[Dovecot] Dovecot LDAP issue

Mihai Badici mihai at badici.ro
Tue Apr 8 10:12:34 UTC 2014


On Tuesday 08 April 2014 05:36:51 Deeztek Support wrote:
> On 4/8/2014 2:18 AM, Steffen Kaiser wrote:
> > The primary question is: Does
> > 
> > ldapsearch -H ldap://server.domain.tld:389 \
> >   -b dc=domain,dc=tld -D ...  -W \
> >   '(&(userPrincipalName=<<user>>)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
> > 
> > return the user?
> 
> Yes, it does. The authentication with AD works as it should as long as
> dovecot is pointing to the right OU.
> 
> > How many domain controllers do you have in the AD? Which of them holds
> > which domains? See
> > http://technet.microsoft.com/en-us/library/cc978012.aspx
> 
> I have one domain controller and there is only one domain. I think we are
> getting off track here. There is no problem with authentication. Maybe I
> need to be more clear.
> 
> Dovecot is able to authenticate with active directory as long as the
> "base = " parameter in "/etc/dovecot/dovecot-ldap.conf" is pointing to
> the OU that the dovecot users are. However, I have another OU where my
> Exchange users are. So, when I try to send email from a dovecot user to
> an Exchange user, dovecot throws the error "user unknown" because it's
> not able to find the Exchange user since it's in a different OU. When I
> set the "base =" parameter in "/etc/dovecot/dovecot-ldap.conf" to domain
> root i.e. instead of having it say:
> 
> base = ou=testou,dc=domain,dc=tld
> 
> I set it to:
> 
> base = dc=domain,dc=tld
> 
> so it can look up all users in the entire domain,
> 
> then dovecot stops authenticating with AD altogether.

As I already said, authentication is one thing and delivery is another thing.
This filter probably receives a different variable as %u when delivering (possibly the 
mail address or the user part from it, depending on your master.cf).
You can use an | in the LDAP filter to accommodate that; it's ugly but it 
works.



-- 
Mihai Bădici
http://mihai.badici.ro
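
One way to write the `|` filter suggested in the message above, as an added example that is not from the original thread or from the Dovecot project. It assumes delivery lookups may pass the mail address or only the user part while logins pass the userPrincipalName; the `mail` and `sAMAccountName` attributes and the use of `%n` are choices made for this illustration.

```conf
# /etc/dovecot/dovecot-ldap.conf (fragment, added example)
base = dc=domain,dc=tld
scope = subtree

# Before: a single attribute. The userdb lookup succeeds only when %u
# arrives in exactly the form stored in userPrincipalName.
#user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# After: OR over the forms the name may take at delivery time (assumption).
#   %u = the name as passed in, %n = the part before the "@"
# The disabled-account test from the thread stays outside the OR, so it
# applies to every branch.
user_filter = (&(objectClass=person)(|(userPrincipalName=%u)(mail=%u)(sAMAccountName=%n))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# Keep the login filter narrow: widening the delivery lookup should not
# also widen which identifiers are accepted for authentication.
pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
```

`user_filter` is used for userdb lookups such as delivery, and `pass_filter` for authentication, so the OR can be confined to the lookup that needs it.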

