Timo Sirainen wrote:
On Tue, 2007-11-27 at 09:20 +0100, Marc Cuypers wrote:
dovecot: 2007-11-27 09:04:14 Info: auth(default): ldap(marc,10.0.0.110): bind: dn=uid=marc,ou=accounts,ou=people,dc=mgvd,dc=be
So it binds.
auth_bind = no
auth_bind_userdn = uid=%u,ou=accounts,ou=people,dc=mgvd,dc=be
I guess setting auth_bind_userdn makes Dovecot ignore auth_bind setting. Maybe I should change that.. Or I guess I'll do it only for v1.1. Anyway, do you want auth binds?
The problem is that if you set auth_bind_userdn, Dovecot doesn't do the pass_attrs/filter lookup at all, because that's what auth_bind_userdn optimization is for.
Commenting out auth_bind_userdn helps.
Now the problem is solved.
Many thanks.
I have a remark.
When allownets doesn't exist in LDAP, the user is allowed to log in. From a security point of view this is not safe. When allownets is accidentally removed from LDAP, the user gets access from everywhere. I know that removing allownets should not happen, but it could.
Wouldn't it be safer to deny access when allownets does not exist?
-- Marc
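
Added example, not part of the original message and not Dovecot code: an audit over an LDIF export that lists accounts with no allownets value, next to a check contrasting the behaviour reported above (missing attribute means no restriction) with the fail-closed alternative proposed. The function names, the sample LDIF and the assumption that allownets holds comma-separated IPs or CIDR networks are hypothetical.

```python
import ipaddress

# Constructed sample export; the second entry and all values are made up.
SAMPLE_LDIF = """\
dn: uid=marc,ou=accounts,ou=people,dc=mgvd,dc=be
uid: marc
allownets: 10.0.0.0/24, 127.0.0.1

dn: uid=nonets,ou=accounts,ou=people,dc=mgvd,dc=be
uid: nonets
"""

def parse_ldif(text):
    """Minimal LDIF reader (no base64 or URL values): {dn: {attr: [values]}}."""
    entries, dn, attrs = {}, None, {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold, add terminator
        if not line.strip():              # blank line ends the current entry
            if dn:
                entries[dn] = attrs
            dn, attrs = None, {}
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            if key.strip().lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return entries

def networks(attrs):
    """Assumed format: comma-separated IPs or CIDR networks in 'allownets'."""
    return [n.strip() for v in attrs.get("allownets", []) for n in v.split(",") if n.strip()]

def login_allowed(attrs, client_ip, fail_closed):
    nets = networks(attrs)
    if not nets:
        # fail_closed=False mirrors the behaviour reported in the thread
        # (attribute missing -> no restriction); True is the proposed alternative.
        return not fail_closed
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

def missing_allownets(entries):
    """DNs that would be unrestricted because allownets is absent or empty."""
    return sorted(dn for dn, attrs in entries.items() if not networks(attrs))

if __name__ == "__main__":
    for dn in missing_allownets(parse_ldif(SAMPLE_LDIF)):
        print("no allownets:", dn)
```

Run periodically against a directory export, the audit catches an accidentally removed attribute before it turns into unrestricted access.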