We are using Dovecot with LDAP. From the beginning, we have been using a GC LDAP query on port 3268 for email accounts. For example, user1 at our-organization.org (in the USA) with "base = dc=our-organization, dc=org" works fine.

But referring to this document:
https://wiki2.dovecot.org/AuthDatabase/LDAP
when we change the LDAP port from 3268 to 389 and use TLS, the base should be changed like this:
"base = ou=usa, dc=our-organization, dc=org"

But if the user (user2) is located in the United Kingdom (ou=gbr), the user cannot log in.

When we debug with ldapsearch:
ldapsearch -ZZ -v -h dc.our-organization.org -p 389 -D 'cn=auth_user,ou=usa,dc=our-organization,dc=org' -W -b 'dc=our-organization, dc=org' '(userPrincipalName=user2 at our-organization.org)'
it returns the user2 information with some "numReferences".

But in Dovecot, with "base = dc=our-organization, dc=org" it only reports an auth error with a timeout.

Here is the config:

# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 9.3
auth_verbose = yes
dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u -l%{lock_timeout} -n%{namespace}
imap_id_send =
imapc_user = %u
import_environment = TZ
listen = *
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_shared_explicit_inbox = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  driver = ldap
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = " imap sieve"
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  service_count = 0
}
ssl_ca = /etc/ssl/certs/ca.pem
ssl_cert = </etc/ssl/gameloft/our-organization.org.crt
ssl_key =  # hidden, use -P to show it
ssl_parameters_regenerate = 1 weeks
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

So my question is: does Dovecot LDAP auth support LDAP referral? If Dovecot relies on OpenLDAP, it should be supported. If not, why, and what is the walkthrough?

Xuan Jia
> On 2 Feb 2018, at 10.38, Xuan Jia <xuan.jia at gameloft.com> wrote:
>
> We are using Dovecot with LDAP.
> From the beginning, we have been using a GC LDAP query on port 3268 for email accounts.
> For example, user1 at our-organization.org (in the USA) with "base = dc=our-organization, dc=org" works fine.
>
> But referring to this document:
> https://wiki2.dovecot.org/AuthDatabase/LDAP
> when we change the LDAP port from 3268 to 389 and use TLS, the base should be changed like this:
> "base = ou=usa, dc=our-organization, dc=org"
>
> But if the user (user2) is located in the United Kingdom (ou=gbr), the user cannot log in.
>
> When we debug with ldapsearch:
> ldapsearch -ZZ -v -h dc.our-organization.org -p 389 -D 'cn=auth_user,ou=usa,dc=our-organization,dc=org' -W -b 'dc=our-organization, dc=org' '(userPrincipalName=user2 at our-organization.org)'
> it returns the user2 information with some "numReferences".
>
> But in Dovecot, with "base = dc=our-organization, dc=org" it only reports an auth error with a timeout.
>
> So my question is: does Dovecot LDAP auth support LDAP referral?
> If Dovecot relies on OpenLDAP, it should be supported.
> If not, why, and what is the walkthrough?

TBH, I don't think that it's supported. Looking at the source code, at least, it does not look like it is.

What you could do is to have separate passdbs for both LDAP bases: one that would query base = ou=usa, dc=our-organization, dc=org and one that would query base = ou=gbr, dc=our-organization, dc=org, and then use skip=authenticated on the second passdb if the user was already found in the first passdb.

Sami
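The two-passdb arrangement Sami describes, written out as an added example; this is not configuration from the thread or from the Dovecot project, and the per-OU file names, the bind-password placeholder and the pass_filter are assumptions:

```conf
# /etc/dovecot/conf.d/auth-ldap.conf.ext (added example, assumed path)
# Dovecot does not follow LDAP referrals, so each OU gets its own passdb
# whose search base is inside that OU. Dovecot tries the passdbs in order.
passdb {
  driver = ldap
  args = /etc/dovecot/ldap-usa.conf.ext
}
passdb {
  driver = ldap
  args = /etc/dovecot/ldap-gbr.conf.ext
  # Skip this passdb when an earlier passdb already authenticated the user,
  # so a USA user never triggers a second (failing) lookup under ou=gbr.
  skip = authenticated
}

# /etc/dovecot/ldap-usa.conf.ext (ldap-gbr.conf.ext is identical except for base)
# Port 389 with STARTTLS, as in the ldapsearch -ZZ test from the thread.
uris = ldap://dc.our-organization.org:389
tls = yes
tls_ca_cert_file = /etc/ssl/certs/ca.pem
# Service account used for the search; the password is a placeholder.
dn = cn=auth_user,ou=usa,dc=our-organization,dc=org
dnpass = BIND_PASSWORD_PLACEHOLDER
# Verify the user's password by binding as the found DN, not by reading it.
auth_bind = yes
# The search base must sit below the referral boundary; a subtree search
# from here returns entries, not referrals.
base = ou=usa,dc=our-organization,dc=org
scope = subtree
# Users log in with their UPN (user@our-organization.org), so match on it;
# the objectClass term is an assumption, restricting matches to user objects.
pass_filter = (&(objectClass=user)(userPrincipalName=%u))
```

The posted config also does the userdb lookup through LDAP with a single base, so that lookup needs the same per-OU split (userdb accepts a skip setting as well) or a user who authenticates against the gbr passdb will still fail at the userdb stage.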
Hello Sami,

Thanks.

------------------------------------------------------------------------
*From:* Sami Ketola
*Sent:* Friday, Feb 2, 2018 9:17 GMT
*To:* Xuan Jia
*Cc:* dovecot at dovecot.org
*Subject:* Does Dovecot LDAP auth support LDAP referral