Re: Authenticate users using their firstname

2018-10-03 Thread admin



> On 02.10.2018 at 00:59, Hendrik Boom wrote:
> 
>> On Mon, Oct 01, 2018 at 11:25:48PM +0200, Admin wrote:
>> 
>> 
>> Sent on the go
>> 
>>> On 01.10.2018 at 18:27, Aki Tuomi wrote:
>>> 
>>> 
 On 01 October 2018 at 15:19 Steffen Kaiser  wrote:
 
 
> On Sat, 29 Sep 2018, Fady AL HAYALI wrote:
> 
> I'm setting up a Postfix and Dovecot with LDAP email server. My users in 
> LDAP are like this:
> 
>  dn: uid=firstname,ou=People,dc=domain,dc=com
>  uid: firstname
>  uidNumber: 4025
>  gidNumber: 4025
>  givenName: firstname
>  objectClass: top
>  objectClass: person
>  objectClass: posixAccount
>  objectClass: shadowAccount
>  objectClass: organizationalPerson
>  objectClass: inetOrgPerson
>  loginShell: /bin/bash
>  homeDirectory: /home/firstname
>  cn: firstname lastname
>  mail: firstname.lastn...@domain.com
> 
> This is how I connect Dovecot with LDAP
> 
>  hosts = ldapserver
>  ldap_version = 3
>  base = ou=People,dc=domain,dc=com
>  deref = never
>  scope = subtree
>  user_attrs =
>  user_filter = (&(objectclass=inetOrgPerson)(uid=%n))
>  pass_attrs = uid=user,userPassword=password
>  pass_filter = (&(objectclass=inetOrgPerson)(uid=%n))
>  default_pass_scheme = SSHA
> 
> When I enter a user's email address and password as the following:
> email: firstname.lastn...@domain.com
> password: password
> 
> and according to my setting which I used "%n" as you see above, the 
> username used to authenticate is "firstname.lastname". I checked the 
> Dovecot variables but I couldn't find something useful in this case to 
> manipulate the "%n" variable.
> 
> I would like to keep using email addresses as 
> "firstname.lastn...@domain.com" but 
> authenticate users using their first name. I really hit a wall here and 
> any help will be much appreciated.
 
 Well, for me, this sounds strange, using firstname only. Why not let your 
 users enter the firstname only? Or:
 
 pass_filter = (&(objectclass=inetOrgPerson)(|(uid=%n)(mail=%n@*)))
 
 If firstname is unique, mail should be unique as well.
 
 -- 
 Steffen Kaiser
>>> 
>>> 
>>> Steffen, I understood their mail addresses are like 
>>> steffen.kai...@domain.com, but uid's are like uid=steffen
>>> 
>>> Aki
>> 
>> I guess this seems to be the desired behaviour as well. Getting interesting 
>> when handling collisions. Not possible to decide by password which account 
>> should be used as far as I can tell, as this would be some sort of brute-force 
>> authentication?!?
> 
> Not when a lot of people choose 123456 as their passwords.

I guess at this point the last name would make an excellent password :)
> 
> -- hendrik
> 
>> 
>> -M



