Fran
2015-Sep-10 11:10 UTC
My dovecot works fine against Active Directory 2003, but not against AD2008
Hi Matthias, thank you very much! that fixed the problem. I had workaround the problem by using "base = ou=xxxx, dc=dom", instead of "base = dc=dom" in the dovecot-ldap.conf.ext file, because that also worked (I don't know why, but the problem happen if you use as base just the domain, but not if you add a second level). But that forced to me to use several userdb/passdb blocks definitions, one for each OU in which I have users, so I think that your fix is better. I'm not able to understand the actual reason behind all this though... What's the technical explanation behind this behaviour?? I mean, it seems to be that the problem is that the Domain controller (DC) was sending a "referrals" answer and dovecot auth made a connection to these others DC but something wrong happened (dovecot can't deal correctly with that kind of answers?? I don't know). Anyways, as far as I know: 1) A referral answer should be done by a DC when it can't provide the object that the client are requesting 2) REFERRALS off in ldap.conf means that the client should not follow referrals returned by the DC So, if a referral answer is given from my DC, I think that is because such DC can't provide the object which the client is looking for, so, why works fine just by telling dovecot: "Don't follow referrals"? Regards El 09/09/2015 a las 17:22, Matthias Lay escribi?:> hi, > > check your > > /etc/openldap/ldap.conf > > for > > REFERRALS off > > I had this errors with "referrals on" in misconfigured dns environments. > > > you can debug the dns packets by strace-ing the auth process > > > > > On Tue, 8 Sep 2015 11:00:37 +0200 > Fran <cumc-4361-2 at chguadalquivir.es> wrote: > >> Hello, >> >> my dovecot installation has been working fine against AD till we >> upgrade from AD 2003 to AD 2008. As >> http://wiki2.dovecot.org/AuthDatabase/LDAP said, now I'm not able to >> connect AD through 389 port. The port 3268 works fine though. >> >> (...) >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Error: >> master(imap): Auth request timed out (received 0/12 bytes) >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Internal login >> failure (pid=4846 id=1) (internal failure, 1 successful auths): >> user=<<username>>, method=PLAIN, rip=<clientLAN_IP>, >> lip=<dovecotServer_IP>, TLS, session=<T+grMCsfqgAKHyZV> >> (...) >> Sep 7 19:02:06 <dovecotServer> dovecot: auth: Error: >> ldap(<username>,<clientLAN_IP>,<ZjyONSsf6QAKHyZV>): Connection appears >> to be hanging, reconnecting >> Sep 7 19:02:06 <dovecotServer> dovecot: auth: Error: >> ldap(<username>,<clientLAN_IP>,<T+grMCsfqgAKHyZV>): LDAP search >> returned multiple entries >> (...) >> >> Is there a technical reason for this problem? Does it exist any >> workaround? >> >> The use of Global Catalog (port 3268) is not a solution for me, since >> it misses many attributes. (ex. I use the field "initials" to set the >> quota and this field is not available through port 3268). >> >> I also noticed that, now, it uses any DC available in the domain, it >> doesn't care what I configured in "hosts = " parameter. >> >> This is using "hosts = dc03.domain:389": >> ----------------------------------------------- >> >> [root@<dovecotServer> ~]# netstat -anp | grep dovecot | grep auth >> tcp 22 0 <dovecotServer_IP>:55217 >> <dc03.domain_IP>:389 ESTABLISHED 4872/dovecot/auth >> tcp 22 0 <dovecotServer_IP>:57645 >> <dc06.domain_IP>:389 ESTABLISHED 4872/dovecot/auth >> tcp 0 0 <dovecotServer_IP>:55216 >> <dc03.domain_IP>:389 ESTABLISHED 4872/dovecot/auth >> >> It looks like it does a look up for other domains controller (I don't >> know how nor why) and it connect aleatory to any DC in my domain (in >> this case dc06.domain, but it changes any time), additionally to the >> configured one (dc03.domain). >> >> This is using "hosts = dc03.domain:3268": >> ------------------------------------------------ >> [root@<dovecotServer> ~]# netstat -anp | grep dovecot | grep auth >> tcp 0 0 <dovecotServer_IP>:58485 >> <dc03.domain_IP>:3268 ESTABLISHED 4982/dovecot/auth >> >> In this case, only the configured server in host parameter is used (I >> think this is the right behaviour) >> >> >> Aditional info: >> --------------- >> CentOS Linux release 7.0.1406 (Core) >> >> dovecot 2.2.10 >> >> Build options: ioloop=epoll notify=inotify ipv6 openssl >> io_block_size=8192 Mail storages: shared mdbox sdbox maildir mbox >> cydir imapc pop3c raw fail SQL driver plugins: mysql postgresql sqlite >> Passdb: checkpassword ldap pam passwd passwd-file shadow sql >> Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql >> >> >> My /etc/dovecot/dovecot-ldap.conf.ext >> -------------------------------------- >> #hosts = dc03.domain:3268 >> hosts = dc03.domain:389 >> #uris = ldap://dc03.domain >> base = DC=domain >> #tls = yes >> tls = no >> ldap_version = 3 >> auth_bind = yes >> auth_bind_userdn = %u at domain >> #auth_bind_userdn = DOMAIN\%u >> dn = cn=<user>,cn=Users,dc=domain >> dnpass = <password> >> >> #scope = subtree >> #deref = never >> >> user_filter >> (&(userPrincipalName=%u at domain)(objectClass=person)(|(mail=%u@<domain>)(othermailbox=%u@<domain>))) >> pass_filter >> (&(userPrincipalName=%u at domain)(objectClass=person)(|(mail=%u@<domain>)(othermailbox=%u@<domain>))) >> pass_attrs = userPassword=password >> user_attrs = Initials=quota_rule=*:storage=%$MB >> --------------- >> >> >> -------------------------- >> Log trace using PORT 389: >> -------------------------- >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x10, ret=1: before/accept initialization [<clientLAN_IP>] >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: before/accept initialization [<clientLAN_IP>] >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 read client hello A [<clientLAN_IP>] >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write server hello A [<clientLAN_IP>] >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write certificate A [<clientLAN_IP>] >> Sep 7 19:00:35 <dovecotServer> dovecot: auth: Debug: Loading modules >> from directory: /usr/lib64/dovecot/auth >> Sep 7 19:00:35 <dovecotServer> dovecot: auth: Debug: Module loaded: >> /usr/lib64/dovecot/auth/libdriver_sqlite.so >> Sep 7 19:00:35 <dovecotServer> dovecot: auth: Debug: Loading modules >> from directory: /usr/lib64/dovecot/auth >> Sep 7 19:00:35 <dovecotServer> dovecot: auth: Debug: Module loaded: >> /usr/lib64/dovecot/auth/libauthdb_ldap.so >> Sep 7 19:00:35 <dovecotServer> dovecot: auth: Debug: Read auth token >> secret from /var/run/dovecot/auth-token-secret.dat >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write key exchange A [<clientLAN_IP>] >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write server done A [<clientLAN_IP>] >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 flush data [<clientLAN_IP>] >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2002, ret=-1: SSLv3 read client certificate A [<clientLAN_IP>] >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2002, ret=-1: SSLv3 read client certificate A [<clientLAN_IP>] >> Sep 7 19:00:35 <dovecotServer> dovecot: auth: Debug: auth client >> connected (pid=4846) >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 read client key exchange A [<clientLAN_IP>] >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 read finished A [<clientLAN_IP>] >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write session ticket A [<clientLAN_IP>] >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write change cipher spec A [<clientLAN_IP>] >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write finished A [<clientLAN_IP>] >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 flush data [<clientLAN_IP>] >> Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x20, ret=1: SSL negotiation finished successfully >> [<clientLAN_IP>] Sep 7 19:00:35 <dovecotServer> dovecot: imap-login: >> Debug: SSL: where=0x2002, ret=1: SSL negotiation finished >> successfully [<clientLAN_IP>] Sep 7 19:00:35 <dovecotServer> >> dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap >> secured session=T+grMCsfqgAKHyZV lip=<dovecotServer_IP> >> rip=<clientLAN_IP> lport=993 rport=59818 Sep 7 19:00:35 >> <dovecotServer> dovecot: auth: Debug: client passdb out: CONT 1 >> Sep 7 19:00:35 <dovecotServer> dovecot: auth: Debug: client in: CONT >> 1 AEN1bWMtNDM2MS0yLXBydWViYQBDb3JyZW9DaGcuMTIzNDU2 (previous >> base64 data may contain sensitive data) >> Sep 7 19:00:35 <dovecotServer> dovecot: auth: Debug: client passdb >> out: OK 1 user=<username> >> Sep 7 19:00:35 <dovecotServer> dovecot: auth: Debug: master in: >> REQUEST 4142792705 4846 1 >> cb2115241ccfd81959c15122ec062a8b session_pid=4849 >> request_auth_token >> Sep 7 19:00:35 <dovecotServer> dovecot: auth: Debug: >> ldap(<username>,<clientLAN_IP>,<T+grMCsfqgAKHyZV>): user search: >> base=DC=domain scope=subtree >> filter=(&(userPrincipalName=<username>@domain)(objectClass=person)(|(mail=<username>@<domain>)(othermailbox=<username>@<domain>))) >> fields=Initials >> >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Error: >> master(imap): Auth request timed out (received 0/12 bytes) >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Internal login >> failure (pid=4846 id=1) (internal failure, 1 successful auths): >> user=<<username>>, method=PLAIN, rip=<clientLAN_IP>, >> lip=<dovecotServer_IP>, TLS, session=<T+grMCsfqgAKHyZV> >> Sep 7 19:02:05 <dovecotServer> dovecot: auth: Debug: client in: >> CANCEL 1 >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL alert: >> close notify [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap: Error: Login client >> disconnected too early >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges >> Sep 7 19:02:05 <dovecotServer> dovecot: auth: Debug: auth client >> connected (pid=4868) >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x10, ret=1: before/accept initialization [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: before/accept initialization [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 read client hello A [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write server hello A [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write certificate A [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write key exchange A [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write server done A [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 flush data [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2002, ret=-1: SSLv3 read client certificate A [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2002, ret=-1: SSLv3 read client certificate A [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 read client key exchange A [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 read finished A [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write session ticket A [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write change cipher spec A [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write finished A [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 flush data [<clientLAN_IP>] >> Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x20, ret=1: SSL negotiation finished successfully >> [<clientLAN_IP>] Sep 7 19:02:05 <dovecotServer> dovecot: imap-login: >> Debug: SSL: where=0x2002, ret=1: SSL negotiation finished >> successfully [<clientLAN_IP>] Sep 7 19:02:06 <dovecotServer> >> dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap >> secured session=ZjyONSsf6QAKHyZV lip=<dovecotServer_IP> >> rip=<clientLAN_IP> lport=993 rport=59881 Sep 7 19:02:06 >> <dovecotServer> dovecot: auth: Debug: client passdb out: CONT 1 >> Sep 7 19:02:06 <dovecotServer> dovecot: auth: Debug: client in: CONT >> 1 AEN1bWMtNDM2MS0yLXBydWViYQBDb3JyZW9DaGcuMTIzNDU2 (previous >> base64 data may contain sensitive data) >> Sep 7 19:02:06 <dovecotServer> dovecot: auth: Error: >> ldap(<username>,<clientLAN_IP>,<ZjyONSsf6QAKHyZV>): Connection appears >> to be hanging, reconnecting >> Sep 7 19:02:06 <dovecotServer> dovecot: auth: Error: >> ldap(<username>,<clientLAN_IP>,<T+grMCsfqgAKHyZV>): LDAP search >> returned multiple entries >> >> Sep 7 19:03:10 <dovecotServer> dovecot: imap: Error: Auth server >> request timed out after 155 secs (client-pid=4846 client-id=1) >> >> Sep 7 19:04:18 <dovecotServer> dovecot: imap-login: Debug: SSL alert: >> close notify [<clientLAN_IP>] >> Sep 7 19:04:18 <dovecotServer> dovecot: imap-login: Debug: SSL alert: >> close notify [<clientLAN_IP>] >> >> Sep 7 19:04:36 <dovecotServer> dovecot: auth: Error: >> PLAIN(<username>,<clientLAN_IP>,<ZjyONSsf6QAKHyZV>): Request 4868.1 >> timed out after 150 secs, state=1 >> >> Sep 7 19:05:05 <dovecotServer> dovecot: imap-login: Disconnected: >> Inactivity during authentication (disconnected while authenticating, >> waited 179 secs): user=<>, method=PLAIN, rip=<clientLAN_IP>, >> lip=<dovecotServer_IP>, TLS, session=<ZjyONSsf6QAKHyZV> >> Sep 7 19:05:05 <dovecotServer> dovecot: auth: Debug: client in: >> CANCEL >> >> Sep 7 19:06:06 <dovecotServer> dovecot: auth: >> ldap(<username>,<clientLAN_IP>,<T+grMCsfqgAKHyZV>): Shutting down >> Sep 7 19:06:06 <dovecotServer> dovecot: auth: Debug: master userdb >> out: FAIL 4142792705 >> Sep 7 19:06:06 <dovecotServer> dovecot: auth: >> ldap(<username>,<clientLAN_IP>,<ZjyONSsf6QAKHyZV>): Shutting down >> Sep 7 19:06:06 <dovecotServer> dovecot: auth: Debug: client passdb >> out: FAIL 1 user=<username> temp >> >> >> >> >> -------------------------- >> Log trace using PORT 3268: >> -------------------------- >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x10, ret=1: before/accept initialization [<clientLAN_IP>] >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: before/accept initialization [<clientLAN_IP>] >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 read client hello A [<clientLAN_IP>] >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write server hello A [<clientLAN_IP>] >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write certificate A [<clientLAN_IP>] >> Sep 7 19:33:07 <dovecotServer> dovecot: auth: Debug: Loading modules >> from directory: /usr/lib64/dovecot/auth >> Sep 7 19:33:07 <dovecotServer> dovecot: auth: Debug: Module loaded: >> /usr/lib64/dovecot/auth/libdriver_sqlite.so >> Sep 7 19:33:07 <dovecotServer> dovecot: auth: Debug: Loading modules >> from directory: /usr/lib64/dovecot/auth >> Sep 7 19:33:07 <dovecotServer> dovecot: auth: Debug: Module loaded: >> /usr/lib64/dovecot/auth/libauthdb_ldap.so >> Sep 7 19:33:07 <dovecotServer> dovecot: auth: Debug: Read auth token >> secret from /var/run/dovecot/auth-token-secret.dat >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write key exchange A [<clientLAN_IP>] >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write server done A [<clientLAN_IP>] >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 flush data [<clientLAN_IP>] >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2002, ret=-1: SSLv3 read client certificate A [<clientLAN_IP>] >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2002, ret=-1: SSLv3 read client certificate A [<clientLAN_IP>] >> Sep 7 19:33:07 <dovecotServer> dovecot: auth: Debug: auth client >> connected (pid=4971) >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 read client key exchange A [<clientLAN_IP>] >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 read finished A [<clientLAN_IP>] >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write session ticket A [<clientLAN_IP>] >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write change cipher spec A [<clientLAN_IP>] >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 write finished A [<clientLAN_IP>] >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x2001, ret=1: SSLv3 flush data [<clientLAN_IP>] >> Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: Debug: SSL: >> where=0x20, ret=1: SSL negotiation finished successfully >> [<clientLAN_IP>] Sep 7 19:33:07 <dovecotServer> dovecot: imap-login: >> Debug: SSL: where=0x2002, ret=1: SSL negotiation finished >> successfully [<clientLAN_IP>] Sep 7 19:33:08 <dovecotServer> >> dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap >> secured session=FAKKpCsf0AAKHyZV lip=<dovecotServer_IP> >> rip=<clientLAN_IP> lport=993 rport=61648 Sep 7 19:33:08 >> <dovecotServer> dovecot: auth: Debug: client passdb out: CONT 1 >> Sep 7 19:33:08 <dovecotServer> dovecot: auth: Debug: client in: CONT >> 1 AEN1bWMtNDM2MS0yAGZvcnRpbmV0LjIwMTQ= (previous