Danylo Esterman
2014-May-18 10:09 UTC
[Dovecot] Configuration of dovecot 2.0.19 to authenticate users via LDAP
I am trying to get dovecot 2.0.19 to authenticate users via LDAP (OpenLDAP 2.4.28) and am using Wireshark to debug the process. It looks like the basic configuration of dovecot is fine, but it doesn't manage to send the right request to the LDAP server.

First of all, this is how my LDAP entries look:

    # ht
    dn: dc=ht
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: ip
    dc: ht

    # admin, ht
    dn: cn=admin,dc=ht
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    description: LDAP administrator
    userPassword:: e1NTSEF9cFY1b0ZZVUhack1aRTVvaUg1T3c2cytVWHV4aUNvaHI

    # people, ht
    dn: ou=people,dc=ht
    objectClass: organizationalUnit
    objectClass: top
    ou: people

    # groups, ht
    dn: ou=groups,dc=ht
    objectClass: organizationalUnit
    objectClass: top
    ou: groups

    # ipusers, groups, ht
    dn: cn=ipusers,ou=groups,dc=ht
    gidNumber: 500
    cn: ipusers
    objectClass: posixGroup
    objectClass: top

    # Max Mustermann, people, ht
    dn: cn=Max Mustermann,ou=people,dc=ht
    cn: Max Mustermann
    givenName: Max
    gidNumber: 500
    homeDirectory: /home/users/mmustormann
    sn: Mustermann
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    uidNumber: 1000
    uid: mmustermann
    userPassword:: e01ENX1ETUYxdWNEeHRxZ3h3NW5pYVhjbVlRPT0
    loginShell: /bin/bash
    mail: mustorm@test.com

Now, I use the following configuration for dovecot (/etc/dovecot/dovecot-ldap.conf.ext):

    hosts = 10.1.2.1
    dn = cn=admin,dc=ht
    dnpass = a
    auth_bind = yes
    auth_bind_userdn = uid=%u,ou=people,dc=ht
    ldap_version = 3
    scope = subtree
    base = ou=people,dc=ht
    user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
    user_filter = (&(objectClass=posixAccount)(uid=%u))
    pass_attrs = uid=user,userPassword=password
    pass_filter = (&(objectClass=posixAccount)(uid=%u))

This is what I see in Wireshark: http://i.stack.imgur.com/ICzDe.png

Dovecot cannot authenticate itself for some reason...

If I change the configuration as follows:

    auth_bind = no
    #auth_bind_userdn = uid=%u,ou=people,dc=ht

Then I get the following picture: http://i.stack.imgur.com/tb5vo.png

It doesn't pick up the setting base = ou=people,dc=ht. But what is more crucial is that even looking at the whole tree "<ROOT>" wholeSubTree it can't find the required entry.

I am really desperate and don't know how to make it work. Can somebody please give me a clue how to solve this problem?
Steffen Kaiser
2014-May-19 06:56 UTC
Re: Configuration of dovecot 2.0.19 to authenticate users via LDAP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 18 May 2014, Danylo Esterman wrote:

> # Max Mustermann, people, ht
> dn: cn=Max Mustermann,ou=people,dc=ht
> cn: Max Mustermann
> givenName: Max
> gidNumber: 500
> homeDirectory: /home/users/mmustormann
> sn: Mustermann
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> uidNumber: 1000
> uid: mmustermann
> userPassword:: e01ENX1ETUYxdWNEeHRxZ3h3NW5pYVhjbVlRPT0
> loginShell: /bin/bash
> mail: mustorm@test.com
>
> Now, I use the following configuration for dovecot
> (/etc/dovecot/dovecot-ldap.conf.ext)
>
> hosts = 10.1.2.1
> dn = cn=admin,dc=ht
> dnpass = a
> auth_bind = yes
> auth_bind_userdn = uid=%u,ou=people,dc=ht
> ldap_version = 3
> scope = subtree
> base = ou=people,dc=ht
> user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
> user_filter = (&(objectClass=posixAccount)(uid=%u))
> pass_attrs = uid=user,userPassword=password
> pass_filter = (&(objectClass=posixAccount)(uid=%u))
>
> This is what I see in Wireshark: http://i.stack.imgur.com/ICzDe.png
>
> Dovecot cannot authenticate itself for some reason...

The Wireshark trace shows that you've tried to authenticate a user "uid=mmustermann,ou=people,dc=ht", but no such LDAP item exists. It is named "cn=Max Mustermann,ou=people,dc=ht".

> If I change the configuration as follows:
>
> auth_bind = no
> #auth_bind_userdn = uid=%u,ou=people,dc=ht
>
> Then I get the following picture: http://i.stack.imgur.com/tb5vo.png

Well, why auth_bind = no? If you read the comment for that setting:

    # Use authentication binding for verifying password's validity. This works by
    # logging into LDAP server using the username and password given by client.
    # The pass_filter is used to find the DN for the user. Note that the pass_attrs
    # is still used, only the password field is ignored in it. Before doing any
    # search, the binding is switched back to the default DN.
    #auth_bind = no
    auth_bind = yes

> I am really desperate and don't know how to make it work. Can somebody
> please give me a clue how to solve this problem?

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBU3mrOHz1H7kL/d9rAQJP3Qf/S4FMF1R1ZSvs1vpul3S2pN1stNlEKvjU
9O5hemGYbjfXJjZzY0Htp1rfDHz35GkYkfIxNOmf9pH7WVS9BXK+3wx0jNXVOMVh
3OPnbe7UNZmj5MMx/xtCs6MrC010aOvZ0semBEaoyosUaZA11nyi+Ju2rYtxmZqG
4GNWxMjlXl98qzt8LPqSdnYzLJ+uzkmdh8CNQLOS5e86bwcxV5Fd5V3CbuT40/A0
odEtyvoe8czpnfOBM1CImwwoOnyK0lBi4Pk5SGwLA3qyDlac7bsNnNahUx22Nozd
VYQ3ixZODp3f3/VIloqdVmTFHly8S2vLFDZOmWo4Tc0FEYsLHqR+iA==
=fy/V
-----END PGP SIGNATURE-----
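The DN mismatch Steffen points out can be reproduced offline. The following is an added example (Python, written for this page; it is not code from the thread or from Dovecot) that reads the posted directory entries as LDIF and models the two ways Dovecot can obtain a bind DN: substituting %u into auth_bind_userdn and binding as that DN directly, or, when auth_bind_userdn is unset, searching with pass_filter under base to find the DN first (the behaviour the quoted config comment describes). The function names and the simplified filter and scope semantics are this example's own assumptions, and the sample LDIF is trimmed to the entries that matter.

```python
import base64

# Constructed sample: the entries from the original post, trimmed to the
# three that matter, so the script runs without an OpenLDAP server.
SAMPLE_LDIF = """\
dn: cn=admin,dc=ht
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword:: e1NTSEF9cFY1b0ZZVUhack1aRTVvaUg1T3c2cytVWHV4aUNvaHI

dn: ou=people,dc=ht
objectClass: organizationalUnit
ou: people

dn: cn=Max Mustermann,ou=people,dc=ht
cn: Max Mustermann
gidNumber: 500
homeDirectory: /home/users/mmustormann
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 1000
uid: mmustermann
mail: mustorm@test.com
"""


def parse_ldif(text):
    """Minimal LDIF reader: a blank line ends an entry, 'attr::' means base64."""
    entries, cur = [], {}
    for raw in text.splitlines():
        if not raw.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if raw.startswith("#"):
            continue
        attr, _, val = raw.partition(":")
        if val.startswith(":"):
            b64 = val[1:].strip()
            val = base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-8", "replace")
        cur.setdefault(attr.strip().lower(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


def parse_filter(s):
    """Parse the RFC 4515 subset the posted filters use: '(&...)' and '(attr=value)'."""
    def parse(i):
        if s[i + 1] == "&":
            i += 2
            subs = []
            while s[i] == "(":
                node, i = parse(i)
                subs.append(node)
            return ("and", subs), i + 1  # skip the closing ')'
        j = s.index(")", i)
        attr, _, val = s[i + 1:j].partition("=")
        return ("eq", attr.lower(), val.lower()), j + 1
    return parse(0)[0]


def matches(entry, node):
    if node[0] == "and":
        return all(matches(entry, sub) for sub in node[1])
    _, attr, val = node
    return any(v.lower() == val for v in entry.get(attr, []))


def under_base(dn, base, scope):
    """Toy scope check; ignores escaped commas in RDNs."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope != "onelevel"
    if scope == "base" or not dn.endswith("," + base):
        return False
    return scope == "subtree" or "," not in dn[: -len(base) - 1]


def search(entries, base, scope, filt):
    node = parse_filter(filt)
    return [e for e in entries if under_base(e["dn"][0], base, scope) and matches(e, node)]


def bind_dn_from_template(entries, auth_bind_userdn, username):
    """auth_bind_userdn set: Dovecot substitutes %u and binds as that DN with no
    search. Returns the DN only if such an entry exists (otherwise the bind fails)."""
    dn = auth_bind_userdn.replace("%u", username)
    return dn if any(e["dn"][0].lower() == dn.lower() for e in entries) else None


def bind_dn_from_filter(entries, base, scope, pass_filter, username):
    """auth_bind_userdn unset: search with pass_filter under base, then bind as the
    single hit. Real Dovecot escapes the substituted value; this toy does not."""
    hits = search(entries, base, scope, pass_filter.replace("%u", username))
    return hits[0]["dn"][0] if len(hits) == 1 else None
```

Run against the posted data, bind_dn_from_template with uid=%u,ou=people,dc=ht returns None, because the user's RDN is cn=Max Mustermann rather than uid=mmustermann, which is exactly the failed bind visible in the first Wireshark capture. bind_dn_from_filter with the posted pass_filter and base finds cn=Max Mustermann,ou=people,dc=ht by its uid attribute, so keeping auth_bind = yes and leaving auth_bind_userdn unset is consistent with the data as posted; alternatively the entries would have to be named uid=..., as the template assumes.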