Escape comma in the LDAP passdb subquery configuration
Hi, I have to configure the LDAP passdb to execute a subquery defining dynamically the new DN to use.
For example:
pass_attrs = @mail=mail=%{login_user},dc=%{login_domain},dc=example,dc=com,
=proxy=y,
=host=%{ldap:mailHost@mail}
In the previous example, the problem is the use of "," for DN representation, which is also the separator for the attribute template in the pass_attr parameter value. I tried to escape it with '\' or '%' but it doesn't work. Dovecot version is 2.2.13. How can I resolve this issue?
Thanks in advance
Hi,
I need the same. Is there a way to do this?
Thanks
On 01/09/2014 15:27, Francesco Fiore wrote:
> Hi
> I have to configure the LDAP passdb to execute a subquery defining dynamically the new DN to use.
> For example:
> pass_attrs = @mail=mail=%{login_user},dc=%{login_domain},dc=example,dc=com,
> =proxy=y,
> =host=%{ldap:mailHost@mail}
> In the previous example, the problem is the use of "," for DN representation, which is also the separator for the attribute template in the pass_attr parameter value. I tried to escape it with '\' or '%' but it doesn't work. Dovecot version is 2.2.13. How can I resolve this issue?
> Thanks in advance
Hi,
On 2014-09-01 15:27, Francesco Fiore wrote:
> pass_attrs = @mail=mail=%{login_user},dc=%{login_domain},dc=example,dc=com,
> =proxy=y,
> =host=%{ldap:mailHost@mail}
> In the previous example, the problem is the use of "," for DN representation, which is also the separator for the attribute template

I see. Have you tried using a different filter instead of dynamic arguments in pass_attrs?
Cheers,
j.hofmüller
Optimism doesn't alter the laws of physics. - Subcommander T'Pol
Hi,
On 10/09/2014 08:07, Jogi Hofmüller wrote:
> Hi,
> On 2014-09-01 15:27, Francesco Fiore wrote:
> > pass_attrs = @mail=mail=%{login_user},dc=%{login_domain},dc=example,dc=com,
> > =proxy=y,
> > =host=%{ldap:mailHost@mail}
> > In the previous example, the problem is the use of "," for DN representation, which is also the separator for the attribute template
> I see. Have you tried using a different filter instead of dynamic arguments in pass_attrs?

I tried but in this case the passdb is configured to use master authentication and in this infrastructure there is an N*M association between users and mailboxes. This association is implemented in the back-end instances using the user entries to do authentication, and the mailbox entries to get the attributes in the userdb. In the user entries there is a custom attribute. For example:
dn: uid=myuser,ou=People,dc=example,dc=com
...
uid: myuser
associatedMailbox: mymbox@example.com
userPassword: **********

dn: mail=mymbox@example.com,ou=Mailboxes,dc=example,dc=com
...
mail: mymbox@example.com
mailHost: 192.168.0.1
homeDirectory: /path/to/homedir
In the configuration of the back-end instance I use different filters to get different LDAP entries in the passdb (user entries) and userdb (mailbox entries). The problem is in the proxy configuration because Dovecot must execute an LDAP bind with the user entry but it also needs to get the mailHost attribute in the mailbox entry to connect to the correct back-end server. The complete passdb configuration is:
pass_attrs =@mail=mail=%{login_user},dc=%{login_domain},dc=example,dc=com,
=proxy=y,
=host=%{ldap:mailHost@mail}
pass_filter = (&(uid=%{user})(associatedMailbox=%{login_user}))
I'm thinking of implementing this authentication using an external auth daemon and configuring Dovecot to use an auth-dict, but I would like to avoid running an independent daemon. Can I configure Dovecot to spawn an external process? Is this a valid solution in your experience?
Cheers,
Regards
participants (3)
- Francesco Fiore
- Giovanni Mancuso
- Jogi Hofmüller