Hi,
I'm new to the list; excuse me if this has been asked recently/before.
running:
# dovecot --version
1.0.8
Output of dovecot -n:
base_dir: /var/run/dovecot
protocols: none
ssl_disable: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/local/dovecot/libexec/dovecot/imap-login
auth default:
verbose: yes
debug: yes
debug_passwords: yes
passdb:
driver: ldap
args: /usr/local/dovecot/etc/dovecot-ldap.conf
userdb:
driver: ldap
args: /usr/local/dovecot/etc/dovecot-ldap.conf
socket:
type: listen
client:
path: /usr/local/postfix/spool/private/auth
mode: 432
user: postfix
group: postfix
master:
path: /var/run/dovecot-auth-master
mode: 438
Using dovecot only for the purpose of providing SMTP AUTH service for
Postfix, using Active Directory (AD) as authentication source. As you
can see from the config, connectivity between Dovecot and AD is
implemented using LDAP.
Contents of /usr/local/dovecot/etc/dovecot-ldap.conf (some site-specific
info masqueraded):
auth_bind = yes
pass_filter = (sAMAccountName=%u)
hosts = AD1.domain.com:3268 AD2.domain.com:3268
dn = CN=Service Account Postfix,OU=Services,DC=domain,DC=com
dnpass = secret
ldap_version = 3
base = DC=domain,DC=com
scope = subtree
Now, this works fine and authentication via SMTP AUTH + Dovecot works
perfect. Yet, every 15 minutes I get the following warning in the syslog
logfile:
Dec 24 07:20:00 hostname dovecot: auth(default): LDAP: ldap_result()
failed: Can't contact LDAP server
Dec 24 07:35:01 hostname dovecot: auth(default): LDAP: ldap_result()
failed: Can't contact LDAP server
Dec 24 07:50:01 hostname dovecot: auth(default): LDAP: ldap_result()
failed: Can't contact LDAP server
Dec 24 08:05:02 hostname dovecot: auth(default): LDAP: ldap_result()
failed: Can't contact LDAP server
Dec 24 08:20:02 hostname dovecot: auth(default): LDAP: ldap_result()
failed: Can't contact LDAP server
Dec 24 08:35:03 hostname dovecot: auth(default): LDAP: ldap_result()
failed: Can't contact LDAP server
I've looked through the archives and it seems that this problem is
caused by the fact that Dovecot (using the OpenLDAP client libraries?)
keeps the LDAP connection open; after (in our case) 15 minutes Active
Directory closes the connection and Dovecot signals this in the syslog
(and presumably automatically will create a new connection to AD).
I'm pretty sure that the OpenLDAP client libraries provide options to
use a client-side timeout for LDAP connections. My questions are:
* is there a reason that Dovecot wants to keep the LDAP connection open?
* Will the new V1.1 version have a config parameter to set the LDAP
client timeout or a default timeout value to close the connection?
* If there's no 'fix' foreseen for V1.1, I'd like to file a request
to add such a parameter. How can I file such a request?
The warning is annoying; the sysadmin will create a filter, to filter
the warning out from the syslog, but I'm afraid that if there's a real
problem with authentication, that will be filtered too and the real
problem is not noticed, before users start to complain.
/rolf
