Dovecot only does a descendent search if base is configured like : base = ou=baseOU,dc=internaldomain,dc=lan
In W2008 Active Directory, I set baseOU the same name as my company, for a better visibility.
Obviously, all users who need mails had to be in this OU, and you can create sub-OU in this OU, the search will works.
Don't have answer to the initial problem, but it's better than nothing.
]]>ldapsearch -x -b 'dc=mydomain,dc=lan' -D 'MYDOMAIN\vmail' -h dc.mydomain.lan -p 389 -W "(&(userPrincipalName=user@publicdomain.fr)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"How to "integrate" it in Dovecot queries ? I'm searching for this, but if you've propositions... 
Thanks
It complains "MYDOMAIN\vmail" is a invalid DN. Did you try to use 'vmail' instead? For example:
# ldapsearch ... -D 'vmail' ...
Same Error, invalid DN... Is there a config file for LDAP or something ?
In all cases, ldapsearch doesn't find my @publicdomain.fr users which are in Users group, vmail is in Users group, there's no reason ldapsearch find vmail...?
What is the role of :
"(&(userPrincipalName=user@mypublicdomain.fr)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"I saw over Internet that everyone put there "what he wants", are those arguments valid for my case ?
Thanks
]]>ldap_bind: Invalid DN syntax (34)
It complains "MYDOMAIN\vmail" is a invalid DN. Did you try to use 'vmail' instead? For example:
# ldapsearch ... -D 'vmail' ...Here's the error :
ldap_bind: Invalid DN syntax (34)
additional info: invalid DNThanks
# ldapsearch -x -b 'dc=mydomain,dc=lan' -D 'MYDOMAIN\vmail' -W "(&(userPrincipalName=user@mypublicdomain.fr)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"if not, please add '-d 256' after 'ldapsearch' and try again. Paste output of both commands here please (REMOVE sensitive info before posting)
]]> :Apr 19 13:18:42 auth(default): Info: new auth connection: pid=16646
Apr 19 13:18:57 auth(default): Info: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=60773 resp=AHNtYXJ0aW5AZnJhbm3h5Z2VuZS5mcgBzbTEyMzQ1NiE=
Apr 19 13:18:57 auth(default): Info: ldap(user@mypublicdomain.fr,127.0.0.1): bind search: base=cn=users,dc=resfrox,dc=lan filter=(&(userPrincipalName=user@mypublicdomain.fr)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Apr 19 13:18:57 auth(default): Info: ldap(user@mypublicdomain.fr,127.0.0.1): result: objectClass(?unknown?)= cn(?unknown?)= sn(?unknown?)= givenName(?unknown?)= distinguishedName(?unknown?)= instanceType(?unknown?)= whenCreated(?unknown?)= whenChanged(?unknown?)= displayName(?unknown?)= uSNCreated(?unknown?)= memberOf(?unknown?)= uSNChanged(?unknown?)= name(?unknown?)= objectGUID(?unknown?)= userAccountControl(?unknown?)= badPwdCount(?unknown?)= codePage(?unknown?)= countryCode(?unknown?)= badPasswordTime(?unknown?)= lastLogoff(?unknown?)= lastLogon(?unknown?)= pwdLastSet(?unknown?)= primaryGroupID(?unknown?)= objectSid(?unknown?)= accountExpires(?unknown?)= logonCount(?unknown?)= sAMAccountName(?unknown?)= sAMAccountType(?unknown?)= userPrincipalName(?unknown?)= objectCategory(?unknown?)= dSCorePropagationData(?unknown?)= lastLogonTimestamp(?unknown?)=
Apr 19 13:18:57 auth(default): Info: client out: OK 1 user=user@mypublicdomain.fr
Apr 19 13:18:57 auth(default): Info: master in: REQUEST 2 16624 1
Apr 19 13:18:57 auth(default): Info: ldap(user@mypublicdomain.fr,127.0.0.1): user search: base=cn=users,dc=localdomain,dc=lan scope=subtree filter=(&(userPrincipalName=user@mypublicdomain.fr)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) fields=
