Hi,
I have working LDAP authentication for Dovecot (with an LDAP-based
userdb query) against my Active Directory, but user iteration with
doveadm -A runs into a timeout.
I have been trying for three days now and cannot get it to work.
Best regards
Holger
/etc/dovecot/dovecot-ldap-userdb.conf is a symlink to
/etc/doveconf/doveconf-ldap.conf
# Dovecot LDAP lookup settings, used for both passdb and userdb per the post.
# LDAP debugging is off. If it is raised while chasing the timeout, keep
# password logging (auth_debug_passwords) disabled.
debug_level = 0
# ldaps:// on port 636: the LDAP session is wrapped in TLS from the start.
# NOTE(review): no tls_ca_cert_file / tls_require_cert is set here, so whether
# the server certificate is actually verified depends on the system LDAP
# client defaults -- confirm.
uris = ldaps://server1.office.hb-os.de:636
# Service account used for the search step (user lookup and iteration).
# The bind password is stored in cleartext: keep this file readable only by
# root / the auth service, and use a read-only, least-privileged AD account.
dn = cn=BINDUSER,cn=Users,dc=SUBDOM,dc=DOM,dc=de
dnpass = MYPASSWORD
# Passwords are verified by binding to the directory as the user, so Dovecot
# never needs to read password attributes. With pass_filter (and no
# auth_bind_userdn) the user's DN is first found with the dn/dnpass account.
auth_bind = yes
ldap_version = 3
deref = never
# All searches start at cn=Users and descend into every sub-container.
base = cn=Users,dc=SUBDOM,dc=DOM,dc=de
scope = subtree
# home and mail are static templates built from the login name (%d = domain,
# %n = local part); no LDAP attribute is read for them.
user_attrs = =home=/usr/data/vmail/%d/%n,
=mail=maildir:/usr/data/vmail/%d/%n/Maildir
# Both filters match any person object whose mail attribute equals the full
# login name (%u).
# NOTE(review): neither filter excludes disabled AD accounts. auth_bind will
# reject their logins, but userdb lookups (e.g. LMTP delivery) still succeed.
# Consider adding (!(userAccountControl:1.2.840.113556.1.4.803:=2)) if that
# is not wanted.
user_filter = (&(objectClass=person)(mail=%u))
pass_filter = (&(objectClass=person)(mail=%u))
# Iteration (doveadm -A) lists users by running iterate_filter under base and
# taking each entry's mail attribute as the user name.
# NOTE(review): this filter also returns person objects without a mail
# attribute; (&(objectClass=person)(mail=*)) would restrict the listing to
# entries that can be mapped to a mailbox. Whether the broad filter or an AD
# result-size limit is behind the reported timeout cannot be told from this
# excerpt.
iterate_attrs = mail=user
iterate_filter = (objectClass=person)
