Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users.
I don't have problems. Authentication works fine. However logging show every time the following line:
auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword'
The LDAP authentication works correct. So I don't understand this message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) ldap_bind = yes fields { user = %{ldap:mailDeliveryaddress} password = %{ldap:userPassword} } }
userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) fields { home = %{ldap:mailBase} mail = %{ldap:mailMessageStore} mail_path = %{ldap:mailMessageStore} quota_storage_size = %{ldap:dovecotQuota} } }
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot <dovecot@dovecot.org> wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users.
I don't have problems. Authentication works fine. However logging show every time the following line:
auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword'
The LDAP authentication works correct. So I don't understand this message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) ldap_bind = yes fields { user = %{ldap:mailDeliveryaddress} password = %{ldap:userPassword} } }
userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) fields { home = %{ldap:mailBase} mail = %{ldap:mailMessageStore} mail_path = %{ldap:mailMessageStore} quota_storage_size = %{ldap:dovecotQuota} } }
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Don't think so
/etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot <dovecot@dovecot.org> wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users.
I don't have problems. Authentication works fine. However logging show every time the following line:
auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword'
The LDAP authentication works correct. So I don't understand this message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) ldap_bind = yes fields { user = %{ldap:mailDeliveryaddress} password = %{ldap:userPassword} } }
userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) fields { home = %{ldap:mailBase} mail = %{ldap:mailMessageStore} mail_path = %{ldap:mailMessageStore} quota_storage_size = %{ldap:dovecotQuota} } }
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Don't think so
/etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot <dovecot@dovecot.org> wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users.
I don't have problems. Authentication works fine. However logging show every time the following line:
auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword'
The LDAP authentication works correct. So I don't understand this message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) ldap_bind = yes fields { user = %{ldap:mailDeliveryaddress} password = %{ldap:userPassword} } }
userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) fields { home = %{ldap:mailBase} mail = %{ldap:mailMessageStore} mail_path = %{ldap:mailMessageStore} quota_storage_size = %{ldap:dovecotQuota} } }
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
--
Cordialement,
R.J. Baart Portable: +33 7 88398245
Don't think so
/etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{[1]ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot
[2]<dovecot@dovecot.org> wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as
backend for the users.
I don't have problems. Authentication works fine. However logging show
every time the following line:
auth-worker(<user
name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request
[7]:
Error: ldap: auth_passdb_post settings: Failed to parse configuration:
Failed to expand passdb_fields/password setting variables: ldap: No
such
attribute 'userpassword'
The LDAP authentication works correct. So I don't understand this
message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap {
passdb_use_worker = yes
passdb_ldap_filter =
(&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user}))
ldap_bind = yes
fields {
user = %{[3]ldap:mailDeliveryaddress}
password = %{[4]ldap:userPassword}
}
}
userdb ldap {
userdb_use_worker = yes
userdb_ldap_filter =
(&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user}))
fields {
home = %{[5]ldap:mailBase}
mail = %{[6]ldap:mailMessageStore}
mail_path = %{[7]ldap:mailMessageStore}
quota_storage_size = %{[8]ldap:dovecotQuota}
}
}
_______________________________________________
dovecot mailing list -- [9]dovecot@dovecot.org
To unsubscribe send an email to [10]dovecot-leave@dovecot.org
_______________________________________________
dovecot mailing list -- [11]dovecot@dovecot.org
To unsubscribe send an email to [12]dovecot-leave@dovecot.org--
Cordialement,
R.J. Baart Portable: +33 7 88398245
References
Visible links
- file:///tmp/tmpw_nfu2nq/ldap:userPassword
- mailto:dovecot@dovecot.org
- file:///tmp/tmpw_nfu2nq/ldap:mailDeliveryaddress
- file:///tmp/tmpw_nfu2nq/ldap:userPassword
- file:///tmp/tmpw_nfu2nq/ldap:mailBase
- file:///tmp/tmpw_nfu2nq/ldap:mailMessageStore
- file:///tmp/tmpw_nfu2nq/ldap:mailMessageStore
- file:///tmp/tmpw_nfu2nq/ldap:dovecotQuota
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
I ment in your 2.4.1 config
Aki
On 03/02/2026 14:44 EET Ruud Baart via dovecot <dovecot@dovecot.org> wrote:
Don't think so
/etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot <dovecot@dovecot.org> wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users.
I don't have problems. Authentication works fine. However logging show every time the following line:
auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword'
The LDAP authentication works correct. So I don't understand this message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) ldap_bind = yes fields { user = %{ldap:mailDeliveryaddress} password = %{ldap:userPassword} } }
userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) fields { home = %{ldap:mailBase} mail = %{ldap:mailMessageStore} mail_path = %{ldap:mailMessageStore} quota_storage_size = %{ldap:dovecotQuota} } }
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
--
Cordialement,
R.J. Baart Portable: +33 7 88398245
- Don't think so
/etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{[1]ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have 'userpassword' instead of 'userPassword' in your config? Aki On 03/02/2026 13:21 EET Ruud Baart via dovecot [2]<dovecot@dovecot.org> wrote: Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users. I don't have problems. Authentication works fine. However logging show every time the following line: auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword' The LDAP authentication works correct. So I don't understand this message. My correct working LDAP configuration in auth-ldap.conf.ext: passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) ldap_bind = yes fields { user = %{[3]ldap:mailDeliveryaddress} password = %{[4]ldap:userPassword} } } userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) fields { home = %{[5]ldap:mailBase} mail = %{[6]ldap:mailMessageStore} mail_path = %{[7]ldap:mailMessageStore} quota_storage_size = %{[8]ldap:dovecotQuota} } } _______________________________________________ dovecot mailing list -- [9]dovecot@dovecot.org To unsubscribe send an email to [10]dovecot-leave@dovecot.org _______________________________________________ dovecot mailing list -- [11]dovecot@dovecot.org To unsubscribe send an email to [12]dovecot-leave@dovecot.org--
Cordialement,
R.J. Baart Portable: +33 7 88398245
References
Visible links
- file:///tmp/tmpw_nfu2nq/ldap:userPassword
- mailto:dovecot@dovecot.org
- file:///tmp/tmpw_nfu2nq/ldap:mailDeliveryaddress
- file:///tmp/tmpw_nfu2nq/ldap:userPassword
- file:///tmp/tmpw_nfu2nq/ldap:mailBase
- file:///tmp/tmpw_nfu2nq/ldap:mailMessageStore
- file:///tmp/tmpw_nfu2nq/ldap:mailMessageStore
- file:///tmp/tmpw_nfu2nq/ldap:dovecotQuota
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
You mean verify with doveconf? Same result
doveconf |grep -i userpassword password = %{ldap:userPassword}
Op 3-2-2026 om 14:08 schreef Aki Tuomi via dovecot:
I ment in your 2.4.1 config
Aki
On 03/02/2026 14:44 EET Ruud Baart via dovecot <dovecot@dovecot.org> wrote:
Don't think so
/etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot <dovecot@dovecot.org> wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users.
I don't have problems. Authentication works fine. However logging show every time the following line:
auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword'
The LDAP authentication works correct. So I don't understand this message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) ldap_bind = yes fields { user = %{ldap:mailDeliveryaddress} password = %{ldap:userPassword} } }
userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) fields { home = %{ldap:mailBase} mail = %{ldap:mailMessageStore} mail_path = %{ldap:mailMessageStore} quota_storage_size = %{ldap:dovecotQuota} } }
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Don't think so
/etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{[1]ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot [2]<dovecot@dovecot.org> wrote: Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users. I don't have problems. Authentication works fine. However logging show every time the following line: auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword' The LDAP authentication works correct. So I don't understand this message. My correct working LDAP configuration in auth-ldap.conf.ext: passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) ldap_bind = yes fields { user = %{[3]ldap:mailDeliveryaddress} password = %{[4]ldap:userPassword} } } userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) fields { home = %{[5]ldap:mailBase} mail = %{[6]ldap:mailMessageStore} mail_path = %{[7]ldap:mailMessageStore} quota_storage_size = %{[8]ldap:dovecotQuota} } } _______________________________________________ dovecot mailing list -- [9]dovecot@dovecot.org To unsubscribe send an email to [10]dovecot-leave@dovecot.org_______________________________________________ dovecot mailing list -- [11]dovecot@dovecot.org To unsubscribe send an email to [12]dovecot-leave@dovecot.org
--
Cordialement,
R.J. Baart Portable: +33 7 88398245
References
Visible links 1. file:///tmp/tmpw_nfu2nq/ldap:userPassword 2. mailto:dovecot@dovecot.org 3. file:///tmp/tmpw_nfu2nq/ldap:mailDeliveryaddress 4. file:///tmp/tmpw_nfu2nq/ldap:userPassword 5. file:///tmp/tmpw_nfu2nq/ldap:mailBase 6. file:///tmp/tmpw_nfu2nq/ldap:mailMessageStore 7. file:///tmp/tmpw_nfu2nq/ldap:mailMessageStore 8. file:///tmp/tmpw_nfu2nq/ldap:dovecotQuota 9. mailto:dovecot@dovecot.org10. mailto:dovecot-leave@dovecot.org 11. mailto:dovecot@dovecot.org 12. mailto:dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Still nobody knows the answer?
