[Dovecot] Fwd: LDAP subtree search on AD

Bruno Puga brpuga at gmail.com
Fri Jun 15 20:50:52 EEST 2007


Hello Timo!

I think that to make an ldap_search in Microsoft Active Directory (I
don't know about OpenLDAP, but it could be the same case) it is necessary first
to open a connection, then bind with a valid user, and in the same connection
make the search, but with Dovecot we could see in the sniffed packets that
it opens various connections in one ldap_search. Because of this Microsoft
Active Directory shows this in the sniffer logs:

"comment: In order to perform this operation a successful bind must be
completed on the connection"

So, in the connection using local port 58918 Dovecot did make a successful
bind but didn't find the LDAP entry; after that it tries to make a subtree
search but using other connection ports 58920, 58921 and 58922 without a
successful bind, and AD blocks the search right there.
I think Dovecot isn't searching for LDAP entries correctly, is it?

I'm not an LDAP and Dovecot expert, so please tell us whether what I write here
is correct or not.

Waiting for your reply, thanks,
Bruno.


--------------------------------------------------------------------------------------------
>
> Dovecot:
> #
> T 192.168.0.251:58918 -> 192.168.0.11:389 [AP]
>   0....`......teste..teste
> #
> T 192.168.0.11:389 -> 192.168.0.251:58918 [AP]
>   0........a............
> ##
> T 192.168.0.251:58918 -> 192.168.0.11:389 [AP]
>
> 0E...`@....1CN=Postfix,CN=Users,DC=tecnicopias01,DC=com,DC=br..mypassword
> #
> T 192.168.0.11:389 -> 192.168.0.251:58918 [AP]
>   0........a............
> #
> T 192.168.0.251:58918 -> 192.168.0.11:389 [AP]
>
> 0{...cv..DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info
> #
> T 192.168.0.11:389 -> 192.168.0.251:58918 [AP]
>
> 0.... at ...d....7./CN=teste,CN=Users,DC=tecnicopias01,DC=com,DC=br0.....0....e...s....\.Zldap://ForestDnsZones.tecnicopias01.com.br/DC=ForestDnsZones,DC=te
>
> cnicopias01,DC=com,DC=br0....e...s....\.Zldap://DomainDnsZones.tecnicopias01.com.br/DC=DomainDnsZones,DC=tecnicopias01,DC=com,DC=br0....U...s....L.Jldap:
>
>
> //tecnicopias01.com.br/CN=Configuration,DC=tecnicopias01,DC=com,DC=br0........e............
> ####
> T 192.168.0.251:58920 -> 192.168.0.11:389 [AP]
>   0....`........
> #
> T 192.168.0.11:389 -> 192.168.0.251:58920 [AP]
>   0........a............
> #####
> T 192.168.0.251:58921 -> 192.168.0.11:389 [AP]
>   0....`........
> #
> T 192.168.0.11:389 -> 192.168.0.251:58921 [AP]
>   0........a............
> #####
> T 192.168.0.251:58922 -> 192.168.0.11:389 [AP]
>   0....`........
> #
> T 192.168.0.11:389 -> 192.168.0.251:58922 [AP]
>   0........a............
> ##
> T 192.168.0.251:58922 -> 192.168.0.11:389 [AP]
>
> 0.....c....CN=Configuration,DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info
> #
> T 192.168.0.251:58921 -> 192.168.0.11:389 [AP]
>
> 0.....c.../DC=DomainDnsZones,DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info
>
> #
> T 192.168.0.251:58920 -> 192.168.0.11:389 [AP]
>
> 0.....c.../DC=ForestDnsZones,DC=tecnicopias01,DC=com,DC=br................>.#..objectClass..organizationalPerson....sAMAccountName..teste0...info
>
> #
> T 192.168.0.11:389 -> 192.168.0.251:58922 [AP]
>   0........e................00000000: LdapErr: DSID-0C090627, comment: In
> order to perform this operation a successful bind must be completed on the
> connec
>   tion., data 0, vece.
> #
> T 192.168.0.11:389 -> 192.168.0.251:58921 [AP]
>   0........e................00000000: LdapErr: DSID-0C090627, comment: In
> order to perform this operation a successful bind must be completed on the
> connec
>   tion., data 0, vece.
> #
> T 192.168.0.11:389 -> 192.168.0.251:58920 [AP]
>   0........e................00000000: LdapErr: DSID-0C090627, comment: In
> order to perform this operation a successful bind must be completed on the
> connection., data 0, vece.
>
> --------------------------------------------------------------------------------------------
>
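The dump above is easier to read once you know that ngrep prints BER tag bytes as their ASCII characters: the "`" after "0...." is the BindRequest tag 0x60, "a" is BindResponse 0x61, "c" is SearchRequest 0x63, "d" is SearchResultEntry 0x64 and "e" is SearchResultDone 0x65. The 14-byte "0....`........" sent first on ports 58920, 58921 and 58922 is therefore a simple bind with an empty DN and an empty password, which RFC 4513 defines as an anonymous bind, and the three searches that follow target exactly the naming contexts named in the referral URLs (ForestDnsZones, DomainDnsZones, CN=Configuration) that AD returned alongside the first result. The script below is an added example, not code from the original post or from Dovecot: it reconstructs those connections with constructed packet bytes (a minimal BER encoder, one representative bind per connection) and labels every SearchRequest with the bind state of the connection that carried it, which is the check to run over a capture like this before blaming the directory.

```python
"""Label LDAP SearchRequests with the bind state of their connection (RFC 4511).

Added example, not from the original mailing-list post. All bytes below are
constructed here to mirror the connections in the ngrep dump.
"""

# --- minimal BER / LDAP encoder ----------------------------------------------
def ber_len(n: int) -> bytes:
    """BER length: short form below 128, two-byte long form otherwise."""
    if n < 0x80:
        return bytes([n])
    if n < 0x10000:
        return bytes([0x82, n >> 8, n & 0xFF])
    raise ValueError("content too long for this toy encoder")

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def integer(value: int, tag: int = 0x02) -> bytes:
    """Small non-negative INTEGER (0x02) or ENUMERATED (0x0A), one content byte."""
    assert 0 <= value < 0x80
    return tlv(tag, bytes([value]))

def octets(s: str) -> bytes:
    return tlv(0x04, s.encode())

def ldap_message(msg_id: int, op: bytes) -> bytes:
    return tlv(0x30, integer(msg_id) + op)

def bind_request(msg_id: int, name: str, password: str) -> bytes:
    # BindRequest ::= [APPLICATION 0] { version 3, name, authentication [0] simple }
    return ldap_message(msg_id, tlv(0x60, integer(3) + octets(name) + tlv(0x80, password.encode())))

def bind_response(msg_id: int, result_code: int, diagnostic: str = "") -> bytes:
    # BindResponse ::= [APPLICATION 1] LDAPResult { resultCode, matchedDN, diagnosticMessage }
    return ldap_message(msg_id, tlv(0x61, integer(result_code, 0x0A) + octets("") + octets(diagnostic)))

def search_request(msg_id: int, base: str, scope: int) -> bytes:
    # SearchRequest ::= [APPLICATION 3] { baseObject, scope, derefAliases, sizeLimit,
    #   timeLimit, typesOnly, filter (objectClass=*), attributes }
    body = (octets(base) + integer(scope, 0x0A) + integer(0, 0x0A) + integer(0) + integer(0)
            + tlv(0x01, b"\x00") + tlv(0x87, b"objectClass") + tlv(0x30, octets("info")))
    return ldap_message(msg_id, tlv(0x63, body))

# --- minimal BER decoder -----------------------------------------------------
def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content: bytes):
    """Immediate (tag, content) children of a constructed value."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def decode(pdu: bytes):
    """Decode one LDAPMessage into (messageID, protocolOp tag, op fields)."""
    tag, content, _ = read_tlv(pdu)
    assert tag == 0x30, "not an LDAPMessage SEQUENCE"
    (_, mid), (op_tag, op_body) = children(content)[:2]
    return mid[0], op_tag, children(op_body)

# --- the check: bind state per connection at the moment of each search --------
BIND_REQUEST, BIND_RESPONSE, SEARCH_REQUEST = 0x60, 0x61, 0x63

def classify_searches(stream):
    """stream: (client_port, 'C>S' | 'S>C', pdu) tuples, one TCP connection per port.

    Labels each SearchRequest 'none' (no bind on this connection), 'anonymous'
    (last successful bind had an empty DN) or 'authenticated'.
    """
    pending, bound, findings = {}, {}, []
    for port, direction, pdu in stream:
        _, op, fields = decode(pdu)
        if op == BIND_REQUEST and direction == "C>S":
            pending[port] = fields[1][1].decode()          # offered DN
        elif op == BIND_RESPONSE and direction == "S>C":
            if fields[0][1] == b"\x00":                    # resultCode success(0)
                bound[port] = pending.pop(port, "")
        elif op == SEARCH_REQUEST and direction == "C>S":
            state = "none" if port not in bound else ("anonymous" if bound[port] == "" else "authenticated")
            findings.append({"port": port, "base": fields[0][1].decode(), "bind": state})
    return findings

def summarize(findings):
    """client port -> bind state, the one-line view of a capture."""
    return {f["port"]: f["bind"] for f in findings}

DOMAIN = "DC=tecnicopias01,DC=com,DC=br"
# Constructed replay of the dump: port 58918 binds with a DN, then searches the
# domain; ports 58920-58922 send empty (anonymous) binds, then search the
# naming contexts AD named in its referral URLs.
SAMPLE_STREAM = [
    (58918, "C>S", bind_request(1, "CN=Postfix,CN=Users," + DOMAIN, "mypassword")),
    (58918, "S>C", bind_response(1, 0)),
    (58918, "C>S", search_request(2, DOMAIN, 2)),
    (58920, "C>S", bind_request(1, "", "")), (58920, "S>C", bind_response(1, 0)),
    (58921, "C>S", bind_request(1, "", "")), (58921, "S>C", bind_response(1, 0)),
    (58922, "C>S", bind_request(1, "", "")), (58922, "S>C", bind_response(1, 0)),
    (58922, "C>S", search_request(2, "CN=Configuration," + DOMAIN, 2)),
    (58921, "C>S", search_request(2, "DC=DomainDnsZones," + DOMAIN, 2)),
    (58920, "C>S", search_request(2, "DC=ForestDnsZones," + DOMAIN, 2)),
]

if __name__ == "__main__":
    for f in classify_searches(SAMPLE_STREAM):
        print(f"port {f['port']}: search base {f['base']!r} on connection with bind={f['bind']}")
```

Run against the constructed stream, the search on port 58918 is reported as authenticated and the three referred searches as anonymous, which is the pattern the dump shows. Whether a client library follows referrals at all, and with which credentials it rebinds when it does, is a setting of that library; the analyzer only makes the resulting connection behaviour visible so it can be compared with what the directory requires.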

