Hello Mailcow Community, I'm experiencing a persistent issue integrating Microsoft Active Directory (LDAP) with my Mailcow instance. Even though the connection seems fine on the backend, actual user logins are being rejected. What I have verified / tested so far: * LDAP connectivity is working: Running ldapsearch directly from the Mailcow host using the dovecot bind account successfully returns the user data. * Mailcow UI Test: In the Mailcow Control Panel -> Configuration -> App Links/Identity Providers, the "Test Connection" button for LDAP returns a Green Success message. * Mailbox Configuration: The specific mailbox (emebit@argus.com.ar) has its "Identity Provider" explicitly set to "LDAP" in the Mailcow UI. Here the screenshot for the Identity Provider config: [upl-image-preview uuid=c7d3dcf2-6033-4aa1-8616-24e20cf0edbd url=https://community.mailcow.email/assets/files/2026-04-06/1775501853-595511-imagen.png alt={TEXT?}] Here some logs: **dovecot-mailcow container log**: dovecot-mailcow-1 | Apr 6 15:56:16 b67cb3644c90 dovecot: lmtp(134): Disconnect from 172.22.1.3: Logged out (state=MAIL FROM) dovecot-mailcow-1 | Apr 6 15:56:16 b67cb3644c90 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=, rip=172.22.1.3, lip=172.22.1.250, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) dovecot-mailcow-1 | Apr 6 15:56:16 b67cb3644c90 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=, rip=172.22.1.3, lip=172.22.1.250 dovecot-mailcow-1 | Apr 6 15:56:16 b67cb3644c90 dovecot: managesieve-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=, rip=172.22.1.3, lip=172.22.1.250 dovecot-mailcow-1 | Apr 6 15:56:26 b67cb3644c90 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=, rip=172.22.1.3, lip=172.22.1.250, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) dovecot-mailcow-1 | Apr 6 15:57:17 b67cb3644c90 dovecot: lmtp(134): Connect from 172.22.1.3 dovecot-mailcow-1 | Apr 6 15:57:27 b67cb3644c90 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=, rip=172.22.1.3, lip=172.22.1.250, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) dovecot-mailcow-1 | Apr 6 15:57:28 b67cb3644c90 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 1 secs): user=, rip=172.22.1.3, lip=172.22.1.250 dovecot-mailcow-1 | Apr 6 15:57:28 b67cb3644c90 dovecot: managesieve-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=, rip=172.22.1.3, lip=172.22.1.250 dovecot-mailcow-1 | Apr 6 15:57:28 b67cb3644c90 dovecot: auth-worker(1265): conn unix:auth-worker (pid=131,uid=401): auth-worker: sql(watchdog@invalid,172.22.1.3): unknown user dovecot-mailcow-1 | Apr 6 15:57:28 b67cb3644c90 dovecot: lmtp(134): Disconnect from 172.22.1.3: Connection closed (state=MAIL FROM) **sogo-mailcow container logs** sogo-mailcow-1 | Apr 6 15:47:57 a0d0f3c099f0 sogod[60:60] ERROR(-[NGLdapSearchResultEnumerator nextObject]): does not support result references yet .. sogo-mailcow-1 | Apr 6 15:47:57 a0d0f3c099f0 sogod [60]: mailcowdockerized-watchdog-mailcow-1.mailcowdockerized_mailcow-network "GET /SOGo.index/ HTTP/1.1" 200 2581/0 0.011 - - 0 - 12 sogo-mailcow-1 | Apr 6 15:49:04 a0d0f3c099f0 sogod [60]: mailcowdockerized-watchdog-mailcow-1.mailcowdockerized_mailcow-network "GET /SOGo.index/ HTTP/1.1" 200 2581/0 0.006 - - 0 - 12 sogo-mailcow-1 | Apr 6 15:50:14 a0d0f3c099f0 sogod [60]: mailcowdockerized-watchdog-mailcow-1.mailcowdockerized_mailcow-network "GET /SOGo.index/ HTTP/1.1" 200 2581/0 0.006 - - 0 - 11 sogo-mailcow-1 | Apr 6 15:50:51 a0d0f3c099f0 sogod [60]: mailcowdockerized-watchdog-mailcow-1.mailcowdockerized_mailcow-network "GET /SOGo.index/ HTTP/1.1" 200 2581/0 0.006 - - 0 - 11 sogo-mailcow-1 | Apr 6 15:51:46 a0d0f3c099f0 sogod [60]: mailcowdockerized-watchdog-mailcow-1.mailcowdockerized_mailcow-network "GET /SOGo.index/ HTTP/1.1" 200 2581/0 0.005 - - 0 - 11 sogo-mailcow-1 | Apr 6 15:53:03 a0d0f3c099f0 sogod [60]: mailcowdockerized-watchdog-mailcow-1.mailcowdockerized_mailcow-network "GET /SOGo.index/ HTTP/1.1" 200 2581/0 0.006 - - 0 - 11 sogo-mailcow-1 | Apr 6 15:53:51 a0d0f3c099f0 sogod [60]: mailcowdockerized-watchdog-mailcow-1.mailcowdockerized_mailcow-network "GET /SOGo.index/ HTTP/1.1" 200 2581/0 0.006 - - 0 - 11 in this logs i only found the "NGLdapSearchResultEnumerator", is that the problem? i didnt find more info about that error **php-fpm-mailcow container log** php-fpm-mailcow-1 | [06-Apr-2026 15:32:07] NOTICE: fpm is running, pid 1 php-fpm-mailcow-1 | [06-Apr-2026 15:32:07] NOTICE: ready to handle connections php-fpm-mailcow-1 | [06-Apr-2026 15:32:37] WARNING: [pool web-worker] child 37 said into stderr: "NOTICE: PHP message: mailcow UI: Invalid password for emebit by 200.69.141.133" php-fpm-mailcow-1 | 172.22.1.9 - 06/Apr/2026:15:32:37 -0300 "POST /index.php" 200 php-fpm-mailcow-1 | 172.22.1.9 - 06/Apr/2026:15:32:38 -0300 "GET /json_api.php" 200 php-fpm-mailcow-1 | [06-Apr-2026 15:32:44] WARNING: [pool web-worker] child 39 said into stderr: "NOTICE: PHP message: mailcow UI: Invalid password for emebit by 200.69.141.133" here i found the login error, but the credentials are fine, like I said before, i can run an ldap search with no problems. Another questions that i have. In the mailcow containerized version, I have to configure something in the /opt/mailcow-dockerized/data/conf/ files? Or the ldap is only configured via webgui of mailcow? many thanks