In fact it is strange because LDAP attributes are case insensitive. Further If I change in the LDAP config
passdb ldap { ... fields { ... password = %{ldap:userPassword} } }
in
passdb ldap { ... fields { ... password = %{ldap:userpassword} } }
the logins are still OK but the error in the logfile remains the same.
Op 3-2-2026 om 14:45 schreef Ruud Baart via dovecot:
You mean verify with doveconf? Same result
doveconf |grep -i userpassword password = %{ldap:userPassword}
Op 3-2-2026 om 14:08 schreef Aki Tuomi via dovecot:
I ment in your 2.4.1 config
Aki
On 03/02/2026 14:44 EET Ruud Baart via dovecot <dovecot@dovecot.org> wrote:
Don't think so
/etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot <dovecot@dovecot.org> wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users.
I don't have problems. Authentication works fine. However logging show every time the following line:
auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword'
The LDAP authentication works correct. So I don't understand this message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user}))
ldap_bind = yes fields { user = %{ldap:mailDeliveryaddress} password = %{ldap:userPassword} } }
userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user}))
fields { home = %{ldap:mailBase} mail = %{ldap:mailMessageStore} mail_path = %{ldap:mailMessageStore} quota_storage_size = %{ldap:dovecotQuota} } }
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
* Don't think so
/etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{[1]ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot [2]<dovecot@dovecot.org> wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users.
I don't have problems. Authentication works fine. However logging show every time the following line:
auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword'
The LDAP authentication works correct. So I don't understand this message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) ldap_bind = yes fields { user = %{[3]ldap:mailDeliveryaddress} password = %{[4]ldap:userPassword} } }
userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) fields { home = %{[5]ldap:mailBase} mail = %{[6]ldap:mailMessageStore} mail_path = %{[7]ldap:mailMessageStore} quota_storage_size = %{[8]ldap:dovecotQuota} } }
References
Visible links 1. file:///tmp/tmpw_nfu2nq/ldap:userPassword 2. mailto:dovecot@dovecot.org 3. file:///tmp/tmpw_nfu2nq/ldap:mailDeliveryaddress 4. file:///tmp/tmpw_nfu2nq/ldap:userPassword 5. file:///tmp/tmpw_nfu2nq/ldap:mailBase 6. file:///tmp/tmpw_nfu2nq/ldap:mailMessageStore 7. file:///tmp/tmpw_nfu2nq/ldap:mailMessageStore 8. file:///tmp/tmpw_nfu2nq/ldap:dovecotQuota 9. mailto:dovecot@dovecot.org 10. mailto:dovecot-leave@dovecot.org 11. mailto:dovecot@dovecot.org 12. mailto:dovecot-leave@dovecot.org
Hi Ruud
I think that message "No such attribute 'userpassword' " is being produced because the attribute name userPassword in your configuration is being lower cased by Dovecot and the lower case name is being used by Dovecot both in the check for existence of the attribute and in the error messager. (see *t_str_lcase *call in code below).
That can also explain why the error still happens even when you change your configuration to use the attribute name userpassword, because that is in any case the value that Dovecot uses internally when checking for the existence of the attribute. If so, you can rule out the line of enquiry of searching for extraneous userpassword attributes in your configuration.
It's still a mystery to me why the existence check went wrong for %{ldap:userPassword} but not for other attributes in your configuration like %{ldap:mailDeliveryaddress}, assuming of course that the latter isn't really called maildeliveryaddress in your schema, which seems unlikely. Maybe Aki has some more insight.
source code file: auth/db-ldap.c
static int db_ldap_field_multi_expand(const char *data, const char **value_r, void *context, const char **error_r) { struct db_ldap_field_expand_context *ctx = context; struct auth_fields *fields = ctx->fields; * const char *field_name = t_str_lcase(data);*
const char *value = auth_fields_find(fields, db_ldap_attribute_as_multi(field_name)); if (value == NULL || *value == '\0') value = auth_fields_find(fields, field_name);
if (value == NULL || *value == '\0') { *error_r = t_strdup_printf("No such attribute '%s'", field_name); return -1; } *value_r = value; return 0; }
John
On 04/02/2026 15:29, Ruud Baart via dovecot wrote:
Still nobody knows the answer?
In fact it is strange because LDAP attributes are case insensitive. Further If I change in the LDAP config
passdb ldap { ... fields { ... password = %{ldap:userPassword} } }
in
passdb ldap { ... fields { ... password = %{ldap:userpassword} } }
the logins are still OK but the error in the logfile remains the same.
Op 3-2-2026 om 14:45 schreef Ruud Baart via dovecot:
You mean verify with doveconf? Same result
doveconf |grep -i userpassword password = %{ldap:userPassword}
Op 3-2-2026 om 14:08 schreef Aki Tuomi via dovecot:
I ment in your 2.4.1 config
Aki
On 03/02/2026 14:44 EET Ruud Baart via dovecot <dovecot@dovecot.org> wrote:
Don't think so
/etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot <dovecot@dovecot.org> wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users.
I don't have problems. Authentication works fine. However logging show every time the following line:
auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword'
The LDAP authentication works correct. So I don't understand this message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user}))
ldap_bind = yes fields { user = %{ldap:mailDeliveryaddress} password = %{ldap:userPassword} } }
userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user}))
fields { home = %{ldap:mailBase} mail = %{ldap:mailMessageStore} mail_path = %{ldap:mailMessageStore} quota_storage_size = %{ldap:dovecotQuota} } }
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
* Don't think so
/etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{[1]ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot [2]<dovecot@dovecot.org> wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users.
I don't have problems. Authentication works fine. However logging show every time the following line:
auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword'
The LDAP authentication works correct. So I don't understand this message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user}))
ldap_bind = yes fields { user = %{[3]ldap:mailDeliveryaddress} password = %{[4]ldap:userPassword} } }
userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user}))
fields { home = %{[5]ldap:mailBase} mail = %{[6]ldap:mailMessageStore} mail_path = %{[7]ldap:mailMessageStore} quota_storage_size = %{[8]ldap:dovecotQuota} } }
References
Visible links 1. file:///tmp/tmpw_nfu2nq/ldap:userPassword 2. mailto:dovecot@dovecot.org 3. file:///tmp/tmpw_nfu2nq/ldap:mailDeliveryaddress 4. file:///tmp/tmpw_nfu2nq/ldap:userPassword 5. file:///tmp/tmpw_nfu2nq/ldap:mailBase 6. file:///tmp/tmpw_nfu2nq/ldap:mailMessageStore 7. file:///tmp/tmpw_nfu2nq/ldap:mailMessageStore 8. file:///tmp/tmpw_nfu2nq/ldap:dovecotQuota 9. mailto:dovecot@dovecot.org 10. mailto:dovecot-leave@dovecot.org 11. mailto:dovecot@dovecot.org 12. mailto:dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Hi Ruud
I think that message "No such attribute 'userpassword' " is being produced because the attribute name userPassword in your configuration is being lower cased by Dovecot and the lower case name is being used by Dovecot both in the check for existence of the attribute and in the error messager. (see t_str_lcase call in code below).
That can also explain why the error still happens even when you change your configuration to use the attribute name userpassword, because that is in any case the value that Dovecot uses internally when checking for the existence of the attribute. If so, you can rule out the line of enquiry of searching for extraneous userpassword attributes in your configuration.
