[Dovecot] Fwd: LDAP subtree search on AD

Bruno Puga brpuga at gmail.com
Thu Jun 14 22:11:13 EEST 2007


Ok Timo, first of all thanks for your reply!

I've used ngrep to sniff the packets and I grabbed the data below. As we can
see, Postfix makes the bind before anything else, and Dovecot sends some
lines of data before the bind. After that, Dovecot tries to make the subtree
search, but in my understanding Dovecot isn't making a correct bind, maybe
because of the two lines sent before the bind, or for some other reason. I think it
could also be that Dovecot is using other connections for the search than
the connection used at bind time, as we can see in the logs below
that Dovecot uses various local ports for one single search, and Postfix opens
just one local port to make that search.

Timo, I think it could be a bug. Correct me if I am wrong!

Waiting for answers and ideas, and thanks until the moment.
Bruno.


--------------------------------------------------------------------------------------------
Dovecot:
#
T 192.168.0.251:58918 -> 192.168.0.11:389 [AP]
  0....`......teste..teste
#
T 192.168.0.11:389 -> 192.168.0.251:58918 [AP]
  0........a............
##
T 192.168.0.251:58918 -> 192.168.0.11:389 [AP]
  0E...`@....1CN=Postfix,CN=Users,DC=tecnicopias01,DC=com,DC=br..mypassword
#
T 192.168.0.11:389 -> 192.168.0.251:58918 [AP]
  0........a............
#
T 192.168.0.251:58918 -> 192.168.0.11:389 [AP]

0{...cv..DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info
#
T 192.168.0.11:389 -> 192.168.0.251:58918 [AP]

0.... at ...d....7./CN=teste,CN=Users,DC=tecnicopias01,DC=com,DC=br0.....0....e...s....\.Zldap://ForestDnsZones.tecnicopias01.com.br/DC=ForestDnsZones,DC=te

cnicopias01,DC=com,DC=br0....e...s....\.Zldap://DomainDnsZones.tecnicopias01.com.br/DC=DomainDnsZones,DC=tecnicopias01,DC=com,DC=br0....U...s....L.Jldap:

//tecnicopias01.com.br/CN=Configuration,DC=tecnicopias01,DC=com,DC=br0........e............
####
T 192.168.0.251:58920 -> 192.168.0.11:389 [AP]
  0....`........
#
T 192.168.0.11:389 -> 192.168.0.251:58920 [AP]
  0........a............
#####
T 192.168.0.251:58921 -> 192.168.0.11:389 [AP]
  0....`........
#
T 192.168.0.11:389 -> 192.168.0.251:58921 [AP]
  0........a............
#####
T 192.168.0.251:58922 -> 192.168.0.11:389 [AP]
  0....`........
#
T 192.168.0.11:389 -> 192.168.0.251:58922 [AP]
  0........a............
##
T 192.168.0.251:58922 -> 192.168.0.11:389 [AP]

0.....c....CN=Configuration,DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info
#
T 192.168.0.251:58921 -> 192.168.0.11:389 [AP]

0.....c.../DC=DomainDnsZones,DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info
#
T 192.168.0.251:58920 -> 192.168.0.11:389 [AP]

0.....c.../DC=ForestDnsZones,DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info
#
T 192.168.0.11:389 -> 192.168.0.251:58922 [AP]
  0........e................00000000: LdapErr: DSID-0C090627, comment: In
order to perform this operation a successful bind must be completed on the
connec
  tion., data 0, vece.
#
T 192.168.0.11:389 -> 192.168.0.251:58921 [AP]
  0........e................00000000: LdapErr: DSID-0C090627, comment: In
order to perform this operation a successful bind must be completed on the
connec
  tion., data 0, vece.
#
T 192.168.0.11:389 -> 192.168.0.251:58920 [AP]
  0........e................00000000: LdapErr: DSID-0C090627, comment: In
order to perform this operation a successful bind must be completed on the
connection., data 0, vece.
--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
Postfix:
####
T 192.168.0.251:47285 -> 192.168.0.11:389 [AP]
  0E...`@....1cn=postfix,cn=Users,dc=tecnicopias01,dc=com,dc=br..mypassword
#
T 192.168.0.11:389 -> 192.168.0.251:47285 [AP]
  0........a............
##
T 192.168.0.251:47285 -> 192.168.0.11:389 [AP]
  0f...ca..dc=tecnicopias01,dc=com,dc=br................ ..mail..bruno@
tecnicopias.com.br0...postOfficeBox
#
T 192.168.0.11:389 -> 192.168.0.251:47285 [AP]
  0........d....w.9CN=Bruno
Puga,OU=USER,OU=TI,DC=tecnicopias01,DC=com,DC=br0....60....0..postOfficeBox1.......tecnicopias.com.br/bruno/0....e...s....\.Zld

ap://ForestDnsZones.tecnicopias01.com.br/DC=ForestDnsZones,DC=tecnicopias01,DC=com,DC=br0....e...s....\.Zldap://DomainDnsZones.tecnicopias01.com.br/DC=Do

mainDnsZones,DC=tecnicopias01,DC=com,DC=br0....U...s....L.Jldap://tecnicopias01.com.br/CN=Configuration,DC=tecnicopias01,DC=com,DC=br0........e..........
  ..
#
T 192.168.0.251:47285 -> 192.168.0.11:389 [AP]
  0....B.
####
--------------------------------------------------------------------------------------------




On 6/13/07, Timo Sirainen <tss at iki.fi> wrote:
>
> On Wed, 2007-06-13 at 15:46 -0300, Bruno Puga wrote:
> > With postfix using virtual_mailbox_maps through the same ldap backend, I
> can
> > make subtree searches in the Active Directory without problems.
> >
> > Any ideas?
> >
> > I really need this information and appreciate any help or new ideas!
>
> I've no idea about Active Directory, or even all that much about LDAP.
>
> > scope = subtree
>
> This should however work, and it's also the default. It gets passed to
> ldap_search() function correctly, so as far as I know there are no bugs
> related to this.
>
> Maybe you could check with e.g. Wireshark if it supports LDAP protocol
> and see what's different between what Dovecot sends and what Postfix
> sends.
>
>
>


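One way to read the two captures above: on its first connection (local port 58918) Dovecot binds as CN=Postfix with a password, then searches the domain root, and the server answers with the user entry plus three SearchResultReference entries (the `s` records pointing at ForestDnsZones, DomainDnsZones and CN=Configuration). Three further connections (ports 58920 to 58922) then each send a bind carrying no DN and no password, followed by a search under one of the referred-to naming contexts, and AD answers each with "a successful bind must be completed on the connection". Postfix never follows the references, so its single bound connection is enough. The script below, added here as an illustration and not code from the thread or from Dovecot or Postfix, builds LDAP PDUs with a minimal BER encoder, decodes them per connection, and flags every SearchRequest sent on a connection whose last bind was not a successful authenticated one. The sample flows, ports and DNs are constructed to mirror the capture; the message IDs are assumptions.

```python
"""Classify LDAP PDUs per TCP connection and flag searches issued on connections
that never completed an authenticated bind (the failure pattern in the capture)."""

# LDAP protocol-op tags (RFC 4511, APPLICATION class): 0x60 '`', 0x61 'a', 0x63 'c'
BIND_REQUEST, BIND_RESPONSE, SEARCH_REQUEST = 0x60, 0x61, 0x63

# --- minimal BER encoding, enough to build realistic LDAP PDUs ---
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def octets(s):               # OCTET STRING (LDAPDN, attribute names, credentials)
    return tlv(0x04, s.encode())

def integer(v):              # INTEGER, single-byte values only
    return tlv(0x02, bytes([v]))

def enumerated(v):
    return tlv(0x0A, bytes([v]))

def ldap_message(msg_id, op):
    return tlv(0x30, integer(msg_id) + op)

def bind_request(msg_id, dn, password):
    # BindRequest: version 3, name, simple authentication ([0] OCTET STRING, tag 0x80)
    return ldap_message(msg_id, tlv(BIND_REQUEST, integer(3) + octets(dn) + tlv(0x80, password.encode())))

def bind_response(msg_id, result_code):
    # BindResponse carries an LDAPResult: resultCode, matchedDN, diagnosticMessage
    return ldap_message(msg_id, tlv(BIND_RESPONSE, enumerated(result_code) + octets("") + octets("")))

def search_request(msg_id, base_dn):
    # scope 2 = wholeSubtree, derefAliases 0, no size/time limit, typesOnly FALSE,
    # present filter (objectClass=*) as [7] tag 0x87, empty attribute list
    op = (octets(base_dn) + enumerated(2) + enumerated(0) + integer(0) + integer(0)
          + tlv(0x01, b"\x00") + tlv(0x87, b"objectClass") + tlv(0x30, b""))
    return ldap_message(msg_id, tlv(SEARCH_REQUEST, op))

# --- minimal BER decoding ---
def ber_read(buf, pos=0):
    """Return (tag, value, position after the TLV) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_message(pdu):
    """Split an LDAPMessage into (messageID, protocol-op tag, protocol-op value)."""
    tag, body, _ = ber_read(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = ber_read(body)
    op_tag, op_val, _ = ber_read(body, pos)
    return int.from_bytes(msg_id, "big"), op_tag, op_val

def audit(flows):
    """flows: iterable of (client_port, direction, pdu), direction 'C' = client to
    server, 'S' = server to client. Returns (port, messageID, baseDN) for every
    SearchRequest sent on a connection whose last bind was not a successful,
    non-anonymous bind."""
    pending, authenticated, findings = {}, {}, []
    for port, direction, pdu in flows:
        msg_id, op, val = parse_message(pdu)
        if direction == "C" and op == BIND_REQUEST:
            _, _, pos = ber_read(val)               # skip version
            _, name, pos = ber_read(val, pos)
            _, cred, _ = ber_read(val, pos)
            pending[port] = (msg_id, bool(name) and bool(cred))  # empty DN/password = anonymous
            authenticated[port] = False
        elif direction == "S" and op == BIND_RESPONSE:
            _, code, _ = ber_read(val)              # resultCode 0 = success
            if port in pending and pending[port][0] == msg_id and code == b"\x00":
                authenticated[port] = pending[port][1]
        elif direction == "C" and op == SEARCH_REQUEST:
            _, base, _ = ber_read(val)
            if not authenticated.get(port, False):
                findings.append((port, msg_id, base.decode()))
    return findings

# Constructed sample modelled on the capture: one bound connection, and one that
# only bound anonymously before searching a referred-to naming context.
DOMAIN = "DC=tecnicopias01,DC=com,DC=br"
SAMPLE_FLOWS = [
    (58918, "C", bind_request(1, "CN=Postfix,CN=Users," + DOMAIN, "mypassword")),
    (58918, "S", bind_response(1, 0)),
    (58918, "C", search_request(2, DOMAIN)),
    (58920, "C", bind_request(1, "", "")),          # bind with no DN and no password
    (58920, "S", bind_response(1, 0)),
    (58920, "C", search_request(2, "DC=ForestDnsZones," + DOMAIN)),
]

if __name__ == "__main__":
    for port, msg_id, base in audit(SAMPLE_FLOWS):
        print(f"port {port}: search #{msg_id} on {base!r} sent without an authenticated bind")
```

Run stand-alone it reports only port 58920. To apply the same check to a real trace, replace `SAMPLE_FLOWS` with the raw LDAP payloads per client port (for example exported from Wireshark, which decodes LDAP and shows the bind name and resultCode directly); ngrep's dotted text output is not enough, because it hides the length and tag bytes the decoder needs.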