On Thu, May 19, 2016 at 4:27 PM, Julien Lambot <jlam...@gmail.com> wrote:
> Hello list
>
> I've been struggling for a while trying to configure multiple domain ldap
> authentication with full e-mail address authentication. Which in fact was
> not the issue.
> There were some discrepancies between the doc and our actual
> configuration (see appendix A/ ). Seems that pass_filters and user_filters
> don't need much special settings for our setup.
>
> Now it's working correctly at the sole exception that when an OU contains
> "lots" of users (>200) I suspect that the ldapsearch query fails. We can
> well authenticate when we have 50 users in an OU, but not when the number
> rises (I don't have the exact number above which it locks).
>

After further investigations, seems the issue is caused by the presence of an "_" (underscore) in the OU name.
Other OUs are not impacted.

If anyone has a suggestion, that would be welcome. In fact, we cannot rename this OU without a wide impact on other configurations.

Regards
Julien

>
> Is there a parameter that we can set to increase the result size limit (as
> I suspect this to be the cause of this possible bug)?
>
> If I query manually it's ok (ldapsearch)
> if I use "doveadm auth user.n...@domain.tld", it succeeds also but I
> wonder if it doesn't use the winbind authentication instead.
>
>
>
> Here is our ldap-auth configuration
>
> hosts = master.domain.local:389
> dn = DOMAIN\ro-user
> dnpass = password
> debug_level = 2
> auth_bind = yes
> #auth_bind_userdn =
> cn=%u,OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local (tried with and
> without with no better results)
> ldap_version = 3
> #deref = never
> #base = OU=InfrastructureManagement,DC=domain,DC=local (works has a few
> users)
> base = OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local
> scope = subtree
> user_filter = (&(objectclass=person)(mail=%u))
> pass_filter = (&(objectclass=person)(mail=%u))
>
> and some logs in appendix B/
>
>
> Thanks for any hints on this.
>
> Have a nice day