On Tuesday 08 April 2014 05:36:51 Deeztek Support wrote:
> On 4/8/2014 2:18 AM, Steffen Kaiser wrote:
> > The primary question is: Does
> >
> > ldapsearch -H ldap://server.domain.tld:389 \
> >   -b dc=domain,dc=tld -D ... -W \
> >   '(&(userPrincipalName=<<user>>)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
> >
> > return the user?
>
> yes it does. The authentication with AD works as it should as long as
> dovecot is pointing to the right OU.
>
> > How many domain controllers do you have in the AD? Which of them holds
> > which domains? See
> > http://technet.microsoft.com/en-us/library/cc978012.aspx
>
> I have one domain controller and there is only one domain. I think we are
> getting off track here. There is no problem with authentication. Maybe I
> need to be more clear.
>
> Dovecot is able to authenticate with active directory as long as the
> "base = " parameter in "/etc/dovecot/dovecot-ldap.conf" is pointing to
> the OU that the dovecot users are in. However, I have another OU where my
> Exchange users are. So, when I try to send email from a dovecot user to
> an Exchange user, dovecot throws the error "user unknown" because it's
> not able to find the Exchange user since it's in a different OU. When I
> set the "base =" parameter in "/etc/dovecot/dovecot-ldap.conf" to the
> domain root, i.e. instead of having it say:
>
> base = ou=testou,dc=domain,dc=tld
>
> I set it to:
>
> base = dc=domain,dc=tld
>
> so it can look up all users in the entire domain,
>
> then dovecot stops authenticating with AD altogether.
As I already said, authentication is one thing and delivery is another. This filter probably receives a different variable as %u when delivering (possibly the mail address, or the user part of it, depending on your master.cf). You can use an | in the LDAP filter to accommodate that; it's ugly but it works.

--
Mihai Bădici
http://mihai.badici.ro
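The "|" trick Mihai describes, written out as a dovecot-ldap.conf fragment. This is an added example, not configuration posted by anyone in the thread: the bind DN, the hostname and the choice of attributes (sAMAccountName, mail) are assumptions for illustration, and the bind password is a placeholder. The base is the domain root from the original post, and the userAccountControl clause is carried over from Steffen's ldapsearch filter so that disabled accounts are still rejected once the search covers the whole domain rather than one OU.

```conf
# Added example, not from the thread. Assumed file: /etc/dovecot/dovecot-ldap.conf
# Hostname, bind DN and attribute names below are assumptions.
hosts = server.domain.tld:389
dn = cn=dovecot,ou=service accounts,dc=domain,dc=tld
dnpass = CHANGEME
auth_bind = yes

# Search from the domain root so that users in any OU (the dovecot OU and the
# Exchange OU alike) are found; subtree descends into child OUs.
base = dc=domain,dc=tld
scope = subtree

# At delivery the filter may be handed "user@domain.tld" as %u, while at
# authentication it may be handed the bare login name. %n is always the part
# before the @. The inner (|...) accepts either form; the outer (&...) keeps the
# person/objectClass and the "account not disabled" check from the original
# filter, so widening the base does not widen who is accepted.
user_filter = (&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(userPrincipalName=%u)(sAMAccountName=%n)(mail=%u)))

# pass_filter deliberately omits the mail= branch: matching on mail would let
# any alias listed in that attribute be used as a login name, which is broader
# than wanted for authentication. Either filter must still match exactly one
# entry, or Dovecot rejects the lookup.
pass_filter = (&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(userPrincipalName=%u)(sAMAccountName=%n)))
```

To check both forms before restarting anything, run Steffen's ldapsearch command with the user_filter above, substituting the bare login name and then the full address for the %u/%n placeholders, and confirm each returns exactly one entry. After reloading Dovecot, `doveadm user user@domain.tld` exercises the userdb (delivery) lookup and `doveadm auth test user@domain.tld` exercises the passdb (authentication) path, so a failure can be attributed to the right filter.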