
en - Re: [sympa-users] Sympa 5.4.6 ldap authentication issue

Subject: The mailing list for listmasters using Sympa

  • From: David Verdin <address@concealed>
  • To: Simon Gao <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] Sympa 5.4.6 ldap authentication issue
  • Date: Mon, 23 Feb 2009 11:25:42 +0100

Hi Simon,

If this query worked with your previous Sympa version, it should work now. We didn't change much in this part of Sympa.

Actually, you don't need to crop the "corp.com" part of the mail address. As you use the "get_dn_by_email_filter" argument, if users provide an email address, Sympa will look for it in the "mail" LDAP attribute of your directory.
As I understand it, the "address@concealed" email doesn't correspond to the "mail" LDAP attribute. Otherwise, the login would be successful. This email must be stored in another attribute.
The query can work if the email address is stored somewhere in the LDAP directory. If it is the case, you should extend the filter associated with this alternate email address. Something like: (| (mail = [sender])(alternate_email = [sender]) ) should do it (use the relevant name for the alternate email attribute).

Actually, the doc about LDAP authentication doesn't seem to be very easy to understand. I'll fix it ASAP.

Cheers,

Simon Gao wrote:
I've configured Sympa 5.4.6 and it works fine so far. However, I have one question.
In the login section, the only user ID asked for is his email address. This is fine. However, Sympa 5.4.6 seems not able to strip the domain part of the email address and get the correct uid for LDAP authentication.
For example, if user Bob has address@concealed and types in his email address and password, Sympa should figure out Bob's uid is "bob" from the email address and use "bob" as uid. But instead Sympa sends "address@concealed" as uid which leads to authentication failure. If Bob just types in "bob" for the email address field, then ldap auth works fine.
Maybe this problem is caused by incorrect setup in auth.conf. Can anyone see any issue with the following auth.conf?

ldap
regexp corp\.com
host ldap1.corp.com:636
timeout 20
suffix dc=corp,dc=com
get_dn_by_uid_filter (uid=[sender])
get_dn_by_email_filter (mail=[sender])
email_attribute mail
scope sub
use_ssl 1
ssl_version sslv3
ssl_ciphers MEDIUM:HIGH

Simon

--
David Verdin
Comité réseau des universités
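The exchange above turns on how the [sender] placeholder in get_dn_by_uid_filter and get_dn_by_email_filter is filled in, and on David's suggestion of an OR filter that also matches an alternate email attribute. The following is an added illustration written for this archive page, not Sympa's own code: it parses an auth.conf-style ldap paragraph modelled on Simon's (the attribute name alternate_email and the rule "a login containing '@' uses the email filter, otherwise the uid filter" are assumptions, not taken from Sympa), substitutes the login into the chosen filter, and escapes the login per RFC 4515 so that characters such as '*' or ')' typed into the login form cannot alter the filter's structure.

```python
import re

# Constructed auth.conf fragment modelled on the one in the thread (not a real config).
# The filter keeps no spaces around '=' because LDAP filters do not allow them.
AUTH_CONF = """\
ldap
regexp corp\\.com
host ldap1.corp.com:636
timeout 20
suffix dc=corp,dc=com
get_dn_by_uid_filter (uid=[sender])
get_dn_by_email_filter (| (mail=[sender])(alternate_email=[sender]) )
email_attribute mail
scope sub
use_ssl 1
"""


def parse_auth_conf(text):
    """Parse one backend paragraph into (backend_name, {key: value}).

    The first non-empty line names the backend ("ldap"); every following
    line is a 'key value' pair, where the value may itself contain spaces.
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    backend = lines[0]
    params = {}
    for line in lines[1:]:
        key, _, value = line.partition(" ")
        params[key] = value.strip()
    return backend, params


def escape_filter_value(value):
    """Escape a value for safe inclusion in an LDAP search filter (RFC 4515, section 3).

    The characters '*', '(', ')', '\\' and NUL are replaced by a backslash
    followed by their two-digit hex code, so user input is always treated
    as a literal assertion value rather than as filter syntax.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(params, login):
    """Choose the uid or email filter for a login and fill in [sender].

    Assumption for this example: a login containing '@' is treated as an
    email address and uses get_dn_by_email_filter; anything else uses
    get_dn_by_uid_filter. The login is escaped before substitution.
    """
    if "@" in login:
        template = params["get_dn_by_email_filter"]
    else:
        template = params["get_dn_by_uid_filter"]
    return template.replace("[sender]", escape_filter_value(login))


if __name__ == "__main__":
    backend, params = parse_auth_conf(AUTH_CONF)
    print(backend, params["host"])
    print(build_filter(params, "bob@corp.com"))
    print(build_filter(params, "bob"))
    print(build_filter(params, "bob*"))
```

With the OR filter in place, a login of bob@corp.com is searched against both mail and alternate_email, which is the behaviour David describes; a bare login of bob goes through the uid filter, matching what Simon observed working. The escaping step is the check a practitioner would want whenever a form field is substituted into a filter template.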
