4 messages in net.sourceforge.lists.courier-users: Re: [courier-users] Ldap Auth

From / Sent on:
Charles, Nov 22, 2002 10:33 pm
Brian Candler, Nov 23, 2002 7:06 am
Charles, Nov 23, 2002 7:12 pm
Brian Candler, Nov 24, 2002 1:57 am
Subject: Re: [courier-users] Ldap Auth
From: Charles (char@editel.com.br)
Date: Nov 23, 2002 7:12:03 pm
List: net.sourceforge.lists.courier-users

But why does Courier authldap need binddn and bindpw? I don't store courier confs in ldap, so why does courier need a user with read and search privileges on the database? In my systems I disable anonymous access to make spammers' life difficult. Will I need to add a DN for courier? That

Brian Candler wrote:

On Sat, Nov 23, 2002 at 04:33:27AM +0300, Charles wrote:

I need to auth courier IMAP & POP with Ldap. But without specifying BINDDN and BINDPW I can only auth if my ldap userPassword already contains a crypted {crypt} password. I don't want imap to bind as root to authenticate users, I want imap authenticating users with the users' passwords. If userPassword contains 12IbR.gJ8wcpc I don't need to set AUTHBIND/BINDDN/BINDPW, only LDAP_CRYPT UserPassword. But with this I can't authenticate with ldapsearch without specifying 12IbR.gJ8wcpc as the password. (12IbR.gJ8wcpc is equal to 123 with {crypt}.) Using BINDPW/BINDDN/AUTHBIND I can use LDAP passwords and auth in ldapsearch using 123 as the password, but courier loses security using this, and it needs two authentications (root & user). I need to auth courier without using BINDDN and BINDPW. Why can I do?

I am having difficulty parsing the above, but I would point out:

(1) The initial bind does not have to be as 'root'. It can be as any user who has read and search privileges on the database. In many cases an anonymous bind is sufficient.

(2) Using AUTHBIND is, in my opinion, *more* secure than having Courier compare the passwords.

This is because your LDAP server can be configured not to allow reading of the password field. Courier can do a BIND to say "here is a password for this user, is it valid?" But it cannot say "please tell me the password for this user."

So if someone breaks into your Courier box, they cannot query the LDAP server to download all the passwords for your entire userbase. (If they have root privileges they could install a password sniffer, but nothing is going to protect you against that.)

LDAP_BINDDN cn=root,c=BR LDAP_BINDPW 123

The above is the initial login which Courier makes to do a *search* of the database to find the user record. As I said above, it only needs search and read privs.

You can just omit them, in which case it will do an anonymous bind.

LDAP_AUTHBIND 1

With this set, Courier takes the DN of the record it found during the search, plus the password supplied by the user, and does another BIND using those as the credentials.

With this unset, Courier must be able to *read* the password attribute in step one, and then compares it with the password provided by the user.

In this case, I don't know if Courier supports "{crypt}xxxxx" crypted passwords, because I use AUTHBIND. If it doesn't, well then you will have to use plaintext passwords if you wish to work in this way, or modify the code.
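The two flows Brian describes (initial bind + search, then either a second BIND as the user's DN with LDAP_AUTHBIND set, or a local compare of a readable userPassword with it unset) are modelled below in an added example that is not part of this thread and not Courier's own code. Everything in it is constructed: MockDirectory is an in-memory stand-in for an LDAP server with a single ACL rule (userPassword is readable only by the entry itself and by DNs listed as password readers), passwords are stored with OpenLDAP's {SHA} scheme rather than {crypt}, and the authldaprc fragments are built from the keys discussed above (LDAP_BINDDN, LDAP_BINDPW, LDAP_AUTHBIND) plus LDAP_MAIL, Courier's key for the login attribute, whose use here is an assumption of this model. The point it makes concrete is the one in Brian's item (2): with AUTHBIND and an anonymous initial bind, whoever holds the Courier box's bind credentials can read no password hashes at all, whereas the compare mode requires Courier's bind identity to read every userPassword it might ever need to check.

```python
import base64
import hashlib


class LdapError(Exception):
    """Stand-in for an LDAP result code such as invalidCredentials."""


def sha_password(clear):
    """Produce a {SHA} userPassword value for the constructed directory."""
    digest = base64.b64encode(hashlib.sha1(clear.encode()).digest()).decode()
    return "{SHA}" + digest


def _verify(stored, supplied):
    """Compare a supplied password with a stored value ({SHA} or plain text)."""
    if stored.startswith("{SHA}"):
        return stored == sha_password(supplied)
    return stored == supplied


class MockDirectory:
    """Constructed LDAP-like directory: dn -> attribute dict, plus one ACL rule
    that hides userPassword from everyone except the entry and password_readers."""

    def __init__(self, entries, password_readers=()):
        self.entries = entries
        self.password_readers = set(password_readers)

    def bind(self, dn="", password=""):
        """Simple bind; empty DN and password is an anonymous bind."""
        if dn == "" and password == "":
            return ""
        attrs = self.entries.get(dn)
        if attrs is None or not _verify(attrs["userPassword"], password):
            raise LdapError("invalidCredentials")
        return dn

    def visible(self, bound_as, dn):
        """Attributes of dn as seen by the identity bound_as (ACL applied)."""
        attrs = self.entries[dn]
        if bound_as == dn or bound_as in self.password_readers:
            return dict(attrs)
        return {k: v for k, v in attrs.items() if k != "userPassword"}

    def search(self, bound_as, attr, value):
        """Return (dn, visible attrs) of the first entry whose attr == value."""
        for dn, attrs in self.entries.items():
            if attrs.get(attr) == value:
                return dn, self.visible(bound_as, dn)
        return None


def parse_authldaprc(text):
    """Parse 'KEY value' lines as in Courier's authldaprc ('#' starts a comment)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def authenticate(conf, directory, login, password):
    """Courier-style flow: initial bind, search for the user, then AUTHBIND
    (second bind as the user's DN) or a local compare of userPassword."""
    # Step 1: initial bind with LDAP_BINDDN/LDAP_BINDPW; anonymous if omitted.
    svc = directory.bind(conf.get("LDAP_BINDDN", ""), conf.get("LDAP_BINDPW", ""))
    found = directory.search(svc, conf.get("LDAP_MAIL", "mail"), login)
    if found is None:
        return False
    user_dn, attrs = found
    if conf.get("LDAP_AUTHBIND") == "1":
        # Step 2a: the LDAP server checks the password; no hash is ever read.
        try:
            directory.bind(user_dn, password)
            return True
        except LdapError:
            return False
    # Step 2b: Courier must read userPassword itself and compare locally.
    stored = attrs.get("userPassword")
    if stored is None:
        raise LdapError("insufficientAccessRights: userPassword not readable by %r"
                        % (svc or "anonymous"))
    return _verify(stored, password)


def exposed_passwords(conf, directory):
    """userPassword values an intruder holding Courier's bind credentials could
    harvest from the directory."""
    svc = directory.bind(conf.get("LDAP_BINDDN", ""), conf.get("LDAP_BINDPW", ""))
    return {dn: directory.visible(svc, dn)["userPassword"]
            for dn in directory.entries if "userPassword" in directory.visible(svc, dn)}


# Constructed directory: a privileged account (root may read all passwords)
# and one mail user; the values are invented for this example.
DIRECTORY = MockDirectory(
    {
        "cn=root,c=BR": {"userPassword": sha_password("123")},
        "uid=alice,ou=people,c=BR": {"mail": "alice@example.test",
                                     "userPassword": sha_password("s3cret")},
    },
    password_readers={"cn=root,c=BR"},
)

# Setting recommended in the thread: anonymous initial bind plus AUTHBIND.
CONF_AUTHBIND = parse_authldaprc("LDAP_MAIL mail\nLDAP_AUTHBIND 1\n")
# Setting the original poster used: privileged bind, local password compare.
CONF_COMPARE_ROOT = parse_authldaprc(
    "LDAP_MAIL mail\nLDAP_BINDDN cn=root,c=BR\nLDAP_BINDPW 123\n")
# Compare mode with an anonymous bind: fails, since userPassword is unreadable.
CONF_COMPARE_ANON = parse_authldaprc("LDAP_MAIL mail\n")

if __name__ == "__main__":
    print(authenticate(CONF_AUTHBIND, DIRECTORY, "alice@example.test", "s3cret"))
    print(exposed_passwords(CONF_AUTHBIND, DIRECTORY))
    print(exposed_passwords(CONF_COMPARE_ROOT, DIRECTORY))
```

Running it shows the trade-off directly: CONF_AUTHBIND authenticates alice and exposes no hashes to the bind identity, CONF_COMPARE_ROOT also authenticates her but lets the holder of cn=root's password read every userPassword, and CONF_COMPARE_ANON raises insufficientAccessRights because the compare mode cannot work without read access to the password attribute.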