[Dovecot] LDAP as password database - some problems / suggestions
Hi all,
Using dovecot-1.2.6, I use dovecot with an LDAP backend for user authentication. In general this works ok, but I have some issues with this...
In LDAP, I have users like this:
dn:cn=user1,ou=users,dc=kapott,dc=org
dn:cn=user2,ou=users,dc=kapott,dc=org
etc.
When authenticating users, I explicitly want to use the AUTH_BIND feature (and NOT lookup passwords).
My problem: not ALL users from the LDAP system should be allowed to use the IMAP server. Currently, I have defined an auth_bind_userdn of "cn=%u,ou=users,dc=kapott,dc=org" in dovecot-ldap.conf, but with this, user1 AND user2 could login (but I don't want user2 to be able to use dovecot).
Because the LDAP system is used in a larger environment, it is NOT possible to re-arrange the users like this:
cn=user1,ou=dovecot,ou=users,dc=kapott,dc=org
cn=user2,ou=not_dovecot,ou=users,dc=kapott,dc=org
So my question: are there any plans to support group-based LDAP authentication? For several other applications, I have something like this:
dn:cn=dovecot,ou=groups,dc=kapott,dc=org
objectclass:groupOfNames
member:cn=user1,ou=users,dc=kapott,dc=org
So I can define groups of user accounts - one group per application.
A nice solution for this in dovecot would be if I could "mix" password lookup and authentication bind: first, a search query should be used to find a valid DN to bind as. In my case, the search query could look like this:
base="ou=groups,dc=kapott.org"
filter="(&(cn=dovecot)(member=cn=%u,ou=users,dc=kapott,dc=org))"
result_attribute="member"
After finding a DN this way (via attribute "member"), I want to use auth_bind to use this DN for password verification...
Any hints how to solve this? Any plans to support this in the future?
Thanks and regards -stefan-
Stefan Palme schrieb:
Hi all,
Using dovecot-1.2.6, I use dovecot with an LDAP backend for user authentication. In general this works ok, but I have some issues with this...
In LDAP, I have users like this:
dn:cn=user1,ou=users,dc=kapott,dc=org
dn:cn=user2,ou=users,dc=kapott,dc=org
Because the LDAP system is used in a larger environment, it is NOT possible to re-arrange the users like this:
cn=user1,ou=dovecot,ou=users,dc=kapott,dc=org
cn=user2,ou=not_dovecot,ou=users,dc=kapott,dc=org
Isn't it possible to just give each allowed IMAP user an attribute like imap=1?
If you really need to do it with the groups, the SUN DSSE LDAP has features like ROLES or COSes where you can set attributes for an entry based on an internal search.
Regards, Oliver
On 02/18/2010 09:45 AM, Oliver Eales wrote:
Isn't it possible to just give each allowed IMAP user an attribute like imap=1?
Yes, it would. But this would also require me to use PASSWORD LOOKUP (e.g. with a filter like '(&(objectclass=person)(imap=1))'), but I do not want to use password lookups, but auth binding with a given DN, which is derived from the username.
If you really need to do it with the groups, the SUN DSSE LDAP has features like ROLES or COSes where you can set attributes for an entry based on an internal search.
Same as above - this approach only makes sense when using password lookups.
What I need is a combination of lookup and auth_bind. The lookup is needed to find a DN to authenticate as, after that I want to use this DN for LDAP based authentication...
-stefan-
Em 18/2/2010 06:19, Stefan Palme escreveu:
In LDAP, I have users like this:
dn:cn=user1,ou=users,dc=kapott,dc=org
dn:cn=user2,ou=users,dc=kapott,dc=org
etc.
(...)
My problem: not ALL users from the LDAP system should be allowed to use the IMAP server. Currently, I have defined an auth_bind_userdn of "cn=%u,ou=users,dc=kapott,dc=org" in dovecot-ldap.conf, but with this, user1 AND user2 could login (but I don't want user2 to be able to use dovecot).
I use LDAP on PAM, and dovecot uses PAM as auth method, so I can have a separate /etc/ldap_dovecot.conf which filters "nss_base_passwd ou=People,dc=xxx?one?objectClass=mailUser" (I have a postfix.schema I downloaded somewhere that implements mailUser, you may use whatever objectclass you find best). That /etc/ldap_dovecot.conf is read by /etc/pam.d/dovecot which is used by dovecot. This may be tweaked to solve your needs.
Regards,
-- Marcio Merlone
On Thu, 2010-02-18 at 09:19 +0100, Stefan Palme wrote:
base="ou=groups,dc=kapott.org"
filter="(&(cn=dovecot)(member=cn=%u,ou=users,dc=kapott,dc=org))"
result_attribute="member"
After finding a DN this way (via attribute "member"), I want to use auth_bind to use this DN for password verification...
How about if it worked like:
pass_attrs = member=bind_dn, ...
pass_filter = ..
?
Attached patch does that. If it works, I'll commit it.
Attached updated patch that actually uses bind_dn, as pointed out by Edgar Fuß.
On Thu, 2010-02-18 at 16:38 +0200, Timo Sirainen wrote:
On Thu, 2010-02-18 at 09:19 +0100, Stefan Palme wrote:
base="ou=groups,dc=kapott.org"
filter="(&(cn=dovecot)(member=cn=%u,ou=users,dc=kapott,dc=org))"
result_attribute="member"
After finding a DN this way (via attribute "member"), I want to use auth_bind to use this DN for password verification...
How about if it worked like:
pass_attrs = member=bind_dn, ...
pass_filter = ..
?
Attached patch does that. If it works, I'll commit it.
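The search-then-bind flow the thread converges on (Stefan's group filter plus Timo's member=bind_dn mapping), as an added example that is not code from the thread or from Dovecot: an in-memory stand-in for the directory, a filter evaluator limited to AND-of-equality filters like the one above, and RFC 4515 escaping of the login name before it is substituted for %u so the name cannot change the filter's shape. The directory entries and passwords are constructed for the example.

```python
import hmac
import re

# Constructed in-memory stand-in for the LDAP tree described in the thread.
DIRECTORY = {
    "cn=user1,ou=users,dc=kapott,dc=org": {"cn": "user1", "userPassword": "s3cret-1"},
    "cn=user2,ou=users,dc=kapott,dc=org": {"cn": "user2", "userPassword": "s3cret-2"},
    "cn=dovecot,ou=groups,dc=kapott,dc=org": {
        "cn": "dovecot",
        "objectClass": "groupOfNames",
        "member": "cn=user1,ou=users,dc=kapott,dc=org",  # user2 is deliberately not a member
    },
}

# The search half: Stefan's filter against the group, with %u expanded per login.
SEARCH_BASE = "ou=groups,dc=kapott,dc=org"
PASS_FILTER = "(&(cn=dovecot)(member=cn=%u,ou=users,dc=kapott,dc=org))"
BIND_DN_ATTR = "member"  # the "member=bind_dn" mapping Timo proposes for pass_attrs


def escape_filter_value(value):
    """RFC 4515 escaping (this example's own) so a login name cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def search_bind_dn(username):
    """Phase 1: evaluate the AND-of-equalities filter; return the DN to bind as, or None."""
    flt = PASS_FILTER.replace("%u", escape_filter_value(username))
    wanted = re.findall(r"\(([^=()]+)=([^()]*)\)", flt)  # [(attr, value), ...]
    for dn, entry in DIRECTORY.items():
        if not dn.endswith("," + SEARCH_BASE):
            continue  # outside the search base
        if all(entry.get(attr) == val for attr, val in wanted):
            return entry.get(BIND_DN_ATTR)
    return None  # no group entry lists this user: refused before any bind happens


def ldap_bind(dn, password):
    """Phase 2: simple bind; the directory, not Dovecot, verifies the password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["userPassword"], password)


def authenticate(username, password):
    """Search-then-bind: group membership gate first, password check second."""
    bind_dn = search_bind_dn(username)
    return bind_dn is not None and ldap_bind(bind_dn, password)
```

A login name containing filter metacharacters is escaped and simply matches no group entry, so it is refused without ever reaching the bind.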