Authenticate users using their firstname
Hi,
I'm setting up a Postfic and Dovecot with LDAP email server. My users in LDAP is like this:
dn: uid=firstname,ou=People,dc=domain,dc=com
uid: firstname
uidNumber: 4025
gidNumber: 4025
givenName: firstname
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/firstname
cn: firstname lastname
mail: firstname.lastname@domain.com<mailto:firstname.lastname@domain.com>
This is how I connect Dovecot with LDAP
hosts = ldapserver
ldap_version = 3
base = ou=People,dc=domain,dc=com
deref = never
scope = subtree
user_attrs =
user_filter = (&(objectclass=inetOrgPerson)(uid=%n)
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectclass=inetOrgPerson)(uid=%n))
default_pass_scheme = SSHA
When I enter a user's email address and password as the following: email: firstname.lastname@domain.com<mailto:firstname.lastname@domain.com> password: password
and according to my setting which I used "%n" as you see above, the username used to authenticate is "firstname.lastname". I checked the Dovecot variables but I couldn't find something useful in this case to manipulate the "%n" variable.
I would like to keep using email addresses as "firstname.lastname@domain.com"<mailto:firstname.lastname@domain.com> but authenticate users using their first name. I really hit a wall here and any help will be much appreciated.
Why not authenticate users by email address? Using firstname as user identifier does not sound very long term solution...
Anyways...
if you insist on using firstname only, you'll need to use Lua auth database to split the username (or perform the whole deal)
passdb { driver = lua args = file="/etc/dovecot/username.lua" blocking=no }
passdb { driver = ldap args = /ldap.config }
and put into username.lua
function auth_passdb_lookup(req) firstname = req.username:gsub("^([^.]+)[.].*", "%1") return dovecot.auth.PASSDB_RESULT_OK, {firstname=firstname, noauthenticate="y"} end
Aki
On 29 September 2018 at 11:42 Fady AL HAYALI <codeforger@outlook.com> wrote:
Hi,
I'm setting up a Postfic and Dovecot with LDAP email server. My users in LDAP is like this:
dn: uid=firstname,ou=People,dc=domain,dc=com uid: firstname uidNumber: 4025 gidNumber: 4025 givenName: firstname objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount objectClass: organizationalPerson objectClass: inetOrgPerson loginShell: /bin/bash homeDirectory: /home/firstname cn: firstname lastname mail: firstname.lastname@domain.com<mailto:firstname.lastname@domain.com>
This is how I connect Dovecot with LDAP
hosts = ldapserver ldap_version = 3 base = ou=People,dc=domain,dc=com deref = never scope = subtree user_attrs = user_filter = (&(objectclass=inetOrgPerson)(uid=%n) pass_attrs = uid=user,userPassword=password pass_filter = (&(objectclass=inetOrgPerson)(uid=%n)) default_pass_scheme = SSHA
When I enter a user's email address and password as the following: email: firstname.lastname@domain.com<mailto:firstname.lastname@domain.com> password: password
and according to my setting which I used "%n" as you see above, the username used to authenticate is "firstname.lastname". I checked the Dovecot variables but I couldn't find something useful in this case to manipulate the "%n" variable.
