[Dovecot] Problem with Dovecot and AD LDAP auth

Алексей Переклад at_hacker at mail.ru
Thu Jun 7 17:28:02 EEST 2012


Hi.

Seems it's a bug in dovecot auth. I have FreeBSD 8.1-RELEASE-p1 and I tried 1.2.17 and 2.1.7 versions of Dovecot, and still no luck.

The problem: when I set in dovecot-ldap.conf: base = CN=Users,DC=domain,DC=local

everything works fine. But if I set: base = DC=domain,DC=local

the mail client can't authorize. /var/log/dovecot.log says:
=============================================== 
Jun 07 18:07:17 auth: Debug: auth client connected (pid=14611)
Jun 07 18:08:11 auth: Debug: client in: AUTH 1 PLAIN service=imap session=G1//aeLB6wAKAABu lip=10.0.0.3 rip=10.0.0.110 lport=143 rport=55787 resp=AGdhdGV3YXkAVU82eUpuUXQ=
Jun 07 18:08:11 auth: Debug: ldap(gateway,10.0.0.110,<G1//aeLB6wAKAABu>): bind search: base=DC=domain,DC=local filter=(&(objectClass=person)(sAMAccountName=gateway))
Jun 07 18:08:11 auth: Debug: ldap(gateway,10.0.0.110,<G1//aeLB6wAKAABu>): result: uid missing
Jun 07 18:10:18 imap-login: Info: Disconnected: Inactivity during authentication (disconnected while authenticating, waited 127 secs): user=<>, method=PLAIN, rip=10.0.0.110, lip=10.0.0.3, session=<G1//aeLB6wAKAABu>
Jun 07 18:10:18 auth: Debug: client in: CANCEL 1
Jun 07 18:10:18 auth: Debug: auth client connected (pid=14706)
Jun 07 18:10:26 auth: Debug: client in: AUTH 1 PLAIN service=imap session=n6IBcuLB7AAKAABu lip=10.0.0.3 rip=10.0.0.110 lport=143 rport=55788 resp=AGdhdGV3YXkAVU82eUpuUXQ=
Jun 07 18:10:26 auth: Debug: ldap(gateway,10.0.0.110,<n6IBcuLB7AAKAABu>): bind search: base=DC=domain,DC=local filter=(&(objectClass=person)(sAMAccountName=gateway))
Jun 07 18:10:26 auth: Error: ldap(gateway,10.0.0.110,<n6IBcuLB7AAKAABu>): Connection appears to be hanging, reconnecting
Jun 07 18:10:26 auth: Debug: ldap(gateway,10.0.0.110,<n6IBcuLB7AAKAABu>): result: uid missing
Jun 07 18:10:26 auth: Error: ldap(gateway,10.0.0.110,<G1//aeLB6wAKAABu>): Request lost
Jun 07 18:10:26 auth: Error: ldap(gateway,10.0.0.110,<n6IBcuLB7AAKAABu>): ldap_search(base=DC=domain,DC=local filter=(&(objectClass=person)(sAMAccountName=gateway))) failed: Operations error
Jun 07 18:10:26 auth: Error: LDAP: Reply with unknown msgid 2
Jun 07 18:10:26 auth: Error: LDAP: Reply with unknown msgid 2
Jun 07 18:10:26 auth: Error: LDAP: Reply with unknown msgid 2
Jun 07 18:10:26 auth: Error: LDAP: Reply with unknown msgid 2
Jun 07 18:10:28 auth: Debug: client out: FAIL 1 user=gateway temp
Jun 07 18:10:28 auth: Debug: client out: FAIL 1 user=gateway temp
Jun 07 18:13:18 imap-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 172 secs): user=<gateway>, method=PLAIN, rip=10.0.0.110, lip=10.0.0.3, session=<n6IBcuLB7AAKAABu>
============================================

My dovecot-ldap.conf:

===============================
ldap_version = 3
hosts = ad.domain.local
base = DC=hrom,DC=local
scope = subtree

dn = CN=mailserver,CN=Users,DC=domain,DC=local
dnpass = here_is_pass
auth_bind = yes
pass_attrs = uid=user
pass_filter = "(&(objectClass=person)(sAMAccountName=%u))"
user_attrs = name=mail=maildir:/var/mail/virtual/hrom.local/%n
user_filter = "(&(objectClass=person)(sAMAccountName=%u))"
=================================================== 

I need base = DC=domain,DC=local for searching for users' accounts in different OUs of my AD. If I set base = CN=Users,DC=domain,DC=local, Dovecot can't authorize user accounts from the OUs.

P.S.: Postfix with base = DC=domain,DC=local works perfectly, so the problem is not with our domain controller (LDAP server as well).
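Added example (not the poster's code and not part of Dovecot): a small parser for the `auth: ... ldap(user,rip,<session>): ...` debug lines quoted above, which groups them by session id, records the search base each session used, and flags sessions that searched from a bare `DC=...` root and then hit an LDAP error. The log text is constructed from the lines in the post plus one made-up session with a `CN=Users` base to show the contrast; the session id `ZZconstructed01` is invented.

```python
import re

# Constructed sample: lines modelled on the post's log, plus one invented
# session (ZZconstructed01) that searched from CN=Users and saw no error.
SAMPLE_LOG = """\
Jun 07 18:08:11 auth: Debug: ldap(gateway,10.0.0.110,<G1//aeLB6wAKAABu>): bind search: base=DC=domain,DC=local filter=(&(objectClass=person)(sAMAccountName=gateway))
Jun 07 18:08:11 auth: Debug: ldap(gateway,10.0.0.110,<G1//aeLB6wAKAABu>): result: uid missing
Jun 07 18:10:26 auth: Debug: ldap(gateway,10.0.0.110,<n6IBcuLB7AAKAABu>): bind search: base=DC=domain,DC=local filter=(&(objectClass=person)(sAMAccountName=gateway))
Jun 07 18:10:26 auth: Error: ldap(gateway,10.0.0.110,<n6IBcuLB7AAKAABu>): Connection appears to be hanging, reconnecting
Jun 07 18:10:26 auth: Error: ldap(gateway,10.0.0.110,<G1//aeLB6wAKAABu>): Request lost
Jun 07 18:10:26 auth: Error: ldap(gateway,10.0.0.110,<n6IBcuLB7AAKAABu>): ldap_search(base=DC=domain,DC=local filter=(&(objectClass=person)(sAMAccountName=gateway))) failed: Operations error
Jun 07 18:10:26 auth: Error: LDAP: Reply with unknown msgid 2
Jun 07 18:10:28 auth: Debug: client out: FAIL 1 user=gateway temp
Jun 07 18:20:01 auth: Debug: ldap(gateway,10.0.0.110,<ZZconstructed01>): bind search: base=CN=Users,DC=domain,DC=local filter=(&(objectClass=person)(sAMAccountName=gateway))
"""

# Matches only the per-session ldap(...) lines; 'LDAP: Reply with unknown msgid'
# and 'client out:' lines carry no session id and are deliberately skipped.
LDAP_LINE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) auth: (?P<level>\w+): "
    r"ldap\((?P<user>[^,]+),(?P<rip>[^,]+),<(?P<session>[^>]+)>\): (?P<msg>.*)$"
)
BASE_RE = re.compile(r"base=(?P<base>\S+)")


def summarize_sessions(log_text):
    """Group ldap(...) auth lines by session id: user, remote IP, first search base, error messages."""
    sessions = {}
    for line in log_text.splitlines():
        m = LDAP_LINE.match(line)
        if not m:
            continue
        s = sessions.setdefault(
            m["session"], {"user": m["user"], "rip": m["rip"], "base": None, "errors": []}
        )
        b = BASE_RE.search(m["msg"])
        if b and s["base"] is None:
            s["base"] = b["base"]          # keep the base from the 'bind search' line
        if m["level"] == "Error":
            s["errors"].append(m["msg"])
    return sessions


def domain_root_failures(sessions):
    """Session ids that searched from a bare DC=... root and then logged an LDAP error.

    AD answers a subtree search from the domain root with referrals alongside the
    entries, so this combination is worth surfacing when auth starts failing."""
    return sorted(
        sid for sid, s in sessions.items()
        if (s["base"] or "").upper().startswith("DC=") and s["errors"]
    )
```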
