Does Dovecot LDAP auth support LDAP referral

Xuan Jia xuan.jia at gameloft.com
Tue Feb 6 04:29:34 EET 2018


Hello Sami,

Thanks.

------------------------------------------------------------------------
*From:* Sami Ketola
*Sent:* Friday, Feb 2, 2018 9:17 GMT
*To:* Xuan Jia
*Cc:* dovecot at dovecot.org
*Subject:* Does Dovecot LDAP auth support LDAP referral

>> On 2 Feb 2018, at 10.38, Xuan Jia <xuan.jia at gameloft.com> wrote:
>>
>> We are using Dovecot with LDAP.
>> From the beginning, we have been using GC LDAP queries on port 3268 for email accounts.
>> For example, user1 at our-organization.org (in the USA) with "base = dc=our-organization, dc=org" works fine.
>>
>> But according to this document:
>> https://wiki2.dovecot.org/AuthDatabase/LDAP
>> when we change the LDAP port from 3268 to 389 with TLS, the base should be changed like this:
>> "base = ou=usa, dc=our-organization, dc=org"
>>
>> But if the user (user2) is located in the United Kingdom (ou=gbr), the user cannot log in.
>>
>> When we debug with ldapsearch:
>> ldapsearch -ZZ -v -h dc.our-organization.org -p 389 -D 'cn=auth_user,ou=usa,dc=our-organization,dc=org' -W -b 'dc=our-organization, dc=org' '(userPrincipalName=user2 at our-organization.org)'
>> it returns user2's information along with some "numReferences".
>>
>> But in Dovecot, if "base = dc=our-organization, dc=org", it only reports an auth error with a timeout.
>>
>> So my question is: does Dovecot LDAP auth support LDAP referrals?
>> If Dovecot relies on OpenLDAP, it should be supported.
>> If not, why not, and what is the workaround?
> TBH, I don't think that it's supported. Looking at the source code, at least, it does not look like it is.
>
> What you could do is to have a separate passdb for both LDAP bases:
> one that would query base = ou=usa, dc=our-organization, dc=org and one that would query
> base = ou=gbr, dc=our-organization, dc=org
>
> and then use skip=authenticated on the second passdb, so it is skipped if the user was already found in the first passdb.
>
> Sami
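
Sami's two-passdb suggestion written out as an added configuration example; this is not from the original thread and is not Dovecot's own documentation. The host name and bind DN are taken from the ldapsearch command in the question; the file paths, the CA bundle path, the service-account password and the search filter are assumptions for illustration.

```conf
# /etc/dovecot/conf.d/10-auth.conf (excerpt, path assumed)
# Two LDAP passdbs, one per OU. The second is consulted only when the
# first did not authenticate the user (skip = authenticated), so a user
# found under ou=usa never triggers a second search under ou=gbr.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-usa.conf.ext
}
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-gbr.conf.ext
  skip = authenticated
}

# /etc/dovecot/dovecot-ldap-usa.conf.ext (path assumed)
# Plain LDAP on 389 upgraded with STARTTLS, matching the ldapsearch -ZZ
# test in the question. Dovecot does not chase referrals, so each base
# must be answered directly by this host.
hosts = dc.our-organization.org
ldap_version = 3
tls = yes
# Verify the DC certificate; an unverified STARTTLS session would let an
# on-path attacker capture the service-account and user passwords.
tls_require_cert = hard
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt   # path assumed
# Service account used for the search; it must be able to read both OUs.
dn = cn=auth_user,ou=usa,dc=our-organization,dc=org
dnpass = change-me                                      # placeholder
# Search for the user's DN, then bind as that DN to verify the password.
auth_bind = yes
base = ou=usa,dc=our-organization,dc=org
scope = subtree
deref = never
# %u is the full login name, so users must log in with their UPN
# (user1@our-organization.org). Filter is an assumption for AD.
pass_filter = (&(objectClass=user)(userPrincipalName=%u))

# /etc/dovecot/dovecot-ldap-gbr.conf.ext (path assumed)
# Same settings as the usa file, with only the base changed:
base = ou=gbr,dc=our-organization,dc=org
```

To check the result, run `doveconf -n` to confirm both passdb blocks are parsed, then `doveadm auth test user2@our-organization.org` for a user under each OU; with `auth_debug = yes` set, the log shows the first passdb returning "unknown user" for the gbr account and the second passdb authenticating it. Keep the `.conf.ext` files readable only by root, since they hold the service-account password.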