AD/LDAP Integration: UI "Test Connection" succeeds, but WebGUI/SOGo logins fail

soldanes

Hello Mailcow Community,

I’m experiencing a persistent issue integrating Microsoft Active Directory (LDAP) with my Mailcow instance. Even though the connection seems fine on the backend, actual user logins are being rejected.

What I have verified / tested so far:

LDAP connectivity is working: Running ldapsearch directly from the Mailcow host using the dovecot bind account successfully returns the user data.
Mailcow UI Test: In the Mailcow Control Panel -> Configuration -> App Links/Identity Providers, the “Test Connection” button for LDAP returns a Green Success message.
Mailbox Configuration: The specific mailbox (emebit@argus.com.ar) has its “Identity Provider” explicitly set to “LDAP” in the Mailcow UI.

Here the screenshot for the Identity Provider config:

Here some logs:

dovecot-mailcow container log:
dovecot-mailcow-1 | Apr 6 15:56:16 b67cb3644c90 dovecot: lmtp(134): Disconnect from 172.22.1.3: Logged out (state=MAIL FROM)
dovecot-mailcow-1 | Apr 6 15:56:16 b67cb3644c90 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=172.22.1.3, lip=172.22.1.250, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
dovecot-mailcow-1 | Apr 6 15:56:16 b67cb3644c90 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=172.22.1.3, lip=172.22.1.250
dovecot-mailcow-1 | Apr 6 15:56:16 b67cb3644c90 dovecot: managesieve-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=172.22.1.3, lip=172.22.1.250
dovecot-mailcow-1 | Apr 6 15:56:26 b67cb3644c90 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=172.22.1.3, lip=172.22.1.250, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
dovecot-mailcow-1 | Apr 6 15:57:17 b67cb3644c90 dovecot: lmtp(134): Connect from 172.22.1.3
dovecot-mailcow-1 | Apr 6 15:57:27 b67cb3644c90 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=172.22.1.3, lip=172.22.1.250, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
dovecot-mailcow-1 | Apr 6 15:57:28 b67cb3644c90 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 1 secs): user=<>, rip=172.22.1.3, lip=172.22.1.250
dovecot-mailcow-1 | Apr 6 15:57:28 b67cb3644c90 dovecot: managesieve-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=172.22.1.3, lip=172.22.1.250
dovecot-mailcow-1 | Apr 6 15:57:28 b67cb3644c90 dovecot: auth-worker(1265): conn unix:auth-worker (pid=131,uid=401): auth-worker<1>: sql(watchdog@invalid,172.22.1.3): unknown user
dovecot-mailcow-1 | Apr 6 15:57:28 b67cb3644c90 dovecot: lmtp(134): Disconnect from 172.22.1.3: Connection closed (state=MAIL FROM)

