-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 8 Apr 2014, Deeztek Support wrote:

Date: Tue, 8 Apr 2014 05:36:51 -0400
From: Deeztek Support <supp...@deeztek.com>
Reply-To: Dovecot Mailing List <dovecot@dovecot.org>
To: dovecot@dovecot.org
Subject: Re: [Dovecot] Dovecot LDAP issue

On 4/8/2014 2:18 AM, Steffen Kaiser wrote:
The primary question is: Does

ldapsearch -H ldap://server.domain.tld:389 \
  -b dc=domain,dc=tld -D ...  -W \
  '(&(userPrincipalName=<<user>>)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

return the user?

yes it does. The authentication with AD works as it should as long as dovecot is pointing to the right OU.

You misunderstood the vivid points of this command:
a) the base DN is the one you want, but it is not working with Dovecot
b) you perform an LDAP search in the local DC, not in the Global Catalog
c) that you've authenticated correctly is just a side effect to know

How many domain controllers do you have in the AD? Which of them holds
which domains? See http://technet.microsoft.com/en-us/library/cc978012.aspx


I have one domain controller and there is only one domain. I think we are getting off track here. There is no problem with authentication. Maybe I need to be more clear.

Dovecot is able to authenticate with Active Directory as long as the "base = " parameter in "/etc/dovecot/dovecot-ldap.conf" is pointing to the OU that the Dovecot users are in. However, I have another OU where my Exchange users are. So, when I try to send email from a Dovecot user to an Exchange user, Dovecot throws the error "user unknown" because it's not able to find the Exchange user, since it's in a different OU. When I set the "base =" parameter in "/etc/dovecot/dovecot-ldap.conf" to the domain root, i.e. instead of having it say:

base = ou=testou,dc=domain,dc=tld

I set it to:

base = dc=domain,dc=tld

so it can lookup all users in the entire domain

then dovecot stops authenticating with AD altogether

As the page points out, there are differences between LDAP and GC searches in the sense of what results are found.

See: http://wiki2.dovecot.org/AuthDatabase/LDAP

"Active Directory

When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx "

The ldapsearch is to verify that your AD searches more than one OU at all.

- -- Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBU0QHXXD1/YhP6VMHAQKsSQgAl/22Zo1KUJfKOML5Gb7P3xUv/Wl9heub
ZskcKOIdH+QTkaiSaTeDfnPlugvJKKg5kXvhjfjVn5NrezUxiwa9gLvWypwDwYRM
CT2Ba10c0Fokl/JRTfmVwaaOt5VDIaValg7gw/xfQRTFEQ5Ls6QefWyVJhkZrnuo
pgB8Y3vLekyeg0gXfB0nj4lk5bU6GdacPMJJdcbTHsWOIQRpsxErF3oijJwWInea
DBFHcJsQJLnoP6LqpaLGAkalrbYdLY3zqzheIE978olDTBk75dqeiqEO88Fs3kpX
cgtO+vpeIQVRXVrtnGYAkIhCegTJ2IWLpsU0pgOjJtvEFUgUCBSLug==
=mWc0
-----END PGP SIGNATURE-----
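The two settings the thread is arguing about, side by side, as an added example that is not part of either poster's mail or of the Dovecot project's sample config. Host names, the bind DN and the attribute mapping are placeholders; the filter is the one quoted above, using Dovecot's %u (the login name, here expected to be the UPN) in place of <<user>>:

```ini
# /etc/dovecot/dovecot-ldap.conf  (added example; names below are placeholders)

# Where to connect. Port 389 is the domain controller's own LDAP service for
# its domain. Port 3268 is the Global Catalog: a read-only, forest-wide
# partial replica that carries only the attributes marked for GC replication,
# which is why the wiki warns that not every field is available there.
uris = ldap://dc1.domain.tld:389
#uris = ldap://dc1.domain.tld:3268

# Read-only service account used for the lookups (assumed to exist).
dn = cn=dovecot-ldap,ou=svc,dc=domain,dc=tld
dnpass = change-me
ldap_version = 3

# Search root. The first form only ever sees one OU. The second covers the
# whole domain and relies on scope = subtree (the default) to descend into
# every OU beneath it.
#base = ou=testou,dc=domain,dc=tld
base = dc=domain,dc=tld
scope = subtree

# AD does not hand out password hashes over LDAP, so Dovecot has to verify
# the password by binding as the user rather than by reading an attribute.
auth_bind = yes

# Filter from the thread: match on the UPN, persons only, and exclude accounts
# whose userAccountControl has the ACCOUNTDISABLE bit (0x2) set.
# 1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule.
pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# Same filter for the userdb lookup that the "user unknown" error comes from;
# the attribute mapping is an assumption, adjust it to the local schema.
user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
user_attrs = sAMAccountName=user
```

Before switching the base, run the ldapsearch from the thread once against port 389 and once against port 3268 with the same base and filter: if the user is returned on one port and not the other, the difference is the catalog being queried, not the base DN. Keep the disabled-account clause in both filters; without it a disabled AD account still resolves as a valid mailbox for delivery even though the bind for it fails.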
