[Dovecot] LDAP auth_bind hangs and times out

Timo Sirainen tss at iki.fi
Fri Apr 4 00:11:45 EEST 2008


No, I mean this appears to be a bug somewhere since an LDAP request is
sent, but it's never received by Dovecot. So either Dovecot does
something wrong, OpenLDAP library does something wrong or your network
blocks the reply for some reason. For example on my system:

auth(default): ldap(foo,127.0.0.1): bind search: base=...
auth(default): ldap(foo,127.0.0.1): result: uid(user)=foo

If Dovecot receives a reply to the "bind search", it logs the "result"
line, which your logs show is missing.

On Apr 4, 2008, at 12:06 AM, Jack McKinney wrote:
> 	I am not sure that I understand you, here. Are you saying that I am
> missing something from my configuration after the "filter=" line like a
> pass_attrs listing fields to return?  I do not have one, as there are no
> fields that I need returned.  The only thing that dovecot needs is the
> DN of the match itself.
>
> 	According to http://wiki.dovecot.org/AuthDatabase/LDAP ,
>
> "The pass_filter is used to find the LDAP entry, and the DN is taken
> from the reply."
>
> 	Should I add a dummy pass_attrs entry?  What field is safe to grab?
> E.g., I do not want to overwrite "user"...
>
> On Thu, 2008-04-03 at 23:59 +0300, Timo Sirainen wrote:
>> On Thu, 2008-04-03 at 09:46 -0500, Jack McKinney wrote:
>>
>>> ldap(jackmc at lorentz.com,y.y.y.y): bind search: base=ou=users,
>>> dc=lorentz,dc=com
>>> filter=(&(objectClass=inetOrgPerson)(mail=jackmc at lorentz.com))
>>
>> Here should be a line saying "result: <returned fields>". Since there
>> isn't, Dovecot never appears to receive the reply. You could verify this
>> by adding to src/auth/db-ldap.c ldap_input() around line 372:
>>
>> 		msgid = ldap_msgid(res);
>> // added line:
>> 		i_info("LDAP: Received reply %d", msgid);
>>
>> msgid might be the same as this tag:
>>
>>> Apr  3 08:13:30 fourier slapd[14039]: conn=7 op=3 SEARCH RESULT tag=101
>>
>> But I'm not sure. If you anyway receive a reply after the "bind search",
>> there's something wrong in Dovecot's error handling.
>>
> -- 
> Jack McKinney
> GPG 1024D/99C6A174
> jackmc at lorentz.com YM:lfaatsnat2006 AIM:jackmclorentz
> "There is no parameter that makes it impossible for you to perform still
> more excellently."
>   -Mario Cuomo, on the lack of a clock in baseball
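
The check described in this message (every "bind search" line should be followed by a "result" line for the same user and address) can be run over an auth debug log as below. This is an added example, not code from the thread or from Dovecot; the line format is assumed from the two lines quoted above, and the sample log, users and addresses are constructed.

```python
import re
from collections import defaultdict, deque

# Assumed format, taken from the two auth debug lines quoted in the thread:
#   auth(default): ldap(foo,127.0.0.1): bind search: base=...
#   auth(default): ldap(foo,127.0.0.1): result: uid(user)=foo
LINE_RE = re.compile(
    r"ldap\((?P<user>[^,()]+),(?P<ip>[^()]+)\): (?P<kind>bind search|result):"
)


def unanswered_bind_searches(lines):
    """Return [(line_no, user, ip)] for each "bind search" with no later "result"."""
    pending = defaultdict(deque)  # (user, ip) -> line numbers still waiting
    for line_no, line in enumerate(lines, start=1):
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        key = (m["user"], m["ip"])
        if m["kind"] == "bind search":
            pending[key].append(line_no)
        elif pending[key]:
            pending[key].popleft()  # a result answers the oldest open search
    return sorted((n, user, ip) for (user, ip), q in pending.items() for n in q)


# Constructed sample log: the search on line 3 never gets a "result" line,
# which is the symptom discussed in this thread.
SAMPLE_LOG = """\
auth(default): ldap(alice,192.0.2.10): bind search: base=ou=users,dc=example,dc=com filter=(uid=alice)
auth(default): ldap(alice,192.0.2.10): result: uid(user)=alice
auth(default): ldap(bob@example.com,192.0.2.11): bind search: base=ou=users,dc=example,dc=com filter=(mail=bob@example.com)
auth(default): unrelated line (constructed)
auth(default): ldap(alice,192.0.2.10): bind search: base=ou=users,dc=example,dc=com filter=(uid=alice)
auth(default): ldap(alice,192.0.2.10): result: uid(user)=alice
""".splitlines()

if __name__ == "__main__":
    for line_no, user, ip in unanswered_bind_searches(SAMPLE_LOG):
        print(f"line {line_no}: no result logged for {user} from {ip}")
```

A search reported here only means Dovecot logged no reply; whether the server sent one still has to be checked on the slapd side, as the thread does with the SEARCH RESULT line.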
