Hi,

I use OpenLDAP for authentication. To authenticate, a full DN must be used as the user name, like "cn=jim,ou=users,dc=example,dc=com". There are several domains, like example2.com and example3.com. I want to use Dovecot with LDAP and authentication binds. For testing I use "auth_bind_userdn = cn=%n,ou=users,dc=%d", and the user name must be provided as "jim at example,dc=com". To allow the special chars ("=,") in the user name, I extend "auth_username_chars".

Now my questions. Is there a real chance to attack the LDAP directory with the extended "auth_username_chars"? And is it possible to use authentication binds with the regular "auth_username_chars" and a provided user name like "jim at example.com" in my special LDAP directory structure?

Thanks in advance
- Patrick
Patrick Hemmen
2009-May-27 17:59 UTC
[Dovecot] (no subject) LDAP authentication binds with special chars
Sorry for the missing subject.
On Wed, 2009-05-27 at 17:38 +0000, Patrick Hemmen wrote:
> And is it possible to use authentication binds with the regular "auth_username_chars" and a provided user name like "jim at example.com" in my special LDAP directory structure?

Use:

auth_bind_userdn = cn=%n,ou=users,dc=%Dd

See %D in http://wiki.dovecot.org/Variables
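What the two templates in this thread do to a login name, as an added example (not Dovecot code and not from the list): a small Python model of Dovecot's auth_username_chars filter and of %n, %d and the %D modifier. It assumes the Dovecot 1.x default auth_username_chars value and reads the wiki's %D as expanding the whole domain to the dc= form, so the template here places %Dd where the dc= part belongs; the functions and sample logins are constructed for the example.

```python
# Dovecot 1.x default value of auth_username_chars (assumption, quoted from memory)
DEFAULT_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)


def disallowed_chars(user, allowed=DEFAULT_USERNAME_CHARS):
    """Sorted list of characters in `user` that `allowed` does not permit.

    Dovecot rejects the login when this is non-empty, so characters that
    change the structure of a DN (',' and '=') never reach the bind-DN
    template unless the admin widens the list.
    """
    return sorted({c for c in user if c not in allowed})


def domain_to_dn(domain):
    """The %D modifier: 'example.com' -> 'dc=example,dc=com'."""
    if not domain:
        return ""
    return ",".join("dc=" + label for label in domain.split("."))


def expand_bind_dn(template, user):
    """Expand %n (local part), %d (domain) and %Dd (domain as dc= DN).

    Hypothetical mini-expander covering only the variables this thread uses.
    """
    local, _, domain = user.partition("@")
    values = {"%Dd": domain_to_dn(domain), "%n": local, "%d": domain}
    for key, value in values.items():
        template = template.replace(key, value)
    return template


def bind_dn_for_login(template, user, allowed=DEFAULT_USERNAME_CHARS):
    """Apply the username filter first, then expand; None means rejected."""
    if disallowed_chars(user, allowed):
        return None
    return expand_bind_dn(template, user)


if __name__ == "__main__":
    # Workaround from the question: domain typed as 'example,dc=com', which
    # only works once ',' and '=' are added to auth_username_chars.
    widened = DEFAULT_USERNAME_CHARS + ",="
    print(bind_dn_for_login("cn=%n,ou=users,dc=%d", "jim@example,dc=com", widened))
    # The same login name is rejected by the default filter before any bind.
    print(bind_dn_for_login("cn=%n,ou=users,dc=%d", "jim@example,dc=com"))
    # %Dd builds the dc= part from a plain 'jim@example.com' login, so the
    # default character filter can stay in place.
    print(bind_dn_for_login("cn=%n,ou=users,%Dd", "jim@example.com"))
```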
Thank you a lot for the tip.

----- Original Message ----
From: Timo Sirainen <tss at iki.fi>
To: Patrick Hemmen <patrick.hemmen at yahoo.de>
Cc: dovecot at dovecot.org
Sent: Friday, May 29, 2009 12:00:36 AM
Subject: Re: [Dovecot] (no subject)