dovecot - Jun 2017 - Dovecot LDAP using custom field to allow users to connect

Hi all,

I'd like to know if it's possible to add a custom field when the 
authentification is made by users.

My boolean custom field will be for example "AllowUser" (false/true).

I'm trying to do something like that but it's not working :

/user_filter = 
(&(objectClass=posixAccount)(uid=%u)(objectClass=myclass)(AllowUser=TRUE))/

This is my dovecot/ldap configuration below :

/*# dovecot.conf*
/
/passdb {//
//  driver = ldap//
//  args = /etc/dovecot/dovecot-ldap.conf//
//}/

*# dovecot-ldap.conf*

/hosts = myurl:myport//
//dn = cn=myuser,dc=mydomain,dc=com//
//dnpass = ********//
//a//uth_bind = yes//
//auth_bind_userdn = uid=%u,ou=users,dc=mydomain,dc=com//
//ldap_version = 3//
//base = ou=Users,dc=mydomain,dc=com//
//scope = base//
//default_pass_scheme = SSHA512
/
Do you have an idead ?

Kind regards.

--
Michael

Hi Michael,

We do exactly that see example below:

user_filter = 
(&(&(objectClass=ukFirmGhITPerson)(ukFirmGhITAccSubSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=%u)(mail=%u)(ukFirmGhITAccMailAlias=%u)))
pass_filter = 
(&(&(objectClass=ukFirmGhITPerson)(ukFirmGhITAccSubSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=%u)(mail=%u)))

Does it work without the AllowUser section of the search?
Do you get any records back when you do a ldapsearch with your 
user_filter search?

Best Regards

Martin

On 2017-06-07 09:48, Michael JOIGNY wrote:
> Hi all,
> 
> I'd like to know if it's possible to add a custom field when the
> authentification is made by users.
> 
> My boolean custom field will be for example "AllowUser"
(false/true).
> 
> I'm trying to do something like that but it's not working :
> 
> /user_filter >
(&(objectClass=posixAccount)(uid=%u)(objectClass=myclass)(AllowUser=TRUE))/
> 
> This is my dovecot/ldap configuration below :
> 
> /*# dovecot.conf*
> /
> /passdb {//
> //  driver = ldap//
> //  args = /etc/dovecot/dovecot-ldap.conf//
> //}/
> 
> *# dovecot-ldap.conf*
> 
> /hosts = myurl:myport//
> //dn = cn=myuser,dc=mydomain,dc=com//
> //dnpass = ********//
> //a//uth_bind = yes//
> //auth_bind_userdn = uid=%u,ou=users,dc=mydomain,dc=com//
> //ldap_version = 3//
> //base = ou=Users,dc=mydomain,dc=com//
> //scope = base//
> //default_pass_scheme = SSHA512
> /
> Do you have an idead ?
> 
> Kind regards.
> 
> --
> Michael

Hi Michael,

Just noticed you are using auth_bind_userdn which we don't.
I think you may need to use pass_filter rather than user_filter??

Best Regards

Martin

On 2017-06-07 10:59, Martin Wheldon wrote:
> Hi Michael,
> 
> We do exactly that see example below:
> 
> user_filter >
(&(&(objectClass=ukFirmGhITPerson)(ukFirmGhITAccSubSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=%u)(mail=%u)(ukFirmGhITAccMailAlias=%u)))
> pass_filter >
(&(&(objectClass=ukFirmGhITPerson)(ukFirmGhITAccSubSrvcs=Email)(ukFirmGhITAccLocked=Email-FALSE))(|(uidNumber=%u)(mail=%u)))
> 
> Does it work without the AllowUser section of the search?
> Do you get any records back when you do a ldapsearch with your
> user_filter search?
> 
> Best Regards
> 
> Martin
> 
> On 2017-06-07 09:48, Michael JOIGNY wrote:
>> Hi all,
>> 
>> I'd like to know if it's possible to add a custom field when
the
>> authentification is made by users.
>> 
>> My boolean custom field will be for example "AllowUser"
(false/true).
>> 
>> I'm trying to do something like that but it's not working :
>> 
>> /user_filter >>
(&(objectClass=posixAccount)(uid=%u)(objectClass=myclass)(AllowUser=TRUE))/
>> 
>> This is my dovecot/ldap configuration below :
>> 
>> /*# dovecot.conf*
>> /
>> /passdb {//
>> //  driver = ldap//
>> //  args = /etc/dovecot/dovecot-ldap.conf//
>> //}/
>> 
>> *# dovecot-ldap.conf*
>> 
>> /hosts = myurl:myport//
>> //dn = cn=myuser,dc=mydomain,dc=com//
>> //dnpass = ********//
>> //a//uth_bind = yes//
>> //auth_bind_userdn = uid=%u,ou=users,dc=mydomain,dc=com//
>> //ldap_version = 3//
>> //base = ou=Users,dc=mydomain,dc=com//
>> //scope = base//
>> //default_pass_scheme = SSHA512
>> /
>> Do you have an idead ?
>> 
>> Kind regards.
>> 
>> --
>> Michael