The next combination of parameters makes 100% of LDAP connections unsuccessful 
(the log snippet from the previous mail).
sasl_bind = yes
sasl_mech = gssapi
tls = yes

Looks like this combination is utterly incorrect and should be prohibited (tls 
must not be used when mech is gssapi).
https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/

With `tls = no`, the `encoded packet size too big` errors become sporadic, but 
still hurt auth operations performance.
Maybe there are two different problems.

Has someone encountered this problem before?
How can I help to facilitate the issue debugging?

[I] net-mail/dovecot
     Installed versions:  2.3.7.1(01:58:12 08/14/19)(bzip2 caps ipv6 kerberos 
ldap libressl lua lz4 lzma pam postgres sieve sqlite tcpd zlib -argon2 -doc 
-lucene -managesieve -mysql -selinux -solr -static-libs -suid -textcat 
-vpopmail)

On 8/15/19 12:01 AM, Eugene wrote:
> Hello!
> 
> Dovecot uses its own SASL implementation, doesn't it?
> 
>       Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1
>       Aug 14 23:45:23 example.com auth[10428]: encoded packet size too big 
> (813804546 > 65536)
>       Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428): Error: 
> LDAP: Can't connect to server: ldap://ipa2.example.com
>       Aug 14 23:45:23 example.com dovecot[10085]: auth: Error: auth worker: 
> Aborted USER request for eugene: Lookup timed out
>       Aug 14 23:45:23 example.com dovecot[10085]: imap: Error: auth-master: 
> login: request [3847225345]: Login auth request failed: Internal auth failure 
> (auth connected 60000 msecs ago, request took 60000 msecs, client-pid=10362 
> client-id=1)
> 
> Looks like cyrus-sasl encountered the same problem earlier.
> https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003001.html
> 
> I never have such an issue with ldapsearch. So, I assume there is a similar 
> problem in Dovecot SASL implementation.
> 

-- 
Eugene Bright
IT engineer
Tel: + 79257289622
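
Added example, not part of the original message and not Dovecot or cyrus-sasl code: a SASL security layer prefixes each protected buffer with a 4-byte big-endian length (RFC 4422), so the oversized value in the log above can be turned back into the four bytes that were read and checked against known protocol headers. Function and variable names are hypothetical; the sample lines are re-joined from the quoted log excerpt.

```python
import re
import struct

# Constructed from the log excerpt quoted in the message above (wrapped line re-joined).
SAMPLE_LOG = [
    "Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1",
    "Aug 14 23:45:23 example.com auth[10428]: encoded packet size too big (813804546 > 65536)",
]
SIZE_RE = re.compile(r"encoded packet size too big \((\d+) > (\d+)\)")

def classify_prefix(value):
    """Interpret a reported SASL packet size as the 4 wire bytes it was read from."""
    raw = struct.pack(">I", value)      # SASL security layer: 4-byte big-endian length
    info = {"bytes": raw.hex(" "), "looks_like": "unknown"}
    if raw[0] == 0x30:                  # BER universal constructed SEQUENCE
        first = raw[1]
        if first < 0x80:                # short-form length
            length, used = first, 2
        else:                           # long form: low 7 bits = number of length octets
            n = first & 0x7F
            if n == 0 or 2 + n > len(raw):
                length, used = None, len(raw)   # length runs past the 4 bytes we have
            else:
                length, used = int.from_bytes(raw[2:2 + n], "big"), 2 + n
        info["ber_length"] = length
        # LDAPMessage ::= SEQUENCE { messageID INTEGER, ... }: INTEGER tag 0x02 comes next
        if used < len(raw) and raw[used] == 0x02:
            info["looks_like"] = "unwrapped LDAPMessage (BER)"
        else:
            info["looks_like"] = "BER SEQUENCE"
    elif raw[0] in (0x14, 0x15, 0x16, 0x17) and raw[1] == 0x03:
        info["looks_like"] = "TLS record header"    # content type + major version 3
    return info

def scan(lines):
    """Return (reported_size, limit, classification) for each matching log line."""
    out = []
    for line in lines:
        m = SIZE_RE.search(line)
        if m:
            got, limit = int(m.group(1)), int(m.group(2))
            out.append((got, limit, classify_prefix(got)))
    return out

if __name__ == "__main__":
    for got, limit, info in scan(SAMPLE_LOG):
        print(got, ">", limit, info)
```

For 813804546 the four bytes are `30 81 ac 02`, which is how a BER-encoded LDAPMessage of 172 content bytes begins, not a plausible length prefix. That is consistent with an LDAP PDU that was not SASL-wrapped reaching a decoder that expected a wrapped buffer.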