It's still a mystery to me why the existence check went wrong for %{[1]ldap:userPassword} but not for other attributes in your configuration like %{[2]ldap:mailDeliveryaddress}, assuming of course that the latter isn't really called maildeliveryaddress in your schema, which seems unlikely. Maybe Aki has some more insight.
source code file: auth/db-ldap.c
static int db_ldap_field_multi_expand(const char *data, const char **value_r, void *context, const char **error_r) { struct db_ldap_field_expand_context *ctx = context; struct auth_fields *fields = ctx->fields; const char *field_name = t_str_lcase(data);
const char *value = auth_fields_find(fields,
db_ldap_attribute_as_multi(field_name));
if (value == NULL || *value == '\0')
value = auth_fields_find(fields, field_name);
if (value == NULL || *value == '\0') {
*error_r = t_strdup_printf("No such attribute '%s'", field_name);
return -1;
}
*value_r = value;
return 0;}
John
On 04/02/2026 15:29, Ruud Baart via dovecot wrote:
Still nobody knows the answer?
In fact it is strange because LDAP attributes are case insensitive.
Further If I change in the LDAP config
passdb ldap { ... fields { ... password = %{[3]ldap:userPassword} }
}
in
passdb ldap { ... fields { ... password = %{[4]ldap:userpassword}
} }
the logins are still OK but the error in the logfile remains the same.
Op 3-2-2026 om 14:45 schreef Ruud Baart via dovecot:
You mean verify with doveconf? Same result
doveconf |grep -i userpassword
password = %{[5]ldap:userPassword}
Op 3-2-2026 om 14:08 schreef Aki Tuomi via dovecot:
I ment in your 2.4.1 config
Aki
On 03/02/2026 14:44 EET Ruud Baart via dovecot
[6]<dovecot@dovecot.org> wrote:
Don't think so
/etc/dovecot/conf.d# grep -H userpassword *
/etc/dovecot/conf.d# grep -H userPassword *
auth-ldap.conf.ext: password = %{[7]ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot
[8]<dovecot@dovecot.org>
wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use
LDAP as
backend for the users.
I don't have problems. Authentication works fine. However
logging show
every time the following line:
auth-worker(<user
name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>:
request [7]:
Error: ldap: auth_passdb_post settings: Failed to parse
configuration:
Failed to expand passdb_fields/password setting variables:
ldap: No such
attribute 'userpassword'
The LDAP authentication works correct. So I don't understand
this
message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap {
passdb_use_worker = yes
passdb_ldap_filter =
(&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user}))
ldap_bind = yes
fields {
user = %{[9]ldap:mailDeliveryaddress}
password = %{[10]ldap:userPassword}
}
}
userdb ldap {
userdb_use_worker = yes
userdb_ldap_filter =
(&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user}))
fields {
home = %{[11]ldap:mailBase}
mail = %{[12]ldap:mailMessageStore}
mail_path = %{[13]ldap:mailMessageStore}
quota_storage_size = %{[14]ldap:dovecotQuota}
}
}
_______________________________________________
dovecot mailing list -- [15]dovecot@dovecot.org
To unsubscribe send an email to [16]dovecot-leave@dovecot.org
_______________________________________________
dovecot mailing list -- [17]dovecot@dovecot.org
To unsubscribe send an email to [18]dovecot-leave@dovecot.org
* Don't think so
/etc/dovecot/conf.d# grep -H userpassword *
/etc/dovecot/conf.d# grep -H userPassword *
auth-ldap.conf.ext: password =
%{[1][19]ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot
[2][20]<dovecot@dovecot.org> wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use
LDAP as
backend for the users.
I don't have problems. Authentication works fine. However
logging show
every time the following line:
auth-worker(<user
name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>:
request
[7]:
Error: ldap: auth_passdb_post settings: Failed to parse
configuration:
Failed to expand passdb_fields/password setting variables:
ldap: No
such
attribute 'userpassword'
The LDAP authentication works correct. So I don't
understand this
message.
My correct working LDAP configuration in
auth-ldap.conf.ext:
passdb ldap {
passdb_use_worker = yes
passdb_ldap_filter =
(&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user}))
ldap_bind = yes
fields {
user = %{[3][21]ldap:mailDeliveryaddress}
password = %{[4][22]ldap:userPassword}
}
}
userdb ldap {
userdb_use_worker = yes
userdb_ldap_filter =
(&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user}))
fields {
home = %{[5][23]ldap:mailBase}
mail = %{[6][24]ldap:mailMessageStore}
mail_path = %{[7][25]ldap:mailMessageStore}
quota_storage_size = %{[8][26]ldap:dovecotQuota}
}
}
References
Visible links
1. [27]file:///tmp/tmpw_nfu2nq/ldap:userPassword
2. [28]mailto:dovecot@dovecot.org
3. [29]file:///tmp/tmpw_nfu2nq/ldap:mailDeliveryaddress
4. [30]file:///tmp/tmpw_nfu2nq/ldap:userPassword
5. [31]file:///tmp/tmpw_nfu2nq/ldap:mailBase
6. [32]file:///tmp/tmpw_nfu2nq/ldap:mailMessageStore
7. [33]file:///tmp/tmpw_nfu2nq/ldap:mailMessageStore
8. [34]file:///tmp/tmpw_nfu2nq/ldap:dovecotQuota
9. [35]mailto:dovecot@dovecot.org
10. [36]mailto:dovecot-leave@dovecot.org
11. [37]mailto:dovecot@dovecot.org
12. [38]mailto:dovecot-leave@dovecot.org
_______________________________________________
dovecot mailing list -- [39]dovecot@dovecot.org
To unsubscribe send an email to [40]dovecot-leave@dovecot.orgReferences
Visible links
- file:///tmp/tmp5_y_4r2j/ldap:userPassword
- file:///tmp/tmp5_y_4r2j/ldap:mailDeliveryaddress
- file:///tmp/tmp5_y_4r2j/ldap:userPassword
- file:///tmp/tmp5_y_4r2j/ldap:userpassword
- file:///tmp/tmp5_y_4r2j/ldap:userPassword
- mailto:dovecot@dovecot.org
- file:///tmp/tmp5_y_4r2j/ldap:userPassword
- mailto:dovecot@dovecot.org
- file:///tmp/tmp5_y_4r2j/ldap:mailDeliveryaddress
- file:///tmp/tmp5_y_4r2j/ldap:userPassword
- file:///tmp/tmp5_y_4r2j/ldap:mailBase
- file:///tmp/tmp5_y_4r2j/ldap:mailMessageStore
- file:///tmp/tmp5_y_4r2j/ldap:mailMessageStore
- file:///tmp/tmp5_y_4r2j/ldap:dovecotQuota
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
- file:///tmp/tmp5_y_4r2j/ldap:userPassword
- mailto:dovecot@dovecot.org
- file:///tmp/tmp5_y_4r2j/ldap:mailDeliveryaddress
- file:///tmp/tmp5_y_4r2j/ldap:userPassword
- file:///tmp/tmp5_y_4r2j/ldap:mailBase
- file:///tmp/tmp5_y_4r2j/ldap:mailMessageStore
- file:///tmp/tmp5_y_4r2j/ldap:mailMessageStore
- file:///tmp/tmp5_y_4r2j/ldap:dovecotQuota
- file:///tmp/tmpw_nfu2nq/ldap:userPassword
- mailto:dovecot@dovecot.org
- file:///tmp/tmpw_nfu2nq/ldap:mailDeliveryaddress
- file:///tmp/tmpw_nfu2nq/ldap:userPassword
- file:///tmp/tmpw_nfu2nq/ldap:mailBase
- file:///tmp/tmpw_nfu2nq/ldap:mailMessageStore
- file:///tmp/tmpw_nfu2nq/ldap:mailMessageStore
- file:///tmp/tmpw_nfu2nq/ldap:dovecotQuota
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
I'm tired. I have been working many hours now. So it may be that I don't quite understand you correctly. The conclusion I draw from these responsen is that there is something strange going on that I can't do anything about. Dovecot seems to be working fine on my server, so I'm not immediately concerned.
I checked the exact spelling of the attributes I use. It is as follows. In the ldif dump: mailBase, mailMessageStore, dovecotQuota, mailDeliveryAddress and userPassword. And indeed, only userPassword gives an error.
