Would be possible following scenario?

1. do the SQL passdb lookup, do the remap & return password = NULL without nopassword
2. do the LDAP bind

I think it works, but I'm not sure if there are some security/other flaws.

Milo

Dne 11.01.2021 v 17:11 Miloslav Hůla napsal(a):

Probably not way for me. I forgot to write, then I cannot change LDAP schema, so bindDN is fixed for me.

Milo

Dne 11.01.2021 v 17:00 Aki Tuomi napsal(a):

...

auth_bind_userdn = uid=%d,dc=domain,dc=tld, also see

%D - return “sub.domain.org” as “sub,dc=domain,dc=org” (for LDAP queries)

from https://doc.dovecot.org/configuration_manual/config_file/config_variables/

Aki

...

On 11/01/2021 17:58 Miloslav Hůla <miloslav.hula@gmail.com> wrote:

Hi,

with Dovecot 2.3.4 I would like to allow user to login with two different usernames:

• USERNAME (no domain) - now works
• name.surname@domain.tld - would like to add

Problem is, that the only authentication method I have is LDAP bind by USERNAME. Now I use:

============ passdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext }

Args

uris = ldaps://ldap.domain.tld auth_bind = yes auth_bind_userdn = uid=%u,dc=domain,dc=tld base =

I know passdb can remap user&domain, but I have no password hash at all. And for example '{SASL}' is not supported password scheme to return e.g. from SQL passdb.

Is there any way how to achive this? Maybe somehow remap username in first passdb and then continue to LDAP bind?

1. login as name.surname@domain.tld
2. remap to USERNAME
3. do the LDAP bind

Milo

I'm sorry, I explained it wrong.

It is not login with & without domain scenario. I have internal company usernames + passwords and e-mail addresses.

I want to achive:

• internal username + password login to work
• email + password login to work

Now works: Username: milo Password: 123456

Want to allow: Username: miloslav.hula@domain.tld Password: 123456

which somehow remaps to 'milo' username, so same Maildir access.

Milo

Dne 11.01.2021 v 17:32 Aki Tuomi napsal(a):

Not sure if you read my mail wrong, but

if

user.name works

and

user.name@domain.com does not work,

then why not just write

auth_bind_userdn = uid=%d,dc=domain,dc=tld

note the %d, which means, expand to local part (user.name) instead of user.name@domain.com.

Aki

...

On 11/01/2021 18:28 Miloslav Hůla <miloslav.hula@gmail.com> wrote:

Would be possible following scenario?

1. do the SQL passdb lookup, do the remap & return password = NULL without nopassword
2. do the LDAP bind

I think it works, but I'm not sure if there are some security/other flaws.

Milo

Dne 11.01.2021 v 17:11 Miloslav Hůla napsal(a):

...

Probably not way for me. I forgot to write, then I cannot change LDAP schema, so bindDN is fixed for me.

Milo

Dne 11.01.2021 v 17:00 Aki Tuomi napsal(a):

...

auth_bind_userdn = uid=%d,dc=domain,dc=tld, also see

%D - return “sub.domain.org” as “sub,dc=domain,dc=org” (for LDAP queries)

from https://doc.dovecot.org/configuration_manual/config_file/config_variables/

Aki

...

On 11/01/2021 17:58 Miloslav Hůla <miloslav.hula@gmail.com> wrote:

Hi,

with Dovecot 2.3.4 I would like to allow user to login with two different usernames:

• USERNAME (no domain) - now works
• name.surname@domain.tld - would like to add

Problem is, that the only authentication method I have is LDAP bind by USERNAME. Now I use:

============ passdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext }

Args

uris = ldaps://ldap.domain.tld auth_bind = yes auth_bind_userdn = uid=%u,dc=domain,dc=tld base =

I know passdb can remap user&domain, but I have no password hash at all. And for example '{SASL}' is not supported password scheme to return e.g. from SQL passdb.

Is there any way how to achive this? Maybe somehow remap username in first passdb and then continue to LDAP bind?

1. login as name.surname@domain.tld
2. remap to USERNAME
3. do the LDAP bind

Milo