ldap works, login works, possible bug, no permission for msg 63016510

Issue #1189 resolved
FZ created an issue

Hello, we migrated from 1.2.0-master build 935 to latest stable version 1.3.11-master build 1001.
Everything works fine. LDAP is configured like before (AD).

In Version 1.2.0-master build 935 it was not possible to login with user.name only with user.name@domain.com
In Version 1.3.11-master build 1001 it is possible to login with user.name, after login I'm able to see some mails, but not all. I'm not able to access these mails. Error: no permission for msg 63016510

When I login with user.name@domain.com everything works as it should.
I already searched documentation and Issues. Checked config.php 100 times, I can't find any settings to disable login with user.name and only allow E-Mail based login user.name@domain.com

Did I miss something or is this a bug?

Comments (10)

  1. Janos SUTO repo owner

    When a user logs in to the gui, it queries the ldap database what email addresses this user has? And the gui builds a list of email addresses that applies as a filter to the sphinx query. So your job is to provide such an ldap query that makes this possible.

  2. FZ reporter

    Hello, thanks for reply. LDAP is working on old and new version. Maybe I explained it wrong.
    On my old mailpiler installation this works as it should, when I try to login with max.mustermann it is not possible to login. Cause mail max.mustermann doesn't exist on ldap. On ldap he retrieves max.mustermann@domain.com under $config['LDAP_MAIL_ATTR'] = 'mail'; so you can login only with max.mustermann@domain.com

    On my new installation it works both, I can login with max.mustermann and with max.mustermann@domain.com but this should not work, cause login max.mustermann is no mail address, it is just a username, $config['LDAP_MAIL_ATTR'] = 'mail'; defines a mail address, not sAMAccountName or something!? It should only retrieve mail addresses over ldap and login should only be possible with mail address …

    // LDAP Config
    
    $config['ENABLE_LDAP_AUTH'] = 1;
    $config['LDAP_HOST'] = 'myPdc.domain.local';
    $config['LDAP_HELPER_DN'] = 'CN=myLdapUser,DC=domain,DC=local';
    $config['LDAP_HELPER_PASSWORD'] = 'myPassword';
    $config['LDAP_MAIL_ATTR'] = 'mail';
    $config['LDAP_AUDITOR_MEMBER_DN'] = '';
    $config['LDAP_ADMIN_MEMBER_DN'] = '';
    $config['LDAP_BASE_DN'] = 'OU=Users,DC=domain,DC=local';
    
    // AD specific settings
    //
    $config['LDAP_ACCOUNT_OBJECTCLASS'] = 'user';
    $config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'group';
    $config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'member';
    

  3. Janos SUTO repo owner

    If the ldap query returns the email addresses of the user properly, then I see no reason why the username login should not work. If the ldap query doesn’t return the email addresses, then check the ldap queries for using both username and email address, and figure out what the difference is.

    Also it may be much simpler to tell users to use their email addresses to login.

  4. FZ reporter

    I did a tail -f /var/log/syslog

    Jun 25 16:04:41 mailarchiv piler-webui[474792]: ldap query: base dn='OU=Users,DC=domain,DC=local', filter='(&(objectClass=user)(mail=max.mustermann))', attr='', 0 hits
    Jun 25 16:05:26 mailarchiv piler-webui[501055]: ldap query: base dn='OU=Users,DC=domain,DC=local', filter='(&(objectClass=user)(mail=max.mustermann@domain.local))', attr='', 1 hits
    

    ldap query says 0 hits, but gui let me login… this should not be possible

  5. FZ reporter

    Also it may be much simpler to tell users to use their email addresses to login.

    I did this already but they ignore what I say and login without @domain.local and are logged in and can't access their mails, so I need a way to block this.

  6. Janos SUTO repo owner

    The first ldap query is the problem that allows ldap bind using only the username. You need to fix it to only accept it using email address.

  7. FZ reporter

    Okay, I don't get it, I am too stupid. I think I'm going to find the correct .php part in the gui and change it.
    From my point of view LDAP bind is okay, cause he says 0 hits.
    0 hits means that the ldap query doesn't deliver a correct mail address, cause it doesn't match a mail address.
    As result of this, the login should not be possible.
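An added example, not part of this thread and not piler's own code: it parses syslog lines of the form quoted in comment 4 to flag logins whose mail lookup returned 0 hits (the sessions that end up with no mail filter and then hit "no permission for msg"), and shows the fail-closed decision comment 7 argues for, where a successful bind without any mail address is denied. The log lines are constructed to match the quoted format, and the function names and the require_email_form option are assumptions of this example.

```python
import re

# Constructed sample syslog lines, modelled on the two quoted in comment 4
# (same format, not real log data).
SAMPLE_SYSLOG = """\
Jun 25 16:04:41 mailarchiv piler-webui[474792]: ldap query: base dn='OU=Users,DC=domain,DC=local', filter='(&(objectClass=user)(mail=max.mustermann))', attr='', 0 hits
Jun 25 16:05:26 mailarchiv piler-webui[501055]: ldap query: base dn='OU=Users,DC=domain,DC=local', filter='(&(objectClass=user)(mail=max.mustermann@domain.local))', attr='', 1 hits
"""

# Matches the "ldap query" line piler-webui writes to syslog, as shown in the thread.
LDAP_QUERY_RE = re.compile(
    r"piler-webui\[\d+\]: ldap query: base dn='[^']*', "
    r"filter='\(&\(objectClass=\w+\)\(mail=(?P<login>[^)]*)\)\)', "
    r"attr='[^']*', (?P<hits>\d+) hits"
)

def parse_ldap_queries(log_text):
    """Return [(login, hits)] for every piler-webui mail lookup found in the log."""
    found = []
    for line in log_text.splitlines():
        m = LDAP_QUERY_RE.search(line)
        if m:
            found.append((m.group("login"), int(m.group("hits"))))
    return found

def zero_hit_logins(log_text):
    """Logins whose mail lookup returned 0 hits: these sessions were created
    without a mail-address filter, which is what the issue describes."""
    return [login for login, hits in parse_ldap_queries(log_text) if hits == 0]

def login_decision(bind_ok, mail_addresses, require_email_form=False, login=""):
    """Fail-closed policy (this example's assumption, not piler's code): a bind
    alone is not enough, the GUI needs at least one mail address from LDAP to
    build its sphinx filter, so an empty result denies the login.
    require_email_form also rejects logins that are not written as an address."""
    if not bind_ok:
        return ("deny", "ldap bind failed")
    if require_email_form and "@" not in login:
        return ("deny", "login must be an email address")
    if not mail_addresses:
        return ("deny", "ldap returned no mail address for this login")
    return ("allow", "mail filter: " + ",".join(mail_addresses))

if __name__ == "__main__":
    print("0-hit logins:", zero_hit_logins(SAMPLE_SYSLOG))
    print(login_decision(True, [], login="max.mustermann"))
    print(login_decision(True, ["max.mustermann@domain.local"], login="max.mustermann@domain.local"))
```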
