You need to disable referral following in /etc/ldap/ldap.conf (or whatever applies to your system)
Aki

On 13.09.2017 14:34, Garry Glendown wrote:
> Hi,
>
> I had to start using Dovecot on a machine as the new OS does not come
> with Cyrus IMAP anymore. After multiple problems, I managed to get
> everything working, including LDAP authentication against the (old)
> Novell LDAP server.
> Anyway, the authentication is supposed to be migrated to the new Windows
> AD. For other tools, I successfully migrated the config to use AD, but
> somehow Dovecot does not work as it should.
>
> I've been going back and forth, trying everything I could think of, but
> still can't get it to work.
>
> Here's the excerpt from the config file:
>
> hosts = 10.10.10.210
> uris = ldap://10.10.10.210:389
> dn = cn=Administrator,cn=Users,dc=srv,dc=SLD,dc=net
> dnpass = PASSWORD
> tls = no
> debug_level = -1
> auth_bind = yes
> ldap_version = 3
> base = DC=srv,dc=SLD,dc=net
> deref = never
> scope = subtree
> user_attrs = sAMAccountName=user
> user_filter = (&(sAMAccountName=%n)(objectclass=person))
> pass_attrs = sAMAccountName=user
> pass_filter = (&(sAMAccountName=%n)(objectclass=person))
> iterate_attrs = mail=user
> iterate_filter = (objectclass=person)
> default_pass_scheme = PLAIN
>
> The problem might be caused by the referral info sent by the AD, which I
> can see both in the results dovecot gets (checked with tcpdump), as well
> as in ldapsearch ... apart from the actual search result, I always get
> three additional results:
>
> # refldap://DomainDnsZones.srv.SLD.net/DC=DomainDnsZones,DC=srv,DC=SLD,DC=net
>
> # refldap://ForestDnsZones.srv.SLD.net/DC=ForestDnsZones,DC=srv,DC=SLD,DC=net
>
> # refldap://srv.SLD.net/CN=Configuration,DC=srv,DC=SLD,DC=net
>
> From what I can see in the pcap as well as some of the logs, dovecot
> binds to the AD, sends out the LDAP query correctly, gets the lookup
> result with the user queried plus the above three referrals, then
> unbinds from the (named) bind, attempts a simple bind without dn/dnpass
> (multiple times), and finally sends three additional search requests
> under the search bases
>
> cn=Configuration,DC=srv,DC=SLD,DC=net
> DC=ForestDnsZones,DC=srv,DC=SLD,DC=net
> DC=DomainDnsZones,DC=srv,DC=SLD,DC=net
>
> These three requests are denied by the AD as they are not permitted
> without a successful prior bind.
> Dovecot then fails the auth process.
>
> Is there a way to stop Dovecot from using the referrals? Openldap seems
> to have an option to disable referrals, but Dovecot does not allow that
> option in its LDAP config, and having the option set in the global
> ldap.conf doesn't seem to help any, either. Is there possibly a way to
> disable the referral information on the AD side?
>
> Thanks, Garry
>
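Added example, not part of Aki's reply or Garry's message: the ldap.conf(5) directive Aki is pointing at (REFERRALS, which libldap defaults to on), shown as the default config beside the corrected one, plus a small POSIX sh check that a given ldap.conf really turns referral chasing off. The sample files, scratch paths and the live_check helper are constructed for illustration; the host and base DN are copied from Garry's excerpt.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates the ldap.conf(5)
# REFERRALS directive with a check that a given file disables referral
# chasing. Sample configs and paths are constructed for illustration; the
# host and base DN are copied from Garry's excerpt.
set -f   # no glob expansion while splitting config lines into words

# Default (weak) client config: REFERRALS is absent, so libldap defaults to
# on and chases the three refldap:// URLs AD returns alongside the user
# entry. It has no credentials for the referred partition, so it rebinds
# anonymously (the "simple bind without dn/dnpass" in Garry's pcap); AD
# refuses the follow-up searches and the whole lookup fails.
WEAK_CONF='# /etc/ldap/ldap.conf (constructed sample, referral chasing on)
BASE    dc=srv,dc=SLD,dc=net
URI     ldap://10.10.10.210:389
'

# Fixed client config: the search result still carries the referrals, but
# libldap no longer follows them, so Dovecot only sees the user entry.
FIXED_CONF='# /etc/ldap/ldap.conf (constructed sample, referral chasing off)
BASE    dc=srv,dc=SLD,dc=net
URI     ldap://10.10.10.210:389
REFERRALS off
'

# referrals_disabled FILE
# Exit status 0 when FILE turns referral chasing off, 1 otherwise.
# Mirrors how ldap.conf(5) is read: '#' lines are comments, directive names
# are case-insensitive, REFERRALS takes on/true/yes or off/false/no, a later
# occurrence overrides an earlier one, and the default is on.
referrals_disabled() {
    conf=$1
    state=on
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in '#'*|'') continue ;; esac
        set -- $line
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        [ "$key" = referrals ] || continue
        val=$(printf '%s' "${2:-}" | tr '[:upper:]' '[:lower:]')
        case "$val" in
            off|false|no) state=off ;;
            on|true|yes)  state=on ;;
        esac
    done < "$conf"
    [ "$state" = off ]
}

# live_check USER  (hypothetical helper, not run offline: needs the AD
# server and a running Dovecot). After editing ldap.conf, restart dovecot
# so the auth process re-initialises libldap, then run the passdb lookup
# the way Dovecot itself does. With referral chasing off, the anonymous
# rebinds and the three extra searches from Garry's pcap no longer appear.
live_check() {
    doveadm auth test "$1"
}

# Write the constructed samples to a scratch directory and check both.
demo_dir=$(mktemp -d)
printf '%s' "$WEAK_CONF"  > "$demo_dir/ldap.conf.weak"
printf '%s' "$FIXED_CONF" > "$demo_dir/ldap.conf.fixed"

for f in weak fixed; do
    if referrals_disabled "$demo_dir/ldap.conf.$f"; then
        echo "ldap.conf.$f: referral chasing off"
    else
        echo "ldap.conf.$f: referral chasing ON (default), libldap will follow AD referrals"
    fi
done
rm -rf "$demo_dir"
```

Two things worth knowing when applying this. libldap reads the system-wide file (/etc/ldap/ldap.conf on Debian-based systems, /etc/openldap/ldap.conf on Red Hat-based ones) when the client initialises, so Dovecot has to be restarted after the change, and a ~/.ldaprc in an administrator's home directory is not seen by the auth process, which runs under its own account. ldapsearch is not a useful test for the setting: the OpenLDAP command-line tools only chase referrals when given -C, which is why it shows the three refldap:// lines as comments instead of failing the way Dovecot does; doveadm auth test exercises the same passdb path Dovecot uses. As for the AD side of Garry's question: those three referrals (DomainDnsZones, ForestDnsZones, Configuration) are returned by any subtree search of the domain partition on port 389 and cannot be switched off there; the usual server-side alternative is to query the Global Catalog on port 3268, which answers the same search without them but only returns attributes in the partial attribute set.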