Re: [Dovecot] BUG: LDAP extension failed to authenticate if 'base' DN configuration is empty ''

2012-07-31 Thread Timo Sirainen
On 29.7.2012, at 15.00, Hendy Irawan wrote:

> We have several context entries and want to authenticate a user against the
> whole LDAP server.
>
> However when setting base =  Dovecot LDAP fails with the following message:
>
> Jul 29 10:50:59 nitik1 dovecot: auth: Error:
> ldap(he...@staging.member.berbatik.com,127.0.0.1):
> ldap_search((virtualMail=he...@staging.member.berbatik.com)) failed: Other
> (e.g., implementation specific) error

Does the attached patch help? If yes, I'll add it to next version.





Re: [Dovecot] BUG: LDAP extension failed to authenticate if 'base' DN configuration is empty ''

2012-07-31 Thread Hendy Irawan

Dear Timo,

Thank you very much for your kind work.

I apologize, my previous statement was wrong. At least on ApacheDS 1.5.7,
it doesn't search entries using the '' base DN (it doesn't give error
though, just cannot return results, ApacheDS requires the search base to be
in a partition).

However, your patch would be great for servers who support the '' search
base DN.

If I may ask, would you improve it further to accept multiple bases? I'm not
sure what the proper character separator would be, but I think something
like this would work :

base = dc=prd,dc=berbatik,dc=com | dc=stg,dc=berbatik,dc=com

The proposed configuration above asks to try the two search bases in
succession, whichever first succeeds gets logged in, else fails like usual.

I hope it's okay with you. I'll definitely help with the testing.

Hendy



Timo Sirainen wrote:
>
> On 29.7.2012, at 15.00, Hendy Irawan wrote:
>
>> We have several context entries and want to authenticate a user against
>> the whole LDAP server.
>>
>> However when setting base =  Dovecot LDAP fails with the following message:
>>
>> Jul 29 10:50:59 nitik1 dovecot: auth: Error:
>> ldap(he...@staging.member.berbatik.com,127.0.0.1):
>> ldap_search((virtualMail=he...@staging.member.berbatik.com)) failed:
>> Other (e.g., implementation specific) error
>
> Does the attached patch help? If yes, I'll add it to next version.





Re: [Dovecot] BUG: LDAP extension failed to authenticate if 'base' DN configuration is empty ''

2012-07-31 Thread Timo Sirainen
On 1.8.2012, at 1.12, Hendy Irawan wrote:

> I apologize, my previous statement was wrong. At least on ApacheDS 1.5.7,
> it doesn't search entries using the '' base DN (it doesn't give error
> though, just cannot return results, ApacheDS requires the search base to be
> in a partition).
>
> However, your patch would be great for servers who support the '' search
> base DN.

But does my patch actually make it work in some such servers? I did it only as 
a guess. If it doesn't fix anything I'd rather just drop the patch.

> If I may ask, would you improve it further to accept multiple bases? I'm not
> sure what the proper character separator would be, but I think something
> like this would work :
>
> base = dc=prd,dc=berbatik,dc=com | dc=stg,dc=berbatik,dc=com
>
> The proposed configuration above asks to try the two search bases in
> succession, whichever first succeeds gets logged in, else fails like usual.

You can already do this by creating multiple passdb/userdb ldap sections with 
different config files. Searching multiple bases requires doing multiple LDAP 
lookups anyway.
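
The approach suggested in the reply above (one passdb/userdb ldap section per search base), sketched as an added example that is not part of the original thread. The file paths and the LDAP host are placeholders; the two bases come from the proposal quoted above and the filter attribute from the log line in the original report.

```conf
# --- dovecot.conf, auth section (added example, paths are placeholders) ---
# passdbs are tried in the order listed. By default a lookup that fails in
# one passdb (user not found or password mismatch) falls through to the next.
passdb {
  driver = ldap
  args = /etc/dovecot/ldap-prd.conf.ext
}
passdb {
  driver = ldap
  args = /etc/dovecot/ldap-stg.conf.ext
}

# userdbs are also tried in order; keep the same order as the passdbs.
userdb {
  driver = ldap
  args = /etc/dovecot/ldap-prd.conf.ext
}
userdb {
  driver = ldap
  args = /etc/dovecot/ldap-stg.conf.ext
}

# --- /etc/dovecot/ldap-prd.conf.ext ---
# Placeholder host; bind settings (dn/dnpass or auth_bind) omitted here.
hosts = ldap.example.invalid
base = dc=prd,dc=berbatik,dc=com
scope = subtree
pass_filter = (virtualMail=%u)
user_filter = (virtualMail=%u)

# --- /etc/dovecot/ldap-stg.conf.ext ---
hosts = ldap.example.invalid
base = dc=stg,dc=berbatik,dc=com
scope = subtree
pass_filter = (virtualMail=%u)
user_filter = (virtualMail=%u)
```

If the same address exists under both bases, either directory's password is accepted while the userdb lookup returns the first match, so keep the two trees' accounts disjoint when chaining them this way.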

Re: [Dovecot] BUG: LDAP extension failed to authenticate if 'base' DN configuration is empty ''

2012-07-31 Thread Hendy Irawan

Dear Timo,

Thank you for your information about multiple sections! I didn't realize
that was possible.

Yes, your patch will work on at least ApacheDS 2.0.0-M7 (see
https://issues.apache.org/jira/browse/DIRSERVER-1742 ) and I would
appreciate it very much !

Hendy


Timo Sirainen wrote:
>
> On 1.8.2012, at 1.12, Hendy Irawan wrote:
>
>> I apologize, my previous statement was wrong. At least on ApacheDS 1.5.7,
>> it doesn't search entries using the '' base DN (it doesn't give error
>> though, just cannot return results, ApacheDS requires the search base to
>> be in a partition).
>>
>> However, your patch would be great for servers who support the '' search
>> base DN.
>
> But does my patch actually make it work in some such servers? I did it
> only as a guess. If it doesn't fix anything I'd rather just drop the
> patch.
>
>> If I may ask, would you improve it further to accept multiple bases? I'm
>> not sure what the proper character separator would be, but I think
>> something like this would work :
>>
>> base = dc=prd,dc=berbatik,dc=com | dc=stg,dc=berbatik,dc=com
>>
>> The proposed configuration above asks to try the two search bases in
>> succession, whichever first succeeds gets logged in, else fails like
>> usual.
>
> You can already do this by creating multiple passdb/userdb ldap sections
> with different config files. Searching multiple bases requires doing
> multiple LDAP lookups anyway.





[Dovecot] BUG: LDAP extension failed to authenticate if 'base' DN configuration is empty ''

2012-07-29 Thread Hendy Irawan

Dear Dovecot developers,

We have several context entries and want to authenticate a user against the
whole LDAP server.

However when setting base =  Dovecot LDAP fails with the following message:

Jul 29 10:50:59 nitik1 dovecot: auth: Error:
ldap(he...@staging.member.berbatik.com,127.0.0.1):
ldap_search((virtualMail=he...@staging.member.berbatik.com)) failed: Other
(e.g., implementation specific) error

This limits the search to only one base DN, e.g.

base = dc=staging,dc=berbatik,dc=com

The ldap client library is able to search entries using an empty base DN, so
it should be possible for Dovecot LDAP to do the same.

An even more elegant solution will be the ability to specify multiple base
DNs, but if Dovecot can search the root DN (empty string) it would be
great.

Thank you.

Hendy