doveconf -n
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.9
# doveconf -n prints only settings that differ from the built-in defaults;
# anything not listed below is at its default value.
# NOTE(review): Dovecot 2.2.13 on Debian 8.9 is an old release; confirm the
# host still receives security updates.
# PLAIN and LOGIN both hand the cleartext password to the server, so its
# confidentiality rests entirely on TLS.
# NOTE(review): neither "ssl" nor "disable_plaintext_auth" is listed, so both
# are presumably at their defaults (TLS offered but not required; cleartext
# auth refused on unencrypted remote connections). "ssl = required" would
# make that explicit -- confirm.
auth_mechanisms = plain login
base_dir = /var/run/dovecot/
default_vsz_limit = 512 M
# Dictionary used by the expire plugin, backed by MySQL.
# NOTE(review): the referenced file presumably holds database credentials;
# keep its permissions tight.
dict {
expire = mysql:/etc/dovecot/dovecot-dict-expire.conf.ext
}
# Lowest UID Dovecot will accept for mail access.
first_valid_uid = 100
imap_idle_notify_interval = 16 mins
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
# Every mailbox is accessed as the single system user/group "vmail", so
# separation between mail users is enforced by Dovecot, not by file ownership.
mail_gid = vmail
mail_home = /usr/data/vmail/%d/
mail_location = maildir:~/Maildir:LAYOUT=fs
mail_plugins = expire
mail_privileged_group = vmail
mail_uid = vmail
managesieve_notify_capability = mailto
# The capability list below is one value wrapped over several lines.
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave
# Default namespace holding INBOX and the special-use folders.
# NOTE(review): the lines "location mailbox Drafts {" and "prefix }" look
# like paste/extraction damage -- presumably empty "location =" and
# "prefix =" settings merged with their neighbouring lines. Confirm against
# the real doveconf output.
namespace inbox {
inbox = yes
location mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
# Two folders are flagged \Sent: "Sent" and "Sent Messages".
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix }
# Password verification against LDAP.
# The args file carries the LDAP bind settings; if it contains the bind
# password it should be readable only by root / the auth service.
passdb {
args = /etc/dovecot/dovecot-ldap.conf
driver = ldap
}
# Plugin settings: antispam training, expire and sieve.
plugin {
# Messages moved into or out of the spam folders are piped to an external
# program with --spam or --ham.
antispam_backend = pipe
antispam_debug_target = syslog
# NOTE(review): the script sits inside the mail storage tree. If the vmail
# user can write to it, anything running as vmail can change what gets
# executed; prefer a root-owned, non-writable location -- confirm permissions.
antispam_pipe_program = /usr/data/vmail/spampipe.sh
antispam_pipe_program_notspam_arg = --ham
antispam_pipe_program_spam_arg = --spam
# NOTE(review): /tmp is shared with every local user; a private directory
# owned by vmail avoids exposing message copies there.
antispam_pipe_tmp_dir = /tmp
antispam_spam = Junk;SPAM;Spam
antispam_trash = Trash
# Folders tracked by the expire plugin, stored through the dict proxy.
expire = Trash
expire2 = Trash/*
expire3 = Junk
expire_dict = proxy::expire
# NOTE(review): the active script path is keyed on %u, while sieve_dir uses
# %d/%n -- these point into different directory layouts; confirm this is
# intended.
sieve = /usr/data/vmail/%u/sieve/active-script.sieve
# Global script run before each user's own script; it should not be writable
# by mail users.
sieve_before = /usr/data/vmail/sieve/spam-global.sieve
sieve_dir = /usr/data/vmail/%d/%n/sieve/scripts/
# Limits on user-supplied sieve scripts.
sieve_max_redirects = 4
sieve_max_script_size = 1M
sieve_quota_max_scripts = 128
}
# Address redacted by the poster.
postmaster_address = ME at DOMAIN.de
# Enabled protocols: IMAP, LMTP delivery and ManageSieve.
protocols = imap lmtp sieve
# Authentication service and the UNIX sockets it exposes.
service auth {
# Socket inside the Postfix spool, presumably used by Postfix for SMTP AUTH;
# accessible to the postfix user and group only.
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
# userdb lookup socket, restricted to the postfix user (mode 0600).
# NOTE(review): doveadm talks to this socket for user lookups and iteration;
# with this ownership only root or postfix can connect -- confirm that
# doveadm -A is run accordingly.
unix_listener auth-userdb {
group = postfix
mode = 0600
user = postfix
}
# NOTE(review): the auth process runs as vmail, the same account that owns
# all mail data, rather than a dedicated unprivileged user; consider
# separating the two for least privilege.
user = vmail
}
# Dict proxy service; its socket is reachable by the vmail user only.
service dict {
unix_listener dict {
group = vmail
mode = 0600
user = vmail
}
}
# IMAP login processes and their network listeners.
service imap-login {
# Port 143 has no "ssl = yes", so it starts unencrypted; clients must
# upgrade with STARTTLS before credentials are protected.
inet_listener imap {
port = 143
}
# Port 993 uses TLS from the first byte.
inet_listener imaps {
port = 993
ssl = yes
}
# Keep 10 login processes ready; each one serves a single connection
# (service_count = 1) and then exits, so connections do not share a
# pre-login process.
process_min_avail = 10
service_count = 1
}
# LMTP delivery socket placed in the Postfix spool; only the postfix user
# may connect (mode 0600).
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
# The leading "<" makes Dovecot read the value from the named file.
# The private key file should be readable by root only.
# NOTE(review): no ssl_protocols or ssl_cipher_list is listed, so the
# defaults of this Dovecot/OpenSSL build apply -- confirm they are
# acceptable.
ssl_cert = </etc/ssl/certs/MY_CERT.crt
ssl_key = </etc/ssl/private/MY_CERT.key
# User lookups (home/mail location, iteration) against LDAP.
# The path differs from the passdb args; the post says it is a symlink.
# NOTE(review): a distinct path presumably gives userdb its own LDAP
# connection, separate from the one used for auth_bind -- confirm.
userdb {
args = /etc/dovecot/dovecot-ldap-userdb.conf
driver = ldap
}
# Per-protocol plugin lists: delivery (lmtp, lda) runs sieve, IMAP runs the
# antispam plugin.
protocol lmtp {
mail_plugins = expire sieve
}
protocol lda {
mail_plugins = expire sieve
}
protocol imap {
# Cap on simultaneous IMAP connections per user and source IP.
mail_max_userip_connections = 10
mail_plugins = expire antispam
}