Re: ldap sasl bind and auth_bind

20 Sep 2016


      Hello,
I believe there is a bug in logic. The following code snippet from
db_ldap_connect() function:
    if (conn->set.sasl_bind) {
#ifdef HAVE_LDAP_SASL
struct db_ldap_sasl_bind_context context;
            memset(&context, 0, sizeof(context));
            context.authcid = conn->set.dn;
            context.passwd = conn->set.dnpass;
            context.realm = conn->set.sasl_realm;
            context.authzid = conn->set.sasl_authz_id;

            /* There doesn't seem to be a way to do SASL binding
               asynchronously.. */
            ret = ldap_sasl_interactive_bind_s(conn->ld, NULL,
                                               conn->set.sasl_mech,
                                               NULL, NULL,
LDAP_SASL_QUIET,
sasl_interact, &context);
if (db_ldap_connect_finish(conn, ret) < 0)
return -1;
#else
i_unreached(); /* already checked at init */
#endif
conn->conn_state = LDAP_CONN_STATE_BOUND_DEFAULT;
} else {
if (db_ldap_bind(conn) < 0)
return -1;
}
has to be inside db_ldap_bind() function.
Because db_ldap_bind() is used to return the connection to the initial
state which is sasl bounded as required in config file.
17.09.2016 20:22, Matwey V. Kornilov пишет:
...
Hello,
I am using
# dovecot --version
2.2.18
# dovecot -n
# 2.2.18: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8 (0c4ae064f307+)
doveconf: Warning: NOTE: You can get a new clean config file with:
doveconf -n > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:24:
'imaps' protocol can no longer be specified (use protocols=imap). to
disable non-ssl imap, use service imap-login { inet_listener imap {
port=0 } }
doveconf: Warning: NOTE: You can get a new clean config file with:
doveconf -n > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:24:
'imaps' protocol can no longer be specified (use protocols=imap). to
disable non-ssl imap, use service imap-login { inet_listener imap {
port=0 } }
# OS: Linux 4.1.27-27-default x86_64 openSUSE 42.1 (x86_64)
first_valid_uid = 1
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = lmtp imap
service imap-login {
inet_listener imap {
port = 0
}
}
ssl = required
ssl_ca = /etc/pki/trust/anchors/rootCA.pem
ssl_cert = 
I use LDAP for user and passwd databases as the following:
uris =  ldapi:///
sasl_bind = yes
sasl_mech = EXTERNAL
auth_bind = yes
And I found that only first authentication after dovecot restart is
successful, the others always fail with temp.
The reason is that dovecot rebinds to anonymous bind after succesful
auth bind instead of rebinding to external sasl bind.