<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hello Sami,<br>
    <br>
    Thanks.<br>
    <div class="moz-cite-prefix">
      <div id="rwhMsgHeader"><br>
        <hr id="rwhMsgHdrDivider" style="border:0;border-top:1px solid
          #B5C4DF;padding:0;margin:10px 0 5px 0;width:100%;"><span
          style="margin: -1.3px 0 0 0 !important;"><font style="font:
            14px Arial !important; color: #000000 !important;"
            face="Arial" color="#000000"><b>From:</b> Sami Ketola</font></span><br>
        <span style="margin: -1.3px 0 0 0 !important;"><font
            style="font: 14px Arial !important; color: #000000
            !important;" face="Arial" color="#000000"><b>Sent:</b>
            Friday, Feb 2, 2018 9:17 GMT</font></span><br>
        <span style="margin: -1.3px 0 0 0 !important;"><font
            style="font: 14px Arial !important; color: #000000
            !important;" face="Arial" color="#000000"><b>To:</b> Xuan
            Jia</font></span><br>
        <span style="margin: -1.3px 0 0 0 !important;"><font
            style="font: 14px Arial !important; color: #000000
            !important;" face="Arial" color="#000000"><b>Cc:</b>
            <a class="moz-txt-link-abbreviated" href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a></font></span><br>
        <span style="margin: -1.3px 0 0 0 !important;"><font
            style="font: 14px Arial !important; color: #000000
            !important;" face="Arial" color="#000000"><b>Subject:</b>
            Does Dovecot LDAP auth support LDAP referral</font></span><br>
        <br>
      </div>
    </div>
    <blockquote type="cite"
      cite="mid:C743D946-D2D9-4077-B930-9536BBA9B56C@dovecot.fi"
      style="border:none !important; margin-left:0px !important;
      margin-right:0px !important; margin-top:0px !important;
      padding-left:0px !important; padding-right:0px !important">
      <pre class="moz-quote-pre" wrap="">
</pre>
      <blockquote type="cite" style="border:none !important;
        margin-left:0px !important; margin-right:0px !important;
        margin-top:0px !important; padding-left:0px !important;
        padding-right:0px !important">
        <pre class="moz-quote-pre" wrap="">On 2 Feb 2018, at 10.38, Xuan Jia <a class="moz-txt-link-rfc2396E" href="mailto:xuan.jia@gameloft.com">&lt;xuan.jia@gameloft.com&gt;</a> wrote:

We are using Dovecot with LDAP.
From the beginning, we have been using GC LDAP query with port 3268 for email accounts.
For example, <a class="moz-txt-link-abbreviated" href="mailto:user1@our-organization.org">user1@our-organization.org</a> (in the USA) with "base = dc=our-organization, dc=org" works fine.

But refer to this document:
<a class="moz-txt-link-freetext" href="https://wiki2.dovecot.org/AuthDatabase/LDAP">https://wiki2.dovecot.org/AuthDatabase/LDAP</a>
When we change the LDAP from 3268 to 389 and with TLS, the base should be changed like this:
"base = ou=usa, dc=our-organization, dc=org"

But if the user (user2) is located in the United Kingdom (ou=gbr), the user cannot log in.

When we debug with ldapsearch:
ldapsearch -ZZ -v -h dc.our-organization.org -p 389 -D 'cn=auth_user,ou=usa,dc=our-organization,dc=org' -W -b 'dc=our-organization, dc=org' '(<a class="moz-txt-link-abbreviated" href="mailto:userPrincipalName=user2@our-organization.org">userPrincipalName=user2@our-organization.org</a>)'
It can return user2 information with some "numReferences".

But in Dovecot, if "base = dc=our-organization, dc=org", it only reported an auth error with a timeout.

So my question is: does Dovecot LDAP auth support LDAP referral?
If Dovecot relies on OpenLDAP, it should be supported.
If not, why and what is the walkthrough?
</pre>
      </blockquote>
      <pre class="moz-quote-pre" wrap="">
TBH, I don't think that it's supported. Looking at the source code, at least, it does not look like it is.

What you could do is to have a separate passdb for each of the two LDAP bases:
one that would query base = ou=usa, dc=our-organization, dc=org and one that would query
base = ou=gbr, dc=our-organization, dc=org

and then use skip=authenticated on the second passdb if the user was already found in the first passdb.

Sami</pre>
    </blockquote>
    <br>
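    The two-passdb layout suggested in the quoted reply, as an added configuration example that is not part of the original thread. The host, bind DN and both bases come from the question; the file paths, the dnpass placeholder, pass_filter, scope and tls_require_cert values are assumptions.<br>
    <pre>
```conf
# --- conf.d/auth-ldap.conf.ext (file path is an assumption) ---

# First passdb: searches only the USA subtree, so no referral is returned.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-usa.conf.ext
}

# Second passdb: searches only the GBR subtree.
# skip = authenticated means this passdb is not queried when an
# earlier passdb has already authenticated the user.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-gbr.conf.ext
  skip = authenticated
}

# --- /etc/dovecot/dovecot-ldap-usa.conf.ext (assumed path) ---
hosts = dc.our-organization.org:389
# StartTLS on port 389, matching "ldapsearch -ZZ" from the question.
tls = yes
# Assumption: reject the connection if the server certificate
# cannot be verified, so the bind password is never sent to an
# unverified peer.
tls_require_cert = demand
dn = cn=auth_user,ou=usa,dc=our-organization,dc=org
# Placeholder, not a real credential.
dnpass = REPLACE_ME
# Verify the password by binding as the user instead of reading
# a password attribute.
auth_bind = yes
base = ou=usa,dc=our-organization,dc=org
scope = subtree
# Assumption: users log in with their userPrincipalName.
pass_filter = (userPrincipalName=%u)

# --- /etc/dovecot/dovecot-ldap-gbr.conf.ext (assumed path) ---
# Same settings as the USA file, with only the search base changed:
# base = ou=gbr,dc=our-organization,dc=org
```
</pre>
    Keep both .conf.ext files readable only by root, since they hold the bind password.<br>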
  </body>
</html>