I can't seem to find documentation that shows how to set up 2 LDAP passdb blocks. I can get each of them working properly, but only the second of the two works at any given time. I can't figure out the syntax needed to get both to work, even though I've been all over the Dovecot 2.4x official documentation. The docs seem to suggest settings that the server rejects.
Anyone have any experience doing this, or know the correct syntax? Thanks in advance!
passdb ldap {
  # works when standalone; fails when combined with 2nd block below
  #passdb_name = ldap1
  #driver = ldap
  ldap_version = 3
  bind = yes
  bind_userdn = %{user|username}
  ldap_auth_dn = cn=dovecot,ou=apps,dc=example,dc=com
  ldap_auth_dn_password = D0vec0t
  ldap_base = ou=apps,dc=foscore,dc=com
  ldap_uris = ldapi://%2Frun%2Fldapi
  filter = (&(objectClass=applicationProcess)(cn=%{user}))
  passdb_ldap_bind = yes
  passdb_ldap_bind_userdn = cn=%{user},ou=apps,dc=example,dc=com
  result_success = return-ok
}

passdb ldap {
  #driver = ldap
  #name = ldap_users
  ldap_version = 3
  bind = yes
  bind_userdn = %{user|username}
  ldap_auth_dn = cn=dovecot,ou=apps,dc=example,dc=com
  ldap_auth_dn_password = D0vec0t
  ldap_base = ou=people,dc=example,dc=com
  ldap_uris = ldapi://%2Frun%2Fldapi
  filter = (&(objectClass=posixAccount)(uid=%{user|username})(memberOf=cn=mail,ou=%{user|domain},ou=groups,dc=example,dc=com))
  passdb_ldap_bind = yes
  passdb_ldap_bind_userdn = uid=%{user|username},ou=people,dc=example,dc=com
  result_success = return-ok
}
On 02/06/2026 16:21 EEST Tom via dovecot <dovecot@dovecot.org> wrote:
> I can't seem to find documentation that shows how to set up 2 LDAP passdb blocks. I can get each of them working properly, but only the second of the two works at any given time. I can't figure out the syntax needed to get both to work, even though I've been all over the Dovecot 2.4x official documentation. The docs seem to suggest settings that the server rejects.
> Anyone have any experience doing this, or know the correct syntax? Thanks in advance!
you can share settings like this
ldap_auth_dn = cn=dovecot,ou=apps,dc=example,dc=com
ldap_auth_dn_password = D0vec0t
ldap_uris = ldapi://%2Frun%2Fldapi
ldap_version = 3
ldap_bind = yes

passdb ldap-1 {
  driver = ldap
  ldap_bind_userdn = cn=%{user},ou=apps,dc=example,dc=com
  ldap_filter = (&(objectClass=applicationProcess)(cn=%{user}))
}

passdb ldap-2 {
  driver = ldap
  ldap_bind_userdn = cn=%{user},ou=apps,dc=example,dc=com
  ldap_filter = (&(objectClass=posixAccount)(uid=%{user|username})(memberOf=cn=mail,ou=%{user|domain},ou=groups,dc=example,dc=com))
}
Aki
On 02/06/2026 16:33 EEST Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
> On 02/06/2026 16:21 EEST Tom via dovecot <dovecot@dovecot.org> wrote:
>> I can't seem to find documentation that shows how to set up 2 LDAP passdb blocks. I can get each of them working properly, but only the second of the two works at any given time. I can't figure out the syntax needed to get both to work, even though I've been all over the Dovecot 2.4x official documentation. The docs seem to suggest settings that the server rejects.
>> Anyone have any experience doing this, or know the correct syntax? Thanks in advance!
> you can share settings like this
> ldap_auth_dn = cn=dovecot,ou=apps,dc=example,dc=com
> ldap_auth_dn_password = D0vec0t
> ldap_uris = ldapi://%2Frun%2Fldapi
> ldap_version = 3
> ldap_bind = yes
>
> passdb ldap-1 {
>   driver = ldap
>   ldap_bind_userdn = cn=%{user},ou=apps,dc=example,dc=com
>   ldap_filter = (&(objectClass=applicationProcess)(cn=%{user}))
> }
>
> passdb ldap-2 {
>   driver = ldap
>   ldap_bind_userdn = cn=%{user},ou=apps,dc=example,dc=com
>   ldap_filter = (&(objectClass=posixAccount)(uid=%{user|username})(memberOf=cn=mail,ou=%{user|domain},ou=groups,dc=example,dc=com))
> }
> Aki
Sorry, small mistake
ldap_bind = yes => passdb_ldap_bind = yes
Aki
On 2026-06-02 09:36, Aki Tuomi via dovecot wrote:
>>> I can't seem to find documentation that shows how to set up 2 LDAP passdb blocks. I can get each of them working properly, but only the second of the two works at any given time. I can't figure out the syntax needed to get both to work, even though I've been all over the Dovecot 2.4x official documentation. The docs seem to suggest settings that the server rejects.
>>> Anyone have any experience doing this, or know the correct syntax? Thanks in advance!
>> you can share settings like this
>> ldap_auth_dn = cn=dovecot,ou=apps,dc=example,dc=com
>> ldap_auth_dn_password = D0vec0t
>> ldap_uris = ldapi://%2Frun%2Fldapi
>> ldap_version = 3
>> ldap_bind = yes
>>
>> passdb ldap-1 {
>>   driver = ldap
>>   ldap_bind_userdn = cn=%{user},ou=apps,dc=example,dc=com
>>   ldap_filter = (&(objectClass=applicationProcess)(cn=%{user}))
>> }
>>
>> passdb ldap-2 {
>>   driver = ldap
>>   ldap_bind_userdn = cn=%{user},ou=apps,dc=example,dc=com
>>   ldap_filter = (&(objectClass=posixAccount)(uid=%{user|username})(memberOf=cn=mail,ou=%{user|domain},ou=groups,dc=example,dc=com))
>> }
>> Aki
> Sorry, small mistake
> ldap_bind = yes => passdb_ldap_bind = yes
Thanks for your replies.
2026.06.02 13:52:40 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: sasl(plain): Set authid 'example@example.net'
2026.06.02 13:52:40 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: sasl(plain): Performing plain passdb verification
2026.06.02 13:52:40 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: ldap-1: Performing passdb lookup
2026.06.02 13:52:40 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: ldap-1: Finished passdb lookup
2026.06.02 13:52:40 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: ldap-2: Performing passdb lookup
2026.06.02 13:52:40 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: ldap-2: Finished passdb lookup
2026.06.02 13:52:43 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: sasl(plain): Finished plain passdb verification (status=internal-failure)
2026.06.02 13:52:43 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: sasl(plain): Interaction failed (internal failure)
2026.06.02 13:52:43 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: Auth request finished
2026.06.02 13:52:43 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: immediate auth failure due to internal failure
Not getting either one to work. This is with full debugging on. It looks like the internal error happens instantly, no attempt to contact the directory.
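Auth debug lines like the ones in this message can be grouped by session id to list which passdbs were consulted, the final verification status, and the elapsed time per request. This is an added example, not part of the original thread or of Dovecot; the function names and the assumed line shape are taken only from the log lines quoted here.

```python
import re
from datetime import datetime

# Sample input: the auth debug lines quoted in this thread, embedded for offline use.
SAMPLE = """\
2026.06.02 13:52:40 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: sasl(plain): Set authid 'example@example.net'
2026.06.02 13:52:40 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: sasl(plain): Performing plain passdb verification
2026.06.02 13:52:40 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: ldap-1: Performing passdb lookup
2026.06.02 13:52:40 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: ldap-1: Finished passdb lookup
2026.06.02 13:52:40 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: ldap-2: Performing passdb lookup
2026.06.02 13:52:40 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: ldap-2: Finished passdb lookup
2026.06.02 13:52:43 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: sasl(plain): Finished plain passdb verification (status=internal-failure)
2026.06.02 13:52:43 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: sasl(plain): Interaction failed (internal failure)
2026.06.02 13:52:43 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: Auth request finished
2026.06.02 13:52:43 auth(example@example.net,10.0.0.99,sasl:plain)<qgg2+khTlLgKAABj>: Debug: immediate auth failure due to internal failure
"""

# Assumed line shape: "<ts> auth(<user>,<ip>,<mech>)<<session>>: <level>: <msg>"
LINE = re.compile(
    r"^(?P<ts>\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) "
    r"auth\((?P<user>[^,]*),(?P<ip>[^,]*),[^)]*\)<(?P<sid>[^>]+)>: \w+: (?P<msg>.*)$")
LOOKUP = re.compile(r"^(?P<db>[\w.-]+): Performing passdb lookup$")
STATUS = re.compile(r"Finished \w+ passdb verification \(status=(?P<status>[\w-]+)\)")

def summarize(log_text):
    """Group auth debug lines by session id: passdbs tried, final status, duration."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an auth debug line in the assumed shape
        ts = datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S")
        s = sessions.setdefault(m["sid"], {"user": m["user"], "ip": m["ip"],
                                           "first": ts, "passdbs": [], "status": None})
        s["seconds"] = int((ts - s["first"]).total_seconds())  # first to latest line
        lookup, status = LOOKUP.match(m["msg"]), STATUS.search(m["msg"])
        if lookup:
            s["passdbs"].append(lookup["db"])
        elif status:
            s["status"] = status["status"]
    return sessions

def internal_failures(sessions):
    """Return only the sessions whose verification status is internal-failure."""
    return {sid: s for sid, s in sessions.items() if s["status"] == "internal-failure"}

if __name__ == "__main__":
    for sid, s in internal_failures(summarize(SAMPLE)).items():
        print(sid, s["user"], s["ip"], s["passdbs"], s["status"], f'{s["seconds"]}s')
```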
Can you send doveconf -n
Aki
participants (2)
- Aki Tuomi
- Tom