[Dovecot] LDAP bind questions
Hello,
I've got dovecot set up to authenticate against our LDAP server. So far seems to work well.
I have two concerns that I haven't been able to find answers for in the documentation or archives.
Is there any intention to support "authentication binds" so you don't have to bind as a user with read privileges to everyone's userPassword attribute? For security purposes I'd like to see this functionality.
And my next concern would become a non-issue if the above was supported, but is there a way to set the dnpass equal to a SSHA password? When I try setting it like this:
dnpass = {SSHA}VhxqnmwCLVQj7g3rQV+g9F3XnaJ6bRXR
in dovecot-ldap.conf
It still tries to do a simple bind and fails. I get this error:
dovecot-auth: LDAP: ldap_simple_bind_s() failed
(dn cn=authadmin,ou=people,dc=domain,dc=com): Invalid credentials
I'd prefer not to have the password for the authentication admin user stored in plain text in the conf file.
Thanks, -jared
> And my next concern would become a non-issue if the above was supported, but is there a way to set the dnpass equal to a SSHA password? When I try setting it like this:
> dnpass = {SSHA}VhxqnmwCLVQj7g3rQV+g9F3XnaJ6bRXR
No, you need to supply the actual password. This password is (presumably) already stored hashed in your LDAP database. Your LDAP server will hash what it receives as the password and compare that with the password stored for that DN. Setting it like you have shown just causes Dovecot to use it as the literal password {SSHA}Vhxqnm.....
> I'd prefer not to have the password for the authentication admin user stored in plain text in the conf file.
There's no way to store an encrypted password in a conf file and have a plaintext version of that password used to authenticate (without e.g. manually typing a password each time that config file is read).
The DN used with the current Dovecot LDAP code obviously only needs read access to mail users' details; you don't have to give it any kind of write access, and you don't have to give it the ability to read passwords for non-mail-users (i.e. passwords for DNs with write access to the directory). You can also restrict access to userPassword by IP address. So, if you aren't already doing this, at least there are a few ways you can reduce the exposure with the current code.
Of course, if someone has sufficient access to the machine running Dovecot that they can read the config file, they will already have some degree of access to users' passwords...
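The reply above says the directory hashes whatever it receives on a simple bind and compares that with the stored value, so putting the `{SSHA}` string into dnpass just makes that string the literal password. The following is an added illustration of that check, not Dovecot's or OpenLDAP's code. It assumes the RFC 2307-style `{SSHA}` scheme that OpenLDAP's slappasswd produces (base64 of SHA-1(password || salt) followed by the salt, with a 4-byte salt) and uses a constructed sample password; the only value taken from the thread is the `{SSHA}` string Jared posted, which is checked for shape only.

```python
"""Illustration of the {SSHA} comparison a directory performs on a simple bind.
Example code added to the thread; not part of Dovecot or OpenLDAP."""
import base64
import hashlib
import os
from typing import Optional, Tuple

# Value quoted in Jared's message, used only to show that it parses as digest + salt.
PAGE_VALUE = "{SSHA}VhxqnmwCLVQj7g3rQV+g9F3XnaJ6bRXR"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} userPassword value (assumed slappasswd layout: 4-byte salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (20-byte SHA-1 digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("value too short to hold a digest and a salt")
    return raw[:20], raw[20:]


def ssha_verify(candidate: str, stored: str) -> bool:
    """What the server does on bind: hash the candidate with the stored salt and
    compare.  The candidate is used exactly as sent; nothing decodes it."""
    digest, salt = parse_ssha(stored)
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def demo() -> dict:
    """Show the two outcomes discussed in the thread (constructed password)."""
    real_password = "constructed-sample-password"      # what authadmin was created with
    stored = ssha_hash(real_password)                  # what sits in userPassword
    return {
        # dnpass holds the real password: the bind succeeds
        "plaintext_binds": ssha_verify(real_password, stored),
        # dnpass holds the {SSHA} string: it is hashed as a literal and fails
        "hash_as_password_binds": ssha_verify(stored, stored),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints `{'plaintext_binds': True, 'hash_as_password_binds': False}`, which is exactly the "Invalid credentials" result Jared saw: there is no way for the server to recognise the hash string as anything but another candidate password.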
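The reductions listed above (read-only, no access to passwords outside the mail users' subtree, restricted by source address) can all be expressed as OpenLDAP ACLs. This is an added example in slapd.conf syntax, not configuration from the thread or from Dovecot; it reuses the bind DN and suffix from Jared's log line, assumes mail users live under `ou=people,dc=domain,dc=com`, and uses 192.0.2.10 as a placeholder address for the Dovecot host. ACLs are evaluated in order and the first matching `access to` clause wins, so the specific rules come first.

```conf
# Added example (not from the thread): least-privilege ACLs for the Dovecot bind DN.
# Assumed: mail users under ou=people; 192.0.2.10 is a placeholder for the Dovecot host.

# userPassword of mail users: readable only by the Dovecot bind DN, and only
# when it connects from the Dovecot host.  Users may change their own; anyone
# may still use the attribute to bind (auth), but nobody else can read it.
access to dn.subtree="ou=people,dc=domain,dc=com" attrs=userPassword
        by dn.exact="cn=authadmin,ou=people,dc=domain,dc=com" peername.ip=192.0.2.10 read
        by self write
        by anonymous auth
        by * none

# userPassword everywhere else (e.g. DNs with write access to the directory):
# the Dovecot bind DN gets nothing here, not even read.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The remaining attributes of mail users: read-only for the bind DN, from the
# Dovecot host only.  No write access is granted to it anywhere.
access to dn.subtree="ou=people,dc=domain,dc=com"
        by dn.exact="cn=authadmin,ou=people,dc=domain,dc=com" peername.ip=192.0.2.10 read
        by self read
        by * none
```

The `peername.ip` condition is ANDed with the `dn.exact` condition in the same `by` clause, so a leaked dnpass used from any other machine gets no access; the `by anonymous auth` lines are what keep ordinary simple binds working once direct reads of userPassword are denied. Check the result with `ldapsearch` bound as the Dovecot DN from the Dovecot host and from elsewhere before relying on it.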
On Tue, 2003-07-08 at 21:53, Jared wrote:
> Is there any intention to support "authentication binds" so you don't have to bind as a user with read privileges to everyone's userPassword attribute? For security purposes I'd like to see this functionality.
I probably have to add support for this some day, but it's kind of annoying to implement if I want to do it well. I should use non-blocking LDAP connect calls, but last time I tried it got pretty ugly and I gave up.
--On 09 July 2003 18:28 +0300 Timo Sirainen <tss@iki.fi> wrote:
> On Tue, 2003-07-08 at 21:53, Jared wrote:
> > Is there any intention to support "authentication binds" so you don't have to bind as a user with read privileges to everyone's userPassword attribute? For security purposes I'd like to see this functionality.
> I probably have to add support for this some day, but it's kind of annoying to implement if I want to do it well. I should use non-blocking LDAP connect calls, but last time I tried it got pretty ugly and I gave up.
If people really need this now, SASL might be the answer (either via PAM or mailfront) since saslauthd/auth_ldap allows authentication binds.
> If people really need this now, SASL might be the answer (either via PAM or mailfront) since saslauthd/auth_ldap allows authentication binds.
Do you have any pointers for using saslauthd with mailfront?
Not really, I just saw these two pages on untroubled.org which I thought suggested it might be worth a try, but they don't explain much (I've never used mailfront so I'm not too well-qualified ;-)
<http://untroubled.org/mailfront/cvm-sasl.html> <http://untroubled.org/mailfront/imapfront.html>
Participants (4): Charlie Brady, Jared, Stuart Henderson, Timo Sirainen