[Dovecot] LDAP as password database - some problems / suggestions

Stefan Palme palme at kapott.org
Thu Feb 18 10:19:12 EET 2010

Hi all,

Using dovecot-1.2.6, I use dovecot with an LDAP backend for user
authentication. In general this works ok, but I have some issues
with this...

In LDAP, I have users like this:


When authenticating users, I explicitly want to use the
AUTH_BIND feature (and NOT lookup passwords).

My problem: not ALL users from the LDAP system should be allowed to 
use the IMAP server. Currently, I have defined an auth_bind_userdn
of "cn=%u,ou=users,dc=kapott,dc=org" in dovecot-ldap.conf, but with
this, user1 AND user2 could login (but I don't want user2 to be able
to use dovecot).

Because the LDAP system is used in a larger environment, it is NOT
possible to re-arrange the users like this:


So my question: are there any plans to support group-based LDAP
authentication? For several other applications, I have something
like this:


So I can define groups of user accounts - one group per application.

A nice solution for this in dovecot would be, if I could "mix" password
lookup and authentication bind: First, a search query should be used
to find a valid DN to bind as. In my case, the search query could look
like this:


After finding a DN this way (via attribute "member"), I want to use
auth_bind to use this DN for password verification...

Any hints how to solve this? Any plans to support this in the future?

Thanks and regards
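As an added illustration of the "search first, then bind" flow the post asks for (this is not part of the original message and not a config from the poster), here is a dovecot-ldap.conf fragment in the style of Dovecot 1.2. The first variant is the one described in the post: auth_bind_userdn builds the DN directly from the username, so every account under ou=users can bind and log in. The second variant leaves auth_bind_userdn unset, so Dovecot runs pass_filter as a search (using dn/dnpass), takes the DN of the matching entry and binds as that DN with the user's password; only users whose entry matches the group condition are found at all. The hostname, the bind account, the group DN cn=dovecot,ou=groups,dc=kapott,dc=org and the use of a memberOf attribute on the user entry are assumptions for the example; memberOf needs the OpenLDAP memberof overlay (or a directory that maintains it natively), since a plain "member" attribute lives on the group object and cannot be matched in a search over user entries.

```conf
# Added example, not from the original post.
hosts = ldap.kapott.org          # assumed LDAP server
ldap_version = 3
tls = yes
base = dc=kapott,dc=org

# Account used only for the lookup search; it needs read access to the
# user entries and their memberOf attribute (assumed bind account).
dn = cn=dovecot-lookup,ou=services,dc=kapott,dc=org
dnpass = CHANGE_ME

# Verify the password by binding as the user (no password attribute is read).
auth_bind = yes

# --- Variant 1: open to every entry under ou=users (the post's current setup) ---
# With auth_bind_userdn set, Dovecot does no search at all, so membership
# cannot be checked; user1 AND user2 can log in.
#auth_bind_userdn = cn=%u,ou=users,dc=kapott,dc=org

# --- Variant 2: search for the DN, restricted to the application group ---
# auth_bind_userdn stays unset, so pass_filter is executed as a search and the
# DN of the single matching entry is used for the bind.
pass_attrs = uid=user
pass_filter = (&(objectClass=inetOrgPerson)(cn=%u)(memberOf=cn=dovecot,ou=groups,dc=kapott,dc=org))

# The userdb lookup can use the same restriction so that a non-member gets
# no mail location either.
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=inetOrgPerson)(cn=%u)(memberOf=cn=dovecot,ou=groups,dc=kapott,dc=org))
```

A non-member then fails at the search step (no entry found) rather than at the bind, which shows up in the auth log as an unknown user instead of a wrong password; when verifying the setup, test one member and one non-member with a valid password and confirm that only the member is accepted.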