Apr 19 13:18:57 auth(default): Info: ldap(user@mypublicdomain.fr,127.0.0.1): result: objectClass(?unknown?)= cn(?unknown?)= sn(?unknown?)= givenName(?unknown?)= distinguishedName(?unknown?)= instanceType(?unknown?)= whenCreated(?unknown?)= whenChanged(?unknown?)= displayName(?unknown?)= uSNCreated(?unknown?)= memberOf(?unknown?)= uSNChanged(?unknown?)= name(?unknown?)= objectGUID(?unknown?)= userAccountControl(?unknown?)= badPwdCount(?unknown?)= codePage(?unknown?)= countryCode(?unknown?)= badPasswordTime(?unknown?)= lastLogoff(?unknown?)= lastLogon(?unknown?)= pwdLastSet(?unknown?)= primaryGroupID(?unknown?)= objectSid(?unknown?)= accountExpires(?unknown?)= logonCount(?unknown?)= sAMAccountName(?unknown?)= sAMAccountType(?unknown?)= userPrincipalName(?unknown?)= objectCategory(?unknown?)= dSCorePropagationData(?unknown?)= lastLogonTimestamp(?unknown?)=
Apr 19 13:18:57 auth(default): Info: master out: USER 2 user@mypublicdomain.fr home=/home/mail/mypublicdomain.fr/user/Maildir/ mail=maildir:/home/mail/mypublicdomain.fr/user/Maildir/
Apr 19 13:18:57 imap-login: Info: Login: user=<user@mypublicdomain.fr>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Loading modules from directory: /usr/lib/dovecot/modules/imap
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Module loaded: /usr/lib/dovecot/modules/imap/lib10_quota_plugin.so
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Module loaded: /usr/lib/dovecot/modules/imap/lib11_imap_quota_plugin.so
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Module loaded: /usr/lib/dovecot/modules/imap/lib20_autocreate_plugin.so
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Effective uid=1000, gid=1000, home=/home/mail/mypublicdomain.fr/user/Maildir/
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Quota root: name=user backend=dict args=:proxy::quotadict
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Quota rule: root=user mailbox=* bytes=0 messages=0
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Quota warning: bytes=0 (85%) messages=0 command=/usr/local/bin/dovecot-quota-warning.sh 85
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Quota warning: bytes=0 (90%) messages=0 command=/usr/local/bin/dovecot-quota-warning.sh 90
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Quota warning: bytes=0 (95%) messages=0 command=/usr/local/bin/dovecot-quota-warning.sh 95
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: dict quota: user=user@mypublicdomain.fr, uri=proxy::quotadict, noenforcing=0
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Namespace: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: maildir: data=/home/mail/mypublicdomain.fr/user/Maildir/
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: maildir++: root=/home/mail/mypublicdomain.fr/user/Maildir, index=, control=, inbox=/home/mail/mypublicdomain.fr/user/Maildir
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Namespace: type=shared, prefix=Shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=yes
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: shared: root=, index=, control=, inbox=
Apr 19 13:18:57 IMAP(user@mypublicdomain.fr): Info: Namespace : Using permissions from /home/mail/mypublicdomain.fr/user/Maildir: mode=0700 gid=-1Apr 19 13:01:37 auth(default): Info: new auth connection: pid=16300
Apr 19 13:01:50 auth(default): Info: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=60724 resp=AHNtYXJ0aW5AZnJbmNlb3h5Z2VuZS5gBzbTEyMzQ1NiE=
Apr 19 13:01:50 auth(default): Info: ldap(user@mypublicdomain.fr,127.0.0.1): bind search: base=dc=LOCALDOMAIN,dc=lan filter=(&(userPrincipalName=user@mypublicdomain.fr)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))And the dovecot-ldap.conf :
hosts = dc.mydomain.lan:389
ldap_version = 3
auth_bind = yes
dn = MYDOMAIN\vmail
dnpass = passwd_vmail
base = dc=mydomain,dc=lan
scope = subtree
deref = never
user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = userPassword=password
default_pass_scheme = CRYPT
user_attrs = =home=/home/mail/%Ld/%Ln/Maildir/,=mail=maildir:/home/mail/%Ld/%Ln/Maildir/The problem is, now, users I don't move to an OU, which is always in "Users" don't work since I changed "base" in dovecot-ldap.conf. I think "Users" group is considerate like an OU to the mail side.
