On Fri, 7 Jul 2006, Geert Hendrickx wrote:
Dovecot currently treats an LDAP user/password database the same way as a text or SQL based database: it just tries to retrieve the (hashed) password for a given username. LDAP however has the capability to authenticate the user itself: dovecot could try to bind to LDAP with the given username and password, and if authentication succeeded, the LDAP server returns the other info (uid, homedir, ...), but not the password. I know at least qmail's pop3 server uses LDAP this way. Could this authentication mechanism be implemented in Dovecot as well?
Does your dovecot-ldap.conf (the template one that is shipped with Dovecot) mention this:
"# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# NOTE: pass_attrs option will (naturally) be ignored if you enable this.
#auth_bind = no

# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). For example:
#
# auth_bind_userdn = cn=%u,ou=people,o=org
#
#auth_bind_userdn = "
If not, upgrade.
Bye,
-- Steffen Kaiser
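For readers following this thread, here is a complete dovecot-ldap.conf fragment that puts the two settings quoted above to use. It is an added example, not a configuration posted by either author or shipped with Dovecot; the hostname, the DN suffix dc=example,dc=com, the lookup account cn=dovecot,ou=services and the attribute names are assumptions for illustration.

```conf
# dovecot-ldap.conf (added example; hostnames and DNs are assumed values)

# Connection. TLS matters more with auth binding than with password lookups:
# the client's cleartext password is sent to the LDAP server on every bind.
hosts = ldap.example.com
ldap_version = 3
tls = yes

# Read-only service account. Still needed: after a successful user bind,
# Dovecot uses this DN for the userdb lookup (home, uid, gid).
dn = cn=dovecot,ou=services,dc=example,dc=com
dnpass = REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD

base = ou=people,dc=example,dc=com
scope = subtree

# Verify the password by binding as the user instead of reading a hash.
# pass_attrs is ignored in this mode, as the template comment says, so
# Dovecot never needs read access to userPassword.
auth_bind = yes

# Build the user's DN from a template: saves one search per login.
# If DNs are not uniform, leave this unset and Dovecot will search with
# pass_filter first to find the DN to bind with.
auth_bind_userdn = uid=%u,ou=people,dc=example,dc=com
pass_filter = (&(objectClass=posixAccount)(uid=%u))

# userdb lookup done with the service account after the bind succeeds.
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
```

The security trade-off this configuration makes is the one Geert describes: the password hash never leaves the directory, so a compromise of the Dovecot host (or of the service account) does not expose a dump of hashes, and the directory's own password policy and lockout rules apply. In return, every login costs an LDAP bind, and the service account must still be able to read the home/uid/gid attributes; grant it nothing beyond that.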