[Dovecot] dovecot-ldap : can't find user in OU subtree

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Wed Oct 30 10:32:10 EET 2013



On Wed, 30 Oct 2013, me at electronico.nc wrote:

>> passdb {
>>   args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
>>   driver = ldap
>> }
>
> /etc/dovecot/dovecot-ldap-passdb.conf.ext:
>> hosts = localhost
>> auth_bind = yes
>> auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan

You define your bind DN as cn=%u,OU=users,dc=domain,dc=lan

>> ldap_version = 3
>> base = ou=users,dc=domain,dc=lan
>> scope = subtree
>> pass_filter = (&(objectClass=person)(cn=%u)(mail=*))

>> user_attrs = uid=20001, gid=20001, home=/media/data/email/%n, mail=/media/data/email/%n/mail
>> user_filter = (&(objectClass=person)(cn=%n)(mail=*))

pass_filter and user_filter differ in %u vs. %n.

> Here is the debug part when user test3 (located in ou=users, 
> ou=administrative) tries to login:

The auth_bind_userdn does not match the ou=administrative location. Drop 
the auth_bind_userdn, IMHO, so Dovecot actually uses pass_filter to 
search for the DN of the user.

>> Oct 30 18:49:12 serveur dovecot: auth: 
>> ldap(test3,10.10.20.208,<L6uskfDpKwAKChTQ>): invalid credentials
>> Oct 30 18:49:14 serveur dovecot: auth: Debug: client passdb out: 
>> FAIL#0111#011user=test3

> As soon as I move user 'test3' back to ou=users, it can login ...
>> Oct 30 18:53:57 serveur dovecot: auth: Debug: client passdb out: 
>> OK#0111#011user=test3


-- 
Steffen Kaiser
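
Added example, not part of the original message and not Dovecot's own code: a small Python model of the two lookup modes discussed above, showing why a fixed auth_bind_userdn template cannot reach an entry in a sub-OU while a pass_filter search under the base with scope = subtree can (and why scope = onelevel or %u vs. %n changes the result). Assumptions: the directory entries and the DN of test3 are constructed sample data, the function names are hypothetical, and the filter is hard-coded as a predicate instead of being sent to an LDAP server.

```python
import re

# Constructed sample entries (DN -> attributes); the DNs are assumptions, not data from the thread.
DIRECTORY = {
    "cn=test1,ou=users,dc=domain,dc=lan":
        {"objectClass": ["person"], "cn": "test1", "mail": "test1@domain.lan"},
    "cn=test3,ou=administrative,ou=users,dc=domain,dc=lan":
        {"objectClass": ["person"], "cn": "test3", "mail": "test3@domain.lan"},
}
BASE = "ou=users,dc=domain,dc=lan"                  # base from the quoted config
BIND_TEMPLATE = "cn=%u,OU=users,dc=domain,dc=lan"   # auth_bind_userdn from the quoted config

def expand(template, user):
    """Expand Dovecot's %u (full username) and %n (part before '@')."""
    values = {"u": user, "n": user.split("@", 1)[0]}
    return re.sub(r"%([un])", lambda m: values[m.group(1)], template)

def rdns(dn):
    """Split a DN into lowercase RDNs (simplified: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]

def template_bind_dn(user):
    """auth_bind_userdn mode: the DN is built from the template, no search is done."""
    dn = expand(BIND_TEMPLATE, user)
    exists = any(rdns(dn) == rdns(entry) for entry in DIRECTORY)
    return dn, exists  # a bind to a DN that does not exist fails as "invalid credentials"

def search_dns(user, cn_template="%u", scope="subtree"):
    """Search mode: apply (&(objectClass=person)(cn=...)(mail=*)) under BASE."""
    base, cn = rdns(BASE), expand(cn_template, user).lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        parts = rdns(dn)
        depth = len(parts) - len(base)
        below = depth >= 0 and parts[-len(base):] == base
        in_scope = below if scope == "subtree" else (below and depth == 1)
        if (in_scope and "person" in attrs["objectClass"]
                and attrs["cn"].lower() == cn and attrs.get("mail")):
            hits.append(dn)  # the DN that would then be used for the bind
    return hits

if __name__ == "__main__":
    for user in ("test1", "test3"):
        print(user, template_bind_dn(user), search_dns(user))
```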