The following issue has been RESOLVED.
======================================================================
http://www.dbmail.org/mantis/view.php?id=367
======================================================================
Reported By: lkneschke
Assigned To: paul
======================================================================
Project: DBMail
Issue ID: 367
Category: Authentication layer
Reproducibility: always
Severity: major
Priority: normal
Status: resolved
target: 2.1.7
Resolution: fixed
Fixed in Version: 2.1.7
======================================================================
Date Submitted: 16-Jun-06 10:04 CEST
Last Modified: 20-Jul-06 16:21 CEST
======================================================================
Summary: Sometimes LDAP Authentication fails
Description:
From time to time I'm unable to authenticate against my LDAP server. After
some poking in the logfiles I found the source of the problem.
What triggers the problem is that I try to implement very strict ACLs in
the LDAP server. The members of one subtree have no rights on another
subtree.
What you can see from the logfile is that dbmail first authenticates as
one user (does a bind to validate the IMAP user's password). When the next
search starts to find a user which resides in another tree, the user cannot
be found because the ACLs do not permit this.
The solution should be to bind as the user defined in dbmail.conf before
searching for uids.
Just have a look at the attached LDAP logfile and the inline comments.
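The failure sequence described above, as an added example that is not part of the report or of DBMail: an in-memory stand-in for the LDAP server with the strict per-subtree ACLs, a connection that remembers who is bound (as a libldap handle does), and the login flow before and after the rebind. The directory entries, the admin DN and the password values are constructed; `authenticate_fixed` also checks the rebind result, which is an assumption beyond the fix discussed here.

```python
# Added example (not DBMail's code): in-memory LDAP stand-in with strict per-subtree ACLs.
ADMIN_DN = "cn=dbmail,dc=example,dc=org"   # assumed bind_dn from dbmail.conf
DIRECTORY = {
    "uid=alice,ou=sales,dc=example,dc=org": ("s3cret", "alice@example.org"),
    "uid=bob,ou=dev,dc=example,dc=org": ("hunter2", "bob@example.org"),
    ADMIN_DN: ("admin-pw", None),
}
def _subtree(dn):
    return dn.split(",", 1)[1]   # "uid=alice,ou=sales,..." -> "ou=sales,..."

class FakeLdapConn:
    # Like a libldap handle, the connection remembers who is currently bound.
    def __init__(self):
        self.bound_as = None     # anonymous until a successful bind

    def bind(self, dn, password):
        entry = DIRECTORY.get(dn)
        if entry is None or entry[0] != password:
            self.bound_as = None  # a failed bind drops back to anonymous
            return False
        self.bound_as = dn
        return True

    def search(self, base, mail):
        # ACL from the report: a subtree is readable only by its own members or the admin.
        if self.bound_as != ADMIN_DN and (
                self.bound_as is None or _subtree(self.bound_as) != base):
            return []
        return [dn for dn, (_, m) in DIRECTORY.items()
                if _subtree(dn) == base and m == mail]

def authenticate_buggy(conn, user_dn, password):
    # Pre-patch: validate by binding as the user and leave the handle that way.
    return conn.bind(user_dn, password)

def authenticate_fixed(conn, user_dn, password):
    # Patched flow, plus a check the patch leaves out: rebind as admin and
    # refuse to continue if that rebind fails, so no search runs as the user.
    ok = conn.bind(user_dn, password)
    if not conn.bind(ADMIN_DN, DIRECTORY[ADMIN_DN][0]):
        raise RuntimeError("rebind as admin failed; connection unusable")
    return ok

def lookup_after_login(authenticate, user_dn, password, base, mail):
    # Log a user in on a shared connection, then resolve an address in some subtree.
    conn = FakeLdapConn()
    if not authenticate(conn, user_dn, password):
        return None
    return conn.search(base, mail)
```

With the pre-patch flow the search succeeds only when the address happens to live in the logged-in user's own subtree, which is why the failure looks intermittent.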
======================================================================
----------------------------------------------------------------------
lkneschke - 17-Jun-06 20:39
----------------------------------------------------------------------
This patch solved my problems.
Index: /home/lkneschke/Documents/dbmail-trunk/modules/authldap.c
===================================================================
--- /home/lkneschke/Documents/dbmail-trunk/modules/authldap.c (Revision
2178)
+++ /home/lkneschke/Documents/dbmail-trunk/modules/authldap.c
(Arbeitskopie)
@@ -1361,6 +1361,13 @@
*/
}
+ /* now, rebind as admin again */
+ trace(TRACE_DEBUG, "%s,%s: rebinding as admin [%s] again",
+ __FILE__,__func__,
+ _ldap_cfg.bind_dn);
+
+ ldap_err = ldap_bind_s(_ldap_conn, _ldap_cfg.bind_dn,
_ldap_cfg.bind_pw, LDAP_AUTH_SIMPLE);
+
if (ldap_dn)
ldap_memfree(ldap_dn);
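Review bot: the return value of the rebind is stored in `ldap_err` but never checked in this hunk, so if the bind as `_ldap_cfg.bind_dn` fails (wrong bind_pw, connection dropped by the server) the handle stays bound as the mailbox user, or anonymous, and the following uid search fails with exactly the symptom this issue describes while the log only shows the "rebinding as admin" debug line. Suggest testing the result immediately after the call, e.g. `if (ldap_err != LDAP_SUCCESS) trace(..., "%s,%s: rebind as admin failed: %s", __FILE__, __func__, ldap_err2string(ldap_err));` at an error level, and returning an error or marking the connection for reconnect rather than continuing with an unknown bound identity.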
----------------------------------------------------------------------
paul - 21-Jun-06 16:32
----------------------------------------------------------------------
Problem solved using method illustrated in the patch by lkneschke.
Issue History
Date Modified Username Field Change
======================================================================
16-Jun-06 10:04 lkneschke New Issue
16-Jun-06 10:04 lkneschke File Added: dbmail_ldap_problem.txt
17-Jun-06 20:39 lkneschke Note Added: 0001251
21-Jun-06 16:32 paul target => 2.1.7
21-Jun-06 16:32 paul Note Added: 0001257
21-Jun-06 16:32 paul Status new => resolved
21-Jun-06 16:32 paul Resolution open => fixed
21-Jun-06 16:32 paul Fixed in Version => SVN Trunk
20-Jul-06 16:10 paul Fixed in Version SVN Trunk => 2.1.7
20-Jul-06 16:14 paul Status resolved => assigned
20-Jul-06 16:14 paul Assigned To => paul
20-Jul-06 16:21 paul Status assigned => resolved
======================================================================