Hi.

Seems it's a bug in Dovecot auth. I have FreeBSD 8.1-RELEASE-p1 and I tried the
1.2.17 and 2.1.7 versions of Dovecot, and still no luck.

The problem: when I set in dovecot-ldap.conf: base = CN=Users,DC=domain,DC=local

everything works fine. But if I set: base = DC=domain,DC=local

the mail client can't authorize. /var/log/dovecot.log says:
=============================================== 
Jun 07 18:07:17 auth: Debug: auth client connected (pid=14611)
Jun 07 18:08:11 auth: Debug: client in: AUTH 1 PLAIN service=imap 
session=G1//aeLB6wAKAABu lip=10.0.0.3 rip=10.0.0.110 lport=143 rport=55787 
resp=AGdhdGV3YXkAVU82eUpuUXQ=
Jun 07 18:08:11 auth: Debug: ldap(gateway,10.0.0.110,<G1//aeLB6wAKAABu>): bind 
search: base=DC=domain,DC=local 
filter=(&(objectClass=person)(sAMAccountName=gateway))
Jun 07 18:08:11 auth: Debug: ldap(gateway,10.0.0.110,<G1//aeLB6wAKAABu>): 
result: uid missing
Jun 07 18:10:18 imap-login: Info: Disconnected: Inactivity during 
authentication (disconnected while authenticating, waited 127 secs): user=<>, 
method=PLAIN, rip=10.0.0.110, lip=10.0.0.3, session=<G1//aeLB6wAKAABu>
Jun 07 18:10:18 auth: Debug: client in: CANCEL 1
Jun 07 18:10:18 auth: Debug: auth client connected (pid=14706)
Jun 07 18:10:26 auth: Debug: client in: AUTH 1 PLAIN service=imap 
session=n6IBcuLB7AAKAABu lip=10.0.0.3 rip=10.0.0.110 lport=143 rport=55788 
resp=AGdhdGV3YXkAVU82eUpuUXQ=
Jun 07 18:10:26 auth: Debug: ldap(gateway,10.0.0.110,<n6IBcuLB7AAKAABu>): bind 
search: base=DC=domain,DC=local 
filter=(&(objectClass=person)(sAMAccountName=gateway))
Jun 07 18:10:26 auth: Error: ldap(gateway,10.0.0.110,<n6IBcuLB7AAKAABu>): 
Connection appears to be hanging, reconnecting
Jun 07 18:10:26 auth: Debug: ldap(gateway,10.0.0.110,<n6IBcuLB7AAKAABu>): 
result: uid missing
Jun 07 18:10:26 auth: Error: ldap(gateway,10.0.0.110,<G1//aeLB6wAKAABu>): 
Request lost
Jun 07 18:10:26 auth: Error: ldap(gateway,10.0.0.110,<n6IBcuLB7AAKAABu>): 
ldap_search(base=DC=domain,DC=local 
filter=(&(objectClass=person)(sAMAccountName=gateway))) failed: Operations error
Jun 07 18:10:26 auth: Error: LDAP: Reply with unknown msgid 2
Jun 07 18:10:26 auth: Error: LDAP: Reply with unknown msgid 2
Jun 07 18:10:26 auth: Error: LDAP: Reply with unknown msgid 2
Jun 07 18:10:26 auth: Error: LDAP: Reply with unknown msgid 2
Jun 07 18:10:28 auth: Debug: client out: FAIL 1 user=gateway temp
Jun 07 18:10:28 auth: Debug: client out: FAIL 1 user=gateway temp
Jun 07 18:13:18 imap-login: Info: Disconnected: Inactivity (auth failed, 1 
attempts in 172 secs): user=<gateway>, method=PLAIN, rip=10.0.0.110, 
lip=10.0.0.3, session=<n6IBcuLB7AAKAABu>
============================================

My dovecot-ldap.conf:

===============================
ldap_version = 3
hosts = ad.domain.local
base = DC=hrom,DC=local
scope = subtree

dn = CN=mailserver,CN=Users,DC=domain,DC=local
dnpass = here_is_pass
auth_bind = yes
pass_attrs = uid=user
pass_filter = "(&(objectClass=person)(sAMAccountName=%u))"
user_attrs = name=mail=maildir:/var/mail/virtual/hrom.local/%n
user_filter = "(&(objectClass=person)(sAMAccountName=%u))"
=================================================== 
 
I need base = DC=domain,DC=local to search for user accounts in
different OUs of my AD. If I set base = CN=Users,DC=domain,DC=local, Dovecot
can't authorize user accounts from the OUs.

P.S.: Postfix with base = DC=domain,DC=local works perfectly, so the problem is
not with our domain controller (LDAP server as well).
