Quoting Timo Sirainen <tss@iki.fi>:
Jan 6 17:48:08 kusanagi dovecot: imap-login: Login: user=<cn=boing,ou=people,o=boing>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
If you make LDAP's userdb query return the DN as "user", and also make sure that you're not using %u in default_mail_env, you could have that.
I'm not sure if I'd want to make a separate "log-user" variable to confuse things..
From a security perspective audit logs or access control mechanisms have what's called SRA or subject resource action. So in the simple case of a website that's as follows:
subject: user, also called user princple. resource: host + url + query string action: get (post, etc)
Or in the case of mail:
subject: user resource: mail file action: read / login / search / select.
However it seems that we have two subjects. We have one for the passdb and one of the userdb. On my setup the passdb's subject is theoretically the ldap dn and the userdb's subject is the /etc/passwd getpwnam type unix account. So we really have two subjects that need to be logged in general unless they match of course. Yeah that can be messy, but perhaps worse not to know about both principles in the event of a security incident.
Just food for thought.
Geff