Op 4-2-2026 om 19:54 schreef John Fawcett via dovecot:
Hi Ruud I think that message "No such attribute 'userpassword' " is being produced because the attribute name userPassword in your configuration is being lower cased by Dovecot and the lower case name is being used by Dovecot both in the check for existence of the attribute and in the error messager. (see t_str_lcase call in code below). That can also explain why the error still happens even when you change your configuration to use the attribute name userpassword, because that is in any case the value that Dovecot uses internally when checking for the existence of the attribute. If so, you can rule out the line of enquiry of searching for extraneous userpassword attributes in your configuration. It's still a mystery to me why the existence check went wrong for %{[1]ldap:userPassword} but not for other attributes in your configuration like %{[2]ldap:mailDeliveryaddress}, assuming of course that the latter isn't really called maildeliveryaddress in your schema, which seems unlikely. Maybe Aki has some more insight. source code file: auth/db-ldap.c static int db_ldap_field_multi_expand(const char *data, const char **value_r, void *context, const char **error_r) { struct db_ldap_field_expand_context *ctx = context; struct auth_fields *fields = ctx->fields; const char *field_name = t_str_lcase(data); const char *value = auth_fields_find(fields, db_ldap_attribute_as_multi(field_name)); if (value == NULL || *value == '\0') value = auth_fields_find(fields, field_name); if (value == NULL || *value == '\0') { *error_r = t_strdup_printf("No such attribute '%s'", field_name); return -1; } *value_r = value; return 0; } John On 04/02/2026 15:29, Ruud Baart via dovecot wrote: Still nobody knows the answer? In fact it is strange because LDAP attributes are case insensitive. Further If I change in the LDAP config passdb ldap { ... fields { ... password = %{[3]ldap:userPassword} } } in passdb ldap { ... fields { ... password = %{[4]ldap:userpassword} } } the logins are still OK but the error in the logfile remains the same. Op 3-2-2026 om 14:45 schreef Ruud Baart via dovecot: You mean verify with doveconf? Same result doveconf |grep -i userpassword password = %{[5]ldap:userPassword} Op 3-2-2026 om 14:08 schreef Aki Tuomi via dovecot: I ment in your 2.4.1 config Aki On 03/02/2026 14:44 EET Ruud Baart via dovecot [6]<dovecot@dovecot.org> wrote: Don't think so /etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{[7]ldap:userPassword} Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot: Could it be that you have 'userpassword' instead of 'userPassword' in your config? Aki On 03/02/2026 13:21 EET Ruud Baart via dovecot [8]<dovecot@dovecot.org> wrote: Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users. I don't have problems. Authentication works fine. However logging show every time the following line: auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword' The LDAP authentication works correct. So I don't understand this message. My correct working LDAP configuration in auth-ldap.conf.ext: passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) ldap_bind = yes fields { user = %{[9]ldap:mailDeliveryaddress} password = %{[10]ldap:userPassword} } } userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) fields { home = %{[11]ldap:mailBase} mail = %{[12]ldap:mailMessageStore} mail_path = %{[13]ldap:mailMessageStore} quota_storage_size = %{[14]ldap:dovecotQuota} } } _______________________________________________ dovecot mailing list -- [15]dovecot@dovecot.org To unsubscribe send an email to [16]dovecot-leave@dovecot.org _______________________________________________ dovecot mailing list -- [17]dovecot@dovecot.org To unsubscribe send an email to [18]dovecot-leave@dovecot.org * Don't think so /etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{[1][19]ldap:userPassword} Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot: Could it be that you have 'userpassword' instead of 'userPassword' in your config? Aki On 03/02/2026 13:21 EET Ruud Baart via dovecot [2][20]<dovecot@dovecot.org> wrote: Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users. I don't have problems. Authentication works fine. However logging show every time the following line: auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword' The LDAP authentication works correct. So I don't understand this message. My correct working LDAP configuration in auth-ldap.conf.ext: passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) ldap_bind = yes fields { user = %{[3][21]ldap:mailDeliveryaddress} password = %{[4][22]ldap:userPassword} } } userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) fields { home = %{[5][23]ldap:mailBase} mail = %{[6][24]ldap:mailMessageStore} mail_path = %{[7][25]ldap:mailMessageStore} quota_storage_size = %{[8][26]ldap:dovecotQuota} } }
Hi Ruud
sorry, maybe it was too long and not that clear. What I am saying is that even if you have userPassword in your configuration, the error message for that particular error will always state the attribute in lower case. It is pointless to look for some configuration error containing userpassword since the attribute name userPassword will also generate that error you see.
But that gets no closer to understanding why the error is generated in the first place, especially considering that the authentication works anyway.
John
What is not clear to me
On 04/02/2026 21:29, Ruud Baart via dovecot wrote:
I'm tired. I have been working many hours now. So it may be that I don't quite understand you correctly. The conclusion I draw from these responsen is that there is something strange going on that I can't do anything about. Dovecot seems to be working fine on my server, so I'm not immediately concerned.
I checked the exact spelling of the attributes I use. It is as follows. In the ldif dump: mailBase, mailMessageStore, dovecotQuota, mailDeliveryAddress and userPassword. And indeed, only userPassword gives an error.
Op 4-2-2026 om 19:54 schreef John Fawcett via dovecot:
Hi Ruud
I think that message "No such attribute 'userpassword' " is being produced because the attribute name userPassword in your configuration is being lower cased by Dovecot and the lower case name is being used by Dovecot both in the check for existence of the attribute and in the error messager. (see t_str_lcase call in code below).
That can also explain why the error still happens even when you change your configuration to use the attribute name userpassword, because that is in any case the value that Dovecot uses internally when checking for the existence of the attribute. If so, you can rule out the line of enquiry of searching for extraneous userpassword attributes in your configuration.
It's still a mystery to me why the existence check went wrong for %{[1]ldap:userPassword} but not for other attributes in your configuration like %{[2]ldap:mailDeliveryaddress}, assuming of course that the latter isn't really called maildeliveryaddress in your schema, which seems unlikely. Maybe Aki has some more insight.
source code file: auth/db-ldap.c
static int db_ldap_field_multi_expand(const char *data, const char **value_r, void *context, const char **error_r) { struct db_ldap_field_expand_context *ctx = context; struct auth_fields *fields = ctx->fields; const char *field_name = t_str_lcase(data);
const char *value = auth_fields_find(fields, db_ldap_attribute_as_multi(field_name)); if (value == NULL || *value == '\0') value = auth_fields_find(fields, field_name);
if (value == NULL || *value == '\0') { *error_r = t_strdup_printf("No such attribute '%s'", field_name); return -1; } *value_r = value; return 0; }
John
On 04/02/2026 15:29, Ruud Baart via dovecot wrote:
Still nobody knows the answer?
In fact it is strange because LDAP attributes are case insensitive. Further If I change in the LDAP config
passdb ldap { ... fields { ... password = %{[3]ldap:userPassword} } }
in
passdb ldap { ... fields { ... password = %{[4]ldap:userpassword} } }
the logins are still OK but the error in the logfile remains the same.
Op 3-2-2026 om 14:45 schreef Ruud Baart via dovecot:
You mean verify with doveconf? Same result
doveconf |grep -i userpassword password = %{[5]ldap:userPassword}
Op 3-2-2026 om 14:08 schreef Aki Tuomi via dovecot:
I ment in your 2.4.1 config
Aki
On 03/02/2026 14:44 EET Ruud Baart via dovecot [6]<dovecot@dovecot.org> wrote:
Don't think so
/etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{[7]ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot [8]<dovecot@dovecot.org> wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users.
I don't have problems. Authentication works fine. However logging show every time the following line:
auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword'
The LDAP authentication works correct. So I don't understand this message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) ldap_bind = yes fields { user = %{[9]ldap:mailDeliveryaddress} password = %{[10]ldap:userPassword} } }
userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) fields { home = %{[11]ldap:mailBase} mail = %{[12]ldap:mailMessageStore} mail_path = %{[13]ldap:mailMessageStore} quota_storage_size = %{[14]ldap:dovecotQuota} } }
_______________________________________________ dovecot mailing list -- [15]dovecot@dovecot.org To unsubscribe send an email to [16]dovecot-leave@dovecot.org
_______________________________________________ dovecot mailing list -- [17]dovecot@dovecot.org To unsubscribe send an email to [18]dovecot-leave@dovecot.org
* Don't think so
/etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{[1][19]ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot [2][20]<dovecot@dovecot.org> wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users.
