Hello list,

I've been struggling for a while trying to configure multiple-domain LDAP
authentication with full e-mail address authentication, which in fact was
not the issue.
There were some discrepancies between the doc and our actual configuration
(see appendix A/). It seems that pass_filter and user_filter don't need many
special settings for our setup.
Now it's working correctly, with the sole exception that when an OU contains
"lots" of users (>200) I suspect that the ldapsearch query fails. We can
authenticate fine when we have 50 users in an OU, but not when the number
rises (I don't have the exact number above which it locks).
Is there a parameter that we can set to increase the result size limit (as
I suspect this to be the cause of this possible bug)?
If I query manually (ldapsearch) it's OK.
If I use "doveadm auth user.name at domain.tld", it succeeds also, but I
wonder whether it doesn't use the winbind authentication instead.
Here is our ldap-auth configuration:
hosts = master.domain.local:389
dn = DOMAIN\ro-user
dnpass = password
debug_level = 2
auth_bind = yes
#auth_bind_userdn cn=%u,OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local
(tried with and without, with no better results)
ldap_version = 3
#deref = never
#base = OU=InfrastructureManagement,DC=domain,DC=local (works; has a few users)
base = OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local
scope = subtree
user_filter = (&(objectclass=person)(mail=%u))
pass_filter = (&(objectclass=person)(mail=%u))
and some logs in appendix B/.

Thanks for any hints on this.
Have a nice day.
appendix A/
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.7
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
default_vsz_limit = 1 G
disable_plaintext_auth = no
first_valid_gid = 5000
first_valid_uid = 5000
last_valid_gid = 50000
last_valid_uid = 50000
mail_gid = 5000
mail_home = /var/vmail/%d/%n
mail_location = maildir:~/mail
mail_privileged_group = virtmail
mail_uid = 5000
namespace inbox {
  hidden = no
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  subscriptions = yes
}
passdb {
  args = scheme=plain-md5 username_format=%u /etc/dovecot/users
  driver = passwd-file
}
passdb {
  args = scheme=plain-md5 username_format=%u /etc/dovecot/users
  driver = passwd-file
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
passdb {
  args = /etc/dovecot/pirisusers-ldap.conf.ext
  driver = ldap
}
protocols = imap
service auth {
  unix_listener auth-userdb {
    mode = 0666
    user = virtmail
  }
}
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
userdb {
  args = /etc/dovecot/dovecot-ldap-users.conf.ext
  driver = ldap
}
userdb {
  args = /etc/dovecot/pirisusers-ldap-users.conf.ext
  driver = ldap
}
protocol lda {
  postmaster_address = postmaster at domain.tld
}
protocol imap {
  mail_plugins =
}
appendix B/
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_int_select
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: read1msg: ld 0x7fcc0a585fa0 msgid 14 all 1
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: read1msg: ld 0x7fcc0a585fa0 msgid 11 message type search-reference
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_chase_v3referrals
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_url_parse_ext(ldap://ForestDnsZones.domain.local/DC=ForestDnsZones,DC=domain,DC=local)
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: re_encode_request: new msgid 15, new dn <DC=ForestDnsZones,DC=domain,DC=local>
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: re_encode_request new request is:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_chase_v3referral: msgid 11, url "ldap://ForestDnsZones.domain.local/DC=ForestDnsZones,DC=domain,DC=local"
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_send_server_request
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_new_connection 0 1 1
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_int_open_connection
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_connect_to_host: TCP ForestDnsZones.domain.local:389
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_new_socket: 21
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_prepare_socket: 21
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_connect_to_host: Trying 10.1.2.34:389
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_pvt_connect: fd: 21 tm: -1 async: 0
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: anonymous rebind via ldap_sasl_bind("")
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_sasl_bind
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_send_initial_request
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_send_server_request
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_result ld 0x7fcc0a585fa0 msgid 16
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: wait4msg ld 0x7fcc0a585fa0 msgid 16 (timeout 100000 usec)
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: wait4msg continue ld 0x7fcc0a585fa0 msgid 16 all 1
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ** ld 0x7fcc0a585fa0 Connections:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: * host: ForestDnsZones.domain.local port: 0
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: refcnt: 2 status: Connected
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: last used: Thu May 19 12:57:36 2016
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: rebind in progress
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: queue is empty
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: * host: DomainDnsZones.domain.local port: 0
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: refcnt: 2 status: Connected
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: last used: Thu May 19 12:57:36 2016
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: rebind in progress
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: queue is empty
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: * host: master.domain.local port: 389 (default)
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: refcnt: 4 status: Connected
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: last used: Thu May 19 12:57:36 2016
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ** ld 0x7fcc0a585fa0 Outstanding Requests:
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: * msgid 16, origid 16, status InProgress
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: outstanding referrals 0, parent count 0
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: * msgid 14, origid 14, status InProgress
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: outstanding referrals 0, parent count 0
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: * msgid 11, origid 11, status InProgress
May 19 13:00:06 iftstpupimap1 dovecot: auth: Error: PLAIN(): Request 0.1 timeouted after 150 secs, state=1
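An added example, not part of the original post and not Dovecot or OpenLDAP code: a small Python triage script for the kind of auth debug output shown in appendix B. It counts the libldap evidence that decides between the two candidate causes, a server-side result size limit (which libldap reports as "Size limit exceeded") and referral chasing (search-reference results, `ldap_chase_v3referral` URLs, an anonymous rebind to the referred host, requests left InProgress, and the final auth request timeout). The embedded sample log is a constructed, condensed subset of the appendix B lines with the mail wrapping rejoined; the function names, dictionary keys and diagnosis labels are my own.

```python
"""Triage of Dovecot auth-debug LDAP lines (added example, not Dovecot code)."""
import re
from urllib.parse import urlsplit

# Constructed sample input: a condensed subset of the appendix B lines,
# with the line wrapping from the mail rejoined. Hostnames are the post's own.
SAMPLE_LOG = """\
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: read1msg: ld 0x7fcc0a585fa0 msgid 11 message type search-reference
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_chase_v3referrals
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_chase_v3referral: msgid 11, url "ldap://ForestDnsZones.domain.local/DC=ForestDnsZones,DC=domain,DC=local"
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: ldap_connect_to_host: TCP ForestDnsZones.domain.local:389
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: anonymous rebind via ldap_sasl_bind("")
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: * host: DomainDnsZones.domain.local port: 0
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: * msgid 16, origid 16, status InProgress
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: * msgid 14, origid 14, status InProgress
May 19 12:57:36 iftstpupimap1 dovecot: auth: Error: * msgid 11, origid 11, status InProgress
May 19 13:00:06 iftstpupimap1 dovecot: auth: Error: PLAIN(): Request 0.1 timeouted after 150 secs, state=1
"""

# Patterns for the libldap debug strings that matter for this diagnosis.
RE_SEARCH_REF = re.compile(r"message type search-reference")
RE_REFERRAL = re.compile(r'ldap_chase_v3referral: msgid (\d+), url "([^"]+)"')
RE_ANON_REBIND = re.compile(r"anonymous rebind via ldap_sasl_bind")
RE_OUTSTANDING = re.compile(r"\* msgid (\d+), origid (\d+), status (\w+)")
RE_TIMEOUT = re.compile(r"timeouted after (\d+) secs")
# What a genuine result-size problem looks like in the same log
# (libldap's text for LDAP result code 4).
RE_SIZE_LIMIT = re.compile(r"[Ss]ize ?limit exceeded")


def parse_auth_log(text):
    """Summarise referral, rebind, outstanding-request and timeout evidence."""
    summary = {
        "search_references": 0,
        "referral_urls": [],
        "referral_hosts": set(),
        "anonymous_rebinds": 0,
        "outstanding": [],   # msgids still InProgress when the client dumped its state
        "timeouts": [],      # seconds reported by the auth request timeout
        "size_limit_errors": 0,
    }
    for line in text.splitlines():
        if RE_SEARCH_REF.search(line):
            summary["search_references"] += 1
        m = RE_REFERRAL.search(line)
        if m:
            url = m.group(2)
            summary["referral_urls"].append(url)
            # urlsplit lower-cases the host, which is what we want for matching
            summary["referral_hosts"].add(urlsplit(url).hostname)
        if RE_ANON_REBIND.search(line):
            summary["anonymous_rebinds"] += 1
        m = RE_OUTSTANDING.search(line)
        if m and m.group(3) == "InProgress":
            summary["outstanding"].append(int(m.group(1)))
        m = RE_TIMEOUT.search(line)
        if m:
            summary["timeouts"].append(int(m.group(1)))
        if RE_SIZE_LIMIT.search(line):
            summary["size_limit_errors"] += 1
    return summary


def diagnose(summary):
    """Pick the most likely cause from the evidence, most specific first."""
    if summary["size_limit_errors"]:
        return "size-limit"
    if summary["referral_urls"] and (summary["anonymous_rebinds"] or summary["outstanding"]):
        return "referral-chasing"
    if summary["timeouts"]:
        return "timeout-unknown-cause"
    return "no-error-pattern"


if __name__ == "__main__":
    s = parse_auth_log(SAMPLE_LOG)
    print("search references:", s["search_references"])
    print("referral hosts:", sorted(s["referral_hosts"]))
    print("anonymous rebinds:", s["anonymous_rebinds"])
    print("outstanding msgids:", s["outstanding"])
    print("timeouts (s):", s["timeouts"])
    print("diagnosis:", diagnose(s))
```

Run against the sample, the script reports one search-reference result, a referral to ForestDnsZones.domain.local chased with an anonymous rebind, three requests (msgids 16, 14 and 11) still InProgress, the 150-second auth timeout, and no size-limit error, so it classifies the trace as referral chasing rather than a result size limit. For a real log, feed the whole auth debug output to `parse_auth_log`; if "Size limit exceeded" never appears while referral URLs and a rebind do, the place to look is the client's referral handling (for an OpenLDAP-based client, `REFERRALS off` in the system ldap.conf disables chasing) or a search base that does not produce search references, not a size parameter.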