[Dovecot] dovecot-ldap : can't find user in OU subtree
me at electronico.nc
Wed Oct 30 10:00:39 EET 2013
Hi all,
Well, I've compiled and installed dovecot 2.2.6 with the following options:
> ./configure --prefix=/usr/ --sysconfdir=/etc/ --with-mysql --libexecdir=/usr/lib/ --localstatedir=/var --with-moduledir=/usr/lib/dovecot/modules --disable-rpath --disable-static --with-zlib --with-bzlib --with-solr --with-ldap --with-gssapi --with-nss
doveconf -n:
> # 2.2.6: /etc/dovecot/dovecot.conf
> # OS: Linux 3.8.0-32-generic x86_64 Ubuntu 12.04.3 LTS ext4
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> first_valid_gid = 20001
> first_valid_uid = 20001
> log_timestamp = %Y-%m-%d %H:%M:%S
> mail_debug = yes
> mail_gid = 20001
> mail_home = /media/data/email/%n
> mail_location = maildir:/media/data/email/%n/mail
> mail_plugins = fts fts_solr acl zlib mail_log notify
> mail_uid = 20001
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date spamtest spamtestplus virustest
> namespace {
> list = no
> location = maildir:/media/data/email/%%n/mail:INDEX=/media/data/email/%n/mail/shared/%%n
> prefix = shared/%%n/
> separator = /
> subscriptions = no
> type = shared
> }
> namespace inbox {
> inbox = yes
> location = maildir:/media/data/email/%n/mail
> mailbox Sent {
> auto = subscribe
> }
> mailbox Spam {
> auto = subscribe
> }
> mailbox SpamFalse {
> auto = subscribe
> }
> mailbox SpamToLearn {
> auto = subscribe
> }
> prefix =
> separator = /
> type = private
> }
> passdb {
> args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
> driver = ldap
> }
> plugin {
> acl = vfile
> mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename save mailbox_create
> mail_log_fields = uid box msgid size
> sieve = /media/data/email/%n/dovecot.sieve
> sieve_after = /media/data/email/sieve/global.sieve
> sieve_dir = /media/data/email/%n/sieve
> zlib_save = bz2
> zlib_save_level = 9
> }
> protocols = imap pop3 sieve lmtp
> service auth {
> unix_listener /var/spool/postfix/private/auth {
> group = postfix
> mode = 0660
> user = postfix
> }
> unix_listener auth-master {
> group = vmail
> mode = 0660
> user = vmail
> }
> unix_listener auth-userdb {
> group = vmail
> mode = 0640
> user = vmail
> }
> }
> service imap-login {
> inet_listener imap {
> address = *
> port = 143
> }
> inet_listener imaps {
> address = *
> port = 993
> ssl = yes
> }
> process_limit = 256
> }
> service lmtp {
> inet_listener lmtp {
> address = *
> port = 24
> }
> user = vmail
> }
> service managesieve-login {
> inet_listener sieve {
> address = *
> port = 4190
> }
> process_limit = 256
> vsz_limit = 64 M
> }
> service pop3-login {
> inet_listener pop3 {
> address = *
> port = 110
> }
> inet_listener pop3s {
> address = *
> port = 995
> ssl = yes
> }
> }
> ssl = required
> ssl_ca = </etc/postfix/tls/cacert.pem
> ssl_cert = </etc/postfix/tls/radiodjiido-cert.pem
> ssl_key = </etc/postfix/tls/radiodjiido-key.pem
> ssl_verify_client_cert = yes
> userdb {
> args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
> driver = ldap
> }
> protocol imap {
> imap_client_workarounds = delay-newmail
> imap_max_line_length = 64 k
> mail_max_userip_connections = 20
> mail_plugins = acl imap_acl mail_log notify zlib
> }
> protocol pop3 {
> mail_plugins = zlib mail_log notify
> pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
> pop3_uidl_format = %08Xu%08Xv
> }
> protocol sieve {
> managesieve_logout_format = bytes ( in=%i : out=%o )
> }
> protocol lda {
> info_log_path =
> log_path =
> mail_plugins = sieve zlib mail_log notify
> quota_full_tempfail = yes
> syslog_facility = mail
> }
> protocol lmtp {
> info_log_path =
> log_path =
> mail_plugins = sieve fts zlib mail_log notify
> quota_full_tempfail = yes
> }
/etc/dovecot/dovecot-ldap-passdb.conf.ext:
> hosts = localhost
> auth_bind = yes
> auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan
> ldap_version = 3
> base = ou=users,dc=domain,dc=lan
> scope = subtree
> pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
/etc/dovecot/dovecot-ldap-userdb.conf.ext:
> hosts = localhost
> dn = cn=ldap,cn=Users,DC=domain,DC=lan
> dnpass = My_secret_pass
> ldap_version = 3
> base = OU=users,DC=domain,DC=lan
> scope = subtree
> user_attrs = uid=20001, gid=20001, home=/media/data/email/%n, mail=/media/data/email/%n/mail
> user_filter = (&(objectClass=person)(cn=%n)(mail=*))
> iterate_attrs = cn=user
> iterate_filter = (objectClass=person)
All seems to work as expected up to now, but:
If I move a user from OU 'users' to a sub-OU 'administrative' on Active Directory:
-> The user can't log in to Dovecot anymore
I have added the "scope = subtree" to the userdb and passdb files but it
doesn't change anything.
Here is the debug part when user test3 (located in ou=users, ou=administrative) tries to log in:
> Oct 30 18:49:12 serveur dovecot: auth: Debug: auth client connected (pid=4292)
> Oct 30 18:49:12 serveur dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=L6uskfDpKwAKChTQ#011lip=10.10.20.1#011rip=10.10.20.208#011lport=993#011rport=54827
> Oct 30 18:49:12 serveur dovecot: auth: Debug: client passdb out: CONT#0111#011
> Oct 30 18:49:12 serveur dovecot: auth: Debug: client in: CONT<hidden>
> Oct 30 18:49:12 serveur dovecot: auth: ldap(test3,10.10.20.208,<L6uskfDpKwAKChTQ>): invalid credentials
> Oct 30 18:49:14 serveur dovecot: auth: Debug: client passdb out: FAIL#0111#011user=test3
As soon as I move user 'test3' back to ou=users, it can log in ...
> Oct 30 18:53:57 serveur dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
> Oct 30 18:53:57 serveur dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
> Oct 30 18:53:57 serveur dovecot: auth: Debug: auth client connected (pid=4303)
> Oct 30 18:53:57 serveur dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=h+ypovDpUAAKChTQ#011lip=10.10.20.1#011rip=10.10.20.208#011lport=993#011rport=54864
> Oct 30 18:53:57 serveur dovecot: auth: Debug: client passdb out: CONT#0111#011
> Oct 30 18:53:57 serveur dovecot: auth: Debug: client in: CONT<hidden>
> Oct 30 18:53:57 serveur dovecot: auth: Debug: client passdb out: OK#0111#011user=test3
Thanks in advance for your time and lights.
Nicolas
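The post's passdb combines `auth_bind = yes` with a fixed `auth_bind_userdn` template while also setting `base`, `scope = subtree` and `pass_filter`. In Dovecot's LDAP passdb, once `auth_bind_userdn` is set the password check does no LDAP search at all: the template is expanded and the resulting DN is used for the bind, so `base`, `scope` and `pass_filter` are never consulted for that lookup. The script below is an added example, not code from the post or from Dovecot; it simulates the directory tree described in the post with an in-memory dictionary (all DNs, `mail` values and passwords are constructed) and contrasts the two strategies: `auth_fixed_dn` mirrors the fixed-template bind, `auth_search_then_bind` mirrors a search under `base` with the post's `pass_filter` followed by a bind as the single entry found. Both function names and the tiny filter parser are this example's own.

```python
"""Simulated Dovecot LDAP passdb: fixed DN template vs. subtree search-then-bind.

Added example, not from the mailing-list post or from Dovecot. The directory
below is a constructed stand-in for the Active Directory tree in the post.
"""
import re

# Constructed directory: normalised DN -> attributes (values are lists, as in LDAP).
DIRECTORY = {
    "cn=test1,ou=users,dc=domain,dc=lan": {
        "objectClass": ["person"], "cn": ["test1"],
        "mail": ["test1@domain.lan"], "userPassword": ["pw-test1"],
    },
    # test3 has been moved into the sub-OU 'administrative', as in the post.
    "cn=test3,ou=administrative,ou=users,dc=domain,dc=lan": {
        "objectClass": ["person"], "cn": ["test3"],
        "mail": ["test3@domain.lan"], "userPassword": ["pw-test3"],
    },
    # A person entry with no mail attribute: the post's (mail=*) term must exclude it.
    "cn=svc,ou=users,dc=domain,dc=lan": {
        "objectClass": ["person"], "cn": ["svc"], "userPassword": ["pw-svc"],
    },
}


def _norm(dn: str) -> str:
    """Case-insensitive, whitespace-tolerant DN comparison key."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def bind(dn: str, password: str) -> bool:
    """LDAP simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(_norm(dn))
    return entry is not None and password in entry.get("userPassword", [])


def _matches(entry: dict, attr: str, value: str) -> bool:
    """One (attr=value) term; '*' is a presence test, otherwise case-insensitive equality."""
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(base: str, scope: str, filt: str) -> list:
    """Return DNs under `base` matching an AND filter of (attr=value) terms.

    scope is 'base', 'onelevel' or 'subtree', as in Dovecot's `scope` setting.
    The filter parser is deliberately minimal: only the AND-of-equality shape used
    by the post's pass_filter is supported.
    """
    base = _norm(base)
    terms = re.findall(r"\(([^=()]+)=([^()]*)\)", filt)
    hits = []
    for dn, entry in DIRECTORY.items():
        if dn == base:
            depth = 0
        elif dn.endswith("," + base):
            depth = dn[: -len(base) - 1].count(",") + 1
        else:
            continue  # outside the search base
        if scope == "base" and depth != 0:
            continue
        if scope == "onelevel" and depth != 1:
            continue
        if all(_matches(entry, a, v) for a, v in terms):
            hits.append(dn)
    return hits


def auth_fixed_dn(user: str, password: str,
                  template: str = "cn=%u,OU=users,dc=domain,dc=lan") -> bool:
    """auth_bind = yes with auth_bind_userdn set: expand the template and bind.
    No search happens, so scope/pass_filter cannot widen this to sub-OUs."""
    return bind(template.replace("%u", user), password)


def auth_search_then_bind(user: str, password: str,
                          base: str = "ou=users,dc=domain,dc=lan",
                          scope: str = "subtree",
                          pass_filter: str = "(&(objectClass=person)(cn=%u)(mail=*))") -> bool:
    """auth_bind = yes without auth_bind_userdn: search with pass_filter under
    base/scope, then bind as the single DN found. Zero or several hits are rejected
    so that an ambiguous cn cannot authenticate as the wrong entry."""
    dns = search(base, scope, pass_filter.replace("%u", user))
    if len(dns) != 1:
        return False
    return bind(dns[0], password)


if __name__ == "__main__":
    for user, pw in (("test1", "pw-test1"), ("test3", "pw-test3"), ("svc", "pw-svc")):
        print(f"{user}: fixed-DN={auth_fixed_dn(user, pw)} "
              f"subtree-search={auth_search_then_bind(user, pw)}")
```

With the fixed template, `test3` fails exactly as in the post's `invalid credentials` line because the bind DN `cn=test3,OU=users,...` no longer exists; the subtree search locates the moved entry and succeeds. The `(mail=*)` term and the single-hit check in `auth_search_then_bind` are what keep the wider search from also admitting mailbox-less or duplicate-cn entries.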