ldap sasl bind and auth_bind
Matwey V. Kornilov
matwey.kornilov at gmail.com
Tue Sep 20 18:50:47 UTC 2016
Hello,
I believe there is a bug in logic. The following code snippet from the
db_ldap_connect() function:
	if (conn->set.sasl_bind) {
#ifdef HAVE_LDAP_SASL
		struct db_ldap_sasl_bind_context context;

		memset(&context, 0, sizeof(context));
		context.authcid = conn->set.dn;
		context.passwd = conn->set.dnpass;
		context.realm = conn->set.sasl_realm;
		context.authzid = conn->set.sasl_authz_id;

		/* There doesn't seem to be a way to do SASL binding
		   asynchronously.. */
		ret = ldap_sasl_interactive_bind_s(conn->ld, NULL,
						   conn->set.sasl_mech,
						   NULL, NULL,
						   LDAP_SASL_QUIET,
						   sasl_interact, &context);
		if (db_ldap_connect_finish(conn, ret) < 0)
			return -1;
#else
		i_unreached(); /* already checked at init */
#endif
		conn->conn_state = LDAP_CONN_STATE_BOUND_DEFAULT;
	} else {
		if (db_ldap_bind(conn) < 0)
			return -1;
	}
has to be inside the db_ldap_bind() function,
because db_ldap_bind() is used to return the connection to the initial
state, which is SASL-bound as required in the config file.
17.09.2016 20:22, Matwey V. Kornilov wrote:
> Hello,
>
> I am using
>
> # dovecot --version
> 2.2.18
>
> # dovecot -n
> # 2.2.18: /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.8 (0c4ae064f307+)
> doveconf: Warning: NOTE: You can get a new clean config file with:
> doveconf -n > dovecot-new.conf
> doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:24:
> 'imaps' protocol can no longer be specified (use protocols=imap). to
> disable non-ssl imap, use service imap-login { inet_listener imap {
> port=0 } }
> doveconf: Warning: NOTE: You can get a new clean config file with:
> doveconf -n > dovecot-new.conf
> doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:24:
> 'imaps' protocol can no longer be specified (use protocols=imap). to
> disable non-ssl imap, use service imap-login { inet_listener imap {
> port=0 } }
> # OS: Linux 4.1.27-27-default x86_64 openSUSE 42.1 (x86_64)
> first_valid_uid = 1
> mail_location = maildir:~/Maildir
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate
> namespace inbox {
> inbox = yes
> location =
> mailbox Drafts {
> special_use = \Drafts
> }
> mailbox Junk {
> special_use = \Junk
> }
> mailbox Sent {
> special_use = \Sent
> }
> mailbox "Sent Messages" {
> special_use = \Sent
> }
> mailbox Trash {
> special_use = \Trash
> }
> prefix =
> }
> passdb {
> args = /etc/dovecot/dovecot-ldap.conf.ext
> driver = ldap
> }
> plugin {
> sieve = file:~/sieve;active=~/.dovecot.sieve
> }
> protocols = lmtp imap
> service imap-login {
> inet_listener imap {
> port = 0
> }
> }
> ssl = required
> ssl_ca = /etc/pki/trust/anchors/rootCA.pem
> ssl_cert = </etc/openldap/openldap.crt
> ssl_dh_parameters_length = 2048
> ssl_key = </etc/openldap/openldap.key
> ssl_options = no_compression
> ssl_prefer_server_ciphers = yes
> userdb {
> args = /etc/dovecot/dovecot-ldap.conf.ext
> driver = ldap
> override_fields = uid=vmail gid=vmail home=/var/spool/mail/%d/%n
> }
>
> I use LDAP for the user and password databases as follows:
>
> uris = ldapi:///
> sasl_bind = yes
> sasl_mech = EXTERNAL
> auth_bind = yes
>
> And I found that only the first authentication after a dovecot restart is
> successful; the others always fail with temp.
> The reason is that dovecot rebinds with an anonymous bind after a successful
> auth bind instead of rebinding with the external SASL bind.
>
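The bind-state transitions described in this thread, as an added model written for this page (not Dovecot's code). It assumes a directory that only lets the SASL EXTERNAL identity look up user entries, and compares the reported rebind-to-anonymous behaviour of db_ldap_bind() with a variant that honours sasl_bind.

```c
#include <stdbool.h>

/* Constructed model (not Dovecot code) of the bind states a db_ldap
 * connection moves through with sasl_bind=yes and auth_bind=yes. */
enum bind_state { BIND_ANONYMOUS, BIND_SASL_EXTERNAL, BIND_AUTH_USER };

struct ldap_set { bool sasl_bind; bool auth_bind; };
struct ldap_conn { struct ldap_set set; enum bind_state state; };

/* Assumption: only the SASL EXTERNAL identity may look up user entries;
 * an anonymous bind is refused by the directory. */
static bool lookup_allowed(enum bind_state s)
{
	return s == BIND_SASL_EXTERNAL;
}

/* db_ldap_connect() as quoted in the mail: the SASL bind is done here. */
static void model_connect(struct ldap_conn *c)
{
	c->state = c->set.sasl_bind ? BIND_SASL_EXTERNAL : BIND_ANONYMOUS;
}

/* db_ldap_bind(): reported behaviour is a simple bind with dn/dnpass,
 * which with no dn configured is anonymous. With 'fixed' it honours
 * sasl_bind and re-establishes the SASL EXTERNAL bind instead. */
static void model_bind_default(struct ldap_conn *c, bool fixed)
{
	c->state = (fixed && c->set.sasl_bind) ? BIND_SASL_EXTERNAL : BIND_ANONYMOUS;
}

/* One auth_bind login: look up the user's DN, bind as that user, then
 * return the connection to its default state for the next request. */
static bool model_login(struct ldap_conn *c, bool fixed)
{
	if (!lookup_allowed(c->state))
		return false;                 /* the "temp" failure seen after restart */
	c->state = BIND_AUTH_USER;            /* bind as the user succeeded */
	model_bind_default(c, fixed);         /* rebind to the default state */
	return true;
}

/* Perform n consecutive logins after a fresh connect; return how many succeed. */
int successful_logins(bool fixed, int n)
{
	struct ldap_conn c = { { true, true }, BIND_ANONYMOUS };
	int ok = 0;
	model_connect(&c);
	for (int i = 0; i < n; i++)
		ok += model_login(&c, fixed);
	return ok;
}
```

With the reported behaviour only the first login succeeds; once the rebind respects sasl_bind every login does.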