Thanks again for the solution and for the explanation.

Fran

On 10/09/2015 at 15:40, Matthias Lay wrote:
> Hi Fran,
>
>
> this is not a dovecot problem, that's a pure dns problem and can only
> be fixed in your dns environment.
>
>
> referrals are propagated in a "special" dns design in SRV records.
> so the ldap client performs a dns lookup for these names and this is the
> point of hanging (as in most "hanging cases", it's dns).
>
> see:
> https://technet.microsoft.com/en-us/library/cc978014.aspx
> https://technet.microsoft.com/en-us/library/cc961719.aspx
> http://www.mail-archive.com/cas@tp.its.yale.edu/msg00797.html
>
> for information.
>
>
> Greetz Matze
>
>
> On Thu, 10 Sep 2015 13:10:57 +0200
> Fran <cumc-436...@chguadalquivir.es> wrote:
>
>> Hi Matthias,
>>
>> thank you very much! that fixed the problem.
>>
>> I had worked around the problem by using "base = ou=xxxx, dc=dom",
>> instead of "base = dc=dom" in the dovecot-ldap.conf.ext file, because
>> that also worked (I don't know why, but the problem happens if you use
>> as base just the domain, but not if you add a second level). But that
>> forced me to use several userdb/passdb block definitions, one for
>> each OU in which I have users, so I think that your fix is better.
>>
>> I'm not able to understand the actual reason behind all this though...
>>
>> What's the technical explanation behind this behaviour?? I mean, it
>> seems to be that the problem is that the Domain controller (DC) was
>> sending a "referrals" answer and dovecot auth made a connection to
>> these other DCs but something wrong happened (dovecot can't deal
>> correctly with that kind of answers?? I don't know).
>>
>> Anyways, as far as I know:
>>
>> 1) A referral answer should be done by a DC when it can't provide the
>> object that the client is requesting
>> 2) REFERRALS off in ldap.conf means that the client should not follow
>> referrals returned by the DC
>>
>> So, if a referral answer is given from my DC, I think that is because
>> such DC can't provide the object which the client is looking for, so,
>> why does it work fine just by telling dovecot: "Don't follow referrals"?
>>
>> Regards
>>
>>
>>
>> On 09/09/2015 at 17:22, Matthias Lay wrote:
>>> hi,
>>>
>>> check your
>>>
>>> /etc/openldap/ldap.conf
>>>
>>> for
>>>
>>> REFERRALS off
>>>
>>> I had these errors with "referrals on" in misconfigured dns
>>> environments.
>>>
>>>
>>> you can debug the dns packets by strace-ing the auth process
>>>
>>>
>>> On Tue, 8 Sep 2015 11:00:37 +0200