Re: [Dovecot] Fwd: LDAP subtree search on AD
Timo, I sent the message below before, but I didn't see that it was delivered to your personal email instead of to the list; I only noticed this now, sorry.
Because I'm in a hurry I gave up on using Dovecot + AD and started using MySQL as my userdb and passdb, and things have worked perfectly until now. I have some doubts, but I will open a new thread for those.
Anyway, if you get any news about this issue I would appreciate knowing; if not, that's OK.
Many thanks for your help.
Bruno.
On 6/18/07, Bruno Puga brpuga@gmail.com wrote:
Timo, I had set this in dovecot.conf:
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
###########################################################
### My Dovecot logs show this using auth_bind = yes and a userdn template ###
dovecot: 2007-06-17 12:35:52 Warning: Killed with signal 15
dovecot: 2007-06-17 12:35:53 Info: Dovecot v1.0.0 starting up
dovecot: 2007-06-17 12:37:23 Info: auth(default): client in: AUTH 1 PLAIN service=IMAP secured lip=192.168.0.251 rip=192.168.0.251 resp=AHRlc3RlAHRlc3Rl
dovecot: 2007-06-17 12:37:23 Info: auth(default): ldap(teste,192.168.0.251): bind: dn=teste
dovecot: 2007-06-17 12:37:23 Info: auth(default): client out: OK 1 user=teste
dovecot: 2007-06-17 12:37:23 Info: auth(default): master in: REQUEST 1 31290 1
dovecot: 2007-06-17 12:37:23 Info: auth(default): ldap(teste,192.168.0.251): user search: base=DC=tecnicopias01,DC=com,DC=br scope=subtree filter=(&(objectClass=organizationalPerson)(sAMAccountName=teste)) fields=info
dovecot: 2007-06-17 12:40:23 Info: imap-login: Disconnected: Inactivity: user=<teste>, method=PLAIN, rip=192.168.0.251, lip=192.168.0.251, secured
dovecot: 2007-06-17 12:52:46 Error: auth(default): ldap(teste, 192.168.0.251): ldap_search() failed: Operations error
dovecot: 2007-06-17 12:52:46 Info: auth(default): master out: FAIL 1
dovecot: 2007-06-17 12:52:46 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
dovecot: 2007-06-17 13:07:46 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
dovecot: 2007-06-17 13:22:47 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
As we can see, Dovecot first binds correctly, but after that it opens a new connection, as shown in the ngrep output, and without binding tries to do the ldap_search; at that point AD blocks the search, saying that a successful bind is necessary on the newly opened connection.
###########################################################
### Now, changing to user database lookups, authenticating with krb5 ###
dovecot: 2007-06-18 10:14:35 Info: auth(default): client in: AUTH 1 PLAIN service=IMAP secured lip=192.168.0.251 rip=192.168.0.251 resp=AHRlc3RlAHRlc3Rl
dovecot: 2007-06-18 10:14:35 Info: auth(default): pam(teste,192.168.0.251): lookup service=dovecot
dovecot: 2007-06-18 10:14:35 Info: auth(default): client out: OK 1 user=teste
dovecot: 2007-06-18 10:14:35 Info: auth(default): master in: REQUEST 1 32029 1
dovecot: 2007-06-18 10:14:35 Info: auth(default): ldap(teste,192.168.0.251): user search: base=DC=tecnicopias01,DC=com,DC=br scope=subtree filter=(&(objectClass=organizationalPerson)(sAMAccountName=teste)) fields=info
dovecot: 2007-06-18 10:17:35 Info: imap-login: Disconnected: Inactivity: user=<teste>, method=PLAIN, rip=192.168.0.251, lip=192.168.0.251, secured
dovecot: 2007-06-18 10:29:25 Error: auth(default): ldap(teste, 192.168.0.251): ldap_search() failed: Operations error
dovecot: 2007-06-18 10:29:25 Info: auth(default): master out: FAIL 1
dovecot: 2007-06-18 10:29:25 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
dovecot: 2007-06-18 10:44:26 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
dovecot: 2007-06-18 10:59:26 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
###########################################################
After some time, the Dovecot log starts logging these last 3 lines saying "Can't contact LDAP server", and ngrep shows this:
###########################################################
#############
T 192.168.0.251:49043 -> 192.168.0.11:389 [AP]
  0E...
@....1CN=postfix,CN=Users,DC=tecnicopias01,DC=com,DC=br..post123!
#
T 192.168.0.11:389 -> 192.168.0.251:49043 [AP]
  0........a............
###
T 192.168.0.251:49043 -> 192.168.0.11:389 [AP]
  0....B.
#######
T 192.168.0.251:42083 -> 192.168.0.11:389 [AP]
  0E...
@....1CN=postfix,CN=Users,DC=tecnicopias01,DC=com,DC=br..post123!
#
T 192.168.0.11:389 -> 192.168.0.251:42083 [AP]
  0........a............
###
T 192.168.0.251:42083 -> 192.168.0.11:389 [AP]
  0....B.
#######
T 192.168.0.251:52084 -> 192.168.0.11:389 [AP]
  0E...`@....1CN=postfix,CN=Users,DC=tecnicopias01,DC=com,DC=br..post123!
#
T 192.168.0.11:389 -> 192.168.0.251:52084 [AP]
  0........a............
#
After a while Dovecot keeps trying to connect to the LDAP server without any requests being sent to the server. So it keeps logging this line below forever:
LDAP: ldap_result() failed: Can't contact LDAP server
###########################################################
If I change the base to the same location where the user being authenticated is, the userdb lookup succeeds because he's found at the first ldap_search try, and no subtree search is necessary. So again I think Dovecot must not open a connection other than the one opened at bind time to make the subtree search, like Postfix does.
Timo, I'm waiting for your reply.
Thanks in advance for spending your time contributing to free software, Bruno.
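An added example (editor's code, not from the thread or the Dovecot project) that walks Dovecot auth_debug lines of the kind quoted above and pairs each userdb "user search" with the later ldap_search() failure for the same user, so an operator can spot that the passdb bind succeeded but the separate userdb lookup was refused; it also counts the "Can't contact LDAP server" retry lines. The log lines are constructed to match the format in the post, and the base DN is a placeholder.

```python
import re

# Constructed sample in the format of Dovecot 1.0 auth_debug output; base DN is a placeholder.
SAMPLE_LOG = """\
dovecot: 2007-06-17 12:37:23 Info: auth(default): ldap(teste,192.168.0.251): bind: dn=teste
dovecot: 2007-06-17 12:37:23 Info: auth(default): client out: OK 1 user=teste
dovecot: 2007-06-17 12:37:23 Info: auth(default): ldap(teste,192.168.0.251): user search: base=DC=example,DC=test scope=subtree filter=(&(objectClass=organizationalPerson)(sAMAccountName=teste)) fields=info
dovecot: 2007-06-17 12:52:46 Error: auth(default): ldap(teste, 192.168.0.251): ldap_search() failed: Operations error
dovecot: 2007-06-17 12:52:46 Info: auth(default): master out: FAIL 1
dovecot: 2007-06-17 12:52:46 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
dovecot: 2007-06-17 13:07:46 Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
"""

LINE_RE = re.compile(r"^dovecot: (\S+ \S+) (\w+): auth\(\w+\): (.*)$")
LDAP_RE = re.compile(r"^ldap\((?P<user>[^,]+),\s*(?P<rip>[^)]+)\): (?P<msg>.*)$")
SEARCH_RE = re.compile(r"^user search: base=(?P<base>\S+) scope=(?P<scope>\S+) filter=(?P<filter>\S+)")

def parse_events(text):
    """Split auth-process log lines into dicts of timestamp, level, user (or None) and message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth process line (imap-login, startup, ...)
        ts, level, msg = m.groups()
        ev = {"ts": ts, "level": level, "user": None, "msg": msg}
        lm = LDAP_RE.match(msg)
        if lm:  # per-user ldap() lines carry the user and the client IP
            ev["user"] = lm["user"]
            ev["msg"] = lm["msg"]
        events.append(ev)
    return events

def find_userdb_failures(events):
    """Pair each 'user search' with a later ldap_search() failure for the same user:
    a hit means the passdb bind succeeded but the userdb lookup was refused."""
    pending, failures = {}, []
    for ev in events:
        sm = SEARCH_RE.match(ev["msg"])
        if sm and ev["user"]:
            pending[ev["user"]] = sm.groupdict()
        elif ev["user"] in pending and ev["msg"].startswith("ldap_search() failed: "):
            p = pending.pop(ev["user"])
            failures.append((ev["user"], p["base"], p["scope"], ev["msg"].split(": ", 1)[1]))
    return failures

def count_contact_failures(events):
    """Count the retry-loop lines the post describes as being logged forever."""
    return sum("Can't contact LDAP server" in ev["msg"] for ev in events)
```

Run it over a real auth log with auth_debug = yes to confirm whether the failing step is the userdb search rather than the bind, and to see how often the retry loop fires.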