Hi,
With Dovecot 2.3.4 I would like to allow users to log in with two different usernames:
- USERNAME (no domain) - now works
- name.surname@domain.tld - would like to add
The problem is that the only authentication method I have is LDAP bind by USERNAME. Now I use:
============
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# Args
uris = ldaps://ldap.domain.tld
auth_bind = yes
auth_bind_userdn = uid=%u,dc=domain,dc=tld
base =
I know a passdb can remap user & domain, but I have no password hash at all. And for example '{SASL}' is not a supported password scheme to return, e.g. from an SQL passdb.
Is there any way to achieve this? Maybe somehow remap the username in a first passdb and then continue to the LDAP bind?
- login as name.surname@domain.tld
- remap to USERNAME
- do the LDAP bind
Milo
auth_bind_userdn = uid=%d,dc=domain,dc=tld, also see
%D - return “sub.domain.org” as “sub,dc=domain,dc=org” (for LDAP queries)
from https://doc.dovecot.org/configuration_manual/config_file/config_variables/
Aki
On 11/01/2021 17:58 Miloslav Hůla miloslav.hula@gmail.com wrote:
Probably not a way for me. I forgot to write that I cannot change the LDAP schema, so the bindDN is fixed for me.
Milo
On 11.01.2021 at 17:00 Aki Tuomi wrote:
Would the following scenario be possible?
- do the SQL passdb lookup, do the remap & return password = NULL without nopassword
- do the LDAP bind
I think it works, but I'm not sure whether there are security or other flaws.
Milo
On 11.01.2021 at 17:11 Miloslav Hůla wrote:
Not sure if you read my mail wrong, but if user.name works and user.name@domain.com does not work, then why not just write
auth_bind_userdn = uid=%d,dc=domain,dc=tld
Note the %d, which means: expand to the local part (user.name) instead of user.name@domain.com.
Aki
On 11/01/2021 18:28 Miloslav Hůla miloslav.hula@gmail.com wrote:
I'm sorry, I explained it wrong.
It is not a login with & without domain scenario. I have internal company usernames + passwords and e-mail addresses.
I want to achieve:
- internal username + password login to work
- email + password login to work
Now works:
  Username: milo
  Password: 123456
Want to allow:
  Username: miloslav.hula@domain.tld
  Password: 123456
which somehow remaps to the 'milo' username, so the same Maildir access.
Milo
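An added configuration example, not from this thread or from the Dovecot project, showing one way to express the two-passdb chain proposed earlier (a lookup that only remaps the username, followed by the LDAP bind) for the e-mail to internal-username case described just above. A static passwd-file stands in for the SQL table so the example is self-contained; the file paths, the alias entry and the result_* settings are assumptions to be checked against the Dovecot version in use. The weak variant is shown commented out beside the corrected one, because the difference between them is exactly the security flaw to avoid.

```conf
# Added example (assumed file: /etc/dovecot/conf.d/10-auth-passdb.conf)
#
# Goal: accept "miloslav.hula@domain.tld" as an alias for the internal
# username "milo" while the password is still checked only by the LDAP bind.

# WEAK: a remap passdb that is allowed to succeed on its own.
# nopassword=y combined with the default result_success (return-ok)
# means any password is accepted for the aliased user and the LDAP bind
# below is never reached.
#passdb {
#  driver = passwd-file
#  args = /etc/dovecot/alias-map
#}

# CORRECTED: the remap passdb only rewrites the username and then hands
# over to the next passdb, which makes the real decision.
passdb {
  driver = passwd-file
  # assumed path; file format is shown at the bottom
  args = /etc/dovecot/alias-map
  # forget this passdb's "success"; the LDAP bind decides
  result_success = continue
  # users that are not aliases (e.g. plain "milo") fall through unchanged
  result_failure = continue
}

# The LDAP bind passdb from the thread, unchanged. After the remap, %u is
# "milo", so auth_bind_userdn expands to uid=milo,dc=domain,dc=tld.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# Constructed contents of /etc/dovecot/alias-map (passwd-file format:
# user:password:uid:gid:gecos:home:shell:extra_fields).
# An empty password plus nopassword=y lets this passdb "succeed" without
# a credential; the passdb extra field user=milo rewrites the username.
#
#miloslav.hula@domain.tld::::::nopassword=y user=milo
```

The point of `result_success = continue` is that the alias file is never the deciding passdb: a wrong password for miloslav.hula@domain.tld still fails, because the LDAP bind as uid=milo is what ultimately accepts or rejects it. This also sidesteps the open question in the thread about what an SQL passdb returning `password = NULL` without nopassword does, since the first passdb's own result is discarded either way. Before exposing it, exercising both paths with `doveadm auth test milo` and `doveadm auth test miloslav.hula@domain.tld`, including a deliberately wrong password for the alias, confirms that the chain behaves as intended.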
On 11.01.2021 at 17:32 Aki Tuomi wrote: