dovecot - May 2016 - AD query timeout might be result size limit exceeded

Hello list

I've been struggling for a while trying to configure multiple domain ldap
authentication with full e-mail address authentication. Which in fact was
not the issue.
There where some discrepancies between the doc and our actual configuration
(see appendix A/ ) Seems that pass_filters and user_filters don't need much
special settings for our setup.

Now it's working correctly at the sole exception that when an OU contains
"lots" of users (>200) i suspect that the ldapseach query fails. We
can
well authenticate when we have 50 users in an OU, but not when the number
raises (I don't have the exact number above which it locks).

Is there a parameter that we can set to increase the result size limit (as
i suspect this to be the cause of this possible bug)?

If I query manually it's ok (ldapsearch)
if I use "doveadm auth user.name at domain.tld", it succeed also but I
wonder
if it doesn't use the winbind authentication instead.



Here is our ldap-auth configuration

hosts = master.domain.local:389
dn = DOMAIN\ro-user
dnpass = password
debug_level = 2
auth_bind = yes
#auth_bind_userdn cn=%u,OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local
(tried with and
without with no better results)
ldap_version = 3
#deref = never
#base = OU=InfrastructureManagement,DC=domain,DC=local (works has a few
users)
base = OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local
scope = subtree
user_filter = (&(objectclass=person)(mail=%u))
pass_filter =  (&(objectclass=person)(mail=%u))

and some logs in appendix B/


Thanks for any hints on this.

Have a nice day



appendix A/

# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.7
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
default_vsz_limit = 1 G
disable_plaintext_auth = no
first_valid_gid = 5000
first_valid_uid = 5000
last_valid_gid = 50000
last_valid_uid = 50000
mail_gid = 5000
mail_home = /var/vmail/%d/%n
mail_location = maildir:~/mail
mail_privileged_group = virtmail
mail_uid = 5000
namespace inbox {
  hidden = no
  inbox = yes
  location   mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix   subscriptions = yes
}
passdb {
  args = scheme=plain-md5 username_format=%u /etc/dovecot/users
  driver = passwd-file
}
passdb {
  args = scheme=plain-md5 username_format=%u /etc/dovecot/users
  driver = passwd-file
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
passdb {
  args = /etc/dovecot/pirisusers-ldap.conf.ext
  driver = ldap
}
protocols = imap
service auth {
  unix_listener auth-userdb {
    mode = 0666
    user = virtmail
  }
}
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
userdb {
  args = /etc/dovecot/dovecot-ldap-users.conf.ext
  driver = ldap
}
userdb {
  args = /etc/dovecot/pirisusers-ldap-users.conf.ext
  driver = ldap
}
protocol lda {
  postmaster_address = postmaster at domain.tld
}
protocol imap {
  mail_plugins }



appendix B/


May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_int_select
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: read1msg: ld
0x7fcc0a585fa0 msgid 14 all 1
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: read1msg: ld
0x7fcc0a585fa0 msgid 11 message type search-reference
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_chase_v3referrals
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:
ldap_url_parse_ext(ldap://ForestDnsZones.domain.local/DC=ForestDnsZones,DC=domain,DC=local)
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: re_encode_request: new
msgid 15, new dn <DC=ForestDnsZones,DC=domain,DC=local>
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: re_encode_request new
request is:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_chase_v3referral:
msgid 11, url
"ldap://ForestDnsZones.domain.local/DC=ForestDnsZones,DC=domain,DC=local"
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_send_server_request
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_new_connection 0 1
1
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_int_open_connection
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_connect_to_host:
TCP ForestDnsZones.domain.local:389
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_new_socket: 21
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_prepare_socket: 21
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_connect_to_host:
Trying 10.1.2.34:389
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_pvt_connect: fd:
21 tm: -1 async: 0
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: anonymous rebind via
ldap_sasl_bind("")
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_sasl_bind
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:
ldap_send_initial_request
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_send_server_request
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_result ld
0x7fcc0a585fa0 msgid 16
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: wait4msg ld
0x7fcc0a585fa0 msgid 16 (timeout 100000 usec)
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: wait4msg continue ld
0x7fcc0a585fa0 msgid 16 all 1
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ** ld 0x7fcc0a585fa0
Connections:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: * host:
ForestDnsZones.domain.local  port: 0
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:   refcnt: 2  status:
Connected
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:   last used: Thu May 19
12:57:36 2016
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:   rebind in progress
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:     queue is empty
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: * host:
DomainDnsZones.domain.local  port: 0
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:   refcnt: 2  status:
Connected
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:   last used: Thu May 19
12:57:36 2016
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:   rebind in progress
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:     queue is empty
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: * host:
master.domain.local  port: 389  (default)
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:   refcnt: 4  status:
Connected
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:   last used: Thu May 19
12:57:36 2016
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ** ld 0x7fcc0a585fa0
Outstanding Requests:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:  * msgid 16,  origid
16, status InProgress
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:    outstanding
referrals 0, parent count 0
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:  * msgid 14,  origid
14, status InProgress
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:    outstanding
referrals 0, parent count 0
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:  * msgid 11,  origid
11, status InProgress
May 19 13:00:06 iftstpupimap1 dovecot: auth: Error: PLAIN(): Request 0.1
timeouted after 150 secs, state=1

On Thu, May 19, 2016 at 4:27 PM, Julien Lambot <jlambot at gmail.com>
wrote:
> Hello list
>
> I've been struggling for a while trying to configure multiple domain
ldap
> authentication with full e-mail address authentication. Which in fact was
> not the issue.
> There where some discrepancies between the doc and our actual
> configuration (see appendix A/ ) Seems that pass_filters and user_filters
> don't need much special settings for our setup.
>
> Now it's working correctly at the sole exception that when an OU
contains
> "lots" of users (>200) i suspect that the ldapseach query
fails. We can
> well authenticate when we have 50 users in an OU, but not when the number
> raises (I don't have the exact number above which it locks).
>

After further investigations, seems the issue is caused by the presence of
an "_" (underscore) in the OU name. Other OUs are not impacted.

If anyone as a suggestion, that would be welcome.
In fact, we cannot rename this OU without a wide impact on other
configurations.

Regards

Julien


>
> Is there a parameter that we can set to increase the result size limit (as
> i suspect this to be the cause of this possible bug)?
>
> If I query manually it's ok (ldapsearch)
> if I use "doveadm auth user.name at domain.tld", it succeed also
but I
> wonder if it doesn't use the winbind authentication instead.
>
>
>
> Here is our ldap-auth configuration
>
> hosts = master.domain.local:389
> dn = DOMAIN\ro-user
> dnpass = password
> debug_level = 2
> auth_bind = yes
> #auth_bind_userdn >
cn=%u,OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local (tried with and
> without with no better results)
> ldap_version = 3
> #deref = never
> #base = OU=InfrastructureManagement,DC=domain,DC=local (works has a few
> users)
> base = OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local
> scope = subtree
> user_filter = (&(objectclass=person)(mail=%u))
> pass_filter =  (&(objectclass=person)(mail=%u))
>
> and some logs in appendix B/
>
>
> Thanks for any hints on this.
>
> Have a nice day
>
>