Remap login before authentication

Aki Tuomi aki.tuomi at open-xchange.com
Mon Jan 11 18:32:02 EET 2021


Not sure if you read my mail wrong, but

if 

user.name works

and

user.name at domain.com does not work,

then why not just write

auth_bind_userdn = uid=%d,dc=domain,dc=tld

note the %d, which means, expand to local part (user.name) instead of user.name at domain.com.

Aki


> On 11/01/2021 18:28 Miloslav Hůla <miloslav.hula at gmail.com> wrote:
> 
>  
> Would the following scenario be possible?
> 
> 1. do the SQL passdb lookup, do the remap & return password = NULL 
> without nopassword
> 2. do the LDAP bind
> 
> I think it works, but I'm not sure if there are some security/other flaws.
> 
> Milo
> 
> 
> Dne 11.01.2021 v 17:11 Miloslav Hůla napsal(a):
> > Probably not a way for me. I forgot to write that I cannot change the LDAP 
> > schema, so the bindDN is fixed for me.
> > 
> > Milo
> > 
> > Dne 11.01.2021 v 17:00 Aki Tuomi napsal(a):
> >> auth_bind_userdn = uid=%d,dc=domain,dc=tld, also see
> >>
> >> %D - return “sub.domain.org” as “sub,dc=domain,dc=org” (for LDAP queries)
> >>
> >> from 
> >> https://doc.dovecot.org/configuration_manual/config_file/config_variables/ 
> >>
> >>
> >> Aki
> >>
> >>> On 11/01/2021 17:58 Miloslav Hůla <miloslav.hula at gmail.com> wrote:
> >>>
> >>> Hi,
> >>>
> >>> with Dovecot 2.3.4 I would like to allow users to log in with two
> >>> different usernames:
> >>>
> >>> - USERNAME (no domain) - now works
> >>> - name.surname at domain.tld - would like to add
> >>>
> >>> The problem is that the only authentication method I have is LDAP bind by
> >>> USERNAME. Now I use:
> >>>
> >>> ============
> >>> passdb {
> >>>     driver = ldap
> >>>     args = /etc/dovecot/dovecot-ldap.conf.ext
> >>> }
> >>>
> >>> # Args
> >>> uris = ldaps://ldap.domain.tld
> >>> auth_bind = yes
> >>> auth_bind_userdn = uid=%u,dc=domain,dc=tld
> >>> base =
> >>> ============
> >>>
> >>> I know passdb can remap user&domain, but I have no password hash at all.
> >>> And for example '{SASL}' is not a supported password scheme to return e.g.
> >>> from SQL passdb.
> >>>
> >>>
> >>> Is there any way to achieve this? Maybe somehow remap the username in the
> >>> first passdb and then continue to the LDAP bind?
> >>>
> >>> 1. login as name.surname at domain.tld
> >>> 2. remap to USERNAME
> >>> 3. do the LDAP bind
> >>>
> >>>
> >>> Milo
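The whole thread turns on which Dovecot variable ends up inside auth_bind_userdn when the login is "USERNAME" versus "name.surname@domain.tld". The following is an added example, not code from the thread or from Dovecot: a small Python expander for the variables listed at the config_variables documentation URL quoted above (%u the full login name, %n the part before the @, %d the part after it, and %D the domain rewritten as dc= components), so you can check what each candidate bind DN template produces for both login forms before touching the LDAP server. The expander also applies RFC 4514 escaping to values it inserts into the DN; that escaping is this example's own defensive choice and says nothing about how Dovecot itself builds the DN.

```python
import re

# Characters that RFC 4514 requires escaping inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def dn_escape(value: str) -> str:
    """Escape one attribute value for safe use inside an LDAP DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in _DN_SPECIAL
                or (i == 0 and ch in ' #')
                or (i == last and ch == ' ')):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def split_login(login: str):
    """Return (user part, domain part); the domain is '' when there is no '@'."""
    user, _sep, domain = login.partition('@')
    return user, domain


def expand(template: str, login: str) -> str:
    """Expand Dovecot-style %u, %n, %d and %D inside a bind DN template.

    Semantics follow the documented variable table: %u is the whole login,
    %n the local part, %d the domain (empty for a domain-less login) and
    %D the domain as comma-separated dc= components.
    """
    user, domain = split_login(login)
    values = {
        'u': login,
        'n': user,
        'd': domain,
        # %D is already a DN fragment, so escape each label, not the commas.
        'D': ','.join('dc=' + dn_escape(p) for p in domain.split('.')) if domain else '',
    }

    def repl(match):
        key = match.group(1)
        return values['D'] if key == 'D' else dn_escape(values[key])

    return re.sub(r'%([undD])', repl, template)


def compare_templates(logins, templates):
    """Map each template to the bind DN it yields for every login form."""
    return {t: {l: expand(t, l) for l in logins} for t in templates}


if __name__ == '__main__':
    # Constructed sample logins matching the two forms discussed in the thread.
    sample_logins = ['user.name', 'user.name@domain.com']
    sample_templates = [
        'uid=%u,dc=domain,dc=tld',
        'uid=%n,dc=domain,dc=tld',
        'uid=%d,dc=domain,dc=tld',
        'uid=%n,%D',
    ]
    for template, results in compare_templates(sample_logins, sample_templates).items():
        print(template)
        for login, dn in results.items():
            print(f'  {login:24} -> {dn}')
```

Running it side by side shows that only a template built from the local part produces the same bind DN for both login forms, while %u carries the @domain into the uid value and %d is empty for a domain-less login; the %D row reproduces the "sub,dc=domain,dc=org" rewrite quoted in the thread.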

