
List:       qmail-ldap
Subject:    Re: anonymous bind for qmailgroup entries?
From:       Claudio Jeker <jeker () n-r-g ! com>
Date:       2006-10-24 16:55:58
Message-ID: 20061024165557.GA28792 () diehard ! n-r-g ! com

On Tue, Oct 24, 2006 at 06:43:17PM +0200, Robert Müller wrote:
> Hi all,
> 
> I've been using qmail-ldap on different servers for more than a
> year. Now I've set up a new one with a virtual users environment. My
> qmail-installation uses a dedicated account for retrieving
> LDAP-attributes and I have set the LDAP ACL very restrictive to prevent
> users from seeing other accounts. Mail delivery for normal qmailusers
> works very well, but I observe a strange problem with qmailgroups. The
> following is derived from slapd's logfile:
> qmail binds correctly as the dedicated user to search the mail address.
> After the entry with the corresponding address is found, it retrieves
> all LDAP Attributes for a normal qmailuser within the existing bind and
> therefore succeeds with delivery.
> But for a qmailgroup entry it unbinds and rebinds anonymously and is
> then not able to read the attribute "entry" or any other attributes,
> since this is prohibited by my LDAP ACLs for anonymous binds.
> 
> Can any of you experts tell me if this is desired behaviour and why?
> Or did I miss a simple configuration option?
> Any help greatly appreciated,
> 

Most of the time this happens because ~control/ldappassword is not readable
by the user which runs the qmail-group command.
This is why ~control/ldapgrouplogin and ~control/ldapgrouppassword exist.
Especially, it makes it possible to use a different user for the normal mail
lookup than for the group lookups. Group lookups only need read access to
some fields (e.g. userPassword is not needed), allowing stricter ACL rules.
Additionally it makes it possible to tune the limits in slapd.

-- 
:wq Claudio
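The separate group-lookup identity described in this reply, written out as an OpenLDAP slapd.conf ACL fragment. This is an added example for the thread, not configuration posted by either participant or shipped with qmail-ldap. The bind DNs cn=qmail and cn=qmail-group under ou=services,dc=example,dc=com, the subtree ou=mail,dc=example,dc=com, and the group attribute names in the second rule are assumptions; the attribute names are the qmailGroup MAY attributes as remembered from qmail.schema and should be checked against the copy you actually load. The "entry" pseudo-attribute is the one the original question saw denied: slapd only returns an entry from a search if the requester has read access to it, so a rule that omits it yields empty results even when every real attribute is readable.

```conf
# Added example (not from the thread). Assumed DNs:
#   cn=qmail,ou=services,dc=example,dc=com        -> ~control/ldaplogin
#   cn=qmail-group,ou=services,dc=example,dc=com  -> ~control/ldapgrouplogin
# Assumed base for mail accounts and groups: ou=mail,dc=example,dc=com
#
# slapd evaluates "access to" directives in order and stops at the first
# one whose target matches; within it, the first matching "by" wins and
# an unmatched requester is denied. So the most specific rule goes first.

# userPassword: only the normal-lookup DN may read it. Anonymous may use
# it for a simple bind (auth) but never read it; the group DN does not
# appear here at all, which is the "stricter ACL" the reply refers to.
access to dn.subtree="ou=mail,dc=example,dc=com" attrs=userPassword
        by dn.exact="cn=qmail,ou=services,dc=example,dc=com" read
        by self write
        by anonymous auth
        by * none

# Group entries: the group-lookup DN gets read on exactly what list
# expansion needs. "entry" must be granted or the search returns nothing
# (that is the symptom from the original question, there caused by the
# anonymous rebind). Attribute names after objectClass are assumed from
# qmail.schema; verify them against your installed schema.
access to dn.subtree="ou=mail,dc=example,dc=com" filter="(objectClass=qmailGroup)"
        attrs=entry,objectClass,mail,mailAlternateAddress,mailMember,dnmember,rfc822member,filtermember,senderconfirm,membersonly,confirmtext,dnmoderator,rfc822moderator,moderatortext
        by dn.exact="cn=qmail-group,ou=services,dc=example,dc=com" read
        by dn.exact="cn=qmail,ou=services,dc=example,dc=com" read
        by * none

# Member entries referenced by DN: assumption that qmail-group only needs
# the address attributes of those entries, not the rest of the account.
access to dn.subtree="ou=mail,dc=example,dc=com"
        attrs=entry,objectClass,mail,mailAlternateAddress
        by dn.exact="cn=qmail-group,ou=services,dc=example,dc=com" read
        by dn.exact="cn=qmail,ou=services,dc=example,dc=com" read
        by * none

# Everything else in the subtree: normal-lookup DN only. Anonymous and
# the group DN get nothing, so a stray anonymous rebind fails closed.
access to dn.subtree="ou=mail,dc=example,dc=com"
        by dn.exact="cn=qmail,ou=services,dc=example,dc=com" read
        by * none
```

Two checks worth doing after loading this: confirm from slapd's log that the group lookup now binds as the cn=qmail-group DN rather than anonymously (if it still rebinds anonymously, the control files ~control/ldapgrouplogin and ~control/ldapgrouppassword are either missing or, like ~control/ldappassword in the reply's diagnosis, not readable by the user running qmail-group), and run ldapsearch bound as each DN against a group entry to verify that cn=qmail-group sees the group attributes but gets no userPassword back.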