[Dovecot] Dovecot LDAP issue

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Tue Apr 8 14:27:41 UTC 2014



On Tue, 8 Apr 2014, Deeztek Support wrote:

> Date: Tue, 8 Apr 2014 05:36:51 -0400
> From: Deeztek Support <support at deeztek.com>
> Reply-To: Dovecot Mailing List <dovecot at dovecot.org>
> To: dovecot at dovecot.org
> Subject: Re: [Dovecot] Dovecot LDAP issue
> 
> On 4/8/2014 2:18 AM, Steffen Kaiser wrote:
>> The primary question is: Does
>> 
>> ldapsearch -H ldap://server.domain.tld:389 \
>>   -b dc=domain,dc=tld -D ...  -W \
>>   '(&(userPrincipalName=<<user>>)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
>> 
>> return the user?
>
> yes it does. The authentication with AD works as it should as long as dovecot 
> is pointing to the right OU.

You misunderstood the vivid points of this command:
a) the base DN is the one you want, but is not working with Dovecot
b) you perform an LDAP search in the local DC, not in the Global Catalog
c) that you've authenticated correctly is just a side effect to know

>> How many domain controllers do you have in the AD? Which of them holds
>> which domains? See http://technet.microsoft.com/en-us/library/cc978012.aspx
>> 
>
> I have one domain controller and there is only one domain. I think we are 
> getting off track here. There is no problem with authentication. Maybe I need
> to be more clear.

> Dovecot is able to authenticate with active directory as long as the "base = 
> " parameter in "/etc/dovecot/dovecot-ldap.conf" is pointing to the OU that 
> the dovecot users are. However, I have another OU where my Exchange users 
> are. So, when I try to send email from a dovecot user to an Exchange user, 
> dovecot throws the error "user unknown" because it's not able to find the 
> Exchange user since it's in a different OU. When I set the "base =" parameter 
> in "/etc/dovecot/dovecot-ldap.conf" to domain root i.e. instead of having it 
> say:
>
> base = ou=testou,dc=domain,dc=tld
>
> I set it to:
>
> base = dc=domain,dc=tld
>
> so it can lookup all users in the entire domain
>
> then dovecot stops authenticating with AD altogether

As the page points out, there are differences between LDAP and GC 
search in the sense of what results are found.

See: http://wiki2.dovecot.org/AuthDatabase/LDAP

"Active Directory

When connecting to AD, you may need to use port 3268. Then again, not all 
LDAP fields are available in port 3268. Use whatever works. 
http://technet.microsoft.com/en-us/library/cc978012.aspx "

The ldapsearch is to verify that your AD searches more than one OU at all.

-- 
Steffen Kaiser
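Added example (not from the thread, and not Dovecot's code): an in-memory model of the AD lookup discussed above, with constructed directory entries. It shows why base = ou=testou cannot return a user sitting in another OU while base = dc=domain,dc=tld can, how the filter's userAccountControl bit test drops disabled accounts, and the RFC 4515 escaping a username needs before it is interpolated into that filter. It cannot reproduce the LDAP-port versus Global Catalog (3268) difference; only a real ldapsearch shows that.

```python
"""Toy evaluator for the thread's AD filter and search base (constructed data, not Dovecot code)."""

ACCOUNTDISABLE = 0x2  # bit tested by the 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) clause

# Constructed sample directory: a Dovecot user in ou=testou, two Exchange users in ou=exchange.
# UAC 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
DIRECTORY = [
    {"dn": "cn=alice,ou=testou,dc=domain,dc=tld", "userPrincipalName": "alice@domain.tld",
     "objectClass": ["top", "person", "user"], "userAccountControl": 512},
    {"dn": "cn=bob,ou=exchange,dc=domain,dc=tld", "userPrincipalName": "bob@domain.tld",
     "objectClass": ["top", "person", "user"], "userAccountControl": 512},
    {"dn": "cn=carol,ou=exchange,dc=domain,dc=tld", "userPrincipalName": "carol@domain.tld",
     "objectClass": ["top", "person", "user"], "userAccountControl": 514},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter; '*' '(' ')' '\\' and NUL become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_filter(user):
    """The exact filter from the thread, with the user value escaped (what %u must get)."""
    return ("(&(userPrincipalName=%s)(objectClass=person)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" % escape_filter_value(user))


def in_subtree(dn, base):
    """Scope=subtree: the entry is the base itself or lies beneath it."""
    return dn == base or dn.endswith("," + base)


def matches(entry, user):
    """Evaluate the three clauses of the filter against one entry."""
    return (entry["userPrincipalName"] == user
            and "person" in entry["objectClass"]
            and not entry["userAccountControl"] & ACCOUNTDISABLE)


def lookup(base, user):
    """Emulate 'ldapsearch -b BASE <filter>': only entries under BASE are candidates."""
    return [e["dn"] for e in DIRECTORY if in_subtree(e["dn"], base) and matches(e, user)]


if __name__ == "__main__":
    for base in ("ou=testou,dc=domain,dc=tld", "dc=domain,dc=tld"):
        for user in ("alice@domain.tld", "bob@domain.tld", "carol@domain.tld"):
            print("base=%-28s %-18s -> %s" % (base, user, lookup(base, user)))
```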