Remap login before authentication

Miloslav Hůla miloslav.hula at gmail.com
Mon Jan 11 18:28:57 EET 2021


Would the following scenario be possible?

1. do the SQL passdb lookup, do the remap & return password = NULL without nopassword
2. do the LDAP bind

I think it works, but I'm not sure if there are some security/other flaws.

Milo


Dne 11.01.2021 v 17:11 Miloslav Hůla napsal(a):
> Probably not a way for me. I forgot to write that I cannot change the LDAP 
> schema, so the bindDN is fixed for me.
> 
> Milo
> 
> Dne 11.01.2021 v 17:00 Aki Tuomi napsal(a):
>> auth_bind_userdn = uid=%d,dc=domain,dc=tld, also see
>>
>> %D - return “sub.domain.org” as “sub,dc=domain,dc=org” (for LDAP queries)
>>
>> from 
>> https://doc.dovecot.org/configuration_manual/config_file/config_variables/ 
>>
>>
>> Aki
>>
>>> On 11/01/2021 17:58 Miloslav Hůla <miloslav.hula at gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> with Dovecot 2.3.4 I would like to allow users to log in with two
>>> different usernames:
>>>
>>> - USERNAME (no domain) - now works
>>> - name.surname at domain.tld - would like to add
>>>
>>> The problem is that the only authentication method I have is LDAP bind by
>>> USERNAME. Now I use:
>>>
>>> ============
>>> passdb {
>>>     driver = ldap
>>>     args = /etc/dovecot/dovecot-ldap.conf.ext
>>> }
>>>
>>> # Args
>>> uris = ldaps://ldap.domain.tld
>>> auth_bind = yes
>>> auth_bind_userdn = uid=%u,dc=domain,dc=tld
>>> base =
>>> ============
>>>
>>> I know passdb can remap user&domain, but I have no password hash at all.
>>> And for example '{SASL}' is not a supported password scheme to return, e.g.
>>> from an SQL passdb.
>>>
>>>
>>> Is there any way to achieve this? Maybe somehow remap the username in the
>>> first passdb and then continue to the LDAP bind?
>>>
>>> 1. login as name.surname at domain.tld
>>> 2. remap to USERNAME
>>> 3. do the LDAP bind
>>>
>>>
>>> Milo
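The chaining described in this thread (remap the login name in a first passdb, then let the LDAP bind decide), written out as an added configuration example that is not from the thread or from the Dovecot project. It assumes the documented passdb settings `result_success` / `result_failure`, the `user` and `nopassword` return fields of the SQL passdb, and a constructed alias table `login_aliases(alias, username)`; the table and column names are placeholders.

```conf
# /etc/dovecot/conf.d/10-auth.conf (added example, not the original poster's config)

# passdb 1: only remaps "name.surname@domain.tld" to the bare USERNAME.
# It never authenticates on its own: nopassword makes the lookup "succeed"
# with no password check, and result_success = continue hands the request,
# with the rewritten %u, on to the next passdb instead of returning success.
# If no alias row matches, the default result_failure = continue falls
# through unchanged, so a plain USERNAME login still reaches the LDAP bind.
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
  result_success = continue
  result_failure = continue
}

# passdb 2: the only real authenticator. An LDAP auth bind with the
# (possibly remapped) username is the final verdict; its defaults
# (result_success = return-ok, result_failure = return-fail) end the chain.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# /etc/dovecot/dovecot-sql.conf.ext (constructed alias table; no password column
# is used, the SQL side holds no credential at all)
driver = mysql
connect = host=localhost dbname=mail user=dovecot_ro
password_query = \
  SELECT username AS user, 'Y' AS nopassword \
  FROM login_aliases \
  WHERE alias = '%u'

# /etc/dovecot/dovecot-ldap.conf.ext (as in the original post)
uris = ldaps://ldap.domain.tld
auth_bind = yes
auth_bind_userdn = uid=%u,dc=domain,dc=tld
base =
```

Two checks worth doing before relying on this: run `doveadm auth test name.surname@domain.tld` with a wrong password and confirm it fails (proving the SQL passdb's nopassword success never becomes the final answer), and keep `login_aliases` writable only by administrators, since whoever controls the `username` column chooses which LDAP account a given alias binds as.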

