Does Dovecot LDAP auth support LDAP referral
We using Dovecot with LDAP. From the beginning, we using GC LDAP query with port 3268 for email accounts. For example, user1@our-organization.org (in the USA) with "base = dc=our-organization, dc=org" works fine.
But refer to this document: https://wiki2.dovecot.org/AuthDatabase/LDAP When we change the LDAP from 3268 to 389 and with TLS, the base should be changed like this: "base = ou=usa, dc=our-organization, dc=org"
But if the user (user2) located in United Kingdom (ou=gbr), the user can not login.
When we debug with ldapsearch: ldapsearch -ZZ -v -h dc.our-organization.org -p 389 -D 'cn=auth_user,ou=usa,dc=our-organization,dc=org' -W -b 'dc=our-organization, dc=org' '(userPrincipalName=user2@our-organization.org)' It can return user2 information with some "numReferences".
But in Dovecot, if "base = dc=our-organization, dc=org" it only reported auth error with timeout.
Here are the config: # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.16 (fed8554) # OS: Linux 3.16.0-4-amd64 x86_64 Debian 9.3 auth_verbose = yes dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u -l%{lock_timeout} -n%{namespace} imap_id_send = imapc_user = %u import_environment = TZ listen = * login_log_format_elements = user=u> method=%m rip=%r lip=%l mpid=%e %c mail_shared_explicit_inbox = yes managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = /etc/dovecot/dovecot-ldap-userdb.conf.ext driver = ldap } plugin { sieve = ~/.dovecot.sieve sieve_dir = ~/sieve } protocols = " imap sieve" service managesieve-login { inet_listener sieve { port = 4190 } service_count = 0 } ssl_ca = /etc/ssl/certs/ca.pem ssl_cert = </etc/ssl/gameloft/our-organization.org.crt ssl_key = # hidden, use -P to show it ssl_parameters_regenerate = 1 weeks userdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap }
So my question is: does Dovecot LDAP auth support LDAP referral? If Dovecot relies on OpenLDAP, it should be support. If not, why and what is the walkthrough?
Xuan Jia
On 2 Feb 2018, at 10.38, Xuan Jia <xuan.jia@gameloft.com> wrote:
We using Dovecot with LDAP. From the beginning, we using GC LDAP query with port 3268 for email accounts. For example, user1@our-organization.org (in the USA) with "base = dc=our-organization, dc=org" works fine.
But refer to this document: https://wiki2.dovecot.org/AuthDatabase/LDAP When we change the LDAP from 3268 to 389 and with TLS, the base should be changed like this: "base = ou=usa, dc=our-organization, dc=org"
But if the user (user2) located in United Kingdom (ou=gbr), the user can not login.
When we debug with ldapsearch: ldapsearch -ZZ -v -h dc.our-organization.org -p 389 -D 'cn=auth_user,ou=usa,dc=our-organization,dc=org' -W -b 'dc=our-organization, dc=org' '(userPrincipalName=user2@our-organization.org)' It can return user2 information with some "numReferences".
But in Dovecot, if "base = dc=our-organization, dc=org" it only reported auth error with timeout.
So my question is: does Dovecot LDAP auth support LDAP referral? If Dovecot relies on OpenLDAP, it should be support. If not, why and what is the walkthrough?
TBH, I don't think that it's supported. Looking at the source code at least it does not look it is.
What you could do is to have separate passdb for both ldap bases. one that would query base = ou=usa, dc=our-organization, dc=org and one that would query base = ou=gbr, dc=our-organization, dc=org
and then use skip=authenticated on the second passdb if user already found in first passdb.
Sami
Hello Sami,
Thanks.
*From:* Sami Ketola *Sent:* Friday, Feb 2, 2018 9:17 GMT *To:* Xuan Jia *Cc:* dovecot@dovecot.org *Subject:* Does Dovecot LDAP auth support LDAP referral
On 2 Feb 2018, at 10.38, Xuan Jia <xuan.jia@gameloft.com> wrote:
We using Dovecot with LDAP. From the beginning, we using GC LDAP query with port 3268 for email accounts. For example, user1@our-organization.org (in the USA) with "base = dc=our-organization, dc=org" works fine.
But refer to this document: https://wiki2.dovecot.org/AuthDatabase/LDAP When we change the LDAP from 3268 to 389 and with TLS, the base should be changed like this: "base = ou=usa, dc=our-organization, dc=org"
But if the user (user2) located in United Kingdom (ou=gbr), the user can not login.
When we debug with ldapsearch: ldapsearch -ZZ -v -h dc.our-organization.org -p 389 -D 'cn=auth_user,ou=usa,dc=our-organization,dc=org' -W -b 'dc=our-organization, dc=org' '(userPrincipalName=user2@our-organization.org)' It can return user2 information with some "numReferences".
But in Dovecot, if "base = dc=our-organization, dc=org" it only reported auth error with timeout.
So my question is: does Dovecot LDAP auth support LDAP referral? If Dovecot relies on OpenLDAP, it should be support. If not, why and what is the walkthrough? TBH, I don't think that it's supported. Looking at the source code at least it does not look it is.
What you could do is to have separate passdb for both ldap bases. one that would query base = ou=usa, dc=our-organization, dc=org and one that would query base = ou=gbr, dc=our-organization, dc=org
and then use skip=authenticated on the second passdb if user already found in first passdb.
Sami
participants (2)
-
Sami Ketola
-
Xuan Jia