This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.


There are two ways to do LDAP authentication:

Both of these have their own advantages and disadvantages.

Configuration common to LDAP passdb and userdb


There are two alternative ways to specify what LDAP server(s) to connect to:

If multiple LDAP servers are specified, it's decided by the LDAP library how the server connections are handled. Typically the first working server is used, and it's never disconnected from. So there is no load balancing or automatic reconnecting to the "primary" server.


You can enable TLS in two alternative ways:

See the tls_* settings in dovecot-ldap-example.conf for how to configure TLS. (I think they apply to ldaps too?)

Getting Dovecot to talk to a LDAPS signed against a custom certificate of authority

If you need to connect to ldaps secured against a custom certificate of authority (CA), you will need to install the custom CA on your system. On Red Hat Enterprise Linux 6, Dovecot uses the OpenLDAP library. By default, the CA must be installed under the directory specified in the TLS_CACERTDIR option found under /etc/openldap/ldap.conf (default value is /etc/openldap/certs). After copying the CA, you'll need to run "c_rehash ." inside the directory, this will create a symlink pointing to the CA.

You can test the CA installation with this: openssl s_client -connect -CApath /etc/openldap/certs -showcerts

This should report "Verify return code: 0 (ok)".

SASL binds

It's possible to use SASL binds instead of the regular plaintext binds if your LDAP library supports them. See the sasl_* settings in dovecot-ldap-example.conf. Note that SASL binds are currently incompatible with authentication binds.

Active Directory

When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are available in port 3268. Use whatever works.

None: AuthDatabase/LDAP (last edited 2014-06-05 13:42:41 by swa)