[Dovecot] Final LDAP issues
Joseba Torre
joseba.torre at ehu.es
Thu Feb 22 15:50:32 UTC 2007
On Thursday, 22 February 2007 13:02, Timo Sirainen wrote:
> > For me, the perfect state would be:
> > - bind using the user supplied dn
> > - if successful, search for pass_attrs, where some user_attrs may be
> > prefetched
> > - unbind
> > - userdb only binds if some needed attrs haven't been already fetched. If
> > so, there's a choice to use the user supplied dn for the bind/search.
>
> What if you just didn't use auth_bind_userdn, put all the attributes in
> pass_attrs and use userdb prefetch?
The ldap log is:
fd=18 ACCEPT from IP=10.0.2.22:38185 (IP=0.0.0.0:636)
op=0 BIND dn="" method=128
op=0 RESULT tag=97 err=0 text=
op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0
filter="(uid=testuid)"
op=1 SRCH attr=uid homeDirectory uidNumber gidNumber
op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
So the ldap_attrs search is being done anonymously -and it's the only way it
makes sense-, so I'm back in the same problem.
op=2 BIND dn="uid=testuid,ou=people,dc=example,dc=com" method=128
op=2 BIND dn="uid=testuid,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
op=2 RESULT tag=97 err=0 text=
deferring operation: binding
This is the auth bind
op=3 BIND anonymous mech=implicit ssf=0
op=3 BIND dn="" method=128
op=3 RESULT tag=97 err=0 text=
op=4 SRCH base="ou=People,dc=ehu,dc=es" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=testuid))"
op=4 SRCH attr=uid homeDirectory uidNumber gidNumber
op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
So, even if the uid, gid and homeDirectory are being prefetched (my pass_attrs
value is
pass_attrs = uid=user,userPassword=password,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
and the line
op=1 SRCH attr=uid homeDirectory uidNumber gidNumber
at the beginning of the log shows that they were),
they are being searched again?
>
> I think that should work as long as you're not using deliver, which
> requires userdb-only query (but then if you don't need the private
> fields use userdb prefetch and userdb ldap).
I wanted to avoid creating a new dn for dovecot to use, but I also want to use
deliver in the near future. I hadn't thought about it before, but it's
obvious that with my config deliver will need, at least, access to
homeDirectory, uidNumber and gidNumber. So I'll create the dedicated dn and
this problem will be gone.
Thanks again.
--
Joseba Torre. CIDIR Bizkaia.
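The configuration the thread converges on, written out as an added example (not the poster's own files and not from the Dovecot project): a dedicated service dn for Dovecot's attribute lookups, auth binds for the password check with auth_bind_userdn left unset so that pass_attrs are still fetched and can feed userdb prefetch, a plain userdb ldap for deliver, and slapd access rules that make the service dn the only non-self reader of the account attributes. The dn cn=dovecot,ou=Services,dc=example,dc=com, the ou=Services container, the file paths and the ldaps URI are assumptions; adapt them to your directory.

```conf
# ---- /etc/dovecot/dovecot-ldap.conf (assumed path) ----
# Service account Dovecot binds as for its searches. The dn and the
# ou=Services container are assumptions for this example.
uris = ldaps://ldap.example.com
dn = cn=dovecot,ou=Services,dc=example,dc=com
dnpass = service-account-password
ldap_version = 3
base = ou=People,dc=example,dc=com
scope = subtree

# Password check: Dovecot binds as the user with the dn found by the
# pass_filter search, so the service account never needs to read
# userPassword and it is left out of pass_attrs. auth_bind_userdn is
# deliberately NOT set: with it Dovecot skips the search, and nothing
# would be prefetched.
auth_bind = yes
pass_filter = (&(objectClass=posixAccount)(uid=%u))

# Attributes fetched during the passdb lookup. The userdb_* names are
# what "userdb prefetch" picks up, so an IMAP/POP login needs no second
# LDAP search.
pass_attrs = uid=user,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

# userdb-only lookups (deliver has no passdb step) are done with the
# service dn and return the same attributes under their userdb names.
user_filter = (&(objectClass=posixAccount)(uid=%u))
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

# ---- /etc/dovecot/dovecot.conf, auth section (assumed path) ----
# prefetch comes first so a login is satisfied from pass_attrs; the
# ldap userdb after it is what deliver falls through to.
auth default {
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
  userdb prefetch {
  }
  userdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
}

# ---- slapd.conf access rules (assumed; OpenLDAP slapd.conf syntax) ----
# "by anonymous auth" is what allows a user's simple bind to be checked
# without anyone being able to read the hash.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The service dn and the entry's owner can read the account attributes;
# the "entry" pseudo-attribute is required for read access to the entry
# itself. Everything else, including anonymous searches, gets nothing.
access to dn.subtree="ou=People,dc=example,dc=com"
        attrs=entry,objectClass,uid,homeDirectory,uidNumber,gidNumber
        by dn.exact="cn=dovecot,ou=Services,dc=example,dc=com" read
        by self read
        by * none
```

With this in place the slapd log for a login should open with a BIND as cn=dovecot,... instead of the BIND dn="" seen in the post, followed by the SRCH and then the BIND as the user's dn. A quick check that the attributes are no longer world-readable is an anonymous ldapsearch for the same filter: it should come back with no entries rather than the nentries=1 the anonymous search in the post returned.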