I'm sorry, I explained it wrong.

It is not a "login with & without domain" scenario. I have internal company usernames + passwords and e-mail addresses.

I want to achieve:
- internal username + password login to work
- email + password login to work

Now works:
    Username: milo
    Password: 123456

Want to allow:
    Username: [email protected]
    Password: 123456

which somehow remaps to the 'milo' username, so the same Maildir is accessed.

Milo


On 11.01.2021 at 17:32 Aki Tuomi wrote:
Not sure if you read my mail wrong, but

if

user.name works

and

[email protected] does not work,

then why not just write

auth_bind_userdn = uid=%d,dc=domain,dc=tld

note the %d, which means: expand to the local part (user.name) instead of [email protected].

Aki


On 11/01/2021 18:28 Miloslav Hůla <[email protected]> wrote:

Would the following scenario be possible?

1. do the SQL passdb lookup, do the remap & return password = NULL without nopassword
2. do the LDAP bind

I think it works, but I'm not sure if there are some security/other flaws.

Milo


On 11.01.2021 at 17:11 Miloslav Hůla wrote:
Probably not a way for me. I forgot to write that I cannot change the LDAP
schema, so the bindDN is fixed for me.

Milo

On 11.01.2021 at 17:00 Aki Tuomi wrote:
auth_bind_userdn = uid=%d,dc=domain,dc=tld, also see

%D - return “sub.domain.org” as “sub,dc=domain,dc=org” (for LDAP queries)

from
https://doc.dovecot.org/configuration_manual/config_file/config_variables/


Aki

On 11/01/2021 17:58 Miloslav Hůla <[email protected]> wrote:

Hi,

with Dovecot 2.3.4 I would like to allow a user to log in with two
different usernames:

- USERNAME (no domain) - now works
- [email protected] - would like to add

The problem is that the only authentication method I have is LDAP bind by
USERNAME. Now I use:

============
passdb {
     driver = ldap
     args = /etc/dovecot/dovecot-ldap.conf.ext
}

# Args
uris = ldaps://ldap.domain.tld
auth_bind = yes
auth_bind_userdn = uid=%u,dc=domain,dc=tld
base =
============

I know passdb can remap user & domain, but I have no password hash at all.
And, for example, '{SASL}' is not a supported password scheme to return e.g.
from an SQL passdb.


Is there any way to achieve this? Maybe somehow remap the username in the
first passdb and then continue to the LDAP bind?

1. login as [email protected]
2. remap to USERNAME
3. do the LDAP bind


Milo
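As an added example (not part of the thread above, and not a configuration either poster provided), here is one way to let both login forms authenticate against the same LDAP entry and end up in the same Maildir. It reuses the LDAP URI and base DN from Milo's posts (ldap.domain.tld, dc=domain,dc=tld); the Maildir path under /var/mail and the vmail uid/gid are assumptions. The key variable is %n, which Dovecot expands to the local part of the login name (the part before "@", or the whole name when there is no "@"); %d expands to the domain part.

```conf
# dovecot.conf (added example; paths and uid/gid are assumptions)

# Normalize the login name before any passdb/userdb lookup:
# lowercase it and drop everything from "@" onwards, so that
# "milo" and "[email protected]" both become "milo".
auth_username_format = %Ln

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# One Maildir per local part, whichever form the user logged in with.
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/%n
}
mail_location = maildir:~/Maildir

# /etc/dovecot/dovecot-ldap.conf.ext
uris = ldaps://ldap.domain.tld
auth_bind = yes
# %n is the local part; with auth_username_format above it is already the
# bare username, so the bind DN is identical for both login forms.
auth_bind_userdn = uid=%n,dc=domain,dc=tld
# Left empty as in the original config: no search is performed when only
# binding with a fixed DN template.
base =
```

Two caveats worth checking before relying on this. First, because the domain is discarded before authentication, a login as milo@any-other-domain also maps to milo; if the domain must be validated, do that with a passdb lookup that matches the mail attribute rather than with this format alone. Second, %L lowercases the name, so confirm the uid values in LDAP are lowercase (or drop the L) or the bind DN will not match.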
