Stefan Palme
2010-Feb-18 08:19 UTC
[Dovecot] LDAP as password database - some problems / suggestions
Hi all,

Using dovecot-1.2.6, I use dovecot with an LDAP backend for user
authentication. In general this works ok, but I have some issues
with this...

In LDAP, I have users like this:

dn:cn=user1,ou=users,dc=kapott,dc=org
dn:cn=user2,ou=users,dc=kapott,dc=org
etc.

When authenticating users, I explicitly want to use the AUTH_BIND
feature (and NOT lookup passwords).

My problem: not ALL users from the LDAP system should be allowed to
use the IMAP server. Currently, I have defined an auth_bind_userdn
of "cn=%u,ou=users,dc=kapott,dc=org" in dovecot-ldap.conf, but with
this, user1 AND user2 could login (but I don't want user2 to be able
to use dovecot).

Because the LDAP system is used in a larger environment, it is NOT
possible to re-arrange the users like this:

cn=user1,ou=dovecot,ou=users,dc=kapott,dc=org
cn=user2,ou=not_dovecot,ou=users,dc=kapott,dc=org

So my question: are there any plans to support group-based LDAP
authentication? For several other applications, I have something
like this:

dn:cn=dovecot,ou=groups,dc=kapott,dc=org
objectclass:groupOfNames
member:cn=user1,ou=users,dc=kapott,dc=org

So I can define groups of user accounts - one group per application.

A nice solution for this in dovecot would be, if I could "mix"
password lookup and authentication bind: First, a search query
should be used to find a valid DN to bind as. In my case, the
search query could look like this:

base="ou=groups,dc=kapott.org"
filter="(&(cn=dovecot)(member=cn=%u,ou=users,dc=kapott,dc=org))"
result_attribute="member"

After finding a DN this way (via attribute "member"), I want to use
auth_bind to use this DN for password verification...

Any hints how to solve this? Any plans to support this in the future?

Thanks and regards
-stefan-
Oliver Eales
2010-Feb-18 08:45 UTC
[Dovecot] LDAP as password database - some problems / suggestions
Stefan Palme wrote:
> Hi all,
>
> Using dovecot-1.2.6, I use dovecot with an LDAP backend for user
> authentication. In general this works ok, but I have some issues
> with this...
>
> In LDAP, I have users like this:
>
> dn:cn=user1,ou=users,dc=kapott,dc=org
> dn:cn=user2,ou=users,dc=kapott,dc=org
>
> Because the LDAP system is used in a larger environment, it is NOT
> possible to re-arrange the users like this:
>
> cn=user1,ou=dovecot,ou=users,dc=kapott,dc=org
> cn=user2,ou=not_dovecot,ou=users,dc=kapott,dc=org

Isn't it possible to just give each allowed IMAP user an attribute
like imap=1?

If you really need to do it with the groups, the SUN DSSE LDAP has
features like ROLES or COSes where you can set attributes for an
entry based on an internal search.

Regards,
Oliver
Marcio Merlone
2010-Feb-18 13:36 UTC
[Dovecot] LDAP as password database - some problems / suggestions
On 18/2/2010 06:19, Stefan Palme wrote:
> In LDAP, I have users like this:
>
> dn:cn=user1,ou=users,dc=kapott,dc=org
> dn:cn=user2,ou=users,dc=kapott,dc=org
> etc.
>
(...)
> My problem: not ALL users from the LDAP system should be allowed to
> use the IMAP server. Currently, I have defined an auth_bind_userdn
> of "cn=%u,ou=users,dc=kapott,dc=org" in dovecot-ldap.conf, but with
> this, user1 AND user2 could login (but I don't want user2 to be able
> to use dovecot).

I use LDAP on PAM, and dovecot uses PAM as auth method, so I can have
a separated /etc/ldap_dovecot.conf which filters
"nss_base_passwd ou=People,dc=xxx?one?objectClass=mailUser" (I have a
postfix.schema I downloaded somewhere that implements mailUser, you
may use whatever objectclass you find best). That
/etc/ldap_dovecot.conf is read by /etc/pam.d/dovecot which is used by
dovecot. This may be tweaked to solve your needs.

Regards,

--
Marcio Merlone
Timo Sirainen
2010-Feb-18 14:38 UTC
[Dovecot] LDAP as password database - some problems / suggestions
On Thu, 2010-02-18 at 09:19 +0100, Stefan Palme wrote:
> base="ou=groups,dc=kapott.org"
> filter="(&(cn=dovecot)(member=cn=%u,ou=users,dc=kapott,dc=org))"
> result_attribute="member"
>
> After finding a DN this way (via attribute "member"), I want to use
> auth_bind to use this DN for password verification...

How about if it worked like:

pass_attrs = member=bind_dn, ...
pass_filter = ..

? Attached patch does that. If it works, I'll commit it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-dn.diff
Type: text/x-patch
Size: 2610 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20100218/cdf818fa/attachment-0004.bin>
Stefan Palme
2010-Feb-18 18:20 UTC
[Dovecot] LDAP as password database - some problems / suggestions
Hi,

On Thu, 2010-02-18 at 11:36 -0200, Marcio Merlone wrote:
> I use LDAP on PAM, and dovecot uses PAM as auth method, ...

Thanks for the tip. This way (dovecot -> PAM -> LDAP (with a dedicated
ldap-configuration for the "dovecot" PAM service)) works for me.

Regards
-stefan-
Stefan Palme
2010-Feb-18 18:21 UTC
[Dovecot] LDAP as password database - some problems / suggestions
On Thu, 2010-02-18 at 16:38 +0200, Timo Sirainen wrote:
> How about if it worked like:
>
> pass_attrs = member=bind_dn, ...
> pass_filter = ..

Have already solved it via PAM. But will nevertheless try this
solution too. But this has to wait until weekend :-)

Thanks for support!
-stefan-