I would like to keep using email addresses as "firstname.lastname@domain.com"<mailto:firstname.lastname@domain.com> but authenticate users using their first name. I really hit a wall here and any help will be much appreciated.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Sat, 29 Sep 2018, Fady AL HAYALI wrote:
I'm setting up a Postfic and Dovecot with LDAP email server. My users in LDAP is like this:
dn: uid=firstname,ou=People,dc=domain,dc=com uid: firstname uidNumber: 4025 gidNumber: 4025 givenName: firstname objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount objectClass: organizationalPerson objectClass: inetOrgPerson loginShell: /bin/bash homeDirectory: /home/firstname cn: firstname lastname mail: firstname.lastname@domain.com<mailto:firstname.lastname@domain.com>
This is how I connect Dovecot with LDAP
hosts = ldapserver ldap_version = 3 base = ou=People,dc=domain,dc=com deref = never scope = subtree user_attrs = user_filter = (&(objectclass=inetOrgPerson)(uid=%n) pass_attrs = uid=user,userPassword=password pass_filter = (&(objectclass=inetOrgPerson)(uid=%n)) default_pass_scheme = SSHA
When I enter a user's email address and password as the following: email: firstname.lastname@domain.com<mailto:firstname.lastname@domain.com> password: password
and according to my setting which I used "%n" as you see above, the username used to authenticate is "firstname.lastname". I checked the Dovecot variables but I couldn't find something useful in this case to manipulate the "%n" variable.
I would like to keep using email addresses as "firstname.lastname@domain.com"<mailto:firstname.lastname@domain.com> but authenticate users using their first name. I really hit a wall here and any help will be much appreciated.
Well, for me, this sounds strange, using firstname only. Why not let your users enter the firstname only? Or:
pass_filter = (&(objectclass=inetOrgPerson)(|(uid=%n)(mail=%n@*)))
If firstname is unique, mail should be unique as well.
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQEVAwUBW7IQ7MQnQQNheMxiAQIqtwgAkswe2jx7rXSJsGI8sh6Bd5d2f0MVx9nw 8IcW23vZlqpZOq9jGe8wD937IwKU1PSmMw7Ac2RiGUDts8rUWLp829DtwgovxGpj iP6qwxhfp8HcFaH0LE8oqWUnlaxh8Df9Nrwg7DPr/qebepUJAzQU6CAkODUy+osl z799U6RoI74fZyIT8gaAJ1mI+swOFcdawNMqv8S7+Iab7jtzTdHYN7J/YYM0rvzF amt+kad1OayunRl7OhV1j0BPqdIFDHaC08KAf2cN+GKAWzWNY/ZWe9Y0nloq++fh IAHZSDe8CSTS/fT+4IiHXT10aJJQob3AnbJ3264+JZ9cIZjpnn/KnQ== =sof6 -----END PGP SIGNATURE-----
On 01 October 2018 at 15:19 Steffen Kaiser <skdovecot@inf.h-brs.de> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Sat, 29 Sep 2018, Fady AL HAYALI wrote:
I'm setting up a Postfic and Dovecot with LDAP email server. My users in LDAP is like this:
dn: uid=firstname,ou=People,dc=domain,dc=com uid: firstname uidNumber: 4025 gidNumber: 4025 givenName: firstname objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount objectClass: organizationalPerson objectClass: inetOrgPerson loginShell: /bin/bash homeDirectory: /home/firstname cn: firstname lastname mail: firstname.lastname@domain.com<mailto:firstname.lastname@domain.com>
This is how I connect Dovecot with LDAP
hosts = ldapserver ldap_version = 3 base = ou=People,dc=domain,dc=com deref = never scope = subtree user_attrs = user_filter = (&(objectclass=inetOrgPerson)(uid=%n) pass_attrs = uid=user,userPassword=password pass_filter = (&(objectclass=inetOrgPerson)(uid=%n)) default_pass_scheme = SSHA
When I enter a user's email address and password as the following: email: firstname.lastname@domain.com<mailto:firstname.lastname@domain.com> password: password
and according to my setting which I used "%n" as you see above, the username used to authenticate is "firstname.lastname". I checked the Dovecot variables but I couldn't find something useful in this case to manipulate the "%n" variable.
I would like to keep using email addresses as "firstname.lastname@domain.com"<mailto:firstname.lastname@domain.com> but authenticate users using their first name. I really hit a wall here and any help will be much appreciated.
Well, for me, this sounds strange, using firstname only. Why not let your users enter the firstname only? Or:
pass_filter = (&(objectclass=inetOrgPerson)(|(uid=%n)(mail=%n@*)))
If firstname is unique, mail should be unique as well.
