[GH-ISSUE #1214] [BUG] Docker Mailserver Integration #432

Closed
opened 2026-02-27 08:17:16 +03:00 by kerem · 6 comments

Originally created by @MahdiBaghbani on GitHub (Jul 14, 2025).
Original GitHub issue: https://github.com/lldap/lldap/issues/1214

Describe the bug
I'm using docker mailserver and the login into Roundcube is OK, but when sending email, I receive an error.

To Reproduce
Set up RoundCube and docker mailserver and lldap
Login via roundcube (imap is done via dovecot ldap) -> OK
send email -> SASL auth fails

Expected behavior
Email gets sent correctly.

Logs

2025-07-14T10:27:45.846756229+00:00  INFO     i [info]: LDAP session start: 33e8fb82-d8b5-4394-a9d0-95650cb84b27
2025-07-14T10:27:45.846783382+00:00  INFO     LDAP request [ 45.3ms | 0.15% / 100.00% ] session_id: 33e8fb82-d8b5-4394-a9d0-95650cb84b27
2025-07-14T10:27:45.846789026+00:00  DEBUG    ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=admin,ou=people,dc=xx,dc=xx,dc=xx", cred: LdapBindCred::Simple }), ctrl: [] }
2025-07-14T10:27:45.846790833+00:00  DEBUG    ┝━ do_bind [ 45.3ms | 0.06% / 99.85% ] dn: uid=admin,ou=people,dc=xx,dc=xx,dc=xx
2025-07-14T10:27:45.846810439+00:00  DEBUG    │  ┕━ bind [ 45.2ms | 0.03% / 99.79% ]
2025-07-14T10:27:45.846812193+00:00  DEBUG    │     ┝━ get_password_file_for_user [ 180µs | 0.40% ] user_id: "admin"
2025-07-14T10:27:45.847483625+00:00  INFO     │     ┝━ i [info]: Login attempt for "admin"
2025-07-14T10:27:45.847485533+00:00  DEBUG    │     ┝━ passwords_match [ 45.0ms | 99.36% ] username: admin
2025-07-14T10:27:45.892530136+00:00  ERROR    │     │  ┕━ 🚨 [error]:  | error: Authentication protocol error for `Protocol error: `This error results from an error during password verification``
2025-07-14T10:27:45.892537151+00:00  ERROR    │     ┕━ 🚨 [error]:  | error: Authentication error for user "admin"
2025-07-14T10:27:45.892549315+00:00  DEBUG    ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: InvalidCredentials, matcheddn: "", message: "", referral: [] }, saslcreds: None })
2025-07-14T10:27:45.799572+00:00 mail postfix/submissions/smtpd[1778]: connect from mail-roundcube.mail-net[172.19.0.4]
2025-07-14T10:27:45.803157+00:00 mail postfix/submissions/smtpd[1778]: Anonymous TLS connection established from mail-roundcube.mail-net[172.19.0.4]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384
2025-07-14T10:27:45.892993+00:00 mail postfix/submissions/smtpd[1778]: warning: mail-roundcube.mail-net[172.19.0.4]: SASL LOGIN authentication failed: authentication failure, sasl_username=mahdi-baghbani@xx.xx.xx
2025-07-14T10:27:45.894198+00:00 mail postfix/submissions/smtpd[1778]: disconnect from mail-roundcube.mail-net[172.19.0.4] ehlo=1 auth=0/1 quit=1 commands=2/3

Additional context
configs:

# >>> Postfix LDAP Integration.
ACCOUNT_PROVISIONER=LDAP
LDAP_SERVER_HOST=ldap://ldap
LDAP_SEARCH_BASE="ou=people,dc=xx,dc=xx,dc=xx"
LDAP_BIND_DN="uid=admin,ou=people,dc=xx,dc=xxxx,dc=xx"
LDAP_BIND_PW=hardpass
LDAP_QUERY_FILTER_USER="(&(objectClass=inetOrgPerson)(enable-mail=true)(|(uid=%u)(mail=%u)))"
LDAP_QUERY_FILTER_GROUP="(&(objectClass=groupOfNames)(enable-mail=true)(|(mail=%s)(mail-alias=%s)))"
LDAP_QUERY_FILTER_ALIAS="(&(objectClass=inetOrgPerson)(enable-mail=true)(mail-alias=%s))"
LDAP_QUERY_FILTER_DOMAIN="(|(mail=*@%s)(mail-alias=*@%s))"
LDAP_QUERY_FILTER_SENDERS="(|(memberOf=cn=admin,ou=groups,dc=*)(memberOf=cn=mailer,ou=groups,dc=*)(&(objectClass=inetOrgPerson)(enable-mail=true)(|(mail=%s)(mail-alias=%s))))"
# <<< Postfix LDAP Integration.

# >>> Dovecot LDAP Integration.
DOVECOT_AUTH_BIND=yes
DOVECOT_USER_ATTRS="=uid=5000,=gid=5000,=home=/var/mail/%Ln,=mail=maildir:~/Maildir"
DOVECOT_USER_FILTER="(&(objectClass=inetOrgPerson)(enable-mail=true)(|(uid=%u)(mail=%u)))"
DOVECOT_PASS_FILTER="(&(objectClass=inetOrgPerson)(enable-mail=true)(|(uid=%u)(mail=%u)))"
DOVECOT_DEFAULT_PASS_SCHEME=SSHA
# <<< Dovecot LDAP Integration.

# >>> SASL LDAP Authentication.
ENABLE_SASLAUTHD=1
SASLAUTHD_LDAP_MECH=PLAIN
SASLAUTHD_MECHANISMS=ldap
SASLAUTHD_LDAP_FILTER="(&(objectClass=inetOrgPerson)(enable-mail=true)(uid=%U))"
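
Added example, not part of the original issue and not code from lldap or docker-mailserver: a small Python correlator that pairs each postfix SASL failure with the lldap bind result logged just before it, so the bind DN that was rejected can be read next to the mail user's `sasl_username`. The two sample log strings are constructed from the log lines quoted above; the one-second window, the UTC-only timestamp pattern and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, trimmed from the log shapes quoted in the issue.
LLDAP_LOG = """\
2025-07-14T10:27:45.846790833+00:00  DEBUG    ┝━ do_bind [ 45.3ms | 0.06% / 99.85% ] dn: uid=admin,ou=people,dc=xx,dc=xx,dc=xx
2025-07-14T10:27:45.892549315+00:00  DEBUG    ┕━ 🐛 [debug]:  | response: BindResponse(LdapBindResponse { res: LdapResult { code: InvalidCredentials, matcheddn: "", message: "", referral: [] }, saslcreds: None })
"""
POSTFIX_LOG = """\
2025-07-14T10:27:45.892993+00:00 mail postfix/submissions/smtpd[1778]: warning: mail-roundcube.mail-net[172.19.0.4]: SASL LOGIN authentication failed: authentication failure, sasl_username=mahdi-baghbani@xx.xx.xx
"""

# Assumption: both services log in UTC (+00:00), as in the sample.
TS = r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.(\d+)\+00:00"
BIND_DN = re.compile(TS + r".*do_bind \[.*\] dn: (\S+)")
BIND_RES = re.compile(TS + r".*BindResponse\(.*code: (\w+)")
SASL_FAIL = re.compile(TS + r".*SASL (\w+) authentication failed.*sasl_username=(\S+)")

def ts(sec, frac):
    # lldap logs nanoseconds, postfix microseconds; truncate both to microseconds.
    return datetime.strptime(sec + "." + frac[:6].ljust(6, "0"), "%Y-%m-%dT%H:%M:%S.%f")

def lldap_binds(text):
    """Yield (response_time, bind_dn, result_code) for each bind in lldap's log."""
    dn = None
    for line in text.splitlines():
        if m := BIND_DN.search(line):
            dn = m.group(3)
        elif (m := BIND_RES.search(line)) and dn:
            yield ts(m.group(1), m.group(2)), dn, m.group(3)
            dn = None

def correlate(lldap_text, postfix_text, window=timedelta(seconds=1)):
    """Pair each postfix SASL failure with the closest preceding lldap bind result."""
    binds = list(lldap_binds(lldap_text))
    out = []
    for line in postfix_text.splitlines():
        if not (m := SASL_FAIL.search(line)):
            continue
        when = ts(m.group(1), m.group(2))
        near = [b for b in binds if timedelta(0) <= when - b[0] <= window]
        dn, code = (near[-1][1], near[-1][2]) if near else (None, None)
        out.append({"sasl_username": m.group(4), "mechanism": m.group(3),
                    "bind_dn": dn, "ldap_result": code})
    return out

if __name__ == "__main__":
    for row in correlate(LLDAP_LOG, POSTFIX_LOG):
        print(row)
```

A row whose `bind_dn` differs from the identity in `sasl_username` means the bind that lldap rejected was not made as the mail user.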
kerem 2026-02-27 08:17:16 +03:00
  • closed this issue
  • added the bug label

@MahdiBaghbani commented on GitHub (Jul 14, 2025):

I know this might not be really related to LLDAP, but I have recently been testing to migrate from OpenLDAP to LLDAP and encountered this problem. Also, this issue is very similar to #642, but different in the error part.


@nitnelave commented on GitHub (Jul 14, 2025):

The OpenLDAP migration tool cannot port over the passwords, so they all have to be reset. The error you're getting is an invalid password for the admin. Have you checked out the section in the FAQ for "I can't log in"?


@MahdiBaghbani commented on GitHub (Jul 14, 2025):

The admin password is hand-copied; also, I started with a fresh password for admin in LLDAP.
Didn't import anything; everything is new.

The login into Roundcube also shows that the admin binding succeeds when logging in,

so I suspect there is something wrong with the SASL auth.


@MahdiBaghbani commented on GitHub (Jul 14, 2025):

There is definitely a problem with saslauthd and lldap, although I don't know what.

Changing the config to force saslauth to use dovecot works:

SASLAUTHD_MECHANISMS=rimap
SASLAUTHD_MECH_OPTIONS=127.0.0.1

Instead of sasl, dovecot does the binding with lldap and all is good.


@nitnelave commented on GitHub (Jul 14, 2025):

Lldap itself doesn't support sasl. Maybe that's the answer?


@MahdiBaghbani commented on GitHub (Jul 14, 2025):

Oh well, I didn't catch that, my bad.
Anyway, thanks for the software, it's quite helpful.
