Dear list members,
I am having some problems with an LDAP passdb authentication on Dovecot. Before I forget, the specs: it's an Ubuntu 7.10 server running Dovecot 1.0.5 connecting to 2 different machines running LDAP servers: gold with OpenLDAP 2.4.19 and extra with OpenLDAP 2.4.9 (extra is a replication slave of gold).
The initial setup of dovecot was with a MySQL passdb, which is still the first passdb, now followed by my new LDAP passdb, all with a static userdb.
Here is my dovecot-ldap.conf (the LDAP passdb) (I switched the domain with example.com for privacy's sake):
#Server
hosts = gold.example.com extra.example.com
tls = yes
ldap_version = 3
base = ou=people,dc=example,dc=com
scope = onelevel

#uid/gid
user_global_uid = 5000
user_global_gid = 5000

#Bind to read things
dn = cn=dovecot,ou=people,dc=example,dc=com
dnpass = secret
sasl_bind = no
sasl_mech =

#passdb: use password lookups to authenticate users
auth_bind = no
pass_attrs = userPassword=password #, =userdb_home=/home/vmail/%d/%n
pass_filter = (&(maildrop=%u)(mailacceptinguser=1))

default_pass_scheme = PLAIN-MD5
This setup is currently working for some test users (the others are still being auth'ed with the old MySQL passdb).
Unfortunately, I seem to have run into a big problem on an occasion when dovecot was unable to connect to my first server (gold) and hence went to the second one (extra). Backtracking from the logs (starting with dovecot-error.log):
Mar 31 13:11:50 bunker dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
Mar 31 13:11:50 bunker dovecot: auth-worker(default): LDAP: ldap_result() failed: Can't contact LDAP server
This is when the users stopped being able to login via imap, with the following message being shown on dovecot-info.log:
Mar 31 13:13:00 bunker dovecot: auth(default): ldap(user@domain.com,xxx.xxx.xxx.xxx): unknown user
(I know, an auth_debug log would be handy here, but it wasn't activated at the time). I went on to investigate and from the slapd logs I noticed that the second LDAP server (extra) was being contacted for the passdb lookups, thus proving that dovecot considered the gold to be dead (it wasn't, but that's a different matter). Anyway, the problem is that dovecot doesn't seem to be able to retrieve the user information from extra. As the slapd log shows:
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SRCH base="ou=people,dc=example,dc=com" scope=1 deref=0 filter="(&(?=undefined)(?=undefined))"
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SRCH attr=userPassword
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SEARCH RESULT tag=101 err=0 nentries=0 text=
For some reason, dovecot sends an undefined filter to extra, even though the same filter works without issues with gold (and remember they are "clones"). I just can't see how this is caused by any of my configurations!
Any ideas?
Thanks in advance,
-- Daniel Gomes
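
An added example, not part of the original post: a Python scan of slapd logs that pairs each SRCH line with its SEARCH RESULT and reports searches whose logged filter contains `(?=undefined)`, the symptom quoted above. The function name and the two `gold` sample lines are constructed for illustration.

```python
import re

# Constructed sample: the three "extra" lines are the ones quoted in the post;
# the two "gold" lines are made up here to show a healthy search for contrast.
SAMPLE_LOG = """\
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SRCH base="ou=people,dc=example,dc=com" scope=1 deref=0 filter="(&(?=undefined)(?=undefined))"
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SRCH attr=userPassword
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar 31 13:41:38 gold slapd[2210]: conn=9 op=3 SRCH base="ou=people,dc=example,dc=com" scope=1 deref=0 filter="(&(maildrop=user@example.com)(mailacceptinguser=1))"
Mar 31 13:41:38 gold slapd[2210]: conn=9 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

LINE = re.compile(r'^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) slapd\[\d+\]: '
                  r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
SRCH = re.compile(r'SRCH base="(?P<base>[^"]*)".* filter="(?P<filter>.*)"$')
RESULT = re.compile(r'SEARCH RESULT .*\berr=(?P<err>\d+) nentries=(?P<n>\d+)')
# slapd logs this token for a filter term whose attribute type it cannot
# resolve in its own schema.
UNDEFINED = "(?=undefined)"

def find_undefined_filter_searches(log_text):
    """Return one dict per search whose logged filter contains (?=undefined)."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line.rstrip())
        if not m:
            continue
        # conn/op numbers are only unique per slapd instance, so key on host too.
        key = (m["host"], m["conn"], m["op"])
        s, r = SRCH.match(m["rest"]), RESULT.match(m["rest"])
        if s and UNDEFINED in s["filter"]:
            pending[key] = {"host": m["host"], "conn": int(m["conn"]),
                            "op": int(m["op"]), "base": s["base"],
                            "undefined_terms": s["filter"].count(UNDEFINED),
                            "err": None, "nentries": None}
        elif r and key in pending:
            hit = pending.pop(key)
            hit["err"], hit["nentries"] = int(r["err"]), int(r["n"])
            findings.append(hit)
    # Searches with no result line in the log are still reported.
    return findings + list(pending.values())

if __name__ == "__main__":
    for hit in find_undefined_filter_searches(SAMPLE_LOG):
        print("{host} conn={conn} op={op}: {undefined_terms} undefined filter "
              "term(s), err={err}, nentries={nentries}".format(**hit))
```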