I don't have problems. Authentication works fine. However logging show every time the following line:
auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword'
The LDAP authentication works correct. So I don't understand this message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) ldap_bind = yes fields { user = %{[3][21]ldap:mailDeliveryaddress} password = %{[4][22]ldap:userPassword} } }
userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) fields { home = %{[5][23]ldap:mailBase} mail = %{[6][24]ldap:mailMessageStore} mail_path = %{[7][25]ldap:mailMessageStore} quota_storage_size = %{[8][26]ldap:dovecotQuota} } }
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
On 04/02/2026 22:29 EET Ruud Baart via dovecot <dovecot@dovecot.org> wrote:
I'm tired. I have been working many hours now. So it may be that I don't quite understand you correctly. The conclusion I draw from these responsen is that there is something strange going on that I can't do anything about. Dovecot seems to be working fine on my server, so I'm not immediately concerned.
I checked the exact spelling of the attributes I use. It is as follows. In the ldif dump: mailBase, mailMessageStore, dovecotQuota, mailDeliveryAddress and userPassword. And indeed, only userPassword gives an error.
You are using ldap_bind, which usually means that the driver attempts to bind with the user's credentials. I wonder if you intended to use this as you are also looking up user's password too.
Aki
I think you're pointing me in the right direction. I copied the LDAP configuration from version 2.3 to 2.4 and modified it, but perhaps I modified the bind section not correctly. If so, it probably works because an anonymous bind provides the requested data. In that case I need to rethink my access rules in the LDAP.
What if have:
ldap_uris = ldap://localhost ldap_auth_dn = cn=xxxx,ou=xxxx,dc=abc,dc=xy ldap_auth_dn_password = secret ldap_base = ou=xxx,dc=xxx,dc=xx
passdb ldap {...}
userdb ldap {....}
And looking at the documentation now, perhaps it should be:
dict_server { dict ldap { ldap_uris = ldap://localhost ldap_auth_dn = cn=xxxx,ou=xxxx,dc=abc,dc=xy ldap_auth_dn_password = secret ldap_base = ou=xxx,dc=xxx,dc=xx ldap_deref = never ldap_scope = subtree ldap_starttls = no ssl_client_require_valid_cert = no } }
passdb ldap {...}
userdb ldap {....}
Op 5-2-2026 om 06:23 schreef Aki Tuomi via dovecot:
On 04/02/2026 22:29 EET Ruud Baart via dovecot <dovecot@dovecot.org> wrote:
I'm tired. I have been working many hours now. So it may be that I don't quite understand you correctly. The conclusion I draw from these responsen is that there is something strange going on that I can't do anything about. Dovecot seems to be working fine on my server, so I'm not immediately concerned.
I checked the exact spelling of the attributes I use. It is as follows. In the ldif dump: mailBase, mailMessageStore, dovecotQuota, mailDeliveryAddress and userPassword. And indeed, only userPassword gives an error.
You are using ldap_bind, which usually means that the driver attempts to bind with the user's credentials. I wonder if you intended to use this as you are also looking up user's password too.
Aki
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
On 05/02/2026 11:56 EET Ruud Baart via dovecot <dovecot@dovecot.org> wrote:
I think you're pointing me in the right direction. I copied the LDAP configuration from version 2.3 to 2.4 and modified it, but perhaps I modified the bind section not correctly. If so, it probably works because an anonymous bind provides the requested data. In that case I need to rethink my access rules in the LDAP.
What if have:
ldap_uris = ldap://localhost ldap_auth_dn = cn=xxxx,ou=xxxx,dc=abc,dc=xy ldap_auth_dn_password = secret ldap_base = ou=xxx,dc=xxx,dc=xx
passdb ldap {...}
userdb ldap {....}
And looking at the documentation now, perhaps it should be:
dict_server { dict ldap {
<not related to authentication at all>
} }
passdb ldap {...}
userdb ldap {....}
Can you actually head out to https://dovecot.org/upgrader/ , choose dovecot-auth-ldap.conf.ext and feed your 2.3 config file there? It should give you the corresponding 2.4 configuration.
Aki
Wrong idea I think. The simplest thing to try is to mask the bind password in the LDAP configuration by turning it into a comment. Restarting Dovecot immediately shows in the log files that the password is missing.
auth-worker(154994): Error: ldap(ldap://localhost:389): binding
failed (dn cn=xxx,ou=xxx,dc=xxx,dc=xx): Server is unwilling to
perform, unauthenticated bind (DN with no password) disallowedOp 5-2-2026 om 11:31 schreef Aki Tuomi via dovecot:
On 05/02/2026 11:56 EET Ruud Baart via dovecot<dovecot@dovecot.org> wrote:
I think you're pointing me in the right direction. I copied the LDAP configuration from version 2.3 to 2.4 and modified it, but perhaps I modified the bind section not correctly. If so, it probably works because an anonymous bind provides the requested data. In that case I need to rethink my access rules in the LDAP.
What if have:
ldap_uris =ldap://localhost ldap_auth_dn = cn=xxxx,ou=xxxx,dc=abc,dc=xy ldap_auth_dn_password = secret ldap_base = ou=xxx,dc=xxx,dc=xx
passdb ldap {...}
userdb ldap {....}
And looking at the documentation now, perhaps it should be:
dict_server { dict ldap { <not related to authentication at all>
} }
passdb ldap {...}
userdb ldap {....}
Wrong idea I think. The simplest thing to try is to mask the bind password in the LDAP configuration by turning it into a comment. Restarting Dovecot immediately shows in the log files that the password is missing.
auth-worker(154994): Error: ldap([1]ldap://localhost:389): binding
failed (dn cn=xxx,ou=xxx,dc=xxx,dc=xx): Server is unwilling to perform,
unauthenticated bind (DN with no password) disallowedOp 5-2-2026 om 11:31 schreef Aki Tuomi via dovecot:
On 05/02/2026 11:56 EET Ruud Baart via dovecot [2]<dovecot@dovecot.org> wrote:
I think you're pointing me in the right direction. I copied the LDAP configuration from version 2.3 to 2.4 and modified it, but perhaps I modified the bind section not correctly. If so, it probably works because an anonymous bind provides the requested data. In that case I need to rethink my access rules in the LDAP.
What if have:
ldap_uris = [3]ldap://localhost ldap_auth_dn = cn=xxxx,ou=xxxx,dc=abc,dc=xy ldap_auth_dn_password = secret ldap_base = ou=xxx,dc=xxx,dc=xx
passdb ldap {...}
userdb ldap {....}
And looking at the documentation now, perhaps it should be:
dict_server { dict ldap {
<not related to authentication at all>
}}
passdb ldap {...}
userdb ldap {....}
References
Visible links
- file:///tmp/tmpc2ke23vq/ldap:/localhost:389
- mailto:dovecot@dovecot.org
- file:///tmp/tmpc2ke23vq/ldap:/localhost
On 05/02/2026 14:57, Ruud Baart via dovecot wrote:
Wrong idea I think. The simplest thing to try is to mask the bind password in the LDAP configuration by turning it into a comment. Restarting Dovecot immediately shows in the log files that the password is missing. auth-worker(154994): Error: ldap([1]ldap://localhost:389): binding failed (dn cn=xxx,ou=xxx,dc=xxx,dc=xx): Server is unwilling to perform, unauthenticated bind (DN with no password) disallowed Op 5-2-2026 om 11:31 schreef Aki Tuomi via dovecot:
HI
if you put the bind password back in the configuration and take out the ldap_bind = yes or set it to no in the passdb ldap config, does that go back to working again? If so is the error message about userpassword still produced?
John
Yes, that is the bugger.
using "ldap_bind = yes" within this context gives that error.
Thanks for all the help. It seems so harmless ...
passdb ldap { passdb_use_worker = yes passdb_ldap_filter = ... fields { ... } }
Op 5-2-2026 om 20:46 schreef John Fawcett via dovecot:
On 05/02/2026 14:57, Ruud Baart via dovecot wrote:
Wrong idea I think. The simplest thing to try is to mask the bind password in the LDAP configuration by turning it into a comment. Restarting Dovecot immediately shows in the log files that the password is missing.
auth-worker(154994): Error: ldap([1]ldap://localhost:389): binding failed (dn cn=xxx,ou=xxx,dc=xxx,dc=xx): Server is unwilling to perform, unauthenticated bind (DN with no password) disallowed
Op 5-2-2026 om 11:31 schreef Aki Tuomi via dovecot:
HI
if you put the bind password back in the configuration and take out the ldap_bind = yes or set it to no in the passdb ldap config, does that go back to working again? If so is the error message about userpassword still produced?
