Remap login before authentication

Miloslav Hůla miloslav.hula at gmail.com
Mon Jan 11 18:37:35 EET 2021


I'm sorry, I explained it wrong.

It is not a login with & without domain scenario. I have internal company 
usernames + passwords and e-mail addresses.

I want to achieve:
- internal username + password login to work
- email + password login to work

Now works:
     Username: milo
     Password: 123456

Want to allow:
     Username: miloslav.hula at domain.tld
     Password: 123456

which somehow remaps to the 'milo' username, so the same Maildir access.

Milo


On 11.01.2021 at 17:32 Aki Tuomi wrote:
> Not sure if you read my mail wrong, but
> 
> if
> 
> user.name works
> 
> and
> 
> user.name at domain.com does not work,
> 
> then why not just write
> 
> auth_bind_userdn = uid=%d,dc=domain,dc=tld
> 
> note the %d, which means expand to the local part (user.name) instead of user.name at domain.com.
> 
> Aki
> 
> 
>> On 11/01/2021 18:28 Miloslav Hůla <miloslav.hula at gmail.com> wrote:
>>
>>   
>> Would be possible following scenario?
>>
>> 1. do the SQL passdb lookup, do the remap & return password = NULL
>> without nopassword
>> 2. do the LDAP bind
>>
>> I think it works, but I'm not sure if there are some security/other flaws.
>>
>> Milo
>>
>>
>> On 11.01.2021 at 17:11 Miloslav Hůla wrote:
>>> Probably not the way for me. I forgot to write that I cannot change the LDAP
>>> schema, so the bindDN is fixed for me.
>>>
>>> Milo
>>>
>>> On 11.01.2021 at 17:00 Aki Tuomi wrote:
>>>> auth_bind_userdn = uid=%d,dc=domain,dc=tld, also see
>>>>
>>>> %D - return “sub.domain.org” as “sub,dc=domain,dc=org” (for LDAP queries)
>>>>
>>>> from
>>>> https://doc.dovecot.org/configuration_manual/config_file/config_variables/
>>>>
>>>>
>>>> Aki
>>>>
>>>>> On 11/01/2021 17:58 Miloslav Hůla <miloslav.hula at gmail.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> with Dovecot 2.3.4 I would like to allow user to login with two
>>>>> different usernames:
>>>>>
>>>>> - USERNAME (no domain) - now works
>>>>> - name.surname at domain.tld - would like to add
>>>>>
>>>>> The problem is that the only authentication method I have is LDAP bind by
>>>>> USERNAME. Now I use:
>>>>>
>>>>> ============
>>>>> passdb {
>>>>>      driver = ldap
>>>>>      args = /etc/dovecot/dovecot-ldap.conf.ext
>>>>> }
>>>>>
>>>>> # Args
>>>>> uris = ldaps://ldap.domain.tld
>>>>> auth_bind = yes
>>>>> auth_bind_userdn = uid=%u,dc=domain,dc=tld
>>>>> base =
>>>>> ============
>>>>>
>>>>> I know passdb can remap user & domain, but I have no password hash at all.
>>>>> And for example '{SASL}' is not a supported password scheme to return, e.g.,
>>>>> from an SQL passdb.
>>>>>
>>>>>
>>>>> Is there any way to achieve this? Maybe somehow remap the username in the
>>>>> first passdb and then continue to the LDAP bind?
>>>>>
>>>>> 1. login as name.surname at domain.tld
>>>>> 2. remap to USERNAME
>>>>> 3. do the LDAP bind
>>>>>
>>>>>
>>>>> Milo
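The two-passdb chain discussed in this thread (remap the login name in a first passdb, then let the existing LDAP bind verify the password) can be written directly in Dovecot configuration. The fragment below is an added example, not configuration posted in the thread or shipped by the Dovecot project. It assumes a MySQL table `mailusers(username, email)`, a read-only database account and the file paths shown, and it relies on the `noauthenticate` passdb extra field together with `result_success = continue`; both should be checked against the passdb documentation for the Dovecot version in use (the thread is on 2.3.4). For reference, Dovecot expands `%u` to the full login name, `%n` to its local part and `%d` to its domain part, so the original `uid=%u,...` bind DN keeps working once `%u` has been remapped.

```conf
# conf.d/10-auth.conf (added example, hypothetical paths)

# 1. Remap only. Look the login name up as an e-mail address and, on a
#    hit, replace it with the internal username. This passdb must never
#    accept the password itself: no 'nopassword', no password column,
#    otherwise "e-mail + any password" would log in.
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql-remap.conf.ext
  # On a hit, keep going so the LDAP bind below still checks the password.
  result_success = continue
  # Not a known e-mail address (e.g. a plain 'milo' login): pass the name
  # through unchanged and let the LDAP bind decide.
  result_failure = continue
  # Database unreachable: fail closed instead of silently skipping the remap.
  result_internalfail = return-fail
}

# 2. Authenticate. The existing LDAP bind from the thread, unchanged; by
#    now %u is the internal username ('milo'), so the fixed bind DN works.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# /etc/dovecot/dovecot-sql-remap.conf.ext (added example, hypothetical schema)
driver = mysql
connect = host=127.0.0.1 dbname=mail user=dovecot_ro password=REPLACE_ME
# Return only the new 'user' and the 'noauthenticate' flag (assumed to be
# supported by this Dovecot version). No password is returned: the LDAP
# passdb verifies it. Dovecot escapes %u before substituting it into SQL.
password_query = \
  SELECT username AS user, 'Y' AS noauthenticate \
  FROM mailusers WHERE email = '%u'
```

With `auth_debug = yes`, `doveadm auth test miloslav.hula@domain.tld 123456` should show the SQL passdb changing the username to `milo` and the LDAP bind succeeding, while the same command with a wrong password, and `doveadm auth test milo 123456` through the unchanged path, behave as before; the point to verify is that no e-mail login can succeed without a successful LDAP bind for the remapped uid.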

