Discussion:
Escape comma in the LDAP passdb subquery configuration
Francesco Fiore
2014-09-01 13:27:44 UTC
Hi
I have to configure the LDAP passdb to execute a subquery defining
dynamically the new DN to use.

For example:
pass_attrs = @mail=mail=%{login_user},dc=%{login_domain},dc=example,dc=com,\
=proxy=y,\
=host=%{ldap:mailHost@mail}

In the previous example, the problem is the use of "," for DN
representation, which is also the separator for the attribute template
in the pass_attr parameter value.
I tried to escape it with '\' or '%' but it doesn't work.
Dovecot version is 2.2.13.
How can I resolve this issue?

Thanks in advance
Giovanni Mancuso
2014-09-04 10:01:30 UTC
Hi,

I need the same. Is there a way to do this?

Thanks

On 01/09/2014 15:27, Francesco Fiore wrote:
Hi
Post by Francesco Fiore
I have to configure the LDAP passdb to execute a subquery defining
dynamically the new DN to use.
pass_attrs =
@mail=mail=%{login_user},dc=%{login_domain},dc=example,dc=com,\
=proxy=y,\
=host=%{ldap:mailHost@mail}
In the previous example, the problem is the use of "," for DN
representation, which is also the separator for the attribute template
in the pass_attr parameter value.
I tried to escape it with '\' or '%' but it doesn't work.
Dovecot version is 2.2.13.
How can I resolve this issue?
Thanks in advance
Jogi Hofmüller
2014-09-10 06:07:05 UTC
Hi,
Post by Francesco Fiore
pass_attrs =
@mail=mail=%{login_user},dc=%{login_domain},dc=example,dc=com,\
=proxy=y,\
=host=%{ldap:mailHost@mail}
In the previous example, the problem is the use of "," for DN
representation, which is also the separator for the attribute template
I see. Have you tried using a different filter instead of dynamic
arguments in pass_attrs?

Cheers,
--
j.hofmüller

Optimism doesn't alter the laws of physics. - Subcommander T'Pol

Francesco Fiore
2014-09-10 08:37:06 UTC
Hi,
Post by Jogi Hofmüller
Hi,
Post by Francesco Fiore
pass_attrs =
@mail=mail=%{login_user},dc=%{login_domain},dc=example,dc=com,\
=proxy=y,\
=host=%{ldap:mailHost@mail}
In the previous example, the problem is the use of "," for DN
representation, which is also the separator for the attribute template
I see. Have you tried using a different filter instead of dynamic
arguments in pass_attrs?
I tried, but in this case the passdb is configured to use master
authentication, and in this infrastructure there is an N*M association
between users and mailboxes.
This association is implemented in the back-end instances using the user
entries to do authentication, and the mailbox entries to get the
attributes in the userdb.
In the user entries there is a custom attribute.
For example:

dn: uid=myuser,ou=People,dc=example,dc=com
...
uid: myuser
associatedMailbox: mymbox@example.com
userPassword: **********

dn: mail=mymbox@example.com,ou=Mailboxes,dc=example,dc=com
...
mail: mymbox@example.com
mailHost: 192.168.0.1
homeDirectory: /path/to/homedir

In the configuration of the back-end instance I use different filters to
get different LDAP entries in the passdb (user entries) and userdb
(mailbox entries).
The problem is in the proxy configuration, because Dovecot must execute an
LDAP bind with the user entry but it also needs to get the mailHost
attribute from the mailbox entry to connect to the correct back-end server.
The complete passdb configuration is:

pass_attrs = @mail=mail=%{login_user},dc=%{login_domain},dc=example,dc=com,\
=proxy=y,\
=host=%{ldap:mailHost@mail}
pass_filter = (&(uid=%{user})(associatedMailbox=%{login_user}))


I'm thinking of implementing this authentication using an external auth
daemon and configuring Dovecot to use an auth-dict, but I would like to avoid
running an independent daemon. Can I configure Dovecot to spawn an
external process?
Is this a valid solution in your experience?
Post by Jogi Hofmüller
Cheers,
Regards
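The thread leaves two different "comma" questions open, and it never shows whether Dovecot 2.2's pass_attrs parser honours a backslash-escaped comma (the poster reports that `\` and `%` did not work in 2.2.13). The added example below is not Dovecot code and does not reproduce Dovecot's parser; it models the symptom the poster describes with a plain comma split of the template, and then shows the escaping that RFC 4514 (DN values) and RFC 4515 (filter assertion values) require when login-supplied strings are interpolated into the DN `mail=%{login_user},dc=%{login_domain},dc=example,dc=com` and the `pass_filter` quoted above. The template string and the sample values are constructed from the thread; everything else is an assumption of this example.

```python
# Added example (not Dovecot code): the two distinct "comma problems" in the
# thread, modelled in plain Python.
#  1. A naive comma split of the pass_attrs template, which reproduces the
#     separator behaviour the poster describes (the DN is cut into pieces).
#     This is a model of the symptom, not Dovecot's actual parser.
#  2. RFC 4514 / RFC 4515 escaping of login-supplied values before they are
#     interpolated into a DN or a search filter, using the DN and filter
#     shapes quoted in the thread.

# Characters that RFC 4514 section 2.4 requires to be escaped anywhere in a
# DN attribute value. '#' needs escaping only at the start of the value and
# ' ' only at the start or end; both are handled positionally below.
_DN_SPECIAL = set('"+,;<>\\')

# RFC 4515 section 3: these characters in an assertion value become \XX.
_FILTER_ESCAPES = {
    '\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00',
}


def split_pass_attrs(template: str) -> list:
    """Split a one-line pass_attrs value on ',' (assumption: a plain comma
    split, which is how the poster describes the separator behaving)."""
    return [field.strip() for field in template.split(',')]


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 section 2.4)."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)          # e.g. ',' -> '\,'
        elif ch == '\x00':
            out.append(r'\00')
        elif ch == '#' and i == 0:
            out.append(r'\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside a search filter (RFC 4515)."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def mailbox_dn(login_user: str, login_domain: str) -> str:
    """DN of the subquery target in the thread's template:
    mail=%{login_user},dc=%{login_domain},dc=example,dc=com"""
    return (f"mail={escape_dn_value(login_user)},"
            f"dc={escape_dn_value(login_domain)},dc=example,dc=com")


def pass_filter(user: str, login_user: str) -> str:
    """The thread's pass_filter with both interpolated values escaped."""
    return (f"(&(uid={escape_filter_value(user)})"
            f"(associatedMailbox={escape_filter_value(login_user)}))")


if __name__ == '__main__':
    # The poster's template joined onto one line (constructed from the thread).
    template = ("@mail=mail=%{login_user},dc=%{login_domain},dc=example,dc=com,"
                "=proxy=y,=host=%{ldap:mailHost@mail}")
    for field in split_pass_attrs(template):
        print(repr(field))          # the DN arrives as four separate fields
    print(mailbox_dn('mymbox@example.com', 'example.com'))
    print(mailbox_dn('a,b@example.com', 'example.com'))   # comma escaped as \,
    print(pass_filter('myuser', '*)(uid=*'))              # metacharacters neutralised
```

The split shows why the template cannot carry a literal DN: the DN's own commas are indistinguishable from the field separators. The escaping functions address the separate question of a comma (or filter metacharacter) inside a login-supplied value; `\,` is the RFC 4514 form, but whether a given template parser passes it through untouched is something to verify against that parser, not assume.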
