My dovecot works fine against Active Directory 2003, but not against AD2008

Matthias Lay matthias.lay at securepoint.de
Thu Sep 10 13:40:47 UTC 2015


Hi Fran,


This is not a dovecot problem, that's a pure DNS problem and can only
be fixed in your DNS environment.


Referrals are propagated in a "special" DNS design in SRV records,
so the LDAP client performs a DNS lookup for these names and this is the
point of hanging (as in most "hanging cases", it's DNS).

see:
https://technet.microsoft.com/en-us/library/cc978014.aspx
https://technet.microsoft.com/en-us/library/cc961719.aspx
http://www.mail-archive.com/cas@tp.its.yale.edu/msg00797.html

for information.


Greetz Matze




On Thu, 10 Sep 2015 13:10:57 +0200
Fran <cumc-4361-2 at chguadalquivir.es> wrote:

> Hi Matthias,
> 
> Thank you very much! That fixed the problem.
> 
> I had worked around the problem by using "base = ou=xxxx, dc=dom",
> instead of "base = dc=dom" in the dovecot-ldap.conf.ext file, because
> that also worked (I don't know why, but the problem happens if you use
> just the domain as base, but not if you add a second level). But that
> forced me to use several userdb/passdb block definitions, one for
> each OU in which I have users, so I think that your fix is better.
> 
> I'm not able to understand the actual reason behind all this though...
> 
> What's the technical explanation behind this behaviour?? I mean, it
> seems to be that the problem is that the Domain Controller (DC) was
> sending a "referrals" answer and dovecot auth made a connection to
> these other DCs but something wrong happened (dovecot can't deal
> correctly with that kind of answers?? I don't know).
> 
> Anyways, as far as I know:
> 
> 1) A referral answer should be given by a DC when it can't provide the
> object that the client is requesting
> 2) REFERRALS off in ldap.conf means that the client should not follow
> referrals returned by the DC
> 
> So, if a referral answer is given by my DC, I think that is because
> such a DC can't provide the object which the client is looking for, so
> why does it work fine just by telling dovecot: "Don't follow referrals"?
> 
> Regards
> 
> 
> 
> On 09/09/2015 at 17:22, Matthias Lay wrote:
> > hi,
> >
> > check your 
> >
> > /etc/openldap/ldap.conf
> >
> > for
> >
> > REFERRALS off
> >
> > I had these errors with "referrals on" in misconfigured DNS
> > environments.
> >
> >
> > you can debug the dns packets by strace-ing the auth process
> >
> >
> >
> >
> > On Tue, 8 Sep 2015 11:00:37 +0200
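The thread's diagnosis is that the DC answers a search at the domain root with referrals, and that with REFERRALS on the OpenLDAP client blocks while resolving the referral hosts in DNS. The following added check (not code from the thread or from dovecot) pulls the hostnames out of a set of referral URLs, tests each against a resolver, and reads the REFERRALS setting from an ldap.conf; the referral URLs, the ldap.conf text, and the resolver answers are constructed samples, and the `resolve` callback is injected so the check runs offline.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: continuation references of the kind a DC returns for a
# subtree search with "base = dc=dom" (placeholder hostnames, not real servers).
SAMPLE_REFERRALS = [
    "ldap://ForestDnsZones.dom.example/DC=ForestDnsZones,DC=dom,DC=example",
    "ldap://DomainDnsZones.dom.example/DC=DomainDnsZones,DC=dom,DC=example",
    "ldap://dom.example/CN=Configuration,DC=dom,DC=example",
]

# Constructed sample of /etc/openldap/ldap.conf with referral chasing disabled.
SAMPLE_LDAP_CONF = """BASE   dc=dom,dc=example
URI    ldap://dc1.dom.example
REFERRALS off
"""


def referrals_enabled(ldap_conf_text):
    """OpenLDAP chases referrals unless ldap.conf explicitly says REFERRALS off."""
    for line in ldap_conf_text.splitlines():
        m = re.match(r"^\s*REFERRALS\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() not in ("off", "false", "no")
    return True


def referral_hosts(referral_urls):
    """Distinct hostnames (lower-cased by urlsplit) the client would look up."""
    return sorted({urlsplit(u).hostname for u in referral_urls if urlsplit(u).hostname})


def unresolvable_hosts(referral_urls, resolve):
    """resolve(host) -> bool; hosts that fail are where a chasing client blocks."""
    return [h for h in referral_hosts(referral_urls) if not resolve(h)]


def diagnose(referral_urls, ldap_conf_text, resolve):
    """Classify the combination of DNS coverage and the REFERRALS setting."""
    bad = unresolvable_hosts(referral_urls, resolve)
    if not bad:
        return "ok: all referral hosts resolve"
    if referrals_enabled(ldap_conf_text):
        return "risk: REFERRALS on and unresolvable referral hosts: " + ", ".join(bad)
    return "warn: unresolvable referral hosts (not chased, REFERRALS off): " + ", ".join(bad)


if __name__ == "__main__":
    # Constructed resolver: only the domain name itself is known to DNS.
    print(diagnose(SAMPLE_REFERRALS, SAMPLE_LDAP_CONF, lambda h: h == "dom.example"))
```

Replacing the lambda with a real lookup (for example a `socket.gethostbyname` wrapper that returns False on failure) turns this into a pre-flight check for the auth host's resolver.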