base64 data may >> contain sensitive data) >> Sep 7 19:33:08 <dovecotServer> dovecot: auth: Debug: client passdb >> out: OK 1 user=<username> >> Sep 7 19:33:08 <dovecotServer> dovecot: auth: Debug: master in: >> REQUEST 3261071361 4971 1 >> 4755688f0bdd33a0fadcc5d3b8664e61 session_pid=4974 >> request_auth_token >> Sep 7 19:33:08 <dovecotServer> dovecot: auth: Debug: >> ldap(<username>,<clientLAN_IP>,<FAKKpCsf0AAKHyZV>): user search: >> base=DC=domain scope=subtree >> filter=(&(userPrincipalName=<username>@domain)(objectClass=person)(|(mail=<username>@<domain>)(othermailbox=<username>@<domain>))) >> fields=Initials >> >> [Here start the difference between 389 and 3268 ports] >> >> Sep 7 19:33:08 <dovecotServer> dovecot: auth: Debug: >> ldap(<username>,<clientLAN_IP>,<FAKKpCsf0AAKHyZV>): no fields returned >> by the server >> >> [Next line you can see missing attributes, due to I'm using port 3268] >> >> Sep 7 19:33:08 <dovecotServer> dovecot: auth: Debug: >> ldap(<username>,<clientLAN_IP>,<FAKKpCsf0AAKHyZV>): result: Initials >> missing >> Sep 7 19:33:08 <dovecotServer> dovecot: auth: Debug: master userdb >> out: USER 3261071361 <username> uid=1000 >> gid=1000 home=/home/mailstorage/<domain>/<username> >> auth_token=9191cdf475600f0a47e185bb65817c0e0f495894 >> Sep 7 19:33:08 <dovecotServer> dovecot: imap-login: Login: >> user=<<username>>, method=PLAIN, rip=<clientLAN_IP>, >> lip=<dovecotServer_IP>, mpid=4974, TLS, session=<FAKKpCsf0AAKHyZV> >> Sep 7 19:33:08 <dovecotServer> dovecot: imap: Debug: Loading modules >> from directory: /usr/lib64/dovecot >> Sep 7 19:33:08 <dovecotServer> dovecot: imap: Debug: Module loaded: >> /usr/lib64/dovecot/lib10_quota_plugin.so >> Sep 7 19:33:08 <dovecotServer> dovecot: imap: Debug: Module loaded: >> /usr/lib64/dovecot/lib11_imap_quota_plugin.so >> Sep 7 19:33:08 <dovecotServer> dovecot: imap(<username>): Debug: >> Effective uid=1000, gid=1000, >> home=/home/mailstorage/<domain>/<username> Sep 7 19:33:08 >> <dovecotServer> dovecot: imap(<username>): Debug: Quota root: >> name=CuotaUsuario backend=maildir args= Sep 7 19:33:08 >> <dovecotServer> dovecot: imap(<username>): Debug: Quota rule: >> root=CuotaUsuario mailbox=* bytes=2097152 messages=0 Sep 7 19:33:08 >> <dovecotServer> dovecot: imap(<username>): Debug: Quota grace: >> root=CuotaUsuario bytes=209715 (10%) Sep 7 19:33:08 <dovecotServer> >> dovecot: imap(<username>): Debug: Namespace inbox: type=private, >> prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes >> location=maildir:~/Maildir Sep 7 19:33:08 <dovecotServer> dovecot: >> imap(<username>): Debug: maildir++: >> root=/home/mailstorage/<domain>/<username>/Maildir, index=, >> indexpvt=, control=, >> inbox=/home/mailstorage/<domain>/<username>/Maildir, alt=
Matthias Lay
2015-Sep-10 13:40 UTC
My dovecot works fine against Active Directory 2003, but not against AD2008
Hi Fran, this is not a dovecot problem, thats a pure dns problem and can only be fixed in your dns environment. referrals are propagated in a "special" dns design in SRV records. so the ldap client performs a dns lookup for this names and this is the point of hanging (as in most "hanging cases", its dns). see: https://technet.microsoft.com/en-us/library/cc978014.aspx https://technet.microsoft.com/en-us/library/cc961719.aspx http://www.mail-archive.com/cas at tp.its.yale.edu/msg00797.html for information. Greetz Matze On Thu, 10 Sep 2015 13:10:57 +0200 Fran <cumc-4361-2 at chguadalquivir.es> wrote:> Hi Matthias, > > thank you very much! that fixed the problem. > > I had workaround the problem by using "base = ou=xxxx, dc=dom", > instead of "base = dc=dom" in the dovecot-ldap.conf.ext file, because > that also worked (I don't know why, but the problem happen if you use > as base just the domain, but not if you add a second level). But that > forced to me to use several userdb/passdb blocks definitions, one for > each OU in which I have users, so I think that your fix is better. > > I'm not able to understand the actual reason behind all this though... > > What's the technical explanation behind this behaviour?? I mean, it > seems to be that the