Recently at Better.be we implemented LDAP authenticated bind support for dovecot. A patch against CVS HEAD is attached.

I have not tested it against all possible configurations one can use, but the basic operation seems to be right.

As documented in the patch, it adds one new option to the dovecot-ldap.conf configuration file:

    # Set "auth_bind" to "yes" if you want to use "authenticated binds"
    # as a login validation mechanism. NOTE: the pass_attrs option
    # will (naturally) be ignored if you enable this
    auth_bind = yes

Authenticated bind support is implemented asynchronously. This involves 2 asynchronous calls: the first being 'ldap_search' to find the dn to bind against and the second being the actual 'ldap_bind' call.

I'd love to hear some feedback on this.

Regards,
Marc Maurer
Better.be B.V.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot_authbind_11252005.diff
Type: text/x-patch
Size: 7110 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20051202/4191a8ea/attachment.bin>
Hi,

J.M. Maurer wrote:
> Recently at Better.be we implemented LDAP authenticated bind support for
> dovecot. A patch against CVS HEAD is attached.
>
> I have not tested it against all possible configurations one can use,
> but the basic operation seems to be right.
>
> As documented in the patch, it adds one new option to the
> dovecot-ldap.conf configuration file:
>
> # Set "auth_bind" to "yes" if you want to use "authenticated binds"
> # as a login validation mechanism. NOTE: the pass_attrs option
> # will (naturally) be ignored if you enable this
> auth_bind = yes
>
> Authenticated bind support is implemented asynchronously. This involves
> 2 asynchronous calls: the first being 'ldap_search' to find the dn to
> bind against and the second being the actual 'ldap_bind' call.
>
> I'd love to hear some feedback on this.

Great work!

It'd be nice to have also a 'fastbind' implementation. It would avoid the 'ldap_search' call on environments where the dn is predictable and you don't need extra search capabilities. Then the user_filter setting can be used as the template dn, which, once expanded (%u, %d, ...), gives you the dn for the 'ldap_bind' call. An example of this can be found in saslauthd.

> Regards,
> Marc Maurer
> Better.be B.V.

Regards,
--
Angel Marin
http://anmar.eu.org/
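The two flows discussed in this thread, search-then-bind (Marc's patch) and a template-DN "fastbind" (Angel's suggestion), as an added example that is not the dovecot patch or dovecot code. The directory is a constructed in-memory stand-in for an LDAP server, and `BindAuthenticator`, its `fastbind` flag and the sample entries are all assumptions made for illustration; what the example shows is the control flow, the escaping that the `%u`/`%n`/`%d` expansion needs in each mode (RFC 4515 for filters, RFC 4514 for DN values), and the empty-password check, since LDAP treats a DN with an empty password as an unauthenticated simple bind (RFC 4513 section 5.1.2) that a server may be configured to accept.

```python
"""Search-then-bind and template-DN ("fastbind") LDAP authentication.

Added example, not dovecot code. FakeDirectory is a constructed stand-in
for an LDAP server; names and entries below are made up for the example.
"""
import re
from dataclasses import dataclass

# RFC 4515: characters that must be hex-escaped inside a search filter value.
FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
# RFC 4514: characters that must be backslash-escaped in a DN attribute value.
DN_SPECIALS = set(',+"\\<>;=')


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return ''.join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a user-supplied value for use as an attribute value in a DN."""
    out = ''.join('\\' + ch if ch in DN_SPECIALS else ch for ch in value)
    if out.startswith((' ', '#')):
        out = '\\' + out
    if out.endswith(' '):
        out = out[:-1] + '\\ '
    return out


def expand(template: str, user: str, escaper) -> str:
    """Expand %u (full login), %n (local part) and %d (domain) in one pass,
    escaping each substituted value with the escaper for the target context."""
    local, _, domain = user.partition('@')
    values = {'u': user, 'n': local, 'd': domain}
    return re.sub(r'%([und])', lambda m: escaper(values[m.group(1)]), template)


def _unescape_filter(token: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), token)


@dataclass
class FakeDirectory:
    """Constructed stand-in for an LDAP server: DN -> attribute dict."""
    entries: dict

    def search(self, base: str, filt: str) -> list:
        """Return DNs under base matching a '(uid=value)' filter. Like a real
        server it honours an unescaped '*' as a wildcard and \\XX escapes."""
        m = re.fullmatch(r'\(uid=(.*)\)', filt)
        if not m:
            return []
        pattern = ''.join('.*' if tok == '*' else re.escape(_unescape_filter(tok))
                          for tok in re.split(r'(\*)', m.group(1)))
        rx = re.compile(pattern)
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(',' + base) and rx.fullmatch(attrs['uid'])]

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind. Emulates a server that accepts unauthenticated binds:
        a DN with an empty password 'succeeds' without proving anything."""
        if password == '':
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry['userPassword'] == password


@dataclass
class BindAuthenticator:
    directory: FakeDirectory
    base: str
    user_filter: str        # search filter, or DN template when fastbind is set
    fastbind: bool = False  # hypothetical flag: use user_filter as a DN template

    def authenticate(self, user: str, password: str) -> bool:
        # Never forward an empty password: it would become an unauthenticated
        # bind, which the directory may accept and which proves nothing.
        if password == '':
            return False
        if self.fastbind:
            dn = expand(self.user_filter, user, escape_dn_value)
        else:
            filt = expand(self.user_filter, user, escape_filter_value)
            hits = self.directory.search(self.base, filt)
            if len(hits) != 1:   # unknown user, or an ambiguous match
                return False
            dn = hits[0]
        return self.directory.bind(dn, password)


# Constructed sample directory.
BASE = 'ou=people,dc=example,dc=com'
DIRECTORY = FakeDirectory({
    'uid=alice,' + BASE: {'uid': 'alice', 'userPassword': 'correct horse'},
    'uid=bob,' + BASE: {'uid': 'bob', 'userPassword': 'hunter2'},
})
SEARCH_AUTH = BindAuthenticator(DIRECTORY, BASE, '(uid=%n)')
FAST_AUTH = BindAuthenticator(DIRECTORY, BASE, 'uid=%n,' + BASE, fastbind=True)
```

Because the bind is performed as the user's own DN, the authenticator needs no account that can read password attributes, which is why `pass_attrs` becomes irrelevant in this mode. The escaping is what keeps the template expansion safe: a login such as `a*` reaches the server as `(uid=a\2a)` and matches nothing, and a local part containing `,` or `=` cannot rewrite the DN in fastbind mode.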
On Fri, 2005-12-02 at 13:28 +0100, J.M. Maurer wrote:
> Recently at Better.be we implemented LDAP authenticated bind support for
> dovecot. A patch against CVS HEAD is attached.

Thanks. I'm doing a few small modifications to this, should be in CVS soon.

Is there a reason why ldap_verify_plain_authbind() calls ldap_search() directly instead of using db_ldap_search(), other than the ability to specify scope? Using db_ldap_search() it'll reconnect to LDAP server whenever it needs to.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20051230/3343d72e/attachment.pgp