[Dovecot] LDAP as password database - some problems / suggestions
Stefan Palme
palme at kapott.org
Thu Feb 18 10:19:12 EET 2010
Hi all,
Using dovecot-1.2.6, I use dovecot with an LDAP backend for user
authentication. In general this works ok, but I have some issues
with this...
In LDAP, I have users like this:
dn:cn=user1,ou=users,dc=kapott,dc=org
dn:cn=user2,ou=users,dc=kapott,dc=org
etc.
When authenticating users, I explicitly want to use the
AUTH_BIND feature (and NOT lookup passwords).
My problem: not ALL users from the LDAP system should be allowed to
use the IMAP server. Currently, I have defined an auth_bind_userdn
of "cn=%u,ou=users,dc=kapott,dc=org" in dovecot-ldap.conf, but with
this, user1 AND user2 could login (but I don't want user2 to be able
to use dovecot).
Because the LDAP system is used in a larger environment, it is NOT
possible to re-arrange the users like this:
cn=user1,ou=dovecot,ou=users,dc=kapott,dc=org
cn=user2,ou=not_dovecot,ou=users,dc=kapott,dc=org
So my question: are there any plans to support group-based LDAP
authentication? For several other applications, I have something
like this:
dn:cn=dovecot,ou=groups,dc=kapott,dc=org
objectclass:groupOfNames
member:cn=user1,ou=users,dc=kapott,dc=org
So I can define groups of user accounts - one group per application.
A nice solution for this in dovecot would be, if I could "mix" password
lookup and authentication bind: First, a search query should be used
to find a valid DN to bind as. In my case, the search query could look
like this:
base="ou=groups,dc=kapott,dc=org"
filter="(&(cn=dovecot)(member=cn=%u,ou=users,dc=kapott,dc=org))"
result_attribute="member"
After finding a DN this way (via attribute "member"), I want to use
auth_bind to use this DN for password verification...
Any hints how to solve this? Any plans to support this in the future?
Thanks and regards
-stefan-
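As an added example (not part of the original post and not Dovecot's own sample config), a dovecot-ldap.conf fragment that restricts logins to members of the dovecot group while still verifying the password with an LDAP bind. It assumes Dovecot's documented behaviour that, with auth_bind=yes and no auth_bind_userdn, the pass_filter search runs first (as the configured dn/dnpass account) and the bind is then done as the DN of the matching entry; it also assumes the directory exposes a memberOf attribute on user entries (OpenLDAP memberOf overlay or a server where it is native), and the hostname and service account DN are placeholders.

```ini
# dovecot-ldap.conf (Dovecot 1.2) - added example, assumptions noted below
# Placeholder LDAP host and search account (assumed, not from the post)
hosts = ldap.kapott.org
ldap_version = 3
dn = cn=dovecot-auth,ou=services,dc=kapott,dc=org
dnpass = CHANGEME

# Verify passwords with an LDAP bind, never by reading userPassword
auth_bind = yes

# Original approach from the post: a template DN. Every entry under
# ou=users can bind, so user2 gets in as well. Left disabled.
#auth_bind_userdn = cn=%u,ou=users,dc=kapott,dc=org

# Search-then-bind instead: leave auth_bind_userdn unset, and Dovecot
# first searches with pass_filter using the dn/dnpass account above, then
# binds as the DN of the entry it found. Whatever the filter excludes
# cannot log in, so group membership is enforced here.
base = ou=users,dc=kapott,dc=org
scope = onelevel

# memberOf on the user entry is assumed (overlay or native). The cn=%u
# term selects the user, the memberOf term restricts to the application
# group, and the objectClass term keeps the match on person entries.
pass_filter = (&(objectClass=person)(cn=%u)(memberOf=cn=dovecot,ou=groups,dc=kapott,dc=org))
```

The filter has to match the user entry itself, not the group entry, because the DN returned by the search is the one Dovecot binds as; searching ou=groups for the member attribute would make it bind as the group.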