AD query timeout might be result size limit exceeded
Hello list
I've been struggling for a while trying to configure multiple domain LDAP authentication with full e-mail address authentication. Which in fact was not the issue. There were some discrepancies between the doc and our actual configuration (see appendix A/). It seems that pass_filters and user_filters don't need many special settings for our setup.
Now it's working correctly, at the sole exception that when an OU contains "lots" of users (>200) I suspect that the ldapsearch query fails. We can well authenticate when we have 50 users in an OU, but not when the number rises (I don't have the exact number above which it locks).
Is there a parameter that we can set to increase the result size limit (as I suspect this to be the cause of this possible bug)?
If I query manually (ldapsearch) it's ok; if I use "doveadm auth user.name@domain.tld", it succeeds also, but I wonder if it doesn't use the winbind authentication instead.
Here is our ldap-auth configuration
hosts = master.domain.local:389
dn = DOMAIN\ro-user
dnpass = password
debug_level = 2
auth_bind = yes
#auth_bind_userdn = cn=%u,OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local (tried with and without, with no better results)
ldap_version = 3
#deref = never
#base = OU=InfrastructureManagement,DC=domain,DC=local (works, has a few users)
base = OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local
scope = subtree
user_filter = (&(objectclass=person)(mail=%u))
pass_filter = (&(objectclass=person)(mail=%u))
and some logs in appendix B/
Thanks for any hints on this.
Have a nice day
appendix A/
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.7
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
default_vsz_limit = 1 G
disable_plaintext_auth = no
first_valid_gid = 5000
first_valid_uid = 5000
last_valid_gid = 50000
last_valid_uid = 50000
mail_gid = 5000
mail_home = /var/vmail/%d/%n
mail_location = maildir:~/mail
mail_privileged_group = virtmail
mail_uid = 5000
namespace inbox {
  hidden = no
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  subscriptions = yes
}
passdb {
  args = scheme=plain-md5 username_format=%u /etc/dovecot/users
  driver = passwd-file
}
passdb {
  args = scheme=plain-md5 username_format=%u /etc/dovecot/users
  driver = passwd-file
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
passdb {
  args = /etc/dovecot/pirisusers-ldap.conf.ext
  driver = ldap
}
protocols = imap
service auth {
  unix_listener auth-userdb {
    mode = 0666
    user = virtmail
  }
}
ssl_cert =
appendix B/
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_int_select
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: read1msg: ld 0x7fcc0a585fa0 msgid 14 all 1
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: read1msg: ld 0x7fcc0a585fa0 msgid 11 message type search-reference
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_chase_v3referrals
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_url_parse_ext(ldap://ForestDnsZones.domain.local/DC=ForestDnsZones,DC=domain,DC=local)
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: re_encode_request: new msgid 15, new dn
On Thu, May 19, 2016 at 4:27 PM, Julien Lambot jlambot@gmail.com wrote:
Hello list
I've been struggling for a while trying to configure multiple domain LDAP authentication with full e-mail address authentication. Which in fact was not the issue. There were some discrepancies between the doc and our actual configuration (see appendix A/). It seems that pass_filters and user_filters don't need many special settings for our setup.
Now it's working correctly, at the sole exception that when an OU contains "lots" of users (>200) I suspect that the ldapsearch query fails. We can well authenticate when we have 50 users in an OU, but not when the number rises (I don't have the exact number above which it locks).
After further investigations, it seems the issue is caused by the presence of an "_" (underscore) in the OU name. Other OUs are not impacted.
If anyone has a suggestion, that would be welcome. In fact, we cannot rename this OU without a wide impact on other configurations.
Regards
Julien
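An added example, not from the thread or from Dovecot: it builds the posted user_filter from the config above with the RFC 4515 escaping a client has to apply when substituting %u, and checks whether the RDN values of the posted base DN (including the "_myou" OU the follow-up mentions) need any RFC 4514 escaping. The filter template and base DN are taken from the configuration in the thread; the usernames fed in are constructed.

```python
# Added example (not Dovecot's code). Filter template and base DN come from the
# dovecot-ldap.conf.ext posted in the thread; test usernames are constructed.

FILTER_TEMPLATE = "(&(objectclass=person)(mail=%u))"
BASE_DN = "OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local"

# RFC 4515 section 3: only these characters must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """Substitute %u into the posted template: escape first, then insert.
    A username containing '*' or parentheses is kept as a literal value
    instead of changing the shape of the filter."""
    return FILTER_TEMPLATE.replace("%u", escape_filter_value(username))


# RFC 4514 section 2.4: characters needing a backslash inside a DN attribute value,
# plus '#' at the start and a space at the start or end.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def dn_value_needs_escaping(value: str) -> bool:
    """True if the value would have to be escaped to be a valid RDN value."""
    return escape_dn_value(value) != value


def base_dn_rdn_values(dn: str) -> list:
    """Split a DN with no escaped commas into its RDN values (enough for the posted base)."""
    return [rdn.split("=", 1)[1] for rdn in dn.split(",")]
```

Underscore is not special at either level, so a DN or filter containing "_myou" is syntactically fine; the check above rules out escaping as the cause and points the search elsewhere, for example at the referral chasing visible in appendix B.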