Thanks
Why does it work with ldapsearch command but not with dovecot ?
if it works with ldapsearch, then it should work in Dovecot too.
Did you try to set 'mail_debug = yes' in Dovecot, restart Dovecot, then monitor Dovecot log file?
Could you please paste the whole dovecot-ldap.conf? REPLACE password by 'xxx' to hide sensitive information before posting.
nicolasfo wrote:nicolasfo wrote:What's the advantage of iRedAdmin with active directory configuration ?
iRedAdmin doesn't work with Active Directory, sorry.
It works with OpenLDAP, MySQL, and PostgreSQL (will be available in next release).
Ok, thx for information
Sure. Change 'base =' in dovecot-ldap.conf to the one you want. For example:
# OLD SETTING #base = cn=users,dc=example,dc=com # NEW SETTING base = dc=example,dc=com
I've already done this, but it doesn't work. 
Note: Please make sure your Active Directory server is allowed to search 'dc=example,dc=com'. As i remember, it's not allowed by default. (maybe i was wrong, just a kindly remind.)
I use this tutorial, and it doesn't work.
The Dovecot' log said nothing, no error. But in the telnet shell, it told me
* OK Waiting for authentication process to respond..but after a little time, I get timeout inactivity and get disconnected. I already have this "error" before make change in Windows Server.
I admit, I don't understand what you're talking about when you said allowed to search 'dc=example,dc=com'. The problem is, I don't know what to search on Google, I understand it deals with Windows restriction but nothing more...
Why does it work with ldapsearch command but not with dovecot ?
Thnaks
Is there a way that dovecot, don't only search users in CN=users but in the whole domain ?
Sure. Change 'base =' in dovecot-ldap.conf to the one you want. For example:
# OLD SETTING
#base = cn=users,dc=example,dc=com
# NEW SETTING
base = dc=example,dc=comNote: Please make sure your Active Directory server is allowed to search 'dc=example,dc=com'. As i remember, it's not allowed by default. (maybe i was wrong, just a kindly remind.)
What's the advantage of iRedAdmin with active directory configuration ?
iRedAdmin doesn't work with Active Directory, sorry.
It works with OpenLDAP, MySQL, and PostgreSQL (will be available in next release).
Today is new day, I come with 2 questions :
Is there a way that dovecot, don't only search users in CN=users but in the whole domain ?
For example, I've created an OU (organisationnal unit ), and put a user which "worked" when it was in CN=users. With telnet command, I can't log in with this account...
In dovecot ldap config files, I deleted CN=users, but it doesn't work...
But when I use ldapsearch command with this account, it works normally. So, it's a Dovecot "problem", I think.
What's the advantage of iRedAdmin with active directory configuration ?
Thanks
PS : I forgot the log file :
Apr 18 15:41:49 auth(default): Error: ldap(myuser@mydomain.fr,127.0.0.1): ldap_search((&(userPrincipalName=myuser@mydomain.fr)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))) failed: No such objectIt seems all is OK, but in the Adress Book, I've only groups (like grp_mail_test) but no users.
No errors, nowhere..
Is Adress book must show AD users ?
Thanks
EDIT : OK, my fault, same error than before, I must put an email adress in the user's properties.
]]>