[Dovecot] dovecot-ldap : can't find user in OU subtree

me at electronico.nc me at electronico.nc
Wed Oct 30 22:17:14 EET 2013


Hello and thanks for your answer.

On 30/10/2013 19:32, Steffen Kaiser wrote:
> On Wed, 30 Oct 2013, me at electronico.nc wrote:
>
>>> passdb {
>>>   args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
>>>   driver = ldap
>>> }
>>
>> /etc/dovecot/dovecot-ldap-passdb.conf.ext:
>>> hosts = localhost
>>> auth_bind = yes
>>> auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan
>
> You define your bind DN as cn=%u,OU=users,dc=domain,dc=lan
>
>>> ldap_version = 3
>>> base = ou=users,dc=domain,dc=lan
>>> scope = subtree
>>> pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
>
>>> user_attrs = uid=20001, gid=20001, home=/media/data/email/%n, 
> mail=/media/data/email/%n/mail
>>> user_filter = (&(objectClass=person)(cn=%n)(mail=*))
>
> pass_filter and user_filter differ in %u vs. %n.
It doesn't really matter in this situation, as users are connected to a
unique AD domain and their credentials are set up with user/password, so
in this case %u and %n are identical.
>
>> Here is the debug part when user test3 (located in ou=users, 
>> ou=administrative) tries to login:
>
> The auth_bind_userdn does not match the ou=administrative location. 
> Drop the auth_bind_userdn, IMHO, so Dovecot actually uses pass_filter 
> to search for the DN of the user.
>
I have tried a lot of ways to use DN or OU in pass_filter, like:
pass_filter = (&(objectClass=person)(cn=%u)(ou=users)(mail=*))
pass_filter = (&(objectClass=person)(cn=%u)(ou:dn:=rdk_users)(mail=*))
but it seems Active Directory doesn't support OU or DN in filters :-(

Thanks anyway for your help, this is definitely not a Dovecot issue.
Nicolas
>>> Oct 30 18:49:12 serveur dovecot: auth: 
>>> ldap(test3,10.10.20.208,<L6uskfDpKwAKChTQ>): invalid credentials
>>> Oct 30 18:49:14 serveur dovecot: auth: Debug: client passdb out: 
>>> FAIL#0111#011user=test3
>
>> As soon as I move user 'test3' back to ou=users, it can login ...
>>> Oct 30 18:53:57 serveur dovecot: auth: Debug: client passdb out: 
>>> OK#0111#011user=test3
>
>
> - -- Steffen Kaiser
>
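The change suggested in the quoted reply, written out as a configuration sketch (an added example, not part of either poster's message). The search account DN and its password are placeholders, and the sketch assumes ou=administrative sits somewhere below the configured base:

```conf
# /etc/dovecot/dovecot-ldap-passdb.conf.ext
# This file now holds a bind password: keep it readable by root only.

# --- As posted: bind DN built from a fixed template ---
# With auth_bind_userdn set, Dovecot performs no search and ignores
# pass_filter. It binds directly as the templated DN, so an entry that
# lives anywhere other than directly under OU=users gets
# "invalid credentials" even with the right password.
#auth_bind = yes
#auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan

# --- Search first, then bind as the DN that was found ---
hosts = localhost
ldap_version = 3

# Account used only for the lookup (placeholder values, assumption).
# Active Directory normally refuses anonymous searches, so a low-privilege,
# read-only account is needed here.
dn = cn=PLACEHOLDER-search-account,dc=domain,dc=lan
dnpass = PLACEHOLDER-password

# Still verify the password by binding as the user, but leave
# auth_bind_userdn unset so the DN comes from the search result.
auth_bind = yes

# The search covers base and everything beneath it. If the sub-OU is not
# below this base, move base up to a common ancestor.
base = ou=users,dc=domain,dc=lan
scope = subtree

# The filter matches on attributes of the entry only; the location in the
# tree is controlled by base and scope, not by the filter.
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
```

After reloading Dovecot, `doveadm auth test test3` exercises the passdb lookup without needing a mail client.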


