ldap sasl bind and auth_bind

Matwey V. Kornilov matwey.kornilov at gmail.com
Tue Sep 20 18:50:47 UTC 2016


Hello,

I believe there is a bug in the logic. The following code snippet from
the db_ldap_connect() function:

        if (conn->set.sasl_bind) {
#ifdef HAVE_LDAP_SASL
                struct db_ldap_sasl_bind_context context;

                memset(&context, 0, sizeof(context));
                context.authcid = conn->set.dn;
                context.passwd = conn->set.dnpass;
                context.realm = conn->set.sasl_realm;
                context.authzid = conn->set.sasl_authz_id;

                /* There doesn't seem to be a way to do SASL binding
                   asynchronously.. */
                ret = ldap_sasl_interactive_bind_s(conn->ld, NULL,
                                                   conn->set.sasl_mech,
                                                   NULL, NULL,
                                                   LDAP_SASL_QUIET,
                                                   sasl_interact, &context);
                if (db_ldap_connect_finish(conn, ret) < 0)
                        return -1;
#else
                i_unreached(); /* already checked at init */
#endif
                conn->conn_state = LDAP_CONN_STATE_BOUND_DEFAULT;
        } else {
                if (db_ldap_bind(conn) < 0)
                        return -1;
        }

has to be inside the db_ldap_bind() function,
because db_ldap_bind() is used to return the connection to the initial
state, which is SASL-bound as required in the config file.

17.09.2016 20:22, Matwey V. Kornilov wrote:
> Hello,
> 
> I am using
> 
> # dovecot --version
> 2.2.18
> 
> # dovecot -n
> # 2.2.18: /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.8 (0c4ae064f307+)
> doveconf: Warning: NOTE: You can get a new clean config file with:
> doveconf -n > dovecot-new.conf
> doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:24:
> 'imaps' protocol can no longer be specified (use protocols=imap). to
> disable non-ssl imap, use service imap-login { inet_listener imap {
> port=0 } }
> doveconf: Warning: NOTE: You can get a new clean config file with:
> doveconf -n > dovecot-new.conf
> doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:24:
> 'imaps' protocol can no longer be specified (use protocols=imap). to
> disable non-ssl imap, use service imap-login { inet_listener imap {
> port=0 } }
> # OS: Linux 4.1.27-27-default x86_64 openSUSE 42.1 (x86_64)
> first_valid_uid = 1
> mail_location = maildir:~/Maildir
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> plugin {
>   sieve = file:~/sieve;active=~/.dovecot.sieve
> }
> protocols = lmtp imap
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
> }
> ssl = required
> ssl_ca = /etc/pki/trust/anchors/rootCA.pem
> ssl_cert = </etc/openldap/openldap.crt
> ssl_dh_parameters_length = 2048
> ssl_key = </etc/openldap/openldap.key
> ssl_options = no_compression
> ssl_prefer_server_ciphers = yes
> userdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
>   override_fields = uid=vmail gid=vmail home=/var/spool/mail/%d/%n
> }
> 
> I use LDAP for user and passwd databases as the following:
> 
> uris =  ldapi:///
> sasl_bind = yes
> sasl_mech = EXTERNAL
> auth_bind = yes
> 
> And I found that only first authentication after dovecot restart is
> successful, the others always fail with temp.
> The reason is that dovecot rebinds to anonymous bind after successful
> auth bind instead of rebinding to external sasl bind.
> 



