[Dovecot] LDAP auth_bind fails to process certain LDAP server responses (Windows AD)

Konstantin Khomoutov flatworm at users.sourceforge.net
Fri May 15 22:19:25 EEST 2009 

LDAP auth backend in Dovecot 1.1.5 seemingly fails to handle certain
paths of interaction with LDAP server, which is Windows AD running 
Windows 2003 server machine in my case.

The symptoms I observe look exactly as were already reported in [1]: 
authentication backend "hangs" after logging the fact it has sent the 
search request, then after a while the IMAP/POP3 connection is teared 
down by the server due to idle condition.

In the mentioned mail thread, it was proposed that if Dovecot doesn't 
log any LDAP server response, there is no such response, so I dumped the 
TCP traffic going between the backend and the server, and studied what 
happens with different settings.

The result is that it seems LDAP auth backend doesn't understand the 
case when the server offerrs one or more "referrals" which the client 
might want to check. It seems that the backend tries to do something 
else after it gets such a result from the LDAP server even if the server 
returned an entry matching the search request.

The described behaviour manifests itself with Windows AD only if I 
specify the domain name alone as the search base, e.g. 
"dc=mydomain,dc=com". If I also include at least one OU, the server 
doesn't return its list of referrals and Dovecot LDAP auth backend works OK.

I attached two files produced by tcpdump -- one with "hung" search 
request, and another with successful one.
They are:

1) ldap-hung.pcap.gz
Captured with /etc/dovecot/dovecot-ldap.conf settings:
hosts = domain007.com
dn = saslauthd at domain007.com
dnpass = "secret"
auth_bind = yes
base = dc=domain007, dc=com
pass_filter = (&(objectClass=person)(sAMAccountName=%u))

Packet #8 is of interest in this dump.

2) ldap-ok.pcap.gz
Captured with /etc/dovecot/dovecot-ldap.conf settings:
hosts = domain007.com
dn = saslauthd at domain007.com
dnpass = "secret"
auth_bind = yes
base = cn=Users, dc=domain007, dc=com
pass_filter = (&(objectClass=person)(sAMAccountName=%u))

The only difference compared to the first case is the "cn=Users" 
prepended to the base DN, which prevents the server from attaching a 
list of referrals.

In both cases "search result done" is present in the server response.

3) ldap-ldapsearch.pcap.gz
This dump captures the conversation of the ldapsearch utility with the 
same server using the same parameters Dovecot LDAP auth backend uses in 
the first case. ldapsearch invocation was like this:
$ ldapsearch -h domain007.com -x -D saslauthd at domain007.com -w secret -a 
always -b dc=domain007,dc=com 
'(&(objectClass=person)(sAMAccountName=kostix))'

General configuration info (package from Debian stable):

# dovecot --version
1.0.15

# dovecot -n
# 1.0.15: /etc/dovecot/dovecot.conf
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap imaps pop3 pop3s
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
mail_privileged_group: mail
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %08Xu%08Xv
auth default:
   verbose: yes
   debug: yes
   passdb:
     driver: ldap
     args: /etc/dovecot/dovecot-ldap.conf
   userdb:
     driver: passwd

1. http://www.mail-archive.com/dovecot@dovecot.org/msg09174.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-hung.pcap.gz
Type: application/gzip
Size: 1155 bytes
Desc: not available
Url : http://dovecot.org/pipermail/dovecot/attachments/20090515/4cd36d58/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-ok.pcap.gz
Type: application/gzip
Size: 937 bytes
Desc: not available
Url : http://dovecot.org/pipermail/dovecot/attachments/20090515/4cd36d58/attachment-0001.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-ldapsearch.pcap.gz
Type: application/gzip
Size: 2191 bytes
Desc: not available
Url : http://dovecot.org/pipermail/dovecot/attachments/20090515/4cd36d58/attachment-0002.bin

More information about the dovecot mailing list