using %d as a variable in the ldap search base

Marc Roos M.Roos at
Mon Aug 31 22:45:17 EEST 2020

You have two ways of authenticating against ldap. I decided to use the 
method where a single account has access to the user credentials. 
(Advantage of this method, you can limit ldap lookups eg do not have to 
do 2nd for the userdb)

debug_level = 1
uris = ldaps://ldap.local:8443
dn = cn=aaaa,cn=bbbbb,ou=ccccc,dc=dddd,dc=eeee,dc=local
dnpass = xxxx
base = ou=asdfadsfa,ou=hhhh,ou=ggg,dc=fffff,dc=eeee,dc=local
scope = subtree

user_filter = (&(objectClass=posixAccount)(uid=%u)
pass_attrs = 

However I did not have any issues authenticating against ldap with yours 
also. But using the %u

-----Original Message-----
From: Luke Schierer [mailto:luke-dovecot at] 
Sent: maandag 31 augustus 2020 21:32
To: dovecot at
Subject: using %d as a variable in the ldap search base


I'm trying to configure dovecot to use LDAP authentication directly, and 
I'm having a bit of trouble.  I have a somewhat unusual setup, in that I 
have an LDAP directory that has 3 OUs each of which have their own set 
of users, some of which overlap.  As I was trying to figure things out, 
I was setting the search base in my /etc/dovecot/dovecot-ldap.conf.ext 
file which is referenced by /etc/dovecot/conf.d/auth-ldap.conf.ext  file 

base = ou=%d,dc=thecrazyguys,dc=net

however, the resulting searches against the directory endup just 
dropping the %d, resulting in


which is invalid.  On a whim, I tried a search base of

base = dc=%d,dc=thecrazyguys,dc=net

and found that it did correctly substitute in the variable, which would 
be correct, except that my ldap tree is set up with OUs and not an extra 
DC segment.

for whatever reason, it will do variable substitution for dc=%d, but not 
for ou=%d. this is certainly not documented, and seems like wrong 
behavior, since having an ou in a search base is valid.

I'm including configuration information below.  Please let me know if 
I've missed including information that is required. 


luke at schierer@littera001:/etc/dovecot$ lsb_release -rd
Description: Ubuntu 18.04.5 LTS
Release: 18.04
luke at schierer@littera001:/etc/dovecot$

luke at schierer@littera001:/etc/dovecot$ dpkg -l | grep -i dovecot ii 
dovecot-core 1: amd64 ii dovecot-imapd 
1: amd64 ii dovecot-ldap 1: amd64 
ii dovecot-pop3d 1: amd64 
luke at schierer@littera001:/etc/dovecot$

root at littera001:/etc/dovecot# dovecot -n # (d6601f4ec): 
/etc/dovecot/dovecot.conf # Pigeonhole version 0.4.21 (92477967) # OS: 
Linux 4.15.0-112-generic x86_64 Ubuntu 18.04.5 LTS auth_verbose = yes 
first_valid_uid = 1001 imap_hibernate_timeout = 100 secs lock_method = 
dotlock mail_cache_min_mail_count = 15 mail_fsync = always mail_location 
= maildir:~/Maildir:LAYOUT=fs:INDEX=MEMORY
mail_nfs_index = yes
mail_nfs_storage = yes
mail_privileged_group = mail
mailbox_list_index = yes
maildir_broken_filename_sizes = yes
maildir_very_dirty_syncs = yes
mbox_min_index_size = 10 B
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  mailbox Junk {
    special_use = \Junk
  mailbox Sent {
    special_use = \Sent
  mailbox "Sent Messages" {
    special_use = \Sent
  mailbox Trash {
    special_use = \Trash
  prefix =
  separator = /
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
protocols = " imap pop3"
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key =  # hidden, use -P to show it
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
protocol imap {
  mail_max_userip_connections = 20
root at littera001:/etc/dovecot# 

root at littera001:/etc/dovecot# cat /etc/dovecot/dovecot-ldap.conf.ext | 
grep -v ^# | uniq | more

hosts =

tls = yes
tls_require_cert = allow

debug_level = 4

auth_bind = yes

base = ou=%d,dc=thecrazyguys,dc=net

scope = subtree

user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

user_filter = (&(objectClass=posixAccount)(uid=%n))

blocking = no
root at littera001:/etc/dovecot# 

More information about the dovecot mailing list