Hello and thanks for your answer.
On 30/10/2013 19:32, Steffen Kaiser wrote:
On Wed, 30 Oct 2013, m...@electronico.nc wrote:
passdb {
args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
driver = ldap
}
/etc/dovecot/dovecot-ldap-passdb.conf.ext:
hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan
You define your bind DN as cn=%u,OU=users,dc=domain,dc=lan
ldap_version = 3
base = ou=users,dc=domain,dc=lan
scope = subtree
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
user_attrs = uid=20001, gid=20001, home=/media/data/email/%n,
mail=/media/data/email/%n/mail
user_filter = (&(objectClass=person)(cn=%n)(mail=*))
pass_filter and user_filter differ in %u vs. %n.
It doesn't really matter in this situation, as users are connected to a
unique AD domain and their credentials are set up with user/password, so
in this case %u and %n are identical.
Here is the debug part when user test3 (located in ou=users,
ou=administrative) tries to login:
The auth_bind_userdn does not match the ou=administrative location.
Drop the auth_bind_userdn, IMHO, so Dovecot actually uses pass_filter
to search for the DN of the user.
I have tried a lot of ways to use DN or OU in pass_filter, like:
pass_filter = (&(objectClass=person)(cn=%u)(ou=users)(mail=*))
pass_filter = (&(objectClass=person)(cn=%u)(ou:dn:=rdk_users)(mail=*))
but it seems Active Directory doesn't support OU or DN in filters :-(
Thanks anyway for your help, this is definitely not a Dovecot issue.
Nicolas
Oct 30 18:49:12 serveur dovecot: auth:
ldap(test3,10.10.20.208,<L6uskfDpKwAKChTQ>): invalid credentials
Oct 30 18:49:14 serveur dovecot: auth: Debug: client passdb out:
FAIL#0111#011user=test3
As soon as I move user 'test3' back to ou=users, it can login ...
Oct 30 18:53:57 serveur dovecot: auth: Debug: client passdb out:
OK#0111#011user=test3
- -- Steffen Kaiser
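The suggestion in the thread (drop auth_bind_userdn so Dovecot finds the user's DN with pass_filter and then binds as it), written out as an added configuration example that is not part of the original messages. The lookup account, its password placeholder and the widened search base are assumptions; the other values are the ones posted above.

```conf
# /etc/dovecot/dovecot-ldap-passdb.conf.ext

# --- Before (as posted in the thread): DN built from a fixed template ---
# Dovecot binds directly as cn=<user>,OU=users,dc=domain,dc=lan and never
# searches, so an account stored under any other OU cannot authenticate.
#auth_bind = yes
#auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan

# --- After: search for the user's DN, then bind as that DN ---
hosts = localhost
ldap_version = 3

# Assumption: a dedicated low-privilege lookup account used only for the
# DN search (Active Directory rejects anonymous searches by default).
# Both values are placeholders.
dn = cn=dovecot-lookup,ou=users,dc=domain,dc=lan
dnpass = CHANGE_ME

# Password check is still done by binding as the user, but with no
# auth_bind_userdn set the DN comes from the pass_filter search result.
auth_bind = yes

# Assumption: the base is raised to a common ancestor of every OU that
# holds mail users, so the subtree search can reach all of them.
base = dc=domain,dc=lan
scope = subtree
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
```

With dnpass in the file, restrict it to root (mode 0600) so the lookup credential is not readable by other local users.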