
[sympa-users] RE: Re: LDAP authentication issue

Subject: The mailing list for listmasters using Sympa

  • From: "Chris Andrews" <address@concealed>
  • To: "Olivier Salaün - CRU" <address@concealed>
  • Cc: "address@concealed" <address@concealed>
  • Subject: [sympa-users] RE: Re: LDAP authentication issue
  • Date: Tue, 24 Apr 2007 14:23:07 -0400

How about removing the Auth.pm "sub ldap_authentication" section where Sympa
does the LDAP search as the user who is attempting to authenticate? I did
this in my install (sympa-5.3a.10) and it works. I commented out the lines
with the "##":

    $cnx = $ldap_passwd->bind($DN[0], password => $pwd);
    unless (defined($cnx) && ($cnx->code() == 0)) {
        do_log('notice', 'Incorrect password for user %s ; host: %s', $auth, $host);
        #do_log('err', 'Ldap Error : %s, Ldap server error : %s', $cnx->error, $cnx->server_error);
        $ldap_passwd->unbind;
        last;
    }
    # this bind is anonymous and may return
    # $ldap_passwd->bind($DN[0]);
    ## $mesg = $ldap_passwd->search(base    => $ldap->{'suffix'},
    ##                              filter  => "$filter",
    ##                              scope   => $ldap->{'scope'},
    ##                              timeout => $ldap->{'timeout'}
    ##                             );
    ## if ($mesg->count() == 0) {
    ##     do_log('notice', "No entry in the Ldap Directory Tree of %s", $host);
    ##     $ldap_passwd->unbind;
    ##     last;
    ## }

The $cnx line does the bind as the user, validating the userid/password
combination that was supplied. With the LDAP search and error checking
removed, when the $mesg variable is accessed later in the subroutine it is
using the values that were obtained when the exact same query was performed
by the Sympa admin LDAP user. Is there a reason for doing the LDAP search
as the user? All it seems to do is check if the user has access to the
attributes in question.

Also, while it seems that there is a check for an LDAP search that returns no
matches, there is not a check for returning multiple values. The attribute
in LDAP should be unique, but I am sure there could be situations where a
mistake is made.

---
Chris Andrews
Boston College
Collaboration Team


-----Original Message-----
From: Olivier Salaün - CRU [mailto:address@concealed]
Sent: Friday, April 20, 2007 4:02 AM
To: Chris Andrews
Cc: address@concealed
Subject: [sympa-users] Re: LDAP authentication issue

Hi Chris,

You're right, when using Sympa's LDAP authentication backend, Sympa will
fetch the email address and alternate email addresses after the bind was
performed using the user's DN and password. Note that a previous Bind is
used to retrieve the user's DN given his uid or email.

I can't think of a way to fulfill your request in future Sympa releases
without making auth.conf too complex.

Chris Andrews wrote:
> So it looks like when you do LDAP authentication, Sympa uses the users
> credentials to query the email_attribute (and I assume the
> alternative_email_attribute) you have set in the auth.conf file. Is there
> any way to configure Sympa to use its own user and password to look this
> value up? Currently I am having our LDAP team add the self ACL to the
> attributes we query for those attributes, but I might get push back from
> management on having users be able to see this information, even if they
> can only see it on themselves.
>
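The flow Olivier describes (service-account bind to find the DN, user bind to verify the password), with the two changes Chris asks for (no second search as the user, and refusing lookups that match more than one entry), as an added Net::LDAP example that is not Sympa's own code. The host, DNs, attribute names and the $cfg hash are assumed placeholders standing in for auth.conf settings.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Hypothetical settings standing in for auth.conf values (placeholders).
my $cfg = {
    host       => 'ldap.example.edu',
    bind_dn    => 'cn=sympa,ou=services,dc=example,dc=edu',
    bind_pw    => 'SERVICE-ACCOUNT-PASSWORD-PLACEHOLDER',
    suffix     => 'ou=people,dc=example,dc=edu',
    scope      => 'sub',
    uid_attr   => 'uid',
    email_attr => 'mail',
    alt_attr   => 'mailAlternateAddress',
};

# Returns {dn, email, alt} on success, undef on any failure.
sub ldap_authenticate {
    my ($cfg, $login, $pwd) = @_;
    # An empty password would make the user bind anonymous, so refuse it up front.
    return undef unless defined $pwd && length $pwd;
    my $ldap = Net::LDAP->new($cfg->{host}) or return undef;

    # 1. Bind as Sympa's service account and look the login up.
    my $mesg = $ldap->bind($cfg->{bind_dn}, password => $cfg->{bind_pw});
    return undef if $mesg->code;
    $mesg = $ldap->search(
        base   => $cfg->{suffix},
        scope  => $cfg->{scope},
        filter => sprintf('(%s=%s)', $cfg->{uid_attr}, escape_filter_value($login)),
        attrs  => [ $cfg->{email_attr}, $cfg->{alt_attr} ],
    );
    # Exactly one entry must match: zero is an unknown user, more than one is ambiguous.
    if ($mesg->code || $mesg->count != 1) { $ldap->unbind; return undef; }
    my $entry = $mesg->entry(0);

    # 2. Bind as the user: this is what actually verifies the password.
    my $cnx = $ldap->bind($entry->dn, password => $pwd);
    $ldap->unbind;
    return undef if $cnx->code;

    # 3. Reuse the attributes from the service-account search: no "self" ACL needed.
    return {
        dn    => $entry->dn,
        email => scalar $entry->get_value($cfg->{email_attr}),
        alt   => [ $entry->get_value($cfg->{alt_attr}) ],
    };
}
```

The login is escaped before it is interpolated into the filter, which the original Auth.pm fragment above does not show doing.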


Attachment: smime.p7s
Description: S/MIME cryptographic signature



