AD query timeout might be result size limit exceeded

Julien Lambot jlambot at gmail.com
Fri Jun 3 07:24:59 UTC 2016 

On Thu, May 19, 2016 at 4:27 PM, Julien Lambot <jlambot at gmail.com> wrote:

> Hello list
>
> I've been struggling for a while trying to configure multiple domain ldap
> authentication with full e-mail address authentication. Which in fact was
> not the issue.
> There where some discrepancies between the doc and our actual
> configuration (see appendix A/ ) Seems that pass_filters and user_filters
> don't need much special settings for our setup.
>
> Now it's working correctly at the sole exception that when an OU contains
> "lots" of users (>200) i suspect that the ldapseach query fails. We can
> well authenticate when we have 50 users in an OU, but not when the number
> raises (I don't have the exact number above which it locks).
>


After further investigations, seems the issue is caused by the presence of
an "_" (underscore) in the OU name. Other OUs are not impacted.

If anyone as a suggestion, that would be welcome.
In fact, we cannot rename this OU without a wide impact on other
configurations.

Regards

Julien



>
> Is there a parameter that we can set to increase the result size limit (as
> i suspect this to be the cause of this possible bug)?
>
> If I query manually it's ok (ldapsearch)
> if I use "doveadm auth user.name at domain.tld", it succeed also but I
> wonder if it doesn't use the winbind authentication instead.
>
>
>
> Here is our ldap-auth configuration
>
> hosts = master.domain.local:389
> dn = DOMAIN\ro-user
> dnpass = password
> debug_level = 2
> auth_bind = yes
> #auth_bind_userdn =
> cn=%u,OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local (tried with and
> without with no better results)
> ldap_version = 3
> #deref = never
> #base = OU=InfrastructureManagement,DC=domain,DC=local (works has a few
> users)
> base = OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local
> scope = subtree
> user_filter = (&(objectclass=person)(mail=%u))
> pass_filter =  (&(objectclass=person)(mail=%u))
>
> and some logs in appendix B/
>
>
> Thanks for any hints on this.
>
> Have a nice day
>
>

More information about the dovecot mailing list