I configured Stalwart to use an LDAP directory (FreeIPA). But I see no log whatsoever in Stalwart that shows any connection/contact with the LDAP server. User authentication just fails. On LDAP, no log either. Despite choosing FreeIPA as the authentication store, it doesn’t seem Stalwart contacts FreeIPA. In order to debug this, it would be nice to see what’s going on. Despite using trace logs on Stalwart, I don’t see what’s happening. It seems to me that Stalwart doesn’t even try to connect to LDAP.
Stalwart Version: v0.16.x
Installation Method: Docker
Database Backend: FoundationDB
Blob Storage: S3-compatible
Search Engine: Internal
Directory Backend: LDAP
Here are the most likely causes and things to check when Stalwart appears not to contact your LDAP/FreeIPA server at all:
1. Check that the directory is actually assigned as the authentication backend
Configuring an LDAP Directory object is not enough on its own — it must also be set as the active authentication directory in the WebUI under Settings › Authentication. If no directory is wired in there, Stalwart will fall back to (or simply fail with) the internal directory and will never attempt an LDAP connection, which explains the absence of any LDAP-related log lines even at trace level.
2. Verify the URL and connection fields
The minimum required field is url (e.g. ldap://freeipa.example.org:389). Double-check:
- url — hostname/IP and port are correct and reachable from the Docker container.
- useTls — set to true if you are connecting on port 636; leave false for plain 389.
- allowInvalidCerts — set to true temporarily if FreeIPA uses a self-signed cert, to rule out TLS handshake failures.
- timeout — defaults to 30s; a silent failure before the timeout could look like “no contact”.
3. Bind credentials
FreeIPA requires an authenticated bind. If bindDn / bindSecret are missing or wrong, the service-account bind will fail before any user lookup is attempted. Make sure the service account DN is correct for FreeIPA (typically something like uid=stalwart,cn=users,cn=accounts,dc=example,dc=com) and that the account has read access to the relevant tree.
4. Authentication mode for FreeIPA
FreeIPA does not expose password hashes to service accounts, so bindAuthentication must be true (which is the default). If it was accidentally set to false, Stalwart will try to read a userPassword hash that FreeIPA will never return, and authentication will silently fail.
5. Lookup filters
The default filterLogin is (&(objectClass=inetOrgPerson)(mail=?)). FreeIPA uses posixAccount/inetOrgPerson objects but login is typically by uid, not mail. A filter like (&(objectClass=posixAccount)(uid=?)) is usually more appropriate. If the filter returns no results, no bind attempt is made.
This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.
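A config check covering points 2 to 5 of the reply above, added here as an example; it is not part of the thread and not Stalwart code. Field names and defaults are the ones given in the reply, while `lint_directory`, `render_filter`, the sample configs and the assumption that `?` is replaced by the RFC 4515-escaped login name are illustrative.

```python
from urllib.parse import urlparse

# Defaults as stated in the reply above.
DEFAULTS = {"useTls": False, "allowInvalidCerts": False, "bindAuthentication": True,
            "filterLogin": "(&(objectClass=inetOrgPerson)(mail=?))"}

def lint_directory(cfg):
    """Return findings for one LDAP directory config; an empty list means nothing flagged."""
    c = {**DEFAULTS, **cfg}
    out = []
    u = urlparse(c.get("url", ""))
    if not u.scheme.startswith("ldap") or not u.hostname:
        out.append("url: missing or not an LDAP URL")
    elif (u.port or 389) == 636 and not c["useTls"]:
        out.append("useTls: port 636 needs useTls=true")
    if c["allowInvalidCerts"]:
        out.append("allowInvalidCerts: certificate checks are off; debugging only")
    if not c.get("bindDn") or not c.get("bindSecret"):
        out.append("bindDn/bindSecret: FreeIPA requires an authenticated bind")
    if not c["bindAuthentication"]:
        out.append("bindAuthentication: must be true, FreeIPA returns no userPassword")
    f = c["filterLogin"]
    if "?" not in f:
        out.append("filterLogin: no '?' placeholder for the login name")
    elif "(uid=?)" not in f:
        out.append("filterLogin: does not match on uid, the usual FreeIPA login attribute")
    return out

def render_filter(template, login):
    """Substitute the login into the filter (RFC 4515 escaping) to replay the lookup by hand.
    Assumption: '?' is the placeholder and special characters are escaped this way."""
    esc = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return template.replace("?", "".join(esc.get(ch, ch) for ch in login))

# Constructed sample configs; hostname, DN and secret are placeholders.
BROKEN = {"url": "ldap://freeipa.example.org:636", "bindAuthentication": False,
          "allowInvalidCerts": True}
FIXED = {"url": "ldap://freeipa.example.org:636", "useTls": True,
         "bindDn": "uid=stalwart,cn=users,cn=accounts,dc=example,dc=com",
         "bindSecret": "placeholder",
         "filterLogin": "(&(objectClass=posixAccount)(uid=?))"}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_directory(cfg) or "no findings")
    print(render_filter(FIXED["filterLogin"], "j*doe"))
```

The rendered filter can be passed to a manual search made with the service account, which separates a filter that matches nothing from a bind that fails.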