John
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
--
Cordialement,
R.J. Baart Portable: +33 7 88398245
Yes, that is the bugger.
using "ldap_bind = yes" within this context gives that error.
Thanks for all the help. It seems so harmless ...
passdb ldap { passdb_use_worker = yes passdb_ldap_filter = ... fields { ... } }
Op 5-2-2026 om 20:46 schreef John Fawcett via dovecot:
On 05/02/2026 14:57, Ruud Baart via dovecot wrote:
Wrong idea I think. The simplest thing to try is to mask the bind
password
in the LDAP configuration by turning it into a comment. Restarting
Dovecot
immediately shows in the log files that the password is missing.
auth-worker(154994): Error: ldap([1][1]ldap://localhost:389):
binding
failed (dn cn=xxx,ou=xxx,dc=xxx,dc=xx): Server is unwilling to
perform,
unauthenticated bind (DN with no password) disallowed
Op 5-2-2026 om 11:31 schreef Aki Tuomi via dovecot:
HI
if you put the bind password back in the configuration and take out
the ldap_bind = yes or set it to no in the passdb ldap config, does that
go back to working again? If so is the error message about userpassword
still produced?
John
_______________________________________________
dovecot mailing list -- [2]dovecot@dovecot.org
To unsubscribe send an email to [3]dovecot-leave@dovecot.org--
Cordialement,
R.J. Baart Portable: +33 7 88398245
References
Visible links
- file:///tmp/tmplov8zxxy/ldap:/localhost:389
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
On 05/02/2026 23:07, Ruud Baart via dovecot wrote:
Yes, that is the bugger. using "ldap_bind = yes" within this context gives that error. Thanks for all the help. It seems so harmless ... passdb ldap { passdb_use_worker = yes passdb_ldap_filter = ... fields { ... } }
To give credit where it's due, Aki noticed that one first.
Still I think the error message was misleading. It would have been better to state clearly "warning you have configured ldap_bind and a password attribute" though that may be complicated. At the very least the parameter in the error message should be the one that was in the configuration, not the lower cased version, leading to some puzzling and searching for inexistent values in the config.
John
Wrong idea I think. The simplest thing to try is to mask the bind password in the LDAP configuration by turning it into a comment. Restarting Dovecot immediately shows in the log files that the password is missing.
auth-worker(154994): Error: ldap(ldap://localhost:389): binding
failed (dn cn=xxx,ou=xxx,dc=xxx,dc=xx): Server is unwilling to
perform, unauthenticated bind (DN with no password) disallowedOp 5-2-2026 om 11:31 schreef Aki Tuomi via dovecot:
On 05/02/2026 11:56 EET Ruud Baart via dovecot<dovecot@dovecot.org> wrote:
I think you're pointing me in the right direction. I copied the LDAP configuration from version 2.3 to 2.4 and modified it, but perhaps I modified the bind section not correctly. If so, it probably works because an anonymous bind provides the requested data. In that case I need to rethink my access rules in the LDAP.
What if have:
ldap_uris =ldap://localhost ldap_auth_dn = cn=xxxx,ou=xxxx,dc=abc,dc=xy ldap_auth_dn_password = secret ldap_base = ou=xxx,dc=xxx,dc=xx
passdb ldap {...}
userdb ldap {....}
And looking at the documentation now, perhaps it should be:
dict_server { dict ldap { <not related to authentication at all>
} }
passdb ldap {...}
userdb ldap {....}
--
Cordialement,
*R.J. Baart Portable: +33 7 88398245*
Wrong idea I think. The simplest thing to try is to mask the bind password in the LDAP configuration by turning it into a comment. Restarting Dovecot immediately shows in the log files that the password is missing.
auth-worker(154994): Error: ldap([1]ldap://localhost:389): binding
failed (dn cn=xxx,ou=xxx,dc=xxx,dc=xx): Server is unwilling to perform,
unauthenticated bind (DN with no password) disallowedOp 5-2-2026 om 11:31 schreef Aki Tuomi via dovecot:
On 05/02/2026 11:56 EET Ruud Baart via dovecot [2]<dovecot@dovecot.org> wrote:
I think you're pointing me in the right direction. I copied the LDAP configuration from version 2.3 to 2.4 and modified it, but perhaps I modified the bind section not correctly. If so, it probably works because an anonymous bind provides the requested data. In that case I need to rethink my access rules in the LDAP.
What if have:
ldap_uris = [3]ldap://localhost ldap_auth_dn = cn=xxxx,ou=xxxx,dc=abc,dc=xy ldap_auth_dn_password = secret ldap_base = ou=xxx,dc=xxx,dc=xx
passdb ldap {...}
userdb ldap {....}
And looking at the documentation now, perhaps it should be:
dict_server { dict ldap {
<not related to authentication at all>
}}
passdb ldap {...}
userdb ldap {....}
--
Cordialement,
R.J. Baart Portable: +33 7 88398245
References
Visible links
- file:///tmp/tmpxzbozumb/ldap:/localhost:389
- mailto:dovecot@dovecot.org
- file:///tmp/tmpxzbozumb/ldap:/localhost
I think you're pointing me in the right direction. I copied the LDAP configuration from version 2.3 to 2.4 and modified it, but perhaps I modified the bind section not correctly. If so, it probably works because an anonymous bind provides the requested data. In that case I need to rethink my access rules in the LDAP.
What if have:
ldap_uris = ldap://localhost ldap_auth_dn = cn=xxxx,ou=xxxx,dc=abc,dc=xy ldap_auth_dn_password = secret ldap_base = ou=xxx,dc=xxx,dc=xx
passdb ldap {...}
userdb ldap {....}
And looking at the documentation now, perhaps it should be:
dict_server { dict ldap { ldap_uris = ldap://localhost ldap_auth_dn = cn=xxxx,ou=xxxx,dc=abc,dc=xy ldap_auth_dn_password = secret ldap_base = ou=xxx,dc=xxx,dc=xx ldap_deref = never ldap_scope = subtree ldap_starttls = no ssl_client_require_valid_cert = no } }
passdb ldap {...}
userdb ldap {....}
Op 5-2-2026 om 06:23 schreef Aki Tuomi via dovecot:
On 04/02/2026 22:29 EET Ruud Baart via dovecot <dovecot@dovecot.org> wrote:
I'm tired. I have been working many hours now. So it may be that I don't quite understand you correctly. The conclusion I draw from these responsen is that there is something strange going on that I can't do anything about. Dovecot seems to be working fine on my server, so I'm not immediately concerned.
I checked the exact spelling of the attributes I use. It is as follows. In the ldif dump: mailBase, mailMessageStore, dovecotQuota, mailDeliveryAddress and userPassword. And indeed, only userPassword gives an error.
You are using ldap_bind, which usually means that the driver attempts to bind with the user's credentials. I wonder if you intended to use this as you are also looking up user's password too.
Aki
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Cordialement,
*R.J. Baart Portable: +33 7 88398245*
I think you're pointing me in the right direction. I copied the LDAP configuration from version 2.3 to 2.4 and modified it, but perhaps I modified the bind section not correctly. If so, it probably works because an anonymous bind provides the requested data. In that case I need to rethink my access rules in the LDAP.
What if have:
ldap_uris = [1]ldap://localhost ldap_auth_dn = cn=xxxx,ou=xxxx,dc=abc,dc=xy ldap_auth_dn_password = secret ldap_base = ou=xxx,dc=xxx,dc=xx
passdb ldap {...}
userdb ldap {....}
And looking at the documentation now, perhaps it should be:
dict_server { dict ldap { ldap_uris = [2]ldap://localhost ldap_auth_dn = cn=xxxx,ou=xxxx,dc=abc,dc=xy ldap_auth_dn_password = secret ldap_base = ou=xxx,dc=xxx,dc=xx ldap_deref = never ldap_scope = subtree ldap_starttls = no ssl_client_require_valid_cert = no } }
passdb ldap {...}
userdb ldap {....}
Op 5-2-2026 om 06:23 schreef Aki Tuomi via dovecot:
On 04/02/2026 22:29 EET Ruud Baart via dovecot
[3]<dovecot@dovecot.org> wrote:
I'm tired. I have been working many hours now. So it may be that I
don't
quite understand you correctly. The conclusion I draw from these
responsen is that there is something strange going on that I can't do
anything about. Dovecot seems to be working fine on my server, so I'm
not immediately concerned.
