:52:40
 auth([4]example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>:
 Debug: sasl(plain): Performing plain passdb verification
 2026.06.02 13:52:40
 auth([5]example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>:
 Debug: ldap-1: Performing passdb lookup
 2026.06.02 13:52:40
 auth([6]example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>:
 Debug: ldap-1: Finished passdb lookup
 2026.06.02 13:52:40
 auth([7]example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>:
 Debug: ldap-2: Performing passdb lookup
 2026.06.02 13:52:40
 auth([8]example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>:
 Debug: ldap-2: Finished passdb lookup
 2026.06.02 13:52:43
 auth([9]example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>:
 Debug: sasl(plain): Finished plain passdb verification
 (status=internal-failure)
 2026.06.02 13:52:43
 auth([10]example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>:
 Debug: sasl(plain): Interaction failed (internal failure)
 2026.06.02 13:52:43
 auth([11]example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>:
 Debug: Auth request finished
 2026.06.02 13:52:43
 auth([12]example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>:
 Debug: immediate auth failure due to internal failure

 Not getting either one to work. This is with full debugging on. It looks
 like the internal error happens instantly, no attempt to contact the
 directory.
 _______________________________________________
 dovecot mailing list -- [13]dovecot@dovecot.org
 To unsubscribe send an email to [14]dovecot-leave@dovecot.org

References

Visible links

1. mailto:dovecot@dovecot.org
2. mailto:example@example.net
3. mailto:'example@example.net
4. mailto:example@example.net
5. mailto:example@example.net
6. mailto:example@example.net
7. mailto:example@example.net
8. mailto:example@example.net
9. mailto:example@example.net
10. mailto:example@example.net
11. mailto:example@example.net
12. mailto:example@example.net
13. mailto:dovecot@dovecot.org
14. mailto:dovecot-leave@dovecot.org