Re: Authenticate users using their firstname

2018-10-01 Thread Hendrik Boom
On Mon, Oct 01, 2018 at 11:25:48PM +0200, Admin wrote:
> 
> 
> Sent on the go
> 
> > On 01.10.2018 at 18:27, Aki Tuomi wrote:
> > 
> > 
> >> On 01 October 2018 at 15:19 Steffen Kaiser  wrote:
> >> 
> >> 
> >>> On Sat, 29 Sep 2018, Fady AL HAYALI wrote:
> >>> 
> >>> I'm setting up a Postfix and Dovecot with LDAP email server. My users in 
> >>> LDAP are like this:
> >>> 
> >>>   dn: uid=firstname,ou=People,dc=domain,dc=com
> >>>   uid: firstname
> >>>   uidNumber: 4025
> >>>   gidNumber: 4025
> >>>   givenName: firstname
> >>>   objectClass: top
> >>>   objectClass: person
> >>>   objectClass: posixAccount
> >>>   objectClass: shadowAccount
> >>>   objectClass: organizationalPerson
> >>>   objectClass: inetOrgPerson
> >>>   loginShell: /bin/bash
> >>>   homeDirectory: /home/firstname
> >>>   cn: firstname lastname
> >>>   mail: 
> >>> firstname.lastn...@domain.com
> >>> 
> >>> This is how I connect Dovecot with LDAP
> >>> 
> >>>   hosts = ldapserver
> >>>   ldap_version = 3
> >>>   base = ou=People,dc=domain,dc=com
> >>>   deref = never
> >>>   scope = subtree
> >>>   user_attrs =
> >>>   user_filter = (&(objectclass=inetOrgPerson)(uid=%n))
> >>>   pass_attrs = uid=user,userPassword=password
> >>>   pass_filter = (&(objectclass=inetOrgPerson)(uid=%n))
> >>>   default_pass_scheme = SSHA
> >>> 
> >>> When I enter a user's email address and password as the following:
> >>> email: firstname.lastn...@domain.com
> >>> password: password
> >>> 
> >>> and according to my setting which I used "%n" as you see above, the 
> >>> username used to authenticate is "firstname.lastname". I checked the 
> >>> Dovecot variables but I couldn't find something useful in this case to 
> >>> manipulate the "%n" variable.
> >>> 
> >>> I would like to keep using email addresses as 
> >>> "firstname.lastn...@domain.com" but 
> >>> authenticate users using their first name. I really hit a wall here and 
> >>> any help will be much appreciated.
> >> 
> >> Well, for me, this sounds strange, using firstname only. Why not let your 
> >> users enter the firstname only? Or:
> >> 
> >> pass_filter = (&(objectclass=inetOrgPerson)(|(uid=%n)(mail=%n@*)))
> >> 
> >> If firstname is unique, mail should be unique as well.
> >> 
> >> -- 
> >> Steffen Kaiser
> > 
> > 
> > Steffen, I understood their mail addresses are like 
> > steffen.kai...@domain.com, but uid's are like uid=steffen
> > 
> > Aki
> 
> I guess this seems to be the desired behaviour as well. Getting interesting 
> when handling collisions. Not possible to decide by password which account 
> should be used as far as I can tell, as this would be some sort of brute-force 
> authentication?!?

Not when a lot of people choose 123456 as their passwords.

-- hendrik

> 
> -M


Re: Authenticate users using their firstname

2018-10-01 Thread Admin



Sent on the go

> On 01.10.2018 at 18:27, Aki Tuomi wrote:
> 
> 
>> On 01 October 2018 at 15:19 Steffen Kaiser  wrote:
>> 
>> 
>>> On Sat, 29 Sep 2018, Fady AL HAYALI wrote:
>>> 
>>> I'm setting up a Postfix and Dovecot with LDAP email server. My users in 
>>> LDAP are like this:
>>> 
>>>   dn: uid=firstname,ou=People,dc=domain,dc=com
>>>   uid: firstname
>>>   uidNumber: 4025
>>>   gidNumber: 4025
>>>   givenName: firstname
>>>   objectClass: top
>>>   objectClass: person
>>>   objectClass: posixAccount
>>>   objectClass: shadowAccount
>>>   objectClass: organizationalPerson
>>>   objectClass: inetOrgPerson
>>>   loginShell: /bin/bash
>>>   homeDirectory: /home/firstname
>>>   cn: firstname lastname
>>>   mail: firstname.lastn...@domain.com
>>> 
>>> This is how I connect Dovecot with LDAP
>>> 
>>>   hosts = ldapserver
>>>   ldap_version = 3
>>>   base = ou=People,dc=domain,dc=com
>>>   deref = never
>>>   scope = subtree
>>>   user_attrs =
>>>   user_filter = (&(objectclass=inetOrgPerson)(uid=%n))
>>>   pass_attrs = uid=user,userPassword=password
>>>   pass_filter = (&(objectclass=inetOrgPerson)(uid=%n))
>>>   default_pass_scheme = SSHA
>>> 
>>> When I enter a user's email address and password as the following:
>>> email: firstname.lastn...@domain.com
>>> password: password
>>> 
>>> and according to my setting which I used "%n" as you see above, the 
>>> username used to authenticate is "firstname.lastname". I checked the 
>>> Dovecot variables but I couldn't find something useful in this case to 
>>> manipulate the "%n" variable.
>>> 
>>> I would like to keep using email addresses as 
>>> "firstname.lastn...@domain.com" but 
>>> authenticate users using their first name. I really hit a wall here and any 
>>> help will be much appreciated.
>> 
>> Well, for me, this sounds strange, using firstname only. Why not let your 
>> users enter the firstname only? Or:
>> 
>> pass_filter = (&(objectclass=inetOrgPerson)(|(uid=%n)(mail=%n@*)))
>> 
>> If firstname is unique, mail should be unique as well.
>> 
>> -- 
>> Steffen Kaiser
> 
> 
> Steffen, I understood their mail addresses are like 
> steffen.kai...@domain.com, but uid's are like uid=steffen
> 
> Aki

