[Dovecot] LDAP subtree search on AD
Hello people!
I'm new to the list and to dovecot too. In advance I'd like to thank everybody who could help me, and I'll be very glad if I could help somebody here. I've been working on a project to integrate dovecot and active directory authentication for 2 weeks without total success. I've tried so many ways to solve my problem, but none gave me the right answer. I'll appreciate it if someone could help me. First of all let me show some needed data.
Distro: Debian Etch
dovecot --version 1.0.0
dovecot -n
# /etc/dovecot/dovecot.conf
base_dir: /var/run/dovecot/
log_path: /var/log/dovecot-imapd.log
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap
disable_plaintext_auth: no
login_dir: /var/run/dovecot//login
login_executable: /usr/lib/dovecot/imap-login
mail_debug: yes
imap_client_workarounds: outlook-idle delay-newmail
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: pam
    args: dovecot
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  socket:
    type: listen
    client:
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail
/etc/dovecot/dovecot-ldap.conf
hosts = 192.168.0.11
dn = cn=dovecot,cn=Users,dc=tecnicopias01,dc=com,dc=br
dnpass = password
ldap_version = 3
auth_bind = yes
base = DC=tecnicopias01,DC=com,DC=br
deref = never
scope = subtree
user_attrs = info=mail
user_filter = (&(objectClass=organizationalPerson)(sAMAccountName=%u))
user_global_uid = 5000
user_global_gid = 5000
I can authenticate using pam+krb5 with success, but when I try to make a userdb search to get the maillocation for the authenticated user, I get in trouble. The ldap_search doesn't make a subtree search, making only a onelevel search. So, if I point the base directive (/etc/dovecot/dovecot-ldap.conf) to where the user that is authenticating at that moment is, I can log in perfectly and get the maillocation.
My question is: why doesn't dovecot make an ldap subtree search? Or am I missing anything?
Thanks Bruno.
With postfix using virtual_mailbox_maps through the same ldap backend, I can make subtree searches in the Active Directory without problems.
Any ideas?
I really need this information and appreciate any help or new ideas!
Thanks Bruno.
---------- Forwarded message ---------- From: Bruno Puga brpuga@gmail.com Date: Jun 12, 2007 6:04 PM Subject: LDAP subtree search on AD To: dovecot@dovecot.org
On Wed, 2007-06-13 at 15:46 -0300, Bruno Puga wrote:
With postfix using virtual_mailbox_maps through the same ldap backend, I can make subtree searches in the Active Directory without problems.
Any ideas?
I really need this information and appreciate any help or new ideas!
I've no idea about Active Directory, or even all that much about LDAP.
scope = subtree
This should however work, and it's also the default. It gets passed to ldap_search() function correctly, so as far as I know there are no bugs related to this.
Maybe you could check with eg. Wireshark if it supports LDAP protocol and see what's different between what Dovecot sends and what Postfix sends.
Ok Timo, first of all thanks for your reply!
I've used ngrep to sniff the packets and I grabbed the data below. As we can see, Postfix makes the bind before anything else, and Dovecot sends some lines of data before the bind. After that, dovecot tries to make the subtree search, but in my understanding dovecot isn't making a correct bind, maybe because of the two lines sent before the bind, or any other thing. I think it could also be that dovecot is using other connections for the search than the connection used at bind time, as we can see in the logs below that dovecot uses various local ports for one single search, and Postfix opens just one local port to make that search.
Timo, I think it could be a bug. Correct me if I am wrong!
Waiting for answers and ideas, and thanks until the moment. Bruno.
Dovecot:
#
T 192.168.0.251:58918 -> 192.168.0.11:389 [AP]
0....`......teste..teste
#
T 192.168.0.11:389 -> 192.168.0.251:58918 [AP]
0........a............
##
T 192.168.0.251:58918 -> 192.168.0.11:389 [AP]
0E...`@....1CN=Postfix,CN=Users,DC=tecnicopias01,DC=com,DC=br..mypassword
#
T 192.168.0.11:389 -> 192.168.0.251:58918 [AP]
0........a............
#
T 192.168.0.251:58918 -> 192.168.0.11:389 [AP]
0{...cv..DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info
#
T 192.168.0.11:389 -> 192.168.0.251:58918 [AP]
0....@...d....7./CN=teste,CN=Users,DC=tecnicopias01,DC=com,DC=br0.....0....e...s....\.Zldap://ForestDnsZones.tecnicopias01.com.br/DC=ForestDnsZones,DC=tecnicopias01,DC=com,DC=br0....e...s....\.Zldap://DomainDnsZones.tecnicopias01.com.br/DC=DomainDnsZones,DC=tecnicopias01,DC=com,DC=br0....U...s....L.Jldap://tecnicopias01.com.br/CN=Configuration,DC=tecnicopias01,DC=com,DC=br0........e............
####
T 192.168.0.251:58920 -> 192.168.0.11:389 [AP]
0............
#
T 192.168.0.11:389 -> 192.168.0.251:58920 [AP]
0........a............
#####
T 192.168.0.251:58921 -> 192.168.0.11:389 [AP]
0............
#
T 192.168.0.11:389 -> 192.168.0.251:58921 [AP]
0........a............
#####
T 192.168.0.251:58922 -> 192.168.0.11:389 [AP]
0....`........
#
T 192.168.0.11:389 -> 192.168.0.251:58922 [AP]
0........a............
##
T 192.168.0.251:58922 -> 192.168.0.11:389 [AP]
0.....c....CN=Configuration,DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info
#
T 192.168.0.251:58921 -> 192.168.0.11:389 [AP]
0.....c.../DC=DomainDnsZones,DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info
#
T 192.168.0.251:58920 -> 192.168.0.11:389 [AP]
0.....c.../DC=ForestDnsZones,DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info
#
T 192.168.0.11:389 -> 192.168.0.251:58922 [AP]
0........e................00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece.
#
T 192.168.0.11:389 -> 192.168.0.251:58921 [AP]
0........e................00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece.
#
T 192.168.0.11:389 -> 192.168.0.251:58920 [AP]
0........e................00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece.

Postfix:
####
T 192.168.0.251:47285 -> 192.168.0.11:389 [AP]
0E...`@....1cn=postfix,cn=Users,dc=tecnicopias01,dc=com,dc=br..mypassword
#
T 192.168.0.11:389 -> 192.168.0.251:47285 [AP]
0........a............
##
T 192.168.0.251:47285 -> 192.168.0.11:389 [AP]
0f...ca..dc=tecnicopias01,dc=com,dc=br................ ..mail..bruno@tecnicopias.com.br0...postOfficeBox
#
T 192.168.0.11:389 -> 192.168.0.251:47285 [AP]
0........d....w.9CN=Bruno Puga,OU=USER,OU=TI,DC=tecnicopias01,DC=com,DC=br0....60....0..postOfficeBox1.......tecnicopias.com.br/bruno/0....e...s....\.Zldap://ForestDnsZones.tecnicopias01.com.br/DC=ForestDnsZones,DC=tecnicopias01,DC=com,DC=br0....e...s....\.Zldap://DomainDnsZones.tecnicopias01.com.br/DC=DomainDnsZones,DC=tecnicopias01,DC=com,DC=br0....U...s....L.Jldap://tecnicopias01.com.br/CN=Configuration,DC=tecnicopias01,DC=com,DC=br0........e............
#
T 192.168.0.251:47285 -> 192.168.0.11:389 [AP]
0....B.
####
On 6/13/07, Timo Sirainen tss@iki.fi wrote:
Hello Timo!
I think that to make an ldap_search in the Microsoft Active Directory (I don't know about OpenLDAP, but it could be the same case) it is necessary to first open a connection, then bind with a valid user, and make the search in the same connection, but with Dovecot we can see in the sniffed packets that it opens various connections in one ldap_search. Because of this Microsoft Active Directory shows this in the sniffer logs:
"comment: In order to perform this operation a successful bind must be completed on the connection"
So, in the connection using local port 58918 dovecot did make a successful bind but didn't find the ldap entry; after that it tries to make a subtree search but using other connections (ports 58920, 58921 and 58922) without a successful bind, and AD blocks the search right there. I think dovecot isn't searching for ldap entries correctly, isn't it?
I'm not an ldap and dovecot expert, so please tell us if what I write here is correct or not.
Waiting for your reply, thanks, Bruno.
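The exchange the dump above shows, rebuilt as an added example in Python (this is editor-supplied code, not Dovecot's, Postfix's or anything Bruno or Timo posted). It encodes the same BindRequest and SearchRequest on the wire per RFC 4511 BER, decodes the kind of answer AD gives to a subtree search at the domain root, and replays the three client behaviours that matter here against a constructed stand-in for the domain controller. Every name in it is hypothetical; the DNs, filter, password and referral URLs are taken from the config and the packets in the thread, and the stand-in's behaviour (bind state per TCP connection, operationsError with the LdapErr text on an unbound connection, an entry plus three search references for a subtree search at the root) is constructed to match what the capture shows, not a real AD implementation.

```python
# Added example, not Dovecot's code. Hypothetical names; DNs, filter, URLs and the fake DC are built from the dump.
BIND_REQ, BIND_RESP = 0x60, 0x61                        # the ` and a bytes in the ngrep dump
SEARCH_REQ, ENTRY, DONE, REF = 0x63, 0x64, 0x65, 0x73   # c, d, e and s
SUBTREE, NEVER_DEREF, SUCCESS, OPERATIONS_ERROR = 2, 0, 0, 1
ROOT = "DC=tecnicopias01,DC=com,DC=br"
BIND_DN, BIND_PW = "cn=dovecot,cn=Users," + ROOT, "password"   # from dovecot-ldap.conf

def tlv(tag, payload):         # BER tag-length-value; long-form length from 128 bytes up
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def integer(v, tag=0x02):      # non-negative INTEGER, or ENUMERATED with tag 0x0A
    return tlv(tag, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def octets(s, tag=0x04):
    return tlv(tag, s.encode())

def message(msg_id, op):       # LDAPMessage ::= SEQUENCE { messageID, protocolOp }
    return tlv(0x30, integer(msg_id) + op)

def ldap_result(op_tag, code, diag=""):   # LDAPResult: resultCode, matchedDN, diagnosticMessage
    return tlv(op_tag, integer(code, 0x0A) + octets("") + octets(diag))

def bind_request(msg_id, dn, password):   # simple bind: version 3, name, [0] OCTET STRING
    return message(msg_id, tlv(BIND_REQ, integer(3) + octets(dn) + octets(password, 0x80)))

def search_request(msg_id, base, filt, attrs, scope=SUBTREE):
    body = (octets(base) + integer(scope, 0x0A) + integer(NEVER_DEREF, 0x0A)
            + integer(0) + integer(0) + tlv(0x01, b"\x00")   # sizeLimit, timeLimit, typesOnly
            + filt + tlv(0x30, b"".join(octets(a) for a in attrs)))
    return message(msg_id, tlv(SEARCH_REQ, body))

# (&(objectClass=organizationalPerson)(sAMAccountName=teste)): and [0] of two equalityMatch [3]
FILTER = tlv(0xA0, tlv(0xA3, octets("objectClass") + octets("organizationalPerson"))
                 + tlv(0xA3, octets("sAMAccountName") + octets("teste")))

def read_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def read_all(buf):
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def parse_search(stream):
    """Split one search's response stream into (entry DNs, reference URLs, resultCode)."""
    entries, refs, code = [], [], None
    for _, msg in read_all(stream):
        _, (op, body) = read_all(msg)[:2]
        if op == ENTRY:
            entries.append(read_tlv(body)[1].decode())
        elif op == REF:
            refs += [url.decode() for _, url in read_all(body)]
        elif op == DONE:
            code = int.from_bytes(read_tlv(body)[1], "big")
    return entries, refs, code

REFS = ["ldap://ForestDnsZones.tecnicopias01.com.br/DC=ForestDnsZones," + ROOT,
        "ldap://DomainDnsZones.tecnicopias01.com.br/DC=DomainDnsZones," + ROOT,
        "ldap://tecnicopias01.com.br/CN=Configuration," + ROOT]
DIAG = "In order to perform this operation a successful bind must be completed on the connection."

def ad_handle(bound, conn, request):
    """Constructed stand-in for the DC: `bound` holds the connection ids that completed a bind;
    a search elsewhere gets operationsError, a subtree search at ROOT gets entry + 3 references."""
    (_, mid), (op, body) = read_all(read_tlv(request)[1])[:2]
    mid = int.from_bytes(mid, "big")
    if op == BIND_REQ:
        bound.add(conn)
        return message(mid, ldap_result(BIND_RESP, SUCCESS))
    if conn not in bound:
        return message(mid, ldap_result(DONE, OPERATIONS_ERROR, DIAG))
    out = b""
    if read_tlv(body)[1].decode() == ROOT:
        out += message(mid, tlv(ENTRY, octets("CN=teste,CN=Users," + ROOT) + tlv(0x30, b"")))
        out += b"".join(message(mid, tlv(REF, octets(u))) for u in REFS)
    return out + message(mid, ldap_result(DONE, SUCCESS))

def userdb_lookup(chase_refs, bind_before_chase):
    """Bind and search on connection 1, then optionally chase each reference on a fresh
    connection, binding it first or not. Returns (entry DNs, resultCode of each search)."""
    bound = set()
    ad_handle(bound, 1, bind_request(1, BIND_DN, BIND_PW))
    entries, refs, code = parse_search(ad_handle(bound, 1, search_request(2, ROOT, FILTER, ["info"])))
    codes = [code]
    for conn, url in enumerate(refs if chase_refs else [], start=2):
        if bind_before_chase:
            ad_handle(bound, conn, bind_request(1, BIND_DN, BIND_PW))
        ref_base = url.rsplit("/", 1)[1]          # the DN part of the LDAP URL
        more, _, code = parse_search(ad_handle(bound, conn, search_request(2, ref_base, FILTER, ["info"])))
        entries += more
        codes.append(code)
    return entries, codes
```

What it shows: `search_request(2, ROOT, FILTER, ["info"])` comes out 125 bytes long with the scope byte set to 2 (wholeSubtree), and its first bytes are the `0{` and `cv` visible at the start of the Dovecot search packet in the dump, so the request Dovecot sends is a correct subtree search, as Timo says. The answer to a subtree search at the domain root is one entry followed by three SearchResultReference messages (the `ldap://ForestDnsZones...`, `ldap://DomainDnsZones...` and `ldap://.../CN=Configuration` URLs in both dumps) and a SearchResultDone. `userdb_lookup(True, False)` reproduces the failure in the capture: the root search succeeds (resultCode 0) and the three searches sent on new, unbound connections get resultCode 1 with the LdapErr text, which is a client library chasing references without binding the new connection, not a scope problem. `userdb_lookup(False, False)` and `userdb_lookup(True, True)` are the two behaviours that work: ignore the references, or bind before searching on each new connection. In the OpenLDAP client library this chasing is governed by LDAP_OPT_REFERRALS (ldap.conf `REFERRALS off`); querying a Global Catalog (port 3268) also avoids these references because the GC holds a partial copy of every partition. Whether Dovecot 1.0.0 sets that option itself is not something this thread shows, which is why the server-side error should also appear in Dovecot's own log, as Timo asks below.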
On Fri, 2007-06-15 at 14:50 -0300, Bruno Puga wrote:
Hello Timo!
I think that to make an ldap_search in the Microsoft Active Directory (I don't know about OpenLDAP, but it could be the same case) it is necessary to first open a connection, then bind with a valid user, and make the search in the same connection, but with Dovecot we can see in the sniffed packets that it opens various connections in one ldap_search. Because of this Microsoft Active Directory shows this in the sniffer logs:
"comment: In order to perform this operation a successful bind must be completed on the connection"
I'm pretty sure Dovecot should have logged something similar. Have you checked if there's anything in error logs (and not just info logs)? See http://wiki.dovecot.org/Logging
Set auth_debug=yes and show what Dovecot logs while