[Dovecot] dovecot with Active Directory problem

marie ot otmarie2501 at gmail.com
Sun Nov 14 14:31:59 EET 2010


Hello,

I am using dovecot-2.0.6 with NetBSD amd64.
Active Directory is used as an authentication server.
(Windows Server 2008 R2)

However, the message "Operations error" was displayed first, and nothing
proceeded.
I solved it by realizing that this was because the privileges of the user
used for the bind were insufficient, and adding it to the "Account Operators"
group.
# Though it is not the best.

The error "Error: re_encode_request new request is" occurs,
and it still doesn't work, as follows.

Postfix works when it connects to LDAP.
The following are samples.

------------------------
# Active Directory Server settings
domain = example.com
server_host = ldap://xxx.xxx.xxx.xxx:389
search_base = dc=example, dc=com
version = 3
timeout = 30

# Active Directory Searcher settings
bind = yes
bind_dn = cn=Mail Administrator, cn=Users, dc=example, dc=com
bind_pw = *********

# Filter Query
query_filter = (&(&(objectCategory=person)(|(mail=%s)(userPrincipalName=%s)))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute = userPrincipalName
result_filter = %s/
chase_referrals = no
------------------------

The packets were captured with Wireshark using this definition, and a
similar test was done with Dovecot.

This is the Dovecot setting.

------------------------
hosts = xxx.xxx.xxx.xxx:389
dn = cn=Mail Administrator, cn=Users, dc=example, dc=com
dnpass = *********

auth_bind = no
ldap_version = 3
base = dc=example, dc=com
user_attrs = unixHomeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(&(objectCategory=person)(userPrincipalName=%u))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

pass_attrs = userPrincipalName=user,unixUserPassword=password
pass_filter = (&(&(objectCategory=person)(userPrincipalName=%u))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
iterate_attrs = userPrincipalName=user
iterate_filter = (&(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
default_pass_scheme = MD5
------------------------

# The LDAP schema is matched to Windows Services for UNIX,
# and the password is hashed with MD5.

For both Dovecot and Postfix, the first "bindRequest" was quite
the same request, with the same results.

Next, Dovecot requested a query for "userPrincipalName" and "unixUserPassword".
The result seems to be OK.
# This fails if the user is not added to the "Account Operators" group.

However, for the following request (bindRequest), "name" and "simple"
were issued blank (anonymously?).
In addition, a query for "userPrincipalName" and "unixUserPassword" is issued
afterwards to "cn=Configuration, dc=example, dc=com".
And "Operations Error" is returned because of this.

Error description in LDAP packet:
------------------------
errorMessage: 000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform
this operation a successful bind must be completed on the connection., data
0, v1db0
------------------------

Because I am not an LDAP professional, I have not understood it, though
I looked at the source code.

Do you serve as a reference?

Thanks powerful codes.
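As an added example (not code from the post, from Dovecot or from Postfix), the script below builds the `user_filter` quoted above from a login name and models what Active Directory selects with it: the `userAccountControl:1.2.840.113556.1.4.803:=2` clause is a bitwise-AND matching rule that excludes disabled accounts, and the value substituted for `%u` has to be escaped per RFC 4515, as any LDAP client must do when it places a login name into a filter. The directory entries and the helper names are constructed for the example.

```python
# Added example (not from the post): builds the user_filter from the Dovecot
# config above and models what it selects. Entries and names are constructed.
ACCOUNTDISABLE = 0x0002  # userAccountControl bit tested by the filter

# user_filter from the post; Dovecot substitutes the login name for %u
USER_FILTER = ("(&(&(objectCategory=person)(userPrincipalName=%u))"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")


def escape_filter_value(value):
    """RFC 4515 escaping: a login name substituted into a filter must not be
    able to add or close filter components (e.g. 'x)(mail=*')."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_user_filter(login):
    return USER_FILTER.replace("%u", escape_filter_value(login))


def matches_user_filter(entry, login):
    """Local model of the three conditions AD evaluates for this filter.
    OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so the negated
    clause drops entries whose userAccountControl has bit 2 (disabled) set."""
    return (entry.get("objectCategory") == "person"
            and entry.get("userPrincipalName") == login
            and not entry.get("userAccountControl", 0) & ACCOUNTDISABLE)


def find_user(entries, login):
    hits = [e for e in entries if matches_user_filter(e, login)]
    return hits[0] if hits else None


# Constructed sample entries (objectCategory shortened; AD stores a DN there)
SAMPLE_ENTRIES = [
    {"userPrincipalName": "alice@example.com", "objectCategory": "person",
     "userAccountControl": 512, "unixHomeDirectory": "/home/alice"},
    {"userPrincipalName": "bob@example.com", "objectCategory": "person",
     "userAccountControl": 514},  # 512 | ACCOUNTDISABLE: disabled account
    {"userPrincipalName": "svc@example.com", "objectCategory": "computer",
     "userAccountControl": 4096},
]

if __name__ == "__main__":
    print(build_user_filter("alice@example.com"))
    print(build_user_filter("x)(mail=*"))  # filter metacharacters are escaped
    for login in ("alice@example.com", "bob@example.com", "svc@example.com"):
        print(login, "->", find_user(SAMPLE_ENTRIES, login) is not None)
```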

