Hi all,
Using dovecot-1.2.6, I use dovecot with an LDAP backend for user authentication. In general this works ok, but I have some issues with this...
In LDAP, I have users like this:
dn: cn=user1,ou=users,dc=kapott,dc=org
dn: cn=user2,ou=users,dc=kapott,dc=org
etc.
When authenticating users, I explicitly want to use the AUTH_BIND feature (and NOT look up passwords).
My problem: not ALL users from the LDAP system should be allowed to use the IMAP server. Currently, I have defined an auth_bind_userdn of "cn=%u,ou=users,dc=kapott,dc=org" in dovecot-ldap.conf, but with this, user1 AND user2 could login (but I don't want user2 to be able to use dovecot).
Because the LDAP system is used in a larger environment, it is NOT possible to re-arrange the users like this:
cn=user1,ou=dovecot,ou=users,dc=kapott,dc=org
cn=user2,ou=not_dovecot,ou=users,dc=kapott,dc=org
So my question: are there any plans to support group-based LDAP authentication? For several other applications, I have something like this:
dn: cn=dovecot,ou=groups,dc=kapott,dc=org
objectclass: groupOfNames
member: cn=user1,ou=users,dc=kapott,dc=org
So I can define groups of user accounts - one group per application.
A nice solution for this in dovecot would be if I could "mix" password lookup and authentication bind: first, a search query should be used to find a valid DN to bind as. In my case, the search query could look like this:
base="ou=groups,dc=kapott.org"
filter="(&(cn=dovecot)(member=cn=%u,ou=users,dc=kapott,dc=org))"
result_attribute="member"
After finding a DN this way (via attribute "member"), I want to use auth_bind to use this DN for password verification...
Any hints on how to solve this? Any plans to support this in the future?
Thanks and regards -stefan-
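One way to get the "search first, then bind" behaviour the post asks for, as an added dovecot-ldap.conf example that is not from the original post: when auth_bind is enabled and auth_bind_userdn is left unset, Dovecot searches with pass_filter and then binds as the DN of the matching user entry. This assumes the directory publishes a memberOf attribute on user entries (e.g. the OpenLDAP memberof overlay), which the post does not state; hosts, dn and dnpass for the search account are assumed to be set elsewhere in the file.

```conf
# Added example (not from the original post): restrict IMAP logins to members
# of cn=dovecot,ou=groups while still verifying passwords by binding as the user.

auth_bind = yes
# Deliberately NO auth_bind_userdn: Dovecot then runs an LDAP search with
# pass_filter and binds as the DN of the entry it finds, using the password
# the client supplied. A user outside the group matches no entry and is rejected
# before any bind is attempted.

base = ou=users,dc=kapott,dc=org
scope = onelevel

# Only entries that are both the named user AND a member of the dovecot group
# are returned. memberOf is assumed to be maintained by the directory.
pass_filter = (&(cn=%u)(memberOf=cn=dovecot,ou=groups,dc=kapott,dc=org))

# Apply the same restriction to the userdb lookup so that non-members also
# get no mailbox location / uid / gid from LDAP.
user_filter = (&(cn=%u)(memberOf=cn=dovecot,ou=groups,dc=kapott,dc=org))
```

The search account given by dn/dnpass needs read access to the memberOf attribute, otherwise the filter silently matches nothing and every login fails; checking that with an ldapsearch bound as that account is a quick way to distinguish an ACL problem from a group-membership problem.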