I guess this seems to be the desired behaviour as well. Getting interesting 
when handling collisions. Not possible to decide by password which account 
should be used as far as I can tell, as this would be some sort of brute-force 
authentication?!?

-M


Re: Authenticate users using their firstname

2018-10-01 Thread Aki Tuomi


> On 01 October 2018 at 15:19 Steffen Kaiser  wrote:
> 
> 
> On Sat, 29 Sep 2018, Fady AL HAYALI wrote:
> 
> > I'm setting up a Postfix and Dovecot with LDAP email server. My users in 
> > LDAP are like this:
> >
> >dn: uid=firstname,ou=People,dc=domain,dc=com
> >uid: firstname
> >uidNumber: 4025
> >gidNumber: 4025
> >givenName: firstname
> >objectClass: top
> >objectClass: person
> >objectClass: posixAccount
> >objectClass: shadowAccount
> >objectClass: organizationalPerson
> >objectClass: inetOrgPerson
> >loginShell: /bin/bash
> >homeDirectory: /home/firstname
> >cn: firstname lastname
> >mail: firstname.lastn...@domain.com
> >
> > This is how I connect Dovecot with LDAP
> >
> >hosts = ldapserver
> >ldap_version = 3
> >base = ou=People,dc=domain,dc=com
> >deref = never
> >scope = subtree
> >user_attrs =
> >user_filter = (&(objectclass=inetOrgPerson)(uid=%n))
> >pass_attrs = uid=user,userPassword=password
> >pass_filter = (&(objectclass=inetOrgPerson)(uid=%n))
> >default_pass_scheme = SSHA
> >
> > When I enter a user's email address and password as the following:
> > email: firstname.lastn...@domain.com
> > password: password
> >
> > and according to my setting which I used "%n" as you see above, the 
> > username used to authenticate is "firstname.lastname". I checked the 
> > Dovecot variables but I couldn't find something useful in this case to 
> > manipulate the "%n" variable.
> >
> > I would like to keep using email addresses as 
> > "firstname.lastn...@domain.com" but 
> > authenticate users using their first name. I really hit a wall here and any 
> > help will be much appreciated.
> 
> Well, for me, this sounds strange, using firstname only. Why not let your 
> users enter the firstname only? Or:
> 
> pass_filter = (&(objectclass=inetOrgPerson)(|(uid=%n)(mail=%n@*)))
> 
> If firstname is unique, mail should be unique as well.
> 
> -- 
> Steffen Kaiser


Steffen, I understood their mail addresses are like steffen.kai...@domain.com, 
but uid's are like uid=steffen

Aki


Re: Authenticate users using their firstname

2018-10-01 Thread Steffen Kaiser

On Sat, 29 Sep 2018, Fady AL HAYALI wrote:


I'm setting up a Postfix and Dovecot with LDAP email server. My users in LDAP 
are like this:

   dn: uid=firstname,ou=People,dc=domain,dc=com
   uid: firstname
   uidNumber: 4025
   gidNumber: 4025
   givenName: firstname
   objectClass: top
   objectClass: person
   objectClass: posixAccount
   objectClass: shadowAccount
   objectClass: organizationalPerson
   objectClass: inetOrgPerson
   loginShell: /bin/bash
   homeDirectory: /home/firstname
   cn: firstname lastname
   mail: firstname.lastn...@domain.com

This is how I connect Dovecot with LDAP

   hosts = ldapserver
   ldap_version = 3
   base = ou=People,dc=domain,dc=com
   deref = never
   scope = subtree
   user_attrs =
   user_filter = (&(objectclass=inetOrgPerson)(uid=%n))
   pass_attrs = uid=user,userPassword=password
   pass_filter = (&(objectclass=inetOrgPerson)(uid=%n))
   default_pass_scheme = SSHA

When I enter a user's email address and password as the following:
email: firstname.lastn...@domain.com
password: password

and according to my setting which I used "%n" as you see above, the username used to authenticate 
is "firstname.lastname". I checked the Dovecot variables but I couldn't find something useful in 
this case to manipulate the "%n" variable.

