AD query timeout might be result size limit exceeded

Julien Lambot jlambot at gmail.com
Thu May 19 14:27:18 UTC 2016


Hello list

I've been struggling for a while trying to configure multiple-domain LDAP
authentication with full e-mail address authentication, which in fact was
not the issue.
There were some discrepancies between the doc and our actual configuration
(see appendix A/). It seems that pass_filters and user_filters don't need many
special settings for our setup.

Now it's working correctly, with the sole exception that when an OU contains
"lots" of users (>200) I suspect that the ldapsearch query fails. We can
authenticate fine when we have 50 users in an OU, but not when the number
rises (I don't have the exact number above which it locks).

Is there a parameter that we can set to increase the result size limit (as
I suspect this to be the cause of this possible bug)?

If I query manually it's OK (ldapsearch).
If I use "doveadm auth user.name at domain.tld", it succeeds also, but I wonder
if it doesn't use the winbind authentication instead.



Here is our ldap-auth configuration

hosts = master.domain.local:389
dn = DOMAIN\ro-user
dnpass = password
debug_level = 2
auth_bind = yes
#auth_bind_userdn = cn=%u,OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local
(tried with and without, with no better results)
ldap_version = 3
#deref = never
#base = OU=InfrastructureManagement,DC=domain,DC=local (works, has a few users)
base = OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local
scope = subtree
user_filter = (&(objectclass=person)(mail=%u))
pass_filter = (&(objectclass=person)(mail=%u))

and some logs in appendix B/


Thanks for any hints on this.

Have a nice day



appendix A/

# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.7
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
default_vsz_limit = 1 G
disable_plaintext_auth = no
first_valid_gid = 5000
first_valid_uid = 5000
last_valid_gid = 50000
last_valid_uid = 50000
mail_gid = 5000
mail_home = /var/vmail/%d/%n
mail_location = maildir:~/mail
mail_privileged_group = virtmail
mail_uid = 5000
namespace inbox {
  hidden = no
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  subscriptions = yes
}
passdb {
  args = scheme=plain-md5 username_format=%u /etc/dovecot/users
  driver = passwd-file
}
passdb {
  args = scheme=plain-md5 username_format=%u /etc/dovecot/users
  driver = passwd-file
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
passdb {
  args = /etc/dovecot/pirisusers-ldap.conf.ext
  driver = ldap
}
protocols = imap
service auth {
  unix_listener auth-userdb {
    mode = 0666
    user = virtmail
  }
}
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
userdb {
  args = /etc/dovecot/dovecot-ldap-users.conf.ext
  driver = ldap
}
userdb {
  args = /etc/dovecot/pirisusers-ldap-users.conf.ext
  driver = ldap
}
protocol lda {
  postmaster_address = postmaster at domain.tld
}
protocol imap {
  mail_plugins =
}



appendix B/


May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_int_select
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: read1msg: ld 0x7fcc0a585fa0 msgid 14 all 1
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: read1msg: ld 0x7fcc0a585fa0 msgid 11 message type search-reference
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_chase_v3referrals
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_url_parse_ext(ldap://ForestDnsZones.domain.local/DC=ForestDnsZones,DC=domain,DC=local)
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: re_encode_request: new msgid 15, new dn <DC=ForestDnsZones,DC=domain,DC=local>
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: re_encode_request new request is:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_chase_v3referral: msgid 11, url "ldap://ForestDnsZones.domain.local/DC=ForestDnsZones,DC=domain,DC=local"
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_send_server_request
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_new_connection 0 1 1
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_int_open_connection
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_connect_to_host: TCP ForestDnsZones.domain.local:389
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_new_socket: 21
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_prepare_socket: 21
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_connect_to_host: Trying 10.1.2.34:389
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_pvt_connect: fd: 21 tm: -1 async: 0
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: anonymous rebind via ldap_sasl_bind("")
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_sasl_bind
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_send_initial_request
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_send_server_request
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_result ld 0x7fcc0a585fa0 msgid 16
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: wait4msg ld 0x7fcc0a585fa0 msgid 16 (timeout 100000 usec)
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: wait4msg continue ld 0x7fcc0a585fa0 msgid 16 all 1
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ** ld 0x7fcc0a585fa0 Connections:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: * host: ForestDnsZones.domain.local  port: 0
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:   refcnt: 2  status: Connected
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:   last used: Thu May 19 12:57:36 2016
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:   rebind in progress
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:     queue is empty
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: * host: DomainDnsZones.domain.local  port: 0
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:   refcnt: 2  status: Connected
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:   last used: Thu May 19 12:57:36 2016
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:   rebind in progress
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:     queue is empty
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: * host: master.domain.local  port: 389  (default)
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:   refcnt: 4  status: Connected
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:   last used: Thu May 19 12:57:36 2016
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ** ld 0x7fcc0a585fa0 Outstanding Requests:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:  * msgid 16,  origid 16, status InProgress
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:    outstanding referrals 0, parent count 0
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:  * msgid 14,  origid 14, status InProgress
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:    outstanding referrals 0, parent count 0
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:  * msgid 11,  origid 11, status InProgress
May 19 13:00:06 iftstpupimap1 dovecot: auth: Error: PLAIN(): Request 0.1 timeouted after 150 secs, state=1
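Editor's note with an added example (not part of the original message or of Dovecot). The appendix B log shows libldap, inside the auth process, receiving a search-reference for msgid 11, following referrals (ldap_chase_v3referral) to the ForestDnsZones and DomainDnsZones application partitions, rebinding anonymously on each new connection, and the PLAIN request finally timing out after 150 seconds with several msgids still InProgress. A server-side size limit, by contrast, comes back from the server as the explicit sizeLimitExceeded result code rather than as a client-side timeout. The Python script below scans a constructed excerpt modelled on those lines and reports referral targets, anonymous rebinds, requests still in progress and timeouts, and flags referral DNs that lie outside the configured search base. The sample lines, SEARCH_BASE (copied from the poster's ldap config) and every function name are assumptions of this example.

```python
"""Scan Dovecot auth LDAP debug output for referral chasing and timeouts."""
import re
from collections import Counter

# Constructed sample modelled on the appendix B lines (not a verbatim copy;
# wrapped lines are joined and the hostname shortened).
SAMPLE_LOG = """\
May 19 12:57:36 imap1 dovecot: auth: Error: read1msg: ld 0x7fcc0a585fa0 msgid 11 message type search-reference
May 19 12:57:36 imap1 dovecot: auth: Error: ldap_chase_v3referrals
May 19 12:57:36 imap1 dovecot: auth: Error: ldap_chase_v3referral: msgid 11, url "ldap://ForestDnsZones.domain.local/DC=ForestDnsZones,DC=domain,DC=local"
May 19 12:57:36 imap1 dovecot: auth: Error: ldap_connect_to_host: TCP ForestDnsZones.domain.local:389
May 19 12:57:36 imap1 dovecot: auth: Error: anonymous rebind via ldap_sasl_bind("")
May 19 12:57:36 imap1 dovecot: auth: Error: ldap_chase_v3referral: msgid 11, url "ldap://DomainDnsZones.domain.local/DC=DomainDnsZones,DC=domain,DC=local"
May 19 12:57:36 imap1 dovecot: auth: Error: ldap_connect_to_host: TCP DomainDnsZones.domain.local:389
May 19 12:57:36 imap1 dovecot: auth: Error: anonymous rebind via ldap_sasl_bind("")
May 19 12:57:36 imap1 dovecot: auth: Error:  * msgid 16,  origid 16, status InProgress
May 19 12:57:36 imap1 dovecot: auth: Error:  * msgid 11,  origid 11, status InProgress
May 19 13:00:06 imap1 dovecot: auth: Error: PLAIN(): Request 0.1 timeouted after 150 secs, state=1
"""

# Search base taken from the poster's dovecot-ldap.conf.ext (assumption for the example).
SEARCH_BASE = "OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local"

REFERRAL_RE = re.compile(r'ldap_chase_v3referral: msgid (\d+), url "([^"]+)"')
URL_RE = re.compile(r"^ldaps?://([^/]+)/(.*)$")
REBIND_RE = re.compile(r'anonymous rebind via ldap_sasl_bind\(""\)')
INPROGRESS_RE = re.compile(r"\* msgid (\d+),\s+origid \d+, status InProgress")
TIMEOUT_RE = re.compile(r"Request (\S+) timeouted after (\d+) secs")


def split_url(url):
    """Return (host, dn) from an LDAP referral URL; dn is '' if absent."""
    m = URL_RE.match(url)
    return (m.group(1), m.group(2)) if m else (url, "")


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around each RDN component."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def dn_under_base(dn, base):
    """True if dn equals the base or lies beneath it in the tree."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def parse_log(text):
    """Collect referral, rebind, in-progress and timeout events from log lines."""
    report = {"referrals": [], "referral_hosts": Counter(),
              "anonymous_rebinds": 0, "in_progress": [], "timeouts": []}
    for line in text.splitlines():
        m = REFERRAL_RE.search(line)
        if m:
            msgid, url = m.group(1), m.group(2)
            report["referrals"].append((msgid, url))
            report["referral_hosts"][split_url(url)[0]] += 1
            continue
        if REBIND_RE.search(line):
            report["anonymous_rebinds"] += 1
            continue
        m = INPROGRESS_RE.search(line)
        if m:
            report["in_progress"].append(m.group(1))
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            report["timeouts"].append((m.group(1), int(m.group(2))))
    return report


def referrals_outside_base(report, base):
    """Referral URLs whose target DN is not under the configured search base."""
    return [url for _msgid, url in report["referrals"]
            if not dn_under_base(split_url(url)[1], base)]


def is_referral_timeout(report, base):
    """Heuristic: a request timed out while referrals outside the base were chased."""
    return bool(report["timeouts"]) and bool(referrals_outside_base(report, base))


def summarize(report, base):
    """Human-readable summary lines for the operator."""
    lines = [f"referrals chased: {len(report['referrals'])}"]
    for host, n in sorted(report["referral_hosts"].items()):
        lines.append(f"  -> {host} ({n}x)")
    lines.append(f"referrals outside base '{base}': {len(referrals_outside_base(report, base))}")
    lines.append(f"anonymous rebinds: {report['anonymous_rebinds']}")
    lines.append(f"requests still in progress: {', '.join(report['in_progress']) or 'none'}")
    for req, secs in report["timeouts"]:
        lines.append(f"request {req} timed out after {secs}s")
    if is_referral_timeout(report, base):
        lines.append("verdict: timeout coincides with referral chasing outside the search base; "
                     "look at referral handling before raising any size limit")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_log(SAMPLE_LOG), SEARCH_BASE)))
```

Run it against a real auth log with debug_level set as in the poster's config (feed the file contents to parse_log instead of SAMPLE_LOG, after joining any mail-wrapped lines). The base check is the useful part: a referral whose DN is not under the configured base means the client is being sent to partitions that cannot contain the users being looked up, which is a different problem from a result size limit.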