I checked the exact spelling of the attributes I use. It is as
follows. In the ldif dump: mailBase, mailMessageStore, dovecotQuota,
mailDeliveryAddress and userPassword. And indeed, only userPassword
gives an error.
You are using ldap_bind, which usually means that the driver attempts to
bind with the user's credentials. I wonder if you intended to use this
as you are also looking up user's password too.
Aki
_______________________________________________
dovecot mailing list -- [4]dovecot@dovecot.org
To unsubscribe send an email to [5]dovecot-leave@dovecot.org--
Cordialement,
R.J. Baart Portable: +33 7 88398245
References
Visible links
- file:///tmp/tmpvxy31psp/ldap:/localhost
- file:///tmp/tmpvxy31psp/ldap:/localhost
- mailto:dovecot@dovecot.org
- mailto:dovecot@dovecot.org
- mailto:dovecot-leave@dovecot.org
Hello,
I am thinking the same as Aki. It is working, because ldap bind authenticates you. You get the error probably because of anonymous search in the ldap database for which userPassword attribute is not visible. How about just commenting out the line with userPassword?
Marek
Odoslané pomocou bezpečného emailu Proton Mail.
štvrtok 5. februára 2026, 6:29, Aki Tuomi via dovecot <dovecot@dovecot.org> napísal/a:
On 04/02/2026 22:29 EET Ruud Baart via dovecot dovecot@dovecot.org wrote:
I'm tired. I have been working many hours now. So it may be that I don't quite understand you correctly. The conclusion I draw from these responsen is that there is something strange going on that I can't do anything about. Dovecot seems to be working fine on my server, so I'm not immediately concerned.
I checked the exact spelling of the attributes I use. It is as follows. In the ldif dump: mailBase, mailMessageStore, dovecotQuota, mailDeliveryAddress and userPassword. And indeed, only userPassword gives an error.
You are using ldap_bind, which usually means that the driver attempts to bind with the user's credentials. I wonder if you intended to use this as you are also looking up user's password too.
Aki
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Marek Greško wrote:
Hello, I am thinking the same as Aki. It is working, because ldap bind authenticates you. You get the error probably because of anonymous search in the ldap database for which userPassword attribute is not visible. How about just commenting out the line with userPassword? Marek
Hi there,
Let me jump in, as I have exactly the same problem. Here's my conf:
---------------- auth-ldap.conf.ext ---------------- ldap_uris = ldap://localhost ldap_base = ou=people,dc=example,dc=com ldap_auth_dn = cn=postfix,dc=example,dc=com ldap_auth_dn_password = xxx
passdb ldap { filter = (&(objectClass=organizationalPerson)(uid=%{user | username})(mail=%{user})) bind = yes fields { user = %{ldap:uid} password = %{ldap:userPassword} } }
userdb prefetch { driver = prefetch }
userdb ldap { filter = (&(objectClass=organizationalPerson)(uid=%{user | username})(mail=%{user})) fields { home = /srv/vmail/%{user | domain}/%{user | username} } }
That *works* (Thunderbird login) though with the same OP's error
auth(...) Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword'
What I have tried (running with "auth_verbose = yes"):
- remove "passdb_ldap_bind".
Result: broken login with error
Login auth request failed: Authenticated user not found from userdb
- remove "passdb_ldap_fields_password".
Result: broken login with error
auth(...) ldap: unknown user imap(...) Login auth request failed: Authenticated user not found from userdb, auth lookup id=...
Any idea?
Marco
I'm tired. I have been working many hours now. So it may be that I don't quite understand you correctly. The conclusion I draw from these responsen is that there is something strange going on that I can't do anything about. Dovecot seems to be working fine on my server, so I'm not immediately concerned.
I checked the exact spelling of the attributes I use. It is as follows. In the ldif dump: mailBase, mailMessageStore, dovecotQuota, mailDeliveryAddress and userPassword. And indeed, only userPassword gives an error.
Op 4-2-2026 om 19:54 schreef John Fawcett via dovecot:
Hi Ruud
I think that message "No such attribute 'userpassword' " is being produced because the attribute name userPassword in your configuration is being lower cased by Dovecot and the lower case name is being used by Dovecot both in the check for existence of the attribute and in the error messager. (see t_str_lcase call in code below).
That can also explain why the error still happens even when you change your configuration to use the attribute name userpassword, because that is in any case the value that Dovecot uses internally when checking for the existence of the attribute. If so, you can rule out the line of enquiry of searching for extraneous userpassword attributes in your configuration.
It's still a mystery to me why the existence check went wrong for %{[1]ldap:userPassword} but not for other attributes in your configuration like %{[2]ldap:mailDeliveryaddress}, assuming of course that the latter isn't really called maildeliveryaddress in your schema, which seems unlikely. Maybe Aki has some more insight.
source code file: auth/db-ldap.c
static int db_ldap_field_multi_expand(const char *data, const char **value_r, void *context, const char **error_r) { struct db_ldap_field_expand_context *ctx = context; struct auth_fields *fields = ctx->fields; const char *field_name = t_str_lcase(data);
const char *value = auth_fields_find(fields, db_ldap_attribute_as_multi(field_name)); if (value == NULL || *value == '\0') value = auth_fields_find(fields, field_name);
if (value == NULL || *value == '\0') { *error_r = t_strdup_printf("No such attribute '%s'", field_name); return -1; } *value_r = value; return 0; }
John
On 04/02/2026 15:29, Ruud Baart via dovecot wrote:
Still nobody knows the answer?
In fact it is strange because LDAP attributes are case insensitive. Further If I change in the LDAP config
passdb ldap { ... fields { ... password = %{[3]ldap:userPassword} } }
in
passdb ldap { ... fields { ... password = %{[4]ldap:userpassword} } }
the logins are still OK but the error in the logfile remains the same.
Op 3-2-2026 om 14:45 schreef Ruud Baart via dovecot:
You mean verify with doveconf? Same result
doveconf |grep -i userpassword password = %{[5]ldap:userPassword}
Op 3-2-2026 om 14:08 schreef Aki Tuomi via dovecot:
I ment in your 2.4.1 config
Aki
On 03/02/2026 14:44 EET Ruud Baart via dovecot [6]<dovecot@dovecot.org> wrote:
Don't think so
/etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{[7]ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot [8]<dovecot@dovecot.org> wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users.
I don't have problems. Authentication works fine. However logging show every time the following line:
auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword'
The LDAP authentication works correct. So I don't understand this message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) ldap_bind = yes fields { user = %{[9]ldap:mailDeliveryaddress} password = %{[10]ldap:userPassword} } }
userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) fields { home = %{[11]ldap:mailBase} mail = %{[12]ldap:mailMessageStore} mail_path = %{[13]ldap:mailMessageStore} quota_storage_size = %{[14]ldap:dovecotQuota} } }
dovecot mailing list -- [15]dovecot@dovecot.org To unsubscribe send an email to [16]dovecot-leave@dovecot.org
dovecot mailing list -- [17]dovecot@dovecot.org To unsubscribe send an email to [18]dovecot-leave@dovecot.org
- Don't think so
/etc/dovecot/conf.d# grep -H userpassword * /etc/dovecot/conf.d# grep -H userPassword * auth-ldap.conf.ext: password = %{[1][19]ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot [2][20]<dovecot@dovecot.org> wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use LDAP as backend for the users.
I don't have problems. Authentication works fine. However logging show every time the following line:
auth-worker(<user name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>: request [7]: Error: ldap: auth_passdb_post settings: Failed to parse configuration: Failed to expand passdb_fields/password setting variables: ldap: No such attribute 'userpassword'
The LDAP authentication works correct. So I don't understand this message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap { passdb_use_worker = yes passdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) ldap_bind = yes fields { user = %{[3][21]ldap:mailDeliveryaddress} password = %{[4][22]ldap:userPassword} } }
userdb ldap { userdb_use_worker = yes userdb_ldap_filter = (&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user})) fields { home = %{[5][23]ldap:mailBase} mail = %{[6][24]ldap:mailMessageStore} mail_path = %{[7][25]ldap:mailMessageStore} quota_storage_size = %{[8][26]ldap:dovecotQuota} } }
--
Cordialement,
*R.J. Baart Portable: +33 7 88398245*
I'm tired. I have been working many hours now. So it may be that I don't quite understand you correctly. The conclusion I draw from these responsen is that there is something strange going on that I can't do anything about. Dovecot seems to be working fine on my server, so I'm not immediately concerned.