I would like to keep using email addresses as 
"firstname.lastn...@domain.com" but 
authenticate users using their first name. I really hit a wall here and any help will be much 
appreciated.


Well, for me, this sounds strange, using firstname only. Why not let your 
users enter the firstname only? Or:


pass_filter = (&(objectclass=inetOrgPerson)(|(uid=%n)(mail=%n@*)))

If firstname is unique, mail should be unique as well.

-- 
Steffen Kaiser



Re: Authenticate users using their firstname

2018-09-29 Thread Aki Tuomi
Why not authenticate users by email address? Using firstname as the user identifier 
does not sound like a very long-term solution...

Anyways...

if you insist on using firstname only, you'll need to use a Lua auth database to 
split the username (or perform the whole deal)

passdb {
   driver = lua
   args = file="/etc/dovecot/username.lua" blocking=no
}

passdb {
   driver = ldap
   args = /ldap.config
}

and put into username.lua

function auth_passdb_lookup(req)
  -- keep only the part of the login before the first dot; gsub also
  -- returns a match count, which assigning to a single local discards
  local firstname = req.username:gsub("^([^.]+)[.].*", "%1")
  -- noauthenticate: this passdb checks no password itself, it only hands
  -- extra fields to the passdb that follows (reachable there as
  -- %{passdb:firstname})
  return dovecot.auth.PASSDB_RESULT_OK, {firstname=firstname, noauthenticate="y"}
end

Aki

> On 29 September 2018 at 11:42 Fady AL HAYALI  wrote:
> 
> 
> Hi,
> 
> I'm setting up a Postfix and Dovecot with LDAP email server. My users in LDAP 
> are like this:
> 
> dn: uid=firstname,ou=People,dc=domain,dc=com
> uid: firstname
> uidNumber: 4025
> gidNumber: 4025
> givenName: firstname
> objectClass: top
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> loginShell: /bin/bash
> homeDirectory: /home/firstname
> cn: firstname lastname
> mail: firstname.lastn...@domain.com
> 
> This is how I connect Dovecot with LDAP
> 
> hosts = ldapserver
> ldap_version = 3
> base = ou=People,dc=domain,dc=com
> deref = never
> scope = subtree
> user_attrs =
> user_filter = (&(objectclass=inetOrgPerson)(uid=%n))
> pass_attrs = uid=user,userPassword=password
> pass_filter = (&(objectclass=inetOrgPerson)(uid=%n))
> default_pass_scheme = SSHA
> 
> When I enter a user's email address and password as the following:
> email: firstname.lastn...@domain.com
> password: password
> 
> and according to my setting which I used "%n" as you see above, the username 
> used to authenticate is "firstname.lastname". I checked the Dovecot variables 
> but I couldn't find something useful in this case to manipulate the "%n" 
> variable.
> 
> I would like to keep using email addresses as 
> "firstname.lastn...@domain.com" but 
> authenticate users using their first name. I really hit a wall here and any 
> help will be much appreciated.


Authenticate users using their firstname

2018-09-29 Thread Fady AL HAYALI
Hi,

I'm setting up a Postfix and Dovecot with LDAP email server. My users in LDAP 
are like this:

dn: uid=firstname,ou=People,dc=domain,dc=com
uid: firstname
uidNumber: 4025
gidNumber: 4025
givenName: firstname
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/firstname
cn: firstname lastname
mail: firstname.lastn...@domain.com

This is how I connect Dovecot with LDAP

hosts = ldapserver
ldap_version = 3
base = ou=People,dc=domain,dc=com
deref = never
scope = subtree
user_attrs =
user_filter = (&(objectclass=inetOrgPerson)(uid=%n))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectclass=inetOrgPerson)(uid=%n))
default_pass_scheme = SSHA

When I enter a user's email address and password as the following:
email: firstname.lastn...@domain.com
password: password

and according to my setting which I used "%n" as you see above, the username 
used to authenticate is "firstname.lastname". I checked the Dovecot variables 
but I couldn't find something useful in this case to manipulate the "%n" 
variable.

I would like to keep using email addresses as 
"firstname.lastn...@domain.com" but 
authenticate users using their first name. I really hit a wall here and any 
help will be much appreciated.