[sympa-users] Question on LDAP filter in auth.conf
- From: "Rolf E. Sonneveld" <address@concealed>
- To: address@concealed
- Subject: [sympa-users] Question on LDAP filter in auth.conf
- Date: Tue, 11 May 2010 15:15:50 +0200
Hi,
In auth.conf I have an LDAP source:
ldap
host localhost:389
bind_dn uid=sympa,ou=Applications,dc=domain,dc=nl
bind_password <some secret password>
suffix dc=domain,dc=nl
get_dn_by_email_filter (&(userRole=listmanager)(|(mail=[sender])(mailAlternateAddress=[sender])(mailEquivalentAddress=[sender])))
email_attribute mail
alternative_email_attribute mailEquivalentAddress,mailAlternateAddress
scope sub
timeout 20
For your information: userRole is defined in the schema as part of a company-specific user objectclass. An entry has a primary mail address (mail attribute), and two types of secondary mail addresses (mailEquivalentAddress and mailAlternateAddress). Now this works, when authenticating with the primary address. However, if using one of the values of the other two attributes (mailEquivalentAddress or mailAlternateAddress) then the authentication fails.
Corresponding log entry when the authentication fails:
May 11 14:59:45 dev slapd[2340]: conn=35 fd=17 ACCEPT from IP=127.0.0.1:50957 (IP=0.0.0.0:389)
May 11 14:59:45 dev slapd[2340]: conn=35 op=0 BIND dn="uid=sympa,ou=Applications,dc=domain,dc=nl" method=128
May 11 14:59:45 dev slapd[2340]: conn=35 op=0 BIND dn="uid=sympa,ou=Applications,dc=domain,dc=nl" mech=SIMPLE ssf=0
May 11 14:59:45 dev slapd[2340]: conn=35 op=0 RESULT tag=97 err=0 text=
May 11 14:59:45 dev slapd[2340]: conn=35 op=1 SRCH base="dc=domain,dc=nl" scope=2 deref=2 filter="(&(userRole=listmanager)(|(address@concealed)(?address@concealed)(?address@concealed)))"
May 11 14:59:45 dev slapd[2340]: <= bdb_equality_candidates: (userRole) not indexed
May 11 14:59:45 dev slapd[2340]: <= bdb_equality_candidates: (mail) not indexed
May 11 14:59:45 dev slapd[2340]: conn=35 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 11 14:59:45 dev wwsympa[6494]: Auth::ldap_authentication() No entry in the Ldap Directory Tree of localhost:389 for address@concealed
May 11 14:59:45 dev slapd[2340]: conn=35 op=2 UNBIND
May 11 14:59:45 dev slapd[2340]: conn=35 fd=17 closed
May 11 14:59:45 dev wwsympa[6494]: Auth::authentication() authentication: incorrect password for user address@concealed
May 11 14:59:45 dev wwsympa[6494]: main::do_login() Authentication failed
May 11 14:59:45 dev wwsympa[6494]: [robot domain.nl] [session 36661425966163] [client IP.ad.dr.ess] main::do_renewpasswd() do_renewpasswd(address@concealed)
May 11 14:59:45 dev slapd[2340]: conn=36 fd=17 ACCEPT from IP=127.0.0.1:50958 (IP=0.0.0.0:389)
May 11 14:59:45 dev slapd[2340]: conn=36 op=0 BIND dn="uid=sympa,ou=Applications,dc=domain,dc=nl" method=128
May 11 14:59:45 dev slapd[2340]: conn=36 op=0 BIND dn="uid=sympa,ou=Applications,dc=domain,dc=nl" mech=SIMPLE ssf=0
May 11 14:59:45 dev slapd[2340]: conn=36 op=0 RESULT tag=97 err=0 text=
May 11 14:59:45 dev slapd[2340]: conn=36 op=1 SRCH base="dc=domain,dc=nl" scope=2 deref=2 filter="(&(userRole=listmanager)(|(address@concealed)(?address@concealed)(?address@concealed)))"
May 11 14:59:45 dev slapd[2340]: <= bdb_equality_candidates: (userRole) not indexed
May 11 14:59:45 dev slapd[2340]: <= bdb_equality_candidates: (mail) not indexed
May 11 14:59:45 dev slapd[2340]: conn=36 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 11 14:59:45 dev wwsympa[6494]: [robot domain.nl] [session 36661425966163] [client IP.ad.dr.ess] main::is_ldap_user() No entry in the Ldap Directory Tree of localhost:389 for address@concealed
May 11 14:59:45 dev slapd[2340]: conn=36 op=2 UNBIND
May 11 14:59:45 dev slapd[2340]: conn=36 fd=17 closed
(and yes, I know I still need to enable indexing for some attributes, but this is a simple small test environment).
As far as I can tell the LDAP filter in auth.conf is compliant with RFC2254. When I simplify the LDAP filter in auth.conf to:
get_dn_by_email_filter (&(userRole=listmanager)(mail=[sender]))
and I use the primary mail address of the user, it works without any problem. What's wrong here?
/rolf
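Added example (not Sympa or OpenLDAP code, and not part of the original post): a small evaluator for the subset of RFC 4515 filter syntax the auth.conf line above uses (AND, OR, NOT and equality), applying the three-valued logic of RFC 4511 section 4.5.1.7, in which a component whose attribute type the server's schema does not define evaluates as Undefined, and an OR of False and Undefined components is Undefined rather than True. In OpenLDAP's logged filter a `?` prefix before an attribute name marks exactly such an undefined attribute type, which is what appears twice in the SRCH lines above; the example reproduces that situation next to the case where all three attributes are defined. The directory entries, the two schema sets and the `example.test` addresses are constructed for the example. Because `[sender]` is taken from the login form, the value is escaped per RFC 4515 section 3 before substitution; whether Sympa itself does that is not something the post states.

```python
"""Mini RFC 4515 filter evaluator with RFC 4511 three-valued logic.

Added example; it models directory behaviour and is not Sympa or slapd code.
"""

TRUE, FALSE, UNDEFINED = True, False, None  # RFC 4511 section 4.5.1.7 results

# The filter template from auth.conf (get_dn_by_email_filter).
FILTER = ('(&(userRole=listmanager)(|(mail=[sender])'
          '(mailAlternateAddress=[sender])(mailEquivalentAddress=[sender])))')

# Constructed sample entries; attribute names are stored lower-cased.
ENTRIES = [
    {'dn': 'uid=rolf,ou=People,dc=example,dc=test',
     'userrole': ['listmanager'],
     'mail': ['rolf@example.test'],
     'mailalternateaddress': ['r.sonneveld@example.test'],
     'mailequivalentaddress': ['rolf@alias.example.test']},
    {'dn': 'uid=other,ou=People,dc=example,dc=test',
     'userrole': ['member'],
     'mail': ['other@example.test']},
]

# Constructed schema sets: attribute types the server knows about.
FULL_SCHEMA = {'userrole', 'mail', 'mailalternateaddress', 'mailequivalentaddress'}
CORE_SCHEMA = {'userrole', 'mail'}   # company-specific attributes not loaded


def escape_filter_value(value):
    """Escape a value for use inside a filter (RFC 4515 section 3)."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


def unescape_filter_value(value):
    """Reverse escape_filter_value; assumes well-formed single-byte escapes."""
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\':
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def parse_filter(text):
    """Parse a filter string into nested tuples: ('and'|'or', [children]),
    ('not', child) or ('eq', attr, value)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError('trailing data at offset %d' % pos)
    return node


def _parse(s, i):
    if s[i] != '(':
        raise ValueError('expected "(" at offset %d' % i)
    i += 1
    op = s[i]
    if op in '&|':
        i += 1
        children = []
        while s[i] == '(':
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ')':
            raise ValueError('expected ")" at offset %d' % i)
        return ('and' if op == '&' else 'or', children), i + 1
    if op == '!':
        child, i = _parse(s, i + 1)
        if s[i] != ')':
            raise ValueError('expected ")" at offset %d' % i)
        return ('not', child), i + 1
    # Equality item; escaped parentheses never appear literally in the value.
    end = s.index(')', i)
    attr, _, value = s[i:end].partition('=')
    return ('eq', attr.strip().lower(), unescape_filter_value(value)), end + 1


def evaluate(node, entry, schema):
    """Evaluate a parsed filter against one entry under a given schema."""
    kind = node[0]
    if kind == 'eq':
        _, attr, value = node
        if attr not in schema:
            return UNDEFINED          # unknown attribute type -> Undefined
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    if kind == 'not':
        r = evaluate(node[1], entry, schema)
        return UNDEFINED if r is UNDEFINED else (not r)
    results = [evaluate(c, entry, schema) for c in node[1]]
    if kind == 'and':
        if any(r is FALSE for r in results):
            return FALSE
        return UNDEFINED if any(r is UNDEFINED for r in results) else TRUE
    if any(r is TRUE for r in results):       # 'or'
        return TRUE
    return UNDEFINED if any(r is UNDEFINED for r in results) else FALSE


def search(template, sender, entries, schema):
    """Substitute [sender] (escaped) and return DNs whose evaluation is True."""
    node = parse_filter(template.replace('[sender]', escape_filter_value(sender)))
    return [e['dn'] for e in entries if evaluate(node, e, schema) is TRUE]


if __name__ == '__main__':
    for label, sender, schema in [('alternate / all attrs defined', 'r.sonneveld@example.test', FULL_SCHEMA),
                                  ('alternate / secondary undefined', 'r.sonneveld@example.test', CORE_SCHEMA),
                                  ('primary   / secondary undefined', 'rolf@example.test', CORE_SCHEMA)]:
        print(label, '->', search(FILTER, sender, ENTRIES, schema))
```

With all three attribute types defined the alternate address returns the entry; with only `mail` defined the same filter returns nothing for the alternate address yet still matches the primary, which is the pattern in the log above. The value escaping is what keeps a login-form value from altering the filter structure.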