sogo-mailcow container logs

sogo-mailcow-1 | Apr 6 15:47:57 a0d0f3c099f0 sogod[60:60] ERROR(-[NGLdapSearchResultEnumerator nextObject]): does not support result references yet ..
sogo-mailcow-1 | Apr 6 15:47:57 a0d0f3c099f0 sogod [60]: mailcowdockerized-watchdog-mailcow-1.mailcowdockerized_mailcow-network “GET /SOGo.index/ HTTP/1.1” 200 2581/0 0.011 - - 0 - 12
sogo-mailcow-1 | Apr 6 15:49:04 a0d0f3c099f0 sogod [60]: mailcowdockerized-watchdog-mailcow-1.mailcowdockerized_mailcow-network “GET /SOGo.index/ HTTP/1.1” 200 2581/0 0.006 - - 0 - 12
sogo-mailcow-1 | Apr 6 15:50:14 a0d0f3c099f0 sogod [60]: mailcowdockerized-watchdog-mailcow-1.mailcowdockerized_mailcow-network “GET /SOGo.index/ HTTP/1.1” 200 2581/0 0.006 - - 0 - 11
sogo-mailcow-1 | Apr 6 15:50:51 a0d0f3c099f0 sogod [60]: mailcowdockerized-watchdog-mailcow-1.mailcowdockerized_mailcow-network “GET /SOGo.index/ HTTP/1.1” 200 2581/0 0.006 - - 0 - 11
sogo-mailcow-1 | Apr 6 15:51:46 a0d0f3c099f0 sogod [60]: mailcowdockerized-watchdog-mailcow-1.mailcowdockerized_mailcow-network “GET /SOGo.index/ HTTP/1.1” 200 2581/0 0.005 - - 0 - 11
sogo-mailcow-1 | Apr 6 15:53:03 a0d0f3c099f0 sogod [60]: mailcowdockerized-watchdog-mailcow-1.mailcowdockerized_mailcow-network “GET /SOGo.index/ HTTP/1.1” 200 2581/0 0.006 - - 0 - 11
sogo-mailcow-1 | Apr 6 15:53:51 a0d0f3c099f0 sogod [60]: mailcowdockerized-watchdog-mailcow-1.mailcowdockerized_mailcow-network “GET /SOGo.index/ HTTP/1.1” 200 2581/0 0.006 - - 0 - 11

in this logs i only found the “NGLdapSearchResultEnumerator”, is that the problem? i didnt find more info about that error

php-fpm-mailcow container log

php-fpm-mailcow-1 | [06-Apr-2026 15:32:07] NOTICE: fpm is running, pid 1
php-fpm-mailcow-1 | [06-Apr-2026 15:32:07] NOTICE: ready to handle connections
php-fpm-mailcow-1 | [06-Apr-2026 15:32:37] WARNING: [pool web-worker] child 37 said into stderr: “NOTICE: PHP message: mailcow UI: Invalid password for emebit by 200.69.141.133”
php-fpm-mailcow-1 | 172.22.1.9 - 06/Apr/2026:15:32:37 -0300 “POST /index.php” 200
php-fpm-mailcow-1 | 172.22.1.9 - 06/Apr/2026:15:32:38 -0300 “GET /json_api.php” 200
php-fpm-mailcow-1 | [06-Apr-2026 15:32:44] WARNING: [pool web-worker] child 39 said into stderr: “NOTICE: PHP message: mailcow UI: Invalid password for emebit by 200.69.141.133”

here i found the login error, but the credentials are fine, like I said before, i can run an ldap search with no problems.

Another questions that i have. In the mailcow containerized version, I have to configure something in the /opt/mailcow-dockerized/data/conf/ files? Or the ldap is only configured via webgui of mailcow?

many thanks

esackbauer

The same errors are made again and again, and have been discussed here already.
Its the misunderstanding of the “attribute field”. Here goes which AD attribute is used for deciding which mailbox template the user will get. You have entered “mail” which would let mailcow searching for a mailbox template which is named as the users email address. If you don’t know what you’re doing, use a attribute/field name from AD which is always empty, so the user gets the default template.
https://docs.mailcow.email/manual-guides/mailcow-UI/u_e-mailcow_ui-ldap/#example-configuration

soldanes

esackbauer

thanks for your answer.

I tried with another field but i still having the same issue.

diko

Your filter value will not work. Try with “(objectClass=person)” (without “mail=%s”) or leave it empty.

Mailcow automatically adds a filter expression for the attribute you specified in the “Username field” and the value the user entered as username.
So with only “(objectClass=person)” as filter expression, mailcow in the background will do a search for “(&(objectClass=person)(mail=user@example.com))”.

soldanes

diko

The last change suggested here allowed me to finally log in using my AD credentials. However, upon logging in, the entire webmail (SOGo) is extremely slow, laggy, and throwing errors.

Before I start pasting logs and debugging further, I wanted to ask a fundamental question: Do I need to manually edit the sogo.conf file located in /opt/mailcow-dockerized/data/conf/sogo to configure SOGo for LDAP, or is configuring the Identity Provider exclusively through the Mailcow WebGUI enough?

It is not clear to me if manual intervention in that file is required or if doing so actually breaks the integration. Thank you very much!

diko

There’s no need to edit the sogo.conf for LDAP - just configure LDAP in the mailcow admin WebGui for your needs.