Re: [Dovecot] Fwd: LDAP subtree search on AD

Ok Timo, first os all thanks for your reply!

I've used ngrep to sniff the packet and I grab the below data. As we can see, Postfix makes the bind before anything else, and Dovecot send some lines of data before the bind. After that, dovecot tries to make the subtree search, but in my understanding dovecot isn't making a correct bind maybe because the two lines sent before the bind, or any other thing. I think it could also be that dovecot is using other connections for the search other than the connection used in the bind time, as we can see in the logs below that dovecot use various local ports at one unique search, an Postfix open just one local port to make that search.

Timo, I think it could be a bug. Correct me if I am wrong!

Waiting for answers and ideas, and thanks until the moment. Bruno.

Dovecot: # T 192.168.0.251:58918 -> 192.168.0.11:389 [AP] 0..........teste..teste # T 192.168.0.11:389 -> 192.168.0.251:58918 [AP] 0........a............ ## T 192.168.0.251:58918 -> 192.168.0.11:389 [AP] 0E...@....1CN=Postfix,CN=Users,DC=tecnicopias01,DC=com,DC=br..mypassword # T 192.168.0.11:389 -> 192.168.0.251:58918 [AP] 0........a............ # T 192.168.0.251:58918 -> 192.168.0.11:389 [AP]

0{...cv..DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info # T 192.168.0.11:389 -> 192.168.0.251:58918 [AP]

0....@...d....7./CN=teste,CN=Users,DC=tecnicopias01,DC=com,DC=br0.....0....e...s....\.Zldap://ForestDnsZones.tecnicopias01.com.br/DC=ForestDnsZones,DC=te

cnicopias01,DC=com,DC=br0....e...s....\.Zldap://DomainDnsZones.tecnicopias01.com.br/DC=DomainDnsZones,DC=tecnicopias01,DC=com,DC=br0....U...s....L.Jldap:

//tecnicopias01.com.br/CN=Configuration,DC=tecnicopias01,DC=com,DC=br0........e............ #### T 192.168.0.251:58920 -> 192.168.0.11:389 [AP] 0............ # T 192.168.0.11:389 -> 192.168.0.251:58920 [AP] 0........a............ ##### T 192.168.0.251:58921 -> 192.168.0.11:389 [AP] 0............ # T 192.168.0.11:389 -> 192.168.0.251:58921 [AP] 0........a............ ##### T 192.168.0.251:58922 -> 192.168.0.11:389 [AP] 0....`........ # T 192.168.0.11:389 -> 192.168.0.251:58922 [AP] 0........a............ ## T 192.168.0.251:58922 -> 192.168.0.11:389 [AP]

0.....c....CN=Configuration,DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info # T 192.168.0.251:58921 -> 192.168.0.11:389 [AP]

0.....c.../DC=DomainDnsZones,DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info # T 192.168.0.251:58920 -> 192.168.0.11:389 [AP]

0.....c.../DC=ForestDnsZones,DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info # T 192.168.0.11:389 -> 192.168.0.251:58922 [AP] 0........e................00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connec tion., data 0, vece. # T 192.168.0.11:389 -> 192.168.0.251:58921 [AP] 0........e................00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connec tion., data 0, vece. # T 192.168.0.11:389 -> 192.168.0.251:58920 [AP] 0........e................00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece.

Postfix: #### T 192.168.0.251:47285 -> 192.168.0.11:389 [AP] 0E...`@....1cn=postfix,cn=Users,dc=tecnicopias01,dc=com,dc=br..mypassword # T 192.168.0.11:389 -> 192.168.0.251:47285 [AP] 0........a............ ## T 192.168.0.251:47285 -> 192.168.0.11:389 [AP] 0f...ca..dc=tecnicopias01,dc=com,dc=br................ ..mail..bruno@ tecnicopias.com.br0...postOfficeBox # T 192.168.0.11:389 -> 192.168.0.251:47285 [AP] 0........d....w.9CN=Bruno Puga,OU=USER,OU=TI,DC=tecnicopias01,DC=com,DC=br0....60....0..postOfficeBox1.......tecnicopias.com.br/bruno/0....e...s....\.Zld

ap://ForestDnsZones.tecnicopias01.com.br/DC=ForestDnsZones,DC=tecnicopias01,DC=com,DC=br0....e...s....\.Zldap://DomainDnsZones.tecnicopias01.com.br/DC=Do

mainDnsZones,DC=tecnicopias01,DC=com,DC=br0....U...s....L.Jldap://tecnicopias01.com.br/CN=Configuration,DC=tecnicopias01,DC=com,DC=br0........e.......... .. # T 192.168.0.251:47285 -> 192.168.0.11:389 [AP] 0....B. ####

On 6/13/07, Timo Sirainen tss@iki.fi wrote:

On Wed, 2007-06-13 at 15:46 -0300, Bruno Puga wrote:

...

With postfix using virtual_mailbox_maps through the same ldap backend, I can make subtree searchs in the Active Directory without problems.

Any ideas?

I really need this information and appreciate any help or new ideas!

I've no idea about Active Directory, or even all that much about LDAP.

...

scope = subtree

This should however work, and it's also the default. It gets passed to ldap_search() function correctly, so as far as I know there are no bugs related to this.

Maybe you could check with eg. Wireshark if it supports LDAP protocol and see what's different between what Dovecot sends and what Postfix sends.