On Thursday, 22 February 2007 13:02, Timo Sirainen wrote:
>> For me, the perfect state would be:
>> - bind using the user supplied dn
>> - if successful, search for pass_attrs, where some user_attrs may be prefetched
>> - unbind
>> - userdb only binds if some needed attrs haven't already been fetched. If so, there's a choice to use the user supplied dn for the bind/search.
> What if you just didn't use auth_bind_userdn, put all the attributes in pass_attrs and use userdb prefetch?
The ldap log is:
fd=18 ACCEPT from IP=10.0.2.22:38185 (IP=0.0.0.0:636)
op=0 BIND dn="" method=128
op=0 RESULT tag=97 err=0 text=
op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(uid=testuid)"
op=1 SRCH attr=uid homeDirectory uidNumber gidNumber
op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
So the ldap_attrs search is being done anonymously (and that's the only way it makes sense), so I'm back to the same problem.
op=2 BIND dn="uid=testuid,ou=people,dc=example,dc=com" method=128
op=2 BIND dn="uid=testuid,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
op=2 RESULT tag=97 err=0 text=
deferring operation: binding
This is the auth bind.
op=3 BIND anonymous mech=implicit ssf=0
op=3 BIND dn="" method=128
op=3 RESULT tag=97 err=0 text=
op=4 SRCH base="ou=People,dc=ehu,dc=es" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=testuid))"
op=4 SRCH attr=uid homeDirectory uidNumber gidNumber
op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
So, even if the uid, gid and homeDirectory are being prefetched (my pass_attrs value is
pass_attrs = uid=user,userPassword=password,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
and the line
op=1 SRCH attr=uid homeDirectory uidNumber gidNumber
at the beginning of the log shows that they were), they are being searched again?
> I think that should work as long as you're not using deliver, which requires a userdb-only query (but then if you don't need the private fields use userdb prefetch and userdb ldap).
I wanted to avoid creating a new dn for dovecot to use, but I also want to use deliver in the near future. I hadn't thought about it before, but it's obvious that with my config deliver will need, at least, access to homeDirectory, uidNumber and gidNumber. So I'll create the dedicated dn and this problem will be gone.
Thanks again.
Joseba Torre. CIDIR Bizkaia.
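Added illustration, not part of the thread and not Dovecot's own documentation: the shape of the Dovecot 1.0 configuration the thread converges on. passdb ldap verifies the password with auth_bind and carries the userdb fields in pass_attrs, so IMAP/POP logins are served by userdb prefetch; a separate userdb ldap entry, bound with a dedicated service DN, serves deliver, which only does userdb lookups. The hostname, base DN, service DN and its password are placeholders; the filters mirror the ones visible in the slapd log above.

```conf
# --- dovecot.conf (Dovecot 1.0 syntax); example values are assumptions ---
auth default {
  mechanisms = plain
  # Login path: passdb binds as the user to check the password and also
  # returns the userdb_* fields, which userdb prefetch then consumes.
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
  userdb prefetch {
  }
  # deliver never goes through passdb, so it needs a real userdb lookup;
  # this one uses the dedicated service DN configured in the same file.
  userdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
}

# --- /etc/dovecot/dovecot-ldap.conf; example values are assumptions ---
hosts = ldap.example.com
ldap_version = 3
base = ou=People,dc=example,dc=com
scope = subtree

# Dedicated service DN (assumed name). It is used for the passdb search
# that locates the user's entry and for every userdb lookup; without it
# those searches run as an anonymous bind (dn=""), as in the log above.
dn = cn=dovecot,ou=Services,dc=example,dc=com
dnpass = replace-with-the-service-password

# Verify the password by binding as the user. auth_bind_userdn is left
# unset on purpose: when it is set no passdb search is made, so the
# userdb_* fields in pass_attrs would never be fetched for prefetch.
auth_bind = yes
pass_filter = (uid=%u)
pass_attrs = uid=user,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

# The same attributes for the userdb ldap lookup (the deliver path).
user_filter = (&(objectClass=posixAccount)(uid=%u))
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
```

The service DN needs read access only to uid, homeDirectory, uidNumber and gidNumber under the base; it never needs userPassword, since the password is checked by the user's own bind. Because dovecot-ldap.conf now holds dnpass, keep it readable by root alone.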