problem is that the Domain controller (DC) was > sending a "referrals" answer and dovecot auth made a connection to > these others DC but something wrong happened (dovecot can't deal > correctly with that kind of answers?? I don't know). > > Anyways, as far as I know: > > 1) A referral answer should be done by a DC when it can't provide the > object that the client are requesting > 2) REFERRALS off in ldap.conf means that the client should not follow > referrals returned by the DC > > So, if a referral answer is given from my DC, I think that is because > such DC can't provide the object which the client is looking for, so, > why works fine just by telling dovecot: "Don't follow referrals"? > > Regards > > > > El 09/09/2015 a las 17:22, Matthias Lay escribi?: > > hi, > > > > check your > > > > /etc/openldap/ldap.conf > > > > for > > > > REFERRALS off > > > > I had this errors with "referrals on" in misconfigured dns > > environments. > > > > > > you can debug the dns packets by strace-ing the auth process > > > > > > > > > > On Tue, 8 Sep 2015 11:00:37 +0200
Fran
2015-Sep-10 15:14 UTC
My dovecot works fine against Active Directory 2003, but not against AD2008
Thank again for the solution and for the explanation. Fran El 10/09/2015 a las 15:40, Matthias Lay escribi?:> Hi Fran, > > > this is not a dovecot problem, thats a pure dns problem and can only > be fixed in your dns environment. > > > referrals are propagated in a "special" dns design in SRV records. > so the ldap client performs a dns lookup for this names and this is the > point of hanging (as in most "hanging cases", its dns). > > see: > https://technet.microsoft.com/en-us/library/cc978014.aspx > https://technet.microsoft.com/en-us/library/cc961719.aspx > http://www.mail-archive.com/cas at tp.its.yale.edu/msg00797.html > > for information. > > > Greetz Matze > > > > > On Thu, 10 Sep 2015 13:10:57 +0200 > Fran <cumc-4361-2 at chguadalquivir.es> wrote: > >> Hi Matthias, >> >> thank you very much! that fixed the problem. >> >> I had workaround the problem by using "base = ou=xxxx, dc=dom", >> instead of "base = dc=dom" in the dovecot-ldap.conf.ext file, because >> that also worked (I don't know why, but the problem happen if you use >> as base just the domain, but not if you add a second level). But that >> forced to me to use several userdb/passdb blocks definitions, one for >> each OU in which I have users, so I think that your fix is better. >> >> I'm not able to understand the actual reason behind all this though... >> >> What's the technical explanation behind this behaviour?? I mean, it >> seems to be that the problem is that the Domain controller (DC) was >> sending a "referrals" answer and dovecot auth made a connection to >> these others DC but something wrong happened (dovecot can't deal >> correctly with that kind of answers?? I don't know). >> >> Anyways, as far as I know: >> >> 1) A referral answer should be done by a DC when it can't provide the >> object that the client are requesting >> 2) REFERRALS off in ldap.conf means that the client should not follow >> referrals returned by the DC >> >> So, if a referral answer is given from my DC, I think that is because >> such DC can't provide the object which the client is looking for, so, >> why works fine just by telling dovecot: "Don't follow referrals"? >> >> Regards >> >> >> >> El 09/09/2015 a las 17:22, Matthias Lay escribi?: >>> hi, >>> >>> check your >>> >>> /etc/openldap/ldap.conf >>> >>> for >>> >>> REFERRALS off >>> >>> I had this errors with "referrals on" in misconfigured dns >>> environments. >>> >>> >>> you can debug the dns packets by strace-ing the auth process >>> >>> >>> >>> >>> On Tue, 8 Sep 2015 11:00:37 +0200
Apparently Analagous Threads
- My dovecot works fine against Active Directory 2003, but not against AD2008
- My dovecot works fine against Active Directory 2003, but not against AD2008
- My dovecot works fine against Active Directory 2003, but not against AD2008
- My dovecot works fine against Active Directory 2003, but not against AD2008
- My dovecot works fine against Active Directory 2003, but not against AD2008