[Dovecot] LDAP: bind to LDAP server instead of retrieving a password from it?
Hi,
Dovecot currently treats an LDAP user/password database the same way as a text or SQL based database: it just tries to retrieve the (hashed) password for a given username. LDAP however has the capability to authenticate the user itself: dovecot could try to bind to LDAP with the given username and password, and if authentication succeeded, the LDAP server returns the other info (uid, homedir, ...), but not the password. I know at least qmail's pop3 server uses LDAP this way. Could this authentication mechanism be implemented in Dovecot as well?
Geert
On Fri, 7 Jul 2006, Geert Hendrickx wrote:
> Dovecot currently treats an LDAP user/password database the same way as a text or SQL based database: it just tries to retrieve the (hashed) password for a given username. LDAP however has the capability to authenticate the user itself: dovecot could try to bind to LDAP with the given username and password, and if authentication succeeded, the LDAP server returns the other info (uid, homedir, ...), but not the password. I know at least qmail's pop3 server uses LDAP this way. Could this authentication mechanism be implemented in Dovecot as well?
Does your dovecot-ldap.conf (the template one that is shipped with Dovecot) mention this:
"# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# NOTE: pass_attrs option will (naturally) be ignored if you enable this.
#auth_bind = no

# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). For example:
#
#   auth_bind_userdn = cn=%u,ou=people,o=org
#
#auth_bind_userdn = "
If not, upgrade.
Bye,
-- Steffen Kaiser
On Mon, Jul 10, 2006 at 09:38:04AM +0200, Steffen Kaiser wrote:
> Does your dovecot-ldap.conf (the template one that is shipped with Dovecot) mention this:
> [...]
Ah, it does. However I was looking at the documentation (wiki.dovecot.org) which does not mention this.
Thanks for the hint,
Geert
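
Added example, not part of the original thread and not Dovecot's own code: a sketch of what a client doing bind authentication with a DN template such as the auth_bind_userdn example above has to get right before it sends the bind. It models only the %u variable; the function names and the sample usernames and passwords are constructed for illustration.

```python
# Characters that must be backslash-escaped anywhere in a DN attribute
# value (RFC 4514, section 2.4).
ESCAPED = set('"+,;<>\\')


def escape_dn_value(value: str) -> str:
    """Escape a string for use as one attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")          # NUL is written as a hex pair
        elif ch in ESCAPED:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":
            out.append("\\" + ch)       # leading space or '#'
        elif i == last and ch == " ":
            out.append("\\ ")           # trailing space
        else:
            out.append(ch)
    return "".join(out)


def bind_request(template: str, username: str, password: str):
    """Return the (dn, password) pair to send in an LDAP simple bind.

    Raises ValueError for input that must never reach the LDAP server.
    """
    if not username:
        raise ValueError("empty username")
    if not password:
        # A non-empty DN with an empty password is an "unauthenticated
        # bind" (RFC 4513, section 5.1.2). A server that accepts it
        # reports success without checking any credential, so the
        # client refuses it up front.
        raise ValueError("empty password refused before contacting LDAP")
    # Escape the username so it stays a single RDN value and cannot
    # append extra DN components to the template.
    return template.replace("%u", escape_dn_value(username)), password


if __name__ == "__main__":
    tmpl = "cn=%u,ou=people,o=org"      # template from the quoted config
    print(bind_request(tmpl, "geert", "s3cret"))
    print(bind_request(tmpl, "a,ou=admins", "s3cret"))
```
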