Use DN lookup instead of DN template for LDAP auth

In our setup users require a specific LDAP group to login. We enforce this with an LDAP filter (user_filter). With DN template, authentication always succeeds for these users, as Dovecot only performs an LDAP BIND request. Successful auth followed by failed userdb lookup seems to trigger a bug in Dovecot that causes the handler processes to stay around indefinitely and fill up the process_limit. Using DN lookup with the LDAP filter set for both user_filter and pass_filter should cause the authentication to fail for these users and work around the bug.

Use DN lookup instead of DN template for LDAP auth
5267a3d7 · Julian · 18ab8dc6 · 5267a3d7
Commit 5267a3d7 authored Jul 17, 2022 by Julian
--- a/templates/dovecot-ldap.conf.ext.j2
+++ b/templates/dovecot-ldap.conf.ext.j2
@@ -25,7 +25,7 @@ tls_ca_cert_file = {{ dovecot.ldap.tls.ca }}
 tls_require_cert = hard
 auth_bind = yes
-auth_bind_userdn = uid=%n,{{ dovecot.ldap.base }}
+pass_filter = {{ dovecot.ldap.filter }}
 ldap_version = 3
 base = {{ dovecot.ldap.base }}