[Dovecot] dovecot with ldap and allow_nets

Marc Cuypers m.cuypers at mgvd.be
Tue Nov 27 12:47:34 EET 2007


Timo Sirainen schreef:
> On Tue, 2007-11-27 at 09:20 +0100, Marc Cuypers wrote:
>> dovecot: 2007-11-27 09:04:14 Info: auth(default): ldap(marc,10.0.0.110): 
>> bind: dn=uid=marc,ou=accounts,ou=people,dc=mgvd,dc=be
> 
> So it binds.
> 
>> auth_bind = no
>> auth_bind_userdn = uid=%u,ou=accounts,ou=people,dc=mgvd,dc=be
> 
> I guess setting auth_bind_userdn makes Dovecot ignore auth_bind setting.
> Maybe I should change that.. Or I guess I'll do it only for v1.1.
> Anyway, do you want auth binds?
> 
> The problem is that if you set auth_bind_userdn, Dovecot doesn't do the
> pass_attrs/filter lookup at all, because that's what auth_bind_userdn
> optimization is for.
> 
Commenting out auth_bind_userdn helps.

Now the problem is solved.

Many thanks.

I got a remark.

When allownets doesn't exist in LDAP, the user is allowed to log in.
From a security point of view this is not safe.  When allownets is
accidentally removed from LDAP, the user gets access from everywhere.  I
know that removing allownets should not happen, but it could.

Wouldn't it be safer, to deny access when allownets does not exist?

--
Marc
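To make the concern in this message concrete, here is an added example (not Dovecot's code and not anything from the thread) that models how an allow_nets value sourced from an LDAP attribute is evaluated, with the fail-open behaviour Marc describes beside the fail-closed alternative he asks for. The LDAP records, the attribute name `allownets`, the client addresses and the `check()` helper are all constructed for the illustration.

```python
"""Model of allow_nets evaluation over LDAP-sourced user records.

Added example, not Dovecot's own implementation. It reproduces the policy
discussed in the thread: a user record whose allownets attribute is missing
is not restricted at all (fail-open), and shows a fail-closed variant that
denies such a record instead. All records and addresses are constructed.
"""
import ipaddress

# Constructed sample LDAP search results. The attribute "allownets" stands in
# for the attribute mapped to Dovecot's allow_nets extra field via pass_attrs.
SAMPLE_ENTRIES = {
    "marc": {"allownets": "10.0.0.0/24,192.168.1.0/24"},
    "bob": {},                    # allownets attribute accidentally removed
    "carol": {"allownets": ""},   # attribute present but empty
}


def parse_allow_nets(value):
    """Parse a comma-separated allow_nets string into ip_network objects.

    Bare addresses become /32 (IPv4) or /128 (IPv6) networks; blank items are
    skipped. Raises ValueError on a malformed entry, which a caller should
    treat as a deny rather than silently ignoring the attribute.
    """
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def ip_in_nets(remote_ip, nets):
    """True if remote_ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in nets)


def check(user, remote_ip, entries=SAMPLE_ENTRIES, fail_closed=False):
    """Return True if a login from remote_ip is allowed for user.

    fail_closed=False models the behaviour reported in the thread: a record
    with no allownets attribute carries no restriction, so any source is
    accepted. fail_closed=True models the safer policy: a missing attribute
    means the login is denied.
    """
    attrs = entries.get(user)
    if attrs is None:
        return False                      # unknown user: always deny
    value = attrs.get("allownets")
    if value is None:
        return not fail_closed            # missing attribute: policy decides
    try:
        nets = parse_allow_nets(value)
    except ValueError:
        return False                      # malformed attribute: deny
    # In this model an empty list matches nothing, so an empty attribute denies.
    return ip_in_nets(remote_ip, nets)


if __name__ == "__main__":
    for user, ip in (("marc", "10.0.0.110"), ("marc", "172.16.0.5"),
                     ("bob", "203.0.113.7"), ("carol", "10.0.0.1")):
        print(user, ip, "open:", check(user, ip),
              "closed:", check(user, ip, fail_closed=True))
```

The difference is visible on `bob`: with the attribute gone, the fail-open policy admits the login from any address, which is exactly the exposure described above, while the fail-closed policy turns the same operator mistake into a denied login that shows up in the logs instead of a silent widening of access.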