Steffen Kaiser
Steffen, I understood their mail addresses are like steffen.kaiser@domain.com, but uid's are like uid=steffen
Aki
Von unterwegs gesendet
Am 01.10.2018 um 18:27 schrieb Aki Tuomi <aki.tuomi@open-xchange.com>:
On 01 October 2018 at 15:19 Steffen Kaiser <skdovecot@inf.h-brs.de> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Sat, 29 Sep 2018, Fady AL HAYALI wrote:
I'm setting up a Postfic and Dovecot with LDAP email server. My users in LDAP is like this:
dn: uid=firstname,ou=People,dc=domain,dc=com uid: firstname uidNumber: 4025 gidNumber: 4025 givenName: firstname objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount objectClass: organizationalPerson objectClass: inetOrgPerson loginShell: /bin/bash homeDirectory: /home/firstname cn: firstname lastname mail: firstname.lastname@domain.com<mailto:firstname.lastname@domain.com>
This is how I connect Dovecot with LDAP
hosts = ldapserver ldap_version = 3 base = ou=People,dc=domain,dc=com deref = never scope = subtree user_attrs = user_filter = (&(objectclass=inetOrgPerson)(uid=%n) pass_attrs = uid=user,userPassword=password pass_filter = (&(objectclass=inetOrgPerson)(uid=%n)) default_pass_scheme = SSHA
When I enter a user's email address and password as the following: email: firstname.lastname@domain.com<mailto:firstname.lastname@domain.com> password: password
and according to my setting which I used "%n" as you see above, the username used to authenticate is "firstname.lastname". I checked the Dovecot variables but I couldn't find something useful in this case to manipulate the "%n" variable.
I would like to keep using email addresses as "firstname.lastname@domain.com"<mailto:firstname.lastname@domain.com> but authenticate users using their first name. I really hit a wall here and any help will be much appreciated.
Well, for me, this sounds strange, using firstname only. Why not let your users enter the firstname only? Or:
pass_filter = (&(objectclass=inetOrgPerson)(|(uid=%n)(mail=%n@*)))
If firstname is unique, mail should be unique as well.
Steffen Kaiser
Steffen, I understood their mail addresses are like steffen.kaiser@domain.com, but uid's are like uid=steffen
Aki
I guess this seems to be the desired behaviour as well. Getting interesting when handling collisions. Not possible to decide by password which account should be used as far as i can tell, as this would be some sort of brute force authentication?!?
-M
On Mon, Oct 01, 2018 at 11:25:48PM +0200, Admin wrote:
Von unterwegs gesendet
Am 01.10.2018 um 18:27 schrieb Aki Tuomi <aki.tuomi@open-xchange.com>:
On 01 October 2018 at 15:19 Steffen Kaiser <skdovecot@inf.h-brs.de> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Sat, 29 Sep 2018, Fady AL HAYALI wrote:
I'm setting up a Postfic and Dovecot with LDAP email server. My users in LDAP is like this:
dn: uid=firstname,ou=People,dc=domain,dc=com uid: firstname uidNumber: 4025 gidNumber: 4025 givenName: firstname objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount objectClass: organizationalPerson objectClass: inetOrgPerson loginShell: /bin/bash homeDirectory: /home/firstname cn: firstname lastname mail: firstname.lastname@domain.com<mailto:firstname.lastname@domain.com>
This is how I connect Dovecot with LDAP
hosts = ldapserver ldap_version = 3 base = ou=People,dc=domain,dc=com deref = never scope = subtree user_attrs = user_filter = (&(objectclass=inetOrgPerson)(uid=%n) pass_attrs = uid=user,userPassword=password pass_filter = (&(objectclass=inetOrgPerson)(uid=%n)) default_pass_scheme = SSHA
When I enter a user's email address and password as the following: email: firstname.lastname@domain.com<mailto:firstname.lastname@domain.com> password: password
and according to my setting which I used "%n" as you see above, the username used to authenticate is "firstname.lastname". I checked the Dovecot variables but I couldn't find something useful in this case to manipulate the "%n" variable.
