[Dovecot] LDAP authenticated bind support
Recently at Better.be we implemented LDAP authenticated bind support for dovecot. A patch against CVS HEAD is attached.
I have not tested it against all possible configurations one can use, but the basic operation seems to be right.
As documented in the patch, it adds one new option to the dovecot-ldap.conf configuration file:
# Set "auth_bind" to "yes" if you want to use "authenticated binds"
# as a login validation mechanism. NOTE: the pass_attrs option
# will (naturally) be ignored if you enable this
auth_bind = yes
Authenticated bind support is implemented asynchronously. This involves 2 asynchronous calls: the first being 'ldap_search' to find the dn to bind against and the second being the actual 'ldap_bind' call.
I'd love to hear some feedback on this.
Regards, Marc Maurer Better.be B.V.
Hi,
J.M. Maurer wrote:
Recently at Better.be we implemented LDAP authenticated bind support for dovecot. A patch against CVS HEAD is attached.
I have not tested it against all possible configurations one can use, but the basic operation seems to be right.
As documented in the patch, it adds one new option to the dovecot-ldap.conf configuration file:
# Set "auth_bind" to "yes" if you want to use "authenticated binds"
# as a login validation mechanism. NOTE: the pass_attrs option
# will (naturally) be ignored if you enable this
auth_bind = yes
Authenticated bind support is implemented asynchronously. This involves 2 asynchronous calls: the first being 'ldap_search' to find the dn to bind against and the second being the actual 'ldap_bind' call.
I'd love to hear some feedback on this.
Great work!
It'd be nice to have also a 'fastbind' implementation. It would avoid the 'ldap_search' call on environments where the dn is predictable and you don't need extra search capabilities.
Then the user_filter setting can be used as the template dn, which once expanded (%u, %d, ...) you have the dn do the 'ldap_bind' call.
An example of this can be found in saslauthd.
Regards, Marc Maurer Better.be B.V.
Regards,
Angel Marin http://anmar.eu.org/
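The 'fastbind' idea above builds the bind DN from a template and the login name, skipping the ldap_search() step. Here is an added example in C of such a template expander; it is not code from the patch, from Dovecot or from saslauthd. The part a practitioner wants to see is the escaping: the values substituted for %u and %d are escaped according to RFC 4514 so that a login name containing ',' '+' '"' '\' '<' '>' ';', a leading space or '#', or a trailing space cannot change which entry the bind refers to. The function names, the %% escape, the 512-byte static buffer and the sample logins are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Characters RFC 4514 requires escaping anywhere inside a DN attribute value. */
static int dn_special(char c)
{
    return c == ',' || c == '+' || c == '"' || c == '\\' ||
           c == '<' || c == '>' || c == ';';
}

/* Append val to out (capacity outsz, current length *pos), escaping as a DN
   value. Returns 0 if the result would not fit, leaving out NUL-terminated. */
static int dn_append_escaped(char *out, size_t outsz, size_t *pos, const char *val)
{
    size_t n = strlen(val);
    for (size_t i = 0; i < n; i++) {
        char c = val[i];
        int esc = dn_special(c) ||
                  (i == 0 && (c == ' ' || c == '#')) ||   /* leading space or '#' */
                  (i == n - 1 && c == ' ');               /* trailing space */
        if (*pos + (esc ? 2 : 1) >= outsz)   /* keep room for the terminating NUL */
            return 0;
        if (esc)
            out[(*pos)++] = '\\';
        out[(*pos)++] = c;
    }
    out[*pos] = '\0';
    return 1;
}

/* Expand %u (user), %d (domain) and %% in tmpl into out (hypothetical helper).
   Any other %-sequence, or a lone trailing '%', is rejected.
   Returns 1 on success, 0 on failure. */
int expand_bind_dn(const char *tmpl, const char *user, const char *domain,
                   char *out, size_t outsz)
{
    size_t pos = 0;

    if (outsz == 0)
        return 0;
    out[0] = '\0';
    for (const char *p = tmpl; *p != '\0'; p++) {
        if (*p != '%') {
            if (pos + 1 >= outsz)
                return 0;
            out[pos++] = *p;
            out[pos] = '\0';
            continue;
        }
        p++;
        if (*p == 'u') {
            if (!dn_append_escaped(out, outsz, &pos, user)) return 0;
        } else if (*p == 'd') {
            if (!dn_append_escaped(out, outsz, &pos, domain)) return 0;
        } else if (*p == '%') {
            if (pos + 1 >= outsz) return 0;
            out[pos++] = '%';
            out[pos] = '\0';
        } else {
            return 0;   /* unknown variable, or template ended right after '%' */
        }
    }
    return 1;
}

/* Convenience wrapper returning a pointer to a static buffer, NULL on failure. */
const char *expand_bind_dn_static(const char *tmpl, const char *user, const char *domain)
{
    static char buf[512];
    return expand_bind_dn(tmpl, user, domain, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    const char *tmpl = "uid=%u,ou=%d,dc=example,dc=com";
    /* Constructed sample logins: a plain name, and one containing a comma
       that would otherwise add a second RDN to the bind DN. */
    printf("%s\n", expand_bind_dn_static(tmpl, "alice", "sales"));
    printf("%s\n", expand_bind_dn_static(tmpl, "alice,ou=admins", "sales"));
    return 0;
}
```

With this in place the second sample login expands to `uid=alice\,ou=admins,ou=sales,dc=example,dc=com`, a single RDN value rather than a different entry, and the bind simply fails for a nonexistent user.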
On Fri, 2005-12-02 at 13:28 +0100, J.M. Maurer wrote:
Recently at Better.be we implemented LDAP authenticated bind support for dovecot. A patch against CVS HEAD is attached.
Thanks. I'm doing a few small modifications to this, should be in CVS soon.
Is there a reason why ldap_verify_plain_authbind() calls ldap_search() directly instead of using db_ldap_search(), other than the ability to specify scope? Using db_ldap_search() it'll reconnect to LDAP server whenever it needs to.
On Fri, 2005-12-30 at 16:54 +0200, Timo Sirainen wrote:
On Fri, 2005-12-02 at 13:28 +0100, J.M. Maurer wrote:
Recently at Better.be we implemented LDAP authenticated bind support for dovecot. A patch against CVS HEAD is attached.
Thanks. I'm doing a few small modifications to this, should be in CVS soon.
Great, thanks. I hate maintaining patches :)
Is there a reason why ldap_verify_plain_authbind() calls ldap_search() directly instead of using db_ldap_search(), other than the ability to specify scope? Using db_ldap_search() it'll reconnect to LDAP server whenever it needs to.
db_ldap_search() can specify the scope too. Think more along the lines of "I hadn't had coffee yet when I wrote that line".
Note that when you s/ldap_search/db_ldap_search/, you'll have to tweak handle_request_authbind_search() too, as it will think the ldap_search() call went successfully when res == NULL (while db_ldap_search will return NULL on error).
Cheers, Marc
On Fri, 2005-12-30 at 16:37 +0100, J.M. Maurer wrote:
On Fri, 2005-12-30 at 16:54 +0200, Timo Sirainen wrote:
On Fri, 2005-12-02 at 13:28 +0100, J.M. Maurer wrote:
Recently at Better.be we implemented LDAP authenticated bind support for dovecot. A patch against CVS HEAD is attached.
Thanks. I'm doing a few small modifications to this, should be in CVS soon.
Great, thanks. I hate maintaining patches :)
I actually ended up changing things quite a lot, not just your patch but other parts of LDAP code too. It compiles, but I didn't try if it still works. :)
One thing that I know I changed was checking how bind failures are handled. I wanted to separate the invalid password and internal errors. Is checking LDAP_INVALID_CREDENTIALS enough? Maybe LDAP_INAPPROPRIATE_AUTH or LDAP_INSUFFICIENT_ACCESS?
Great, thanks. I hate maintaining patches :)
I actually ended up changing things quite a lot, not just your patch but other parts of LDAP code too. It compiles, but I didn't try if it still works. :)
Sounds familiar :D
One thing that I know I changed was checking how bind failures are handled. I wanted to separate the invalid password and internal errors. Is checking LDAP_INVALID_CREDENTIALS enough? Maybe LDAP_INAPPROPRIATE_AUTH or LDAP_INSUFFICIENT_ACCESS?
You mean you want to report an internal error when the ldap_bind result != (LDAP_INVALID_CREDENTIALS | LDAP_INAPPROPRIATE_AUTH | LDAP_INSUFFICIENT_ACCESS) ?
I think that that would suffice for most (all?) cases, yes.
Cheers, Marc
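On the question of which bind result codes count as an authentication failure and which as an internal error, here is an added example in C that classifies the three codes named above; it is not Timo's or Dovecot's code. The numeric values are the standard RFC 4511 result codes (inappropriateAuthentication 48, invalidCredentials 49, insufficientAccessRights 50, busy 51, unavailable 52) plus OpenLDAP's client-side LDAP_SERVER_DOWN (0x51 = 81); they are the values the LDAP_* macros in OpenLDAP's ldap.h expand to, redefined here with an EX_ prefix so the example builds without libldap. The struct layout, the reconnect flag and the log strings are assumptions. One check worth making: OR-ing the three codes together, as in the expression in the message above, gives 51, which is the value of LDAP_BUSY, so the code has to compare against each result code individually rather than use the OR as a mask.

```c
#include <stdio.h>

/* Standard LDAP result codes (RFC 4511) and one OpenLDAP API-side code;
   numerically identical to the LDAP_* macros in <ldap.h>. Defined here so
   the example builds without libldap. */
#define EX_LDAP_SUCCESS               0
#define EX_LDAP_INAPPROPRIATE_AUTH   48
#define EX_LDAP_INVALID_CREDENTIALS  49
#define EX_LDAP_INSUFFICIENT_ACCESS  50
#define EX_LDAP_BUSY                 51
#define EX_LDAP_UNAVAILABLE          52
#define EX_LDAP_SERVER_DOWN          81   /* 0x51, OpenLDAP client library */

enum bind_outcome {
    BIND_OK,              /* credentials accepted */
    BIND_AUTH_FAILED,     /* attributable to the user: wrong password, or the
                             entry is not allowed to bind */
    BIND_INTERNAL_ERROR   /* server or connection problem: log it, possibly
                             reconnect, do not report it as a bad password */
};

struct bind_verdict {
    enum bind_outcome outcome;
    int reconnect;        /* 1 if the LDAP connection should be re-established */
    const char *log_msg;  /* for the server log only; the client only learns
                             "authentication failed" or "temporary failure" */
};

/* Map an ldap_bind() result code to a verdict (hypothetical helper). */
struct bind_verdict classify_bind_result(int rc)
{
    struct bind_verdict v = { BIND_INTERNAL_ERROR, 0,
                              "ldap_bind failed: unexpected result code" };
    switch (rc) {
    case EX_LDAP_SUCCESS:
        v.outcome = BIND_OK;
        v.log_msg = "bind succeeded";
        break;
    case EX_LDAP_INVALID_CREDENTIALS:
        v.outcome = BIND_AUTH_FAILED;
        v.log_msg = "invalid credentials";
        break;
    case EX_LDAP_INAPPROPRIATE_AUTH:
        v.outcome = BIND_AUTH_FAILED;
        v.log_msg = "inappropriate authentication (entry has no password?)";
        break;
    case EX_LDAP_INSUFFICIENT_ACCESS:
        v.outcome = BIND_AUTH_FAILED;
        v.log_msg = "insufficient access rights for bind";
        break;
    case EX_LDAP_SERVER_DOWN:
        v.reconnect = 1;
        v.log_msg = "LDAP server connection lost, reconnecting";
        break;
    case EX_LDAP_BUSY:
    case EX_LDAP_UNAVAILABLE:
        v.log_msg = "LDAP server busy or unavailable, retry later";
        break;
    }
    return v;
}

/* The three auth-failure codes OR-ed together: 48 | 49 | 50 == 51 == LDAP_BUSY,
   which is why they cannot be combined into a single comparison mask. */
int or_of_auth_failure_codes(void)
{
    return EX_LDAP_INAPPROPRIATE_AUTH | EX_LDAP_INVALID_CREDENTIALS |
           EX_LDAP_INSUFFICIENT_ACCESS;
}

int main(void)
{
    /* Constructed sample result codes as ldap_bind() might return them. */
    int codes[] = { 0, 49, 48, 50, 51, 81, 999 };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        struct bind_verdict v = classify_bind_result(codes[i]);
        printf("rc=%3d outcome=%d reconnect=%d %s\n",
               codes[i], v.outcome, v.reconnect, v.log_msg);
    }
    printf("48|49|50 = %d (LDAP_BUSY is %d)\n",
           or_of_auth_failure_codes(), EX_LDAP_BUSY);
    return 0;
}
```

Keeping the detailed reason in the server log while returning the same generic failure to the client for all three BIND_AUTH_FAILED codes avoids telling an unauthenticated client whether an account exists or merely has a wrong password.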