
I am trying to get dovecot 2.0.19 to authenticate users via LDAP (OpenLDAP 2.4.28) and am using Wireshark to debug the process. It looks like the basic configuration of dovecot is fine, but it doesn't manage to send the right request to the LDAP server. First of all, this is how my LDAP entries look:

# ht
dn: dc=ht
objectClass: top
objectClass: dcObject
objectClass: organization
o: ip
dc: ht

# admin, ht
dn: cn=admin,dc=ht
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9cFY1b0ZZVUhack1aRTVvaUg1T3c2cytVWHV4aUNvaHI=

# people, ht
dn: ou=people,dc=ht
objectClass: organizationalUnit
objectClass: top
ou: people

# groups, ht
dn: ou=groups,dc=ht
objectClass: organizationalUnit
objectClass: top
ou: groups

# ipusers, groups, ht
dn: cn=ipusers,ou=groups,dc=ht
gidNumber: 500
cn: ipusers
objectClass: posixGroup
objectClass: top

# Max Mustermann, people, ht
dn: cn=Max Mustermann,ou=people,dc=ht
cn: Max Mustermann
givenName: Max
gidNumber: 500
homeDirectory: /home/users/mmustormann
sn: Mustermann
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: mmustermann
userPassword:: e01ENX1ETUYxdWNEeHRxZ3h3NW5pYVhjbVlRPT0=
loginShell: /bin/bash
mail: mustorm@test.com

Now, I use the following configuration for dovecot:

hosts = 10.1.2.1
dn = cn=admin,dc=ht
dnpass = a
auth_bind = yes
auth_bind_userdn = uid=%u,ou=people,dc=ht
ldap_version = 3
scope = subtree
base = ou=people,dc=ht
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))

Now what I see in Wireshark:

[Wireshark screenshot]

Dovecot cannot authenticate itself for some reason...

If I change the configuration as follows:

auth_bind = no 
#auth_bind_userdn = uid=%u,ou=people,dc=ht

Then I get following picture:

[Wireshark screenshot]

It doesn't pick up the setting base = ou=people,dc=ht. But what is more crucial is that even when looking at the whole tree ("<ROOT>", wholeSubTree) it can't find the required entry.

I am really desperate and don't know how to make it work. I really just need to make it somehow work.


1 Answer


Funny solution... but very annoying on the other hand. The mistake was to take the example configuration file dovecot-ldap.conf.ext, where everything was commented out. I ASSUMED it was commented out. The only single uncommented line was base =. I found it out after two days of torture...

This is the reason why dovecot sent a search request with base=<ROOT>. And this is why it doesn't return any results. And the solution was to comment this line out.

Actual config:

hosts = 10.1.2.1
dn = cn=admin,dc=ht
dnpass = a
base = ou=people,dc=ht
ldap_version = 3
scope = onelevel
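The trap in this answer is easy to reproduce offline: a stock example file whose only live line is an empty `base =`, merged with your own settings, leaves `base` both duplicated and empty, and dovecot then searches from `<ROOT>`. The script below is an added illustration (not dovecot code and not from either post) that reads a dovecot-ldap.conf.ext-style file with dovecot's comment rules, reports empty or repeated keys, and then checks the `auth_bind_userdn` template from the question against a LDIF dump. That second check surfaces a detail visible in the posted data: the template `uid=%u,ou=people,dc=ht` produces a DN that the posted directory does not contain, since the user entry's DN is `cn=Max Mustermann,ou=people,dc=ht`. Assumptions: the sample config and LDIF are constructed from the question's values (the position of the leftover `base =` line is invented), `%u` is replaced by the login name, and no precedence between duplicate keys is relied on.

```python
"""Offline checks for a dovecot LDAP config against an LDIF export (added example)."""
import re
from collections import defaultdict

# Constructed sample: the question's settings merged into a file that still
# carries the stock example's uncommented "base =" line (placement assumed).
SAMPLE_CONF = """\
hosts = 10.1.2.1
dn = cn=admin,dc=ht
dnpass = a
auth_bind = yes
auth_bind_userdn = uid=%u,ou=people,dc=ht
ldap_version = 3
scope = subtree
base = ou=people,dc=ht
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_filter = (&(objectClass=posixAccount)(uid=%u))
# LDAP base. %variables can be used here.   (leftover from the example file)
base =
"""

# Constructed sample LDIF: the two entries from the question that matter here
# (attributes unfolded, no base64 "::" values).
SAMPLE_LDIF = """\
dn: ou=people,dc=ht
objectClass: organizationalUnit
ou: people

dn: cn=Max Mustermann,ou=people,dc=ht
cn: Max Mustermann
uid: mmustermann
objectClass: inetOrgPerson
objectClass: posixAccount
"""


def parse_conf(text):
    """Return {key: [value, ...]} keeping every occurrence in file order.

    Blank lines and lines starting with '#' are ignored, as dovecot does;
    which duplicate dovecot honours is deliberately not modelled.
    """
    settings = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()].append(value.strip())
    return dict(settings)


def conf_problems(settings):
    """List (key, message) pairs for repeated and empty settings."""
    problems = []
    for key, values in settings.items():
        if len(values) > 1:
            problems.append((key, "set %d times: %r" % (len(values), values)))
        if "" in values:
            note = " (search would start at <ROOT>)" if key == "base" else ""
            problems.append((key, "has an empty value" + note))
    return problems


def normalize_dn(dn):
    """Case-fold a DN and drop whitespace after the separating commas."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def parse_ldif(text):
    """Return {normalized_dn: {attr: [values]}} for a simple unfolded LDIF."""
    entries, current, dn = {}, None, None
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = None, None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn, current = normalize_dn(value), defaultdict(list)
            current["dn"].append(value)  # keep the original spelling for display
        elif current is not None:
            current[attr].append(value)
    return entries


def check_bind_dn(settings, entries, username):
    """Expand auth_bind_userdn for `username` and compare it with the directory.

    Returns (candidate_dn, exists, actual_dns): actual_dns are the entries under
    the configured base whose uid attribute equals the login name.
    """
    template = settings["auth_bind_userdn"][-1]
    candidate = normalize_dn(template.replace("%u", username))
    bases = [normalize_dn(v) for v in settings.get("base", []) if v]
    base = bases[-1] if bases else ""  # "" behaves like <ROOT>: everything matches
    actual = [attrs["dn"][0] for dn, attrs in entries.items()
              if dn.endswith(base) and username in attrs.get("uid", [])]
    return candidate, candidate in entries, actual


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for key, msg in conf_problems(conf):
        print("config: %s %s" % (key, msg))
    cand, ok, real = check_bind_dn(conf, parse_ldif(SAMPLE_LDIF), "mmustermann")
    print("bind DN %s exists: %s; entries with that uid: %s" % (cand, ok, real))
```

Run against a real export (`slapcat` output or an `ldapsearch` dump with wrapped lines unfolded), the second check tells you whether `auth_bind` can ever succeed with the chosen template, which is worth knowing before reading packet captures.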