We are using Dovecot with LDAP.
From the beginning, we have been using a GC LDAP query on port 3268 for email accounts. For example, us...@our-organization.org (in the USA) with "base = dc=our-organization, dc=org" works fine.

But according to this document:
https://wiki2.dovecot.org/AuthDatabase/LDAP
when we change LDAP from port 3268 to 389 with TLS, the base should be changed like this:
"base = ou=usa, dc=our-organization, dc=org"

But if the user (user2) is located in the United Kingdom (ou=gbr), that user cannot log in.

When we debug with ldapsearch:
ldapsearch -ZZ -v -h dc.our-organization.org -p 389 -D 'cn=auth_user,ou=usa,dc=our-organization,dc=org' -W -b 'dc=our-organization, dc=org' '(userPrincipalName=us...@our-organization.org)'
it returns user2's information together with some "numReferences".

But in Dovecot, with "base = dc=our-organization, dc=org", it only reports an auth error with a timeout.

Here is the config:
# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 9.3
auth_verbose = yes
dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u -l%{lock_timeout} -n%{namespace}
imap_id_send =
imapc_user = %u
import_environment = TZ
listen = *
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_shared_explicit_inbox = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  driver = ldap
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = " imap sieve"
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  service_count = 0
}
ssl_ca = /etc/ssl/certs/ca.pem
ssl_cert = </etc/ssl/gameloft/our-organization.org.crt
ssl_key =  # hidden, use -P to show it
ssl_parameters_regenerate = 1 weeks
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}


So my question is: does Dovecot LDAP auth support LDAP referrals?
If Dovecot relies on OpenLDAP, they should be supported.
If not, why not, and what is the workaround?

Xuan Jia

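Added example, not part of Xuan Jia's message. The ldapsearch run quoted above returns user2's entry plus continuation references, which is what the "numReferences" line counts. A domain controller answering on port 389 serves only its own naming contexts and hands back references for the naming contexts below the search base that it does not answer for (at minimum the ForestDnsZones and DomainDnsZones application partitions), whereas a forest-root search on the Global Catalog port 3268 is answered from the GC's partial replica of the whole forest and normally comes back without such references. The ldapsearch tool merely prints references (it chases them only with -C), but an application built on OpenLDAP's libldap follows them by default unless it disables LDAP_OPT_REFERRALS, so every referred hostname has to resolve and be reachable from the client or the search stalls. The shell functions below split saved ldapsearch output into the entries found and the hosts named in references; the sample output, hostnames and DNs are constructed for illustration and do not come from the post.

```shell
#!/bin/sh
# Added example, not from the original post: separate the entries an
# ldapsearch run returned from the continuation references (referrals) it
# returned, and list the hosts a referral-chasing client would contact next.
# Hostnames, DNs and the sample output are constructed for illustration.

# DNs of the entries actually returned by the search.
ldif_entry_dns() {
    grep '^dn: ' | sed 's/^dn: //'
}

# Number of entries returned; prints 0 (and still succeeds) when none matched.
ldif_entry_count() {
    grep -c '^dn: ' || true
}

# Hosts named in continuation references. ldapsearch prints a reference as
# "# refldap://host/DC=..." in its default output and as "ref: ldap://..."
# when it is written as an LDIF value; both forms are recognised.
ldif_referral_hosts() {
    sed -n \
        -e 's|^# refldap://\([^/]*\)/.*|\1|p' \
        -e 's|^ref: ldap://\([^/]*\)/.*|\1|p' \
        | LC_ALL=C sort -u
}

# Constructed sample: what a subtree search for user2 at the domain root on
# port 389 typically looks like. The entry is found, and the DC also hands
# back references for the subordinate naming contexts (here the two DNS
# application partitions) that sit below the search base.
SAMPLE_LDIF='# extended LDIF
#
# LDAPv3
# base <dc=our-organization,dc=org> with scope subtree
# filter: (userPrincipalName=user2@our-organization.org)
# requesting: ALL
#

# user2, Users, gbr, our-organization.org
dn: CN=user2,CN=Users,OU=gbr,DC=our-organization,DC=org
objectClass: user
sAMAccountName: user2
userPrincipalName: user2@our-organization.org

# search reference
# refldap://ForestDnsZones.our-organization.org/DC=ForestDnsZones,DC=our-organization,DC=org

# search reference
# refldap://DomainDnsZones.our-organization.org/DC=DomainDnsZones,DC=our-organization,DC=org

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 1
# numReferences: 2'

# Against a live directory (not run here), pipe the real query in instead,
# once per port, and compare what each returns:
#   ldapsearch -ZZ -H ldap://dc.our-organization.org:389 \
#       -D 'cn=auth_user,ou=usa,dc=our-organization,dc=org' -W \
#       -b 'dc=our-organization,dc=org' \
#       '(userPrincipalName=user2@our-organization.org)' | ldif_referral_hosts
printf 'entries: %s\n' "$(printf '%s\n' "$SAMPLE_LDIF" | ldif_entry_count)"
printf '%s\n' "$SAMPLE_LDIF" | ldif_entry_dns
printf 'referral hosts:\n'
printf '%s\n' "$SAMPLE_LDIF" | ldif_referral_hosts
```

Run the same query against port 3268 and port 389 and compare the two referral-host lists. If the 389 list names hosts the mail server cannot resolve or reach, a client that follows referrals will spend its timeout on them even though the user's entry itself was returned, which is worth ruling out before blaming the base DN.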