ldap sasl bind and auth_bind
Hello,
I am using
# dovecot --version
2.2.18
# dovecot -n
# 2.2.18: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8 (0c4ae064f307+)
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:24: 'imaps' protocol can no longer be specified (use protocols=imap). to disable non-ssl imap, use service imap-login { inet_listener imap { port=0 } }
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:24: 'imaps' protocol can no longer be specified (use protocols=imap). to disable non-ssl imap, use service imap-login { inet_listener imap { port=0 } }
# OS: Linux 4.1.27-27-default x86_64 openSUSE 42.1 (x86_64)
first_valid_uid = 1
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = lmtp imap
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl = required
ssl_ca = /etc/pki/trust/anchors/rootCA.pem
ssl_cert =
I use LDAP for user and passwd databases as the following:
uris = ldapi:///
sasl_bind = yes
sasl_mech = EXTERNAL
auth_bind = yes
And I found that only the first authentication after a dovecot restart is successful; the others always fail with temp. The reason is that dovecot rebinds to an anonymous bind after a successful auth bind instead of rebinding to the external SASL bind.
Hello,
I believe there is a bug in logic. The following code snippet from db_ldap_connect() function:
    if (conn->set.sasl_bind) {
#ifdef HAVE_LDAP_SASL
        struct db_ldap_sasl_bind_context context;

        memset(&context, 0, sizeof(context));
        context.authcid = conn->set.dn;
        context.passwd = conn->set.dnpass;
        context.realm = conn->set.sasl_realm;
        context.authzid = conn->set.sasl_authz_id;

        /* There doesn't seem to be a way to do SASL binding
           asynchronously.. */
        ret = ldap_sasl_interactive_bind_s(conn->ld, NULL,
                                           conn->set.sasl_mech,
                                           NULL, NULL,
                                           LDAP_SASL_QUIET, sasl_interact, &context);
        if (db_ldap_connect_finish(conn, ret) < 0)
            return -1;
#else
        i_unreached(); /* already checked at init */
#endif
        conn->conn_state = LDAP_CONN_STATE_BOUND_DEFAULT;
    } else {
        if (db_ldap_bind(conn) < 0)
            return -1;
    }
has to be inside the db_ldap_bind() function, because db_ldap_bind() is used to return the connection to its initial state, which is SASL-bound as required by the config file.
On 17.09.2016 20:22, Matwey V. Kornilov wrote:
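To make the reported state problem concrete, here is a small C model of the bind state machine, added as an illustration and not taken from Dovecot's sources. It assumes the configuration posted above (sasl_bind = yes, sasl_mech = EXTERNAL, no dn, auth_bind = yes) and models two ways of restoring the "default" bind after an auth bind: the reported behaviour, where the restore is always a simple bind (anonymous when no dn is set), and the proposed behaviour, where the restore repeats whichever bind the initial connect used. All struct and function names are the example's own, chosen to mirror the thread's description.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Dovecot code: a minimal model of the LDAP
   connection bind state discussed in the thread. */

enum bind_kind { BIND_NONE, BIND_SIMPLE, BIND_SASL };

struct ldap_settings {
    int sasl_bind;           /* sasl_bind = yes */
    const char *sasl_mech;   /* e.g. "EXTERNAL" */
    const char *dn;          /* bind DN for a simple bind; NULL = anonymous */
    int auth_bind;           /* auth_bind = yes */
};

struct ldap_conn {
    struct ldap_settings set;
    enum bind_kind kind;
    char identity[64];       /* the identity the server currently sees */
    int in_default_state;    /* 1 once the connect-time bind is in place */
};

/* Model of the SASL branch of the connect path: bind with the configured mechanism. */
static void sasl_bind(struct ldap_conn *c)
{
    c->kind = BIND_SASL;
    snprintf(c->identity, sizeof c->identity, "sasl:%s", c->set.sasl_mech);
}

/* Model of a plain simple bind with dn/dnpass; anonymous when dn is unset. */
static void simple_bind(struct ldap_conn *c)
{
    c->kind = BIND_SIMPLE;
    snprintf(c->identity, sizeof c->identity, "%s",
             c->set.dn != NULL ? c->set.dn : "anonymous");
}

/* Connect: SASL bind if configured, otherwise simple bind. */
static void model_connect(struct ldap_conn *c, const struct ldap_settings *set)
{
    c->set = *set;
    if (c->set.sasl_bind)
        sasl_bind(c);
    else
        simple_bind(c);
    c->in_default_state = 1;
}

/* auth_bind: bind as the user's DN to verify the password. The connection
   now carries that user's identity, so it must be restored afterwards. */
static void model_auth_bind(struct ldap_conn *c, const char *user_dn)
{
    c->kind = BIND_SIMPLE;
    snprintf(c->identity, sizeof c->identity, "%s", user_dn);
    c->in_default_state = 0;
}

/* Reported behaviour: restoring the default state always does a simple bind,
   which with no dn configured is an anonymous bind. */
static void rebind_as_reported(struct ldap_conn *c)
{
    simple_bind(c);
    c->in_default_state = 1;
}

/* Proposed behaviour: restoring the default state repeats the connect-time bind. */
static void rebind_proposed(struct ldap_conn *c)
{
    if (c->set.sasl_bind)
        sasl_bind(c);
    else
        simple_bind(c);
    c->in_default_state = 1;
}

/* Run one login (auth bind + restore) and report the identity under which
   the next login's lookups would run. Returns a static buffer. */
const char *identity_after_login(int use_proposed)
{
    static char out[64];
    /* constructed settings matching the posted dovecot-ldap.conf.ext */
    struct ldap_settings set = { 1, "EXTERNAL", NULL, 1 };
    struct ldap_conn c;

    model_connect(&c, &set);
    model_auth_bind(&c, "uid=alice,ou=people,dc=example,dc=org"); /* constructed DN */
    if (use_proposed)
        rebind_proposed(&c);
    else
        rebind_as_reported(&c);
    snprintf(out, sizeof out, "%s", c.identity);
    return out;
}

int main(void)
{
    printf("reported restore -> next lookup runs as: %s\n", identity_after_login(0));
    printf("proposed restore -> next lookup runs as: %s\n", identity_after_login(1));
    return 0;
}
```

With the reported behaviour the second login's lookups run anonymously, which is why they fail once the directory refuses anonymous searches; with the proposed behaviour the connection returns to the SASL EXTERNAL identity that the first login relied on.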
Participants (1): Matwey V. Kornilov