[Dovecot] LDAP as password database - some problems / suggestions

Stefan Palme palme at kapott.org
Thu Feb 18 10:19:12 EET 2010


Hi all,

Using dovecot-1.2.6, I use dovecot with an LDAP backend for user
authentication. In general this works ok, but I have some issues
with this...

In LDAP, I have users like this:

  dn: cn=user1,ou=users,dc=kapott,dc=org
  dn: cn=user2,ou=users,dc=kapott,dc=org
etc.

When authenticating users, I explicitly want to use the
AUTH_BIND feature (and NOT lookup passwords).

My problem: not ALL users from the LDAP system should be allowed to 
use the IMAP server. Currently, I have defined an auth_bind_userdn
of "cn=%u,ou=users,dc=kapott,dc=org" in dovecot-ldap.conf, but with
this, user1 AND user2 could login (but I don't want user2 to be able
to use dovecot).

Because the LDAP system is used in a larger environment, it is NOT
possible to re-arrange the users like this:

  cn=user1,ou=dovecot,ou=users,dc=kapott,dc=org
  cn=user2,ou=not_dovecot,ou=users,dc=kapott,dc=org

So my question: are there any plans to support group-based LDAP
authentication? For several other applications, I have something
like this:

  dn: cn=dovecot,ou=groups,dc=kapott,dc=org
  objectclass: groupOfNames
  member: cn=user1,ou=users,dc=kapott,dc=org

So I can define groups of user accounts - one group per application.

A nice solution for this in dovecot would be, if I could "mix" password
lookup and authentication bind: First, a search query should be used
to find a valid DN to bind as. In my case, the search query could look
like this:

  base="ou=groups,dc=kapott,dc=org"
  filter="(&(cn=dovecot)(member=cn=%u,ou=users,dc=kapott,dc=org))"
  result_attribute="member"

After finding a DN this way (via attribute "member"), I want to use 
auth_bind to use this DN for password verification...

Any hints how to solve this? Any plans to support this in the future?

Thanks and regards
-stefan-
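The search-then-bind flow the post asks for can be expressed with Dovecot's own settings, shown here as an added configuration example that is not from the original post: with auth_bind = yes and auth_bind_userdn left unset, Dovecot runs the pass_filter search first and then binds as the DN of the entry it found. It assumes the directory maintains a memberOf attribute on user entries (for example via OpenLDAP's memberof overlay); the host name and the cn=dovecot-lookup service account are placeholders.

```ini
# dovecot-ldap.conf (dovecot 1.2 key/value syntax); added example, not from the post.
# Host and service account are placeholders. The account is used only for the
# pre-bind search and needs nothing beyond read access to ou=users.
hosts = ldap.example.org
dn = cn=dovecot-lookup,ou=services,dc=kapott,dc=org
dnpass = PLACEHOLDER_SERVICE_PASSWORD

# Bind as the user to verify the password instead of reading userPassword.
# auth_bind_userdn is deliberately NOT set, so the DN to bind as is taken from
# the entry returned by pass_filter below.
auth_bind = yes

# Search only the users subtree, one level deep.
base = ou=users,dc=kapott,dc=org
scope = onelevel

# Only user entries that are members of the dovecot group match. This assumes
# the server maintains memberOf (e.g. OpenLDAP memberof overlay). If the attribute
# is absent, the filter matches nothing and the login fails closed: no bind is
# attempted for a user outside the group.
pass_filter = (&(objectClass=person)(cn=%u)(memberOf=cn=dovecot,ou=groups,dc=kapott,dc=org))

# Apply the same restriction to the userdb lookup so non-members also get no
# mailbox attributes.
user_filter = (&(objectClass=person)(cn=%u)(memberOf=cn=dovecot,ou=groups,dc=kapott,dc=org))
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
```

With this, user2 (not a member) never reaches the bind step, while user1 is authenticated by binding as cn=user1,ou=users,dc=kapott,dc=org.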
