locked ldap users

klemen at arnes.si
Wed Nov 11 11:08:27 UTC 2015


Hello.

I'm having a problem regarding locked users in ldap.
We are using 389DS ldap server. We lock our users with nsAccountLock=true.
If a user successfully logs into dovecot, his credentials get cached.
When this user is locked, his credentials still stay in the cache.
The problem I'm having is that our ldap server returns error code 53
("Unwilling to perform - Account inactivated"). Dovecot takes this error
code and decides that ldap doesn't work, so it takes the user's credentials
from the cache (as stated in the docs). The user can still log in until his
credentials are cleared from the cache.

Error message in logs:
ldap(USERNAME,193.X.Y.Z,<aaaaaaaaaaaaaaaa>): ldap_bind() failed: Server is unwilling to perform
Oct 20 14:39:31 SERVER dovecot: auth: ldap(USERNAME,193.X.Y.Z,<aaaaaaaaaaaaaaaa>): Falling back to expired data from cache


Does dovecot react to error code 53 as it should? Maybe our ldap server
should return a different error code - like 49/533 (Account_disabled)? How
would dovecot react to error code 49?

Currently we solve this problem by taking a list of locked users and clearing
the cache every minute.

Thank you and best regards,
Klemen Andreuzzi
Arnes
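
The workaround described in the message (list the locked users, then clear their cached credentials), sketched as an added example; it is not part of the original post and not code from Dovecot or 389 DS. It flushes only the locked users' entries instead of the whole cache. Assumed here: the placeholder base DN, that the uid attribute holds the Dovecot login name, OpenLDAP's ldapsearch with bind settings taken from ldap.conf, and doveadm on the same host.

```shell
#!/bin/sh
# Added example: flush Dovecot auth cache entries for accounts locked in 389 DS.
# Assumptions (not from the original post): the base DN below is a placeholder,
# and the "uid" attribute is what users log in to Dovecot with.
BASE_DN="${BASE_DN:-dc=example,dc=org}"

# Read LDIF on stdin, print one login name per line (sorted, unique).
# Only plain "uid: value" lines with a conservative character set pass, so
# base64 values ("uid:: ...") and names starting with "-" never reach
# doveadm as arguments.
locked_uids_from_ldif() {
    sed -n 's/^uid: \(.*\)$/\1/p' |
        grep -E '^[A-Za-z0-9_][A-Za-z0-9_.@-]*$' |
        sort -u
}

# Ask the directory for locked entries (nsAccountLock=true, as in the post).
query_locked_ldif() {
    ldapsearch -x -LLL -o ldif-wrap=no -b "$BASE_DN" '(nsAccountLock=true)' uid
}

# Flush the cache entry of every locked user.
# If the LDAP lookup fails, nothing is flushed and the function returns 1,
# so a directory outage is visible to cron instead of being silently ignored.
flush_locked() {
    ldif=$(query_locked_ldif) || return 1
    users=$(printf '%s\n' "$ldif" | locked_uids_from_ldif)
    [ -n "$users" ] || return 0
    # Word splitting is intended: every name was validated above.
    # shellcheck disable=SC2086
    doveadm auth cache flush $users
}

# Act only when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--flush" ]; then
    flush_locked
fi
```

Run from cron with the --flush argument at the interval the message mentions; a locked user can still authenticate from the cache between two runs.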