I would like to keep using email addresses as "firstname.lastname@domain.com"<mailto:firstname.lastname@domain.com> but authenticate users using their first name. I really hit a wall here and any help will be much appreciated.
Well, for me, this sounds strange, using firstname only. Why not let your users enter the firstname only? Or:
pass_filter = (&(objectclass=inetOrgPerson)(|(uid=%n)(mail=%n@*)))
If firstname is unique, mail should be unique as well.
Steffen Kaiser
Steffen, I understood their mail addresses are like steffen.kaiser@domain.com, but uid's are like uid=steffen
Aki
I guess this seems to be the desired behaviour as well. Getting interesting when handling collisions. Not possible to decide by password which account should be used as far as i can tell, as this would be some sort of brute force authentication?!?
Not when a lot of people choose 123456 as their passwords.
-- hendrik
-M
Am 02.10.2018 um 00:59 schrieb Hendrik Boom <hendrik@topoi.pooq.com>:
On Mon, Oct 01, 2018 at 11:25:48PM +0200, Admin wrote:
Von unterwegs gesendet
Am 01.10.2018 um 18:27 schrieb Aki Tuomi <aki.tuomi@open-xchange.com>:
On 01 October 2018 at 15:19 Steffen Kaiser <skdovecot@inf.h-brs.de> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Sat, 29 Sep 2018, Fady AL HAYALI wrote:
I'm setting up a Postfic and Dovecot with LDAP email server. My users in LDAP is like this:
dn: uid=firstname,ou=People,dc=domain,dc=com uid: firstname uidNumber: 4025 gidNumber: 4025 givenName: firstname objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount objectClass: organizationalPerson objectClass: inetOrgPerson loginShell: /bin/bash homeDirectory: /home/firstname cn: firstname lastname mail: firstname.lastname@domain.com<mailto:firstname.lastname@domain.com>
This is how I connect Dovecot with LDAP
hosts = ldapserver ldap_version = 3 base = ou=People,dc=domain,dc=com deref = never scope = subtree user_attrs = user_filter = (&(objectclass=inetOrgPerson)(uid=%n) pass_attrs = uid=user,userPassword=password pass_filter = (&(objectclass=inetOrgPerson)(uid=%n)) default_pass_scheme = SSHA
When I enter a user's email address and password as the following: email: firstname.lastname@domain.com<mailto:firstname.lastname@domain.com> password: password
and according to my setting which I used "%n" as you see above, the username used to authenticate is "firstname.lastname". I checked the Dovecot variables but I couldn't find something useful in this case to manipulate the "%n" variable.
I would like to keep using email addresses as "firstname.lastname@domain.com"<mailto:firstname.lastname@domain.com> but authenticate users using their first name. I really hit a wall here and any help will be much appreciated.
Well, for me, this sounds strange, using firstname only. Why not let your users enter the firstname only? Or:
pass_filter = (&(objectclass=inetOrgPerson)(|(uid=%n)(mail=%n@*)))
If firstname is unique, mail should be unique as well.
Steffen Kaiser
Steffen, I understood their mail addresses are like steffen.kaiser@domain.com, but uid's are like uid=steffen
Aki
I guess this seems to be the desired behaviour as well. Getting interesting when handling collisions. Not possible to decide by password which account should be used as far as i can tell, as this would be some sort of brute force authentication?!?
Not when a lot of people choose 123456 as their passwords.
I guess at this point the last name would make an excellent password :)
-- hendrik
-M
participants (6)
-
admin
-
Admin
-
Aki Tuomi
-
Fady AL HAYALI
-
Hendrik Boom
-
Steffen Kaiser