Hi,

A company has an Active Directory with sub-domains, and when Postfix queries the main LDAP server, if the user isn't present on this server, it receives referrals to the sub-domain LDAP servers. When chase_referrals is turned on, Postfix tries to connect to the sub-domain LDAP servers, but doesn't do a bind operation, and can't query the servers.

ldap_domain = example.com
ldap_bind = yes
ldap_bind_dn = r...@example.com
ldap_bind_pw = password
ldap_server_host = 192.168.4.13
ldap_version = 3
ldap_chase_referrals = yes
ldap_search_base = DC=cdp
ldap_query_filter = (&(objectClass=person)(sAMAccountName=%u))
ldap_result_attribute = sAMAccountName
ldap_result_format = %...@example.com

Tcpdump...

192.168.4.13 is a master ldap server
192.168.2.7 is a sub-domain ldap server

16:46:07.484330 IP 192.168.4.23.41888 > 192.168.4.13.389: P 1:42(41) ack 1 win 92 <nop,nop,timestamp 3415653 0>
......RAi......\....... .4.e....0'...`"........@example.com. password

16:46:07.485520 IP 192.168.4.13.389 > 192.168.4.23.41888: P 1:23(22) ack 42 win 65494 <nop,nop,timestamp 15278934 3415653>
........i.....Rj.....j..... ..#V.4.e0........a..... ......

###### BIND OK ON MASTER #######

16:46:07.485546 IP 192.168.4.23.41888 > 192.168.4.13.389: . ack 23 win 92 <nop,nop,timestamp 3415654 15278934>
......Rji..,...\....... .4.f..#V

16:46:07.486064 IP 192.168.4.23.41888 > 192.168.4.13.389: P 42:152(110) ack 23 win 92 <nop,nop,timestamp 3415654 15278934>
......Rji..,...\.;..... .4.f..#V0l...cg..DC=cdp .. ....... ..../....objectClass..person....sAMAccountName..rei0...sAMAccountName

16:46:07.486304 IP 192.168.4.13.389 > 192.168.4.23.41888: P 23:355(332) ack 152 win 65384 <nop,nop,timestamp 15278934 3415654>
........i..,..R....hM...... ..#V.4.f0....;...s....2.0ldap://192.168.2.7/DC=pvc,DC=cdp0....Q...s....H.Fldap://ForestDnsZones.cdp/DC=ForestDnsZones,DC=cdp0....Q...s....H.Fldap://DomainDnsZones.cdp/DC=DomainDnsZones,DC=cdp0....A...s....8.6ldap://cdp/CN=Configuration,DC=cdp0........e..... ......

16:46:07.486735 IP 192.168.4.23.37455 > 192.168.2.7.389: S 3745197042:3745197042(0) win 5840 <mss 1460,sackOK,timestamp 3415654 0,nop,wscale 6>
E..<5...@.@.}..........O...;+..........%.........

###### GOT REFERRALS FROM MASTER #######

e.....@.@.}H.........O...;,...z4...\....... .4......0s...cn..DC=pvc,DC=cdp .. ....... ..../....objectClass..person....sAMAccountName..rei0...sAMAccountName

16:46:07.685929 IP 192.168.2.7.389 > 192.168.4.23.37455: P 23:196(173) ack 132 win 64109 <nop,nop,timestamp 13548259 3415688>
e.....@.}.a............o..z4.;,v...m....... .....4..0........e..... ..........00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece.

###### DON'T BIND ON 192.168.2.7 #######

--
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net
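
Added example, not part of the original post and not Postfix code: the connection opened for a chased referral starts unauthenticated, as the error from 192.168.2.7 shows, so a client has to bind again on it, and the capture shows the simple-bind password crossing port 389 in clear. The sketch parses the four referral URLs from the capture and re-sends credentials only to allow-listed hosts; TRUSTED_HOSTS and both function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Referral URLs copied from the capture in the post.
REFERRALS = [
    "ldap://192.168.2.7/DC=pvc,DC=cdp",
    "ldap://ForestDnsZones.cdp/DC=ForestDnsZones,DC=cdp",
    "ldap://DomainDnsZones.cdp/DC=DomainDnsZones,DC=cdp",
    "ldap://cdp/CN=Configuration,DC=cdp",
]

# Assumption (not from the post): servers trusted to receive the bind password.
TRUSTED_HOSTS = {"192.168.4.13", "192.168.2.7"}

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_referral(url):
    """Split an LDAP referral URL into scheme, host, port and search base."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {url!r}")
    if not parts.hostname:
        raise ValueError(f"referral names no host: {url!r}")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,  # urlsplit lower-cases the host name
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "base": unquote(parts.path.lstrip("/")),
    }


def plan_chase(referrals, trusted_hosts):
    """Return (url, action) pairs, action being 'rebind' or 'skip'.

    'rebind' means: follow the referral and bind with the configured DN.
    Malformed URLs and hosts outside the allow-list are skipped, so the
    password never goes to a server named only by a referral.
    """
    trusted = {h.lower() for h in trusted_hosts}
    plan = []
    for url in referrals:
        try:
            ref = parse_referral(url)
        except ValueError:
            plan.append((url, "skip"))
            continue
        plan.append((url, "rebind" if ref["host"] in trusted else "skip"))
    return plan


if __name__ == "__main__":
    for url, action in plan_chase(REFERRALS, TRUSTED_HOSTS):
        print(f"{action:6} {url}")
```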