[dovecot-cvs] dovecot/doc dovecot-ldap.conf,1.16,1.17

tss at dovecot.org tss at dovecot.org
Sat Nov 4 15:00:34 UTC 2006


Update of /var/lib/cvs/dovecot/doc
In directory talvi:/tmp/cvs-serv21165/doc

Modified Files:
	dovecot-ldap.conf 
Log Message:
LDAP code changes: If auth binds are used, bind back to the default dn
before doing a search. Otherwise it could fail if user gave an invalid
password. Initial binding is now also done asynchronously. Reconnecting to
LDAP server wasn't working with auth binds. Use pass_attrs even with
auth_bind=yes since it may contain other non-password fields also. Updated
dovecot-ldap.conf to contain sasl_bind settings and reflect these changes.



Index: dovecot-ldap.conf
===================================================================
RCS file: /var/lib/cvs/dovecot/doc/dovecot-ldap.conf,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -d -r1.16 -r1.17
--- dovecot-ldap.conf	11 Sep 2006 19:13:04 -0000	1.16
+++ dovecot-ldap.conf	4 Nov 2006 15:00:32 -0000	1.17
@@ -22,15 +22,37 @@
 # Password for LDAP server
 #dnpass = 
 
+# Use SASL binding instead of the simple binding. Note that this changes
+# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
+# and auth_bind=yes don't work together.
+#sasl_bind = no
+# SASL mechanism name to use.
+#sasl_mech =
+# SASL realm to use.
+#sasl_realm =
+# SASL authorization ID, ie. the dnpass is for this "master user", but the
+# dn is still the logged in user. Normally you want to keep this empty.
+#sasl_authz_id =
+
 # Use authentication binding for verifying password's validity. This works by
 # logging into LDAP server using the username and password given by client.
-# NOTE: pass_attrs option will (naturally) be ignored if you enable this.
+# The pass_filter is used to find the DN for the user. Note that the pass_attrs
+# is still used, only the password field is ignored in it. Before doing any
+# search, the binding is switched back to the default DN.
 #auth_bind = no
 
 # If authentication binding is used, you can save one LDAP request per login
 # if users' DN can be specified with a common template. The template can use
-# the standard %variables (see user_filter). For example:
+# the standard %variables (see user_filter). Note that you can't
+# use any pass_attrs if you use this setting.
 #
+# If you use this setting, it's a good idea to use a different
+# dovecot-ldap.conf for userdb (it can even be a symlink, just as long as the
+# filename is different in userdb's args). That way one connection is used only
+# for LDAP binds and another connection is used for user lookups. Otherwise
+# the binding is changed to the default DN before each user lookup.
+#
+# For example:
 #   auth_bind_userdn = cn=%u,ou=people,o=org
 #
 #auth_bind_userdn =
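Review bot: the sasl_authz_id comment (the "SASL authorization ID, ie. the dnpass is for this "master user", but the dn is still the logged in user" lines) has the SASL roles backwards and is likely to be misread by administrators setting up proxy authorization. In SASL the credentials in dn/dnpass belong to the authentication identity (authcid), and the authorization identity (authzid) is the separate identity the bound connection is allowed to act as; the comment reads as if the password belongs to the authorization identity. Suggest rewording along the lines of "SASL authorization ID: the identity that dn/dnpass is authorized to act as; normally leave this empty so the bound DN is used as-is." ("ie." should also be "i.e.".) Two smaller documentation points in the same hunk: the sasl_bind comment states that SASL binds and auth_bind=yes don't work together, but not what happens if both are set, so it would help to say whether that combination is rejected at startup or silently ignored; and since sasl_bind is documented to raise ldap_version to 3, it is worth stating this next to the ldap_version setting as well, so a reader who only looks there is not surprised by the change.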


