[Dovecot] dovecot with ldap and allow_nets
Marc Cuypers
m.cuypers at mgvd.be
Tue Nov 27 12:47:34 EET 2007
Timo Sirainen wrote:
> On Tue, 2007-11-27 at 09:20 +0100, Marc Cuypers wrote:
>> dovecot: 2007-11-27 09:04:14 Info: auth(default): ldap(marc,10.0.0.110):
>> bind: dn=uid=marc,ou=accounts,ou=people,dc=mgvd,dc=be
>
> So it binds.
>
>> auth_bind = no
>> auth_bind_userdn = uid=%u,ou=accounts,ou=people,dc=mgvd,dc=be
>
> I guess setting auth_bind_userdn makes Dovecot ignore auth_bind setting.
> Maybe I should change that.. Or I guess I'll do it only for v1.1.
> Anyway, do you want auth binds?
>
> The problem is that if you set auth_bind_userdn, Dovecot doesn't do the
> pass_attrs/filter lookup at all, because that's what auth_bind_userdn
> optimization is for.
>
Commenting out auth_bind_userdn helps.
Now the problem is solved.
Many thanks.
I have a remark.
When allownets doesn't exist in ldap, the user is allowed to log in.
From a security point of view this is not safe. When allownets is
accidentally removed from ldap, the user gets access from everywhere. I
know that removing allownets should not happen, but it could.
Wouldn't it be safer to deny access when allownets does not exist?
--
Marc
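
The fail-open case raised in the message above can be caught by auditing a directory export for accounts that carry no network restriction. This is an added example, not part of the original message or of Dovecot; it assumes the LDAP attribute is named allownets as in the message, and the LDIF sample and the function names are constructed for illustration.

```python
import base64

# Constructed sample LDIF export (not from the original thread).
SAMPLE_LDIF = """\
dn: uid=marc,ou=accounts,ou=people,dc=mgvd,dc=be
uid: marc
allowNets: 10.0.0.0/24

dn: uid=anna,ou=accounts,ou=people,dc=mgvd,dc=be
uid: anna

dn: uid=piet,ou=accounts,ou=people,dc=mgvd,dc=be
uid: piet
allownets:

dn: uid=lena,ou=accounts,ou=people,dc=mgvd,
 dc=be
uid: lena
allownets:: MTAuMC4wLjExMC8zMg==
"""

def parse_ldif(text):
    """Yield one {lowercased attribute: [values]} dict per LDIF entry."""
    # Unfold continuation lines: a newline followed by a single space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" is base64-encoded
                raw = base64.b64decode(rest[1:].strip())
                value = raw.decode("utf-8", "replace")
            else:
                value = rest.strip()
            # LDAP attribute names are case-insensitive.
            entry.setdefault(name.strip().lower(), []).append(value)
        if "dn" in entry:
            yield entry

def accounts_without_restriction(text, attr="allownets"):
    """Return DNs whose entry has no non-empty value for attr."""
    return [e["dn"][0] for e in parse_ldif(text)
            if not any(v.strip() for v in e.get(attr, []))]

if __name__ == "__main__":
    for dn in accounts_without_restriction(SAMPLE_LDIF):
        print("no allownets restriction:", dn)
```

An entry with the attribute present but empty is reported as well, since it restricts nothing either.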