I checked the exact spelling of the attributes I use. It is as follows. In the ldif dump: mailBase, mailMessageStore, dovecotQuota, mailDeliveryAddress and userPassword. And indeed, only userPassword gives an error.
Op 4-2-2026 om 19:54 schreef John Fawcett via dovecot:
Hi Ruud
I think that message "No such attribute 'userpassword' " is being
produced
because the attribute name userPassword in your configuration is being
lower cased by Dovecot and the lower case name is being used by Dovecot
both in the check for existence of the attribute and in the error
messager. (see t_str_lcase call in code below).
That can also explain why the error still happens even when you change
your configuration to use the attribute name userpassword, because that
is
in any case the value that Dovecot uses internally when checking for the
existence of the attribute. If so, you can rule out the line of enquiry
of
searching for extraneous userpassword attributes in your configuration.
It's still a mystery to me why the existence check went wrong
for %{[1][1]ldap:userPassword} but not for other attributes in your
configuration like %{[2][2]ldap:mailDeliveryaddress}, assuming of course
that
the latter isn't really called maildeliveryaddress in your schema, which
seems unlikely. Maybe Aki has some more insight.
source code file: auth/db-ldap.c
static int
db_ldap_field_multi_expand(const char *data, const char **value_r,
void *context, const char **error_r)
{
struct db_ldap_field_expand_context *ctx = context;
struct auth_fields *fields = ctx->fields;
const char *field_name = t_str_lcase(data);
const char *value = auth_fields_find(fields,
db_ldap_attribute_as_multi(field_name));
if (value == NULL || *value == '\0')
value = auth_fields_find(fields, field_name);
if (value == NULL || *value == '\0') {
*error_r = t_strdup_printf("No such attribute '%s'", field_name);
return -1;
}
*value_r = value;
return 0;
}
John
On 04/02/2026 15:29, Ruud Baart via dovecot wrote:
Still nobody knows the answer?
In fact it is strange because LDAP attributes are case insensitive.
Further If I change in the LDAP config
passdb ldap { ... fields { ... password = %{[3][3]ldap:userPassword} }
}
in
passdb ldap { ... fields { ... password = %{[4][4]ldap:userpassword}
} }
the logins are still OK but the error in the logfile remains the same.
Op 3-2-2026 om 14:45 schreef Ruud Baart via dovecot:
You mean verify with doveconf? Same result
doveconf |grep -i userpassword
password = %{[5][5]ldap:userPassword}
Op 3-2-2026 om 14:08 schreef Aki Tuomi via dovecot:
I ment in your 2.4.1 config
Aki
On 03/02/2026 14:44 EET Ruud Baart via dovecot
[6][6]<dovecot@dovecot.org> wrote:
Don't think so
/etc/dovecot/conf.d# grep -H userpassword *
/etc/dovecot/conf.d# grep -H userPassword *
auth-ldap.conf.ext: password = %{[7][7]ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot
[8][8]<dovecot@dovecot.org>
wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use
LDAP as
backend for the users.
I don't have problems. Authentication works fine. However
logging show
every time the following line:
auth-worker(<user
name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>:
request [7]:
Error: ldap: auth_passdb_post settings: Failed to parse
configuration:
Failed to expand passdb_fields/password setting variables:
ldap: No such
attribute 'userpassword'
The LDAP authentication works correct. So I don't understand
this
message.
My correct working LDAP configuration in auth-ldap.conf.ext:
passdb ldap {
passdb_use_worker = yes
passdb_ldap_filter =
(&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user}))
ldap_bind = yes
fields {
user = %{[9][9]ldap:mailDeliveryaddress}
password = %{[10][10]ldap:userPassword}
}
}
userdb ldap {
userdb_use_worker = yes
userdb_ldap_filter =
(&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user}))
fields {
home = %{[11][11]ldap:mailBase}
mail = %{[12][12]ldap:mailMessageStore}
mail_path = %{[13][13]ldap:mailMessageStore}
quota_storage_size = %{[14][14]ldap:dovecotQuota}
}
}
_______________________________________________
dovecot mailing list -- [[15]15]dovecot@dovecot.org
To unsubscribe send an email to [[16]16]dovecot-leave@dovecot.org
_______________________________________________
dovecot mailing list -- [[17]17]dovecot@dovecot.org
To unsubscribe send an email to [[18]18]dovecot-leave@dovecot.org
* Don't think so
/etc/dovecot/conf.d# grep -H userpassword *
/etc/dovecot/conf.d# grep -H userPassword *
auth-ldap.conf.ext: password =
%{[1][19][19]ldap:userPassword}
Op 3-2-2026 om 13:35 schreef Aki Tuomi via dovecot:
Could it be that you have
'userpassword' instead of 'userPassword' in your config?
Aki
On 03/02/2026 13:21 EET Ruud Baart via dovecot
[2][20][20]<dovecot@dovecot.org> wrote:
Dovecot 2.4.1 works fine on my Debian Trixie server. I use
LDAP as
backend for the users.
I don't have problems. Authentication works fine. However
logging show
every time the following line:
auth-worker(<user
name@domain,::1)<109040><3v5ddOlJvrgAAAAAAAAAAAAAAAAAAAAB>:
request
[7]:
Error: ldap: auth_passdb_post settings: Failed to parse
configuration:
Failed to expand passdb_fields/password setting variables:
ldap: No
such
attribute 'userpassword'
The LDAP authentication works correct. So I don't
understand this
message.
My correct working LDAP configuration in
auth-ldap.conf.ext:
passdb ldap {
passdb_use_worker = yes
passdb_ldap_filter =
(&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user}))
ldap_bind = yes
fields {
user = %{[3][21][21]ldap:mailDeliveryaddress}
password = %{[4][22][22]ldap:userPassword}
}
}
userdb ldap {
userdb_use_worker = yes
userdb_ldap_filter =
(&(objectClass=PromptMailUser)(accountStatus=TRUE)(mailDeliveryaddress=%{user}))
fields {
home = %{[5][23][23]ldap:mailBase}
mail = %{[6][24][24]ldap:mailMessageStore}
mail_path = %{[7][25][25]ldap:mailMessageStore}
quota_storage_size = %{[8][26][26]ldap:dovecotQuota}
}
}--
Cordialement,
R.J. Baart Portable: +33 7 88398245
References
Visible links
- file:///tmp/tmpg74ljhhk/ldap:userPassword
- file:///tmp/tmpg74ljhhk/ldap:mailDeliveryaddress
- file:///tmp/tmpg74ljhhk/ldap:userPassword
- file:///tmp/tmpg74ljhhk/ldap:userpassword
- file:///tmp/tmpg74ljhhk/ldap:userPassword
- mailto:dovecot@dovecot.org
- file:///tmp/tmpg74ljhhk/ldap:userPassword
- mailto:dovecot@dovecot.org
- file:///tmp/tmpg74ljhhk/ldap:mailDeliveryaddress
- file:///tmp/tmpg74ljhhk/ldap:userPassword
- file:///tmp/tmpg74ljhhk/ldap:mailBase
- file:///tmp/tmpg74ljhhk/ldap:mailMessageStore
- file:///tmp/tmpg74ljhhk/ldap:mailMessageStore
- file:///tmp/tmpg74ljhhk/ldap:dovecotQuota
- mailto:15]dovecot@dovecot.org
- mailto:16]dovecot-leave@dovecot.org
- mailto:17]dovecot@dovecot.org
- mailto:18]dovecot-leave@dovecot.org
- file:///tmp/tmpg74ljhhk/ldap:userPassword
- mailto:dovecot@dovecot.org
- file:///tmp/tmpg74ljhhk/ldap:mailDeliveryaddress
- file:///tmp/tmpg74ljhhk/ldap:userPassword
- file:///tmp/tmpg74ljhhk/ldap:mailBase
- file:///tmp/tmpg74ljhhk/ldap:mailMessageStore
- file:///tmp/tmpg74ljhhk/ldap:mailMessageStore
- file:///tmp/tmpg74ljhhk/ldap:dovecotQuota
participants (6)
-
Aki Tuomi
-
John Fawcett
-
libre.praxis@professional-eth0s.ch
-
Marek Greško
-
Ruud Baart
-
Ruud Baart