From 5267a3d716a605db3c81cb762e5dc1a5a2a53374 Mon Sep 17 00:00:00 2001
From: Julian Rother
Date: Mon, 18 Jul 2022 00:36:18 +0200
Subject: [PATCH] Use DN lookup instead of DN template for LDAP auth
In our setup users require a specific LDAP group to login. We enforce this with an LDAP filter (user_filter). With DN template, authentication always succeeds for these users, as Dovecot only performs an LDAP BIND request. Successful auth followed by failed userdb lookup seems to trigger a bug in Dovecot that causes the handler processes to stay around indefinitely and fill up the process_limit. Using DN lookup with the LDAP filter set for both user_filter and pass_filter should cause the authentication to fail for these users and work around the bug.
---
 templates/dovecot-ldap.conf.ext.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/dovecot-ldap.conf.ext.j2 b/templates/dovecot-ldap.conf.ext.j2
index 91803e0..fdaa311 100644
--- a/templates/dovecot-ldap.conf.ext.j2
+++ b/templates/dovecot-ldap.conf.ext.j2
@@ -25,7 +25,7 @@ tls_ca_cert_file = {{ dovecot.ldap.tls.ca }}
 tls_require_cert = hard
 auth_bind = yes
-auth_bind_userdn = uid=%n,{{ dovecot.ldap.base }}
+pass_filter = {{ dovecot.ldap.filter }}
 ldap_version = 3
 base = {{ dovecot.ldap.base }}
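Review bot: `pass_filter = {{ dovecot.ldap.filter }}` now carries the required-group restriction at password-check time, but nothing in the template records that it must stay identical to `user_filter` or that the filter has to contain the login variable (the removed line used `%n`). If `dovecot.ldap.filter` were ever reduced to a pure group-membership filter, or the two filters drifted apart, the DN lookup could match the wrong number of entries or re-open the auth-succeeds/userdb-fails gap the commit message describes. I would add a comment above the line, `# pass_filter must equal user_filter and include the login variable; it enforces the required-group check before the bind`. With `auth_bind_userdn` gone, Dovecot has to search for the DN before binding, so the search presumably depends on `dn`/`dnpass` (or anonymous search) set outside this hunk; it is worth confirming that account can read the attributes the filter uses.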