- edited description
ldap works, login works, possible bug, no permission for msg 63016510
Hello, we migrated from 1.2.0-master build 935 to the latest stable version 1.3.11-master build 1001.
Everything works fine. LDAP is configured like before (AD).
In version 1.2.0-master build 935 it was not possible to log in with user.name, only with user.name@domain.com.
In version 1.3.11-master build 1001 it is possible to log in with user.name; after login I am able to see some mails, but not all. I am not able to access these mails. Error: no permission for msg 63016510
When I log in with user.name@domain.com everything works as it should.
I already searched the documentation and the issues and checked config.php 100 times; I can't find any setting to disable login with user.name and only allow e-mail based login with user.name@domain.com.
Did I miss something or is this a bug?
Comments (10)
-
reporter -
reporter - edited description
-
repo owner When a user logs in to the GUI, it queries the LDAP database for the email addresses this user has, and the GUI builds a list of email addresses that is applied as a filter to the Sphinx query. So your job is to provide an LDAP query that makes this possible.
-
reporter Hello, thanks for the reply. LDAP is working on the old and the new version. Maybe I explained it wrong.
On my old mailpiler installation this works as it should: when I try to log in with max.mustermann it is not possible to log in, because the mail max.mustermann does not exist in LDAP. From LDAP it retrieves max.mustermann@domain.com under $config['LDAP_MAIL_ATTR'] = 'mail'; so you can log in only with max.mustermann@domain.com.
On my new installation both work: I can log in with max.mustermann and with max.mustermann@domain.com, but this should not work, because the login max.mustermann is no mail address, it is just a username. $config['LDAP_MAIL_ATTR'] = 'mail'; defines a mail address, not sAMAccountName or something!? It should only retrieve mail addresses over LDAP and login should only be possible with a mail address.

// LDAP Config
$config['ENABLE_LDAP_AUTH'] = 1;
$config['LDAP_HOST'] = 'myPdc.domain.local';
$config['LDAP_HELPER_DN'] = 'CN=myLdapUser,DC=domain,DC=local';
$config['LDAP_HELPER_PASSWORD'] = 'myPassword';
$config['LDAP_MAIL_ATTR'] = 'mail';
$config['LDAP_AUDITOR_MEMBER_DN'] = '';
$config['LDAP_ADMIN_MEMBER_DN'] = '';
$config['LDAP_BASE_DN'] = 'OU=Users,DC=domain,DC=local';
// AD specific settings //
$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'user';
$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'group';
$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'member';
-
repo owner If the LDAP query returns the email addresses of the user properly, then I see no reason why the username login should not work. If the LDAP query doesn't return the email addresses, then check the LDAP queries for both username and email address login, and figure out what the difference is.
Also it may be much simpler to tell users to use their email addresses to login.
-
reporter I did a tail -f /var/log/syslog:

Jun 25 16:04:41 mailarchiv piler-webui[474792]: ldap query: base dn='OU=Users,DC=domain,DC=local', filter='(&(objectClass=user)(mail=max.mustermann))', attr='', 0 hits
Jun 25 16:05:26 mailarchiv piler-webui[501055]: ldap query: base dn='OU=Users,DC=domain,DC=local', filter='(&(objectClass=user)(mail=max.mustermann@domain.local))', attr='', 1 hits

The LDAP query says 0 hits, but the GUI lets me log in. This should not be possible.
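The two syslog lines above are enough to spot the problem from the log side: a piler-webui LDAP query whose filter value is a bare username returns 0 hits, and the GUI then has no address list to filter the Sphinx results on. The following parser and check are an added example for this thread, not mailpiler's own code; the sample lines are constructed to match the reporter's output (hostname, PIDs and the sshd line are made up).

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines modelled on the reporter's output above.
SAMPLE_SYSLOG = """\
Jun 25 16:04:41 mailarchiv piler-webui[474792]: ldap query: base dn='OU=Users,DC=domain,DC=local', filter='(&(objectClass=user)(mail=max.mustermann))', attr='', 0 hits
Jun 25 16:05:26 mailarchiv piler-webui[501055]: ldap query: base dn='OU=Users,DC=domain,DC=local', filter='(&(objectClass=user)(mail=max.mustermann@domain.local))', attr='', 1 hits
Jun 25 16:07:02 mailarchiv sshd[1234]: Accepted publickey for root from 10.0.0.5
"""

# One piler-webui "ldap query" line; anything else in syslog is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) piler-webui\[(?P<pid>\d+)\]: "
    r"ldap query: base dn='(?P<base>[^']*)', filter='(?P<filter>[^']*)', "
    r"attr='(?P<attr>[^']*)', (?P<hits>\d+) hits$"
)
# (attr=value) terms inside the LDAP filter, e.g. (mail=max.mustermann)
FILTER_TERM_RE = re.compile(r"\((?P<attr>\w+)=(?P<value>[^)]*)\)")

@dataclass
class LdapQuery:
    timestamp: str
    pid: int
    login: str   # value typed into the login form, taken from the mail attribute
    hits: int

def parse_ldap_queries(text, mail_attr="mail"):
    """Parse piler-webui LDAP query lines. mail_attr is the configured LDAP_MAIL_ATTR."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        login = ""
        for term in FILTER_TERM_RE.finditer(m["filter"]):
            if term["attr"] == mail_attr:
                login = term["value"]
        queries.append(LdapQuery(m["ts"], int(m["pid"]), login, int(m["hits"])))
    return queries

def suspicious_logins(queries):
    """Queries matching the reporter's case: the filter value is not an email
    address or LDAP returned 0 hits, so no mailbox filter can be built."""
    return [q for q in queries if q.hits == 0 or "@" not in q.login]
```

Running suspicious_logins(parse_ldap_queries(SAMPLE_SYSLOG)) on the sample returns only the 16:04:41 entry, the bare-username attempt with 0 hits.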
-
reporter > Also it may be much simpler to tell users to use their email addresses to login.
I did this already, but they ignore what I say and log in without @domain.local, and then they are logged in and can't access their mails, so I need a way to block this.
-
repo owner The first LDAP query is the problem that allows the LDAP bind using only the username. You need to fix it to only accept it using the email address.
-
reporter Okay, I don't get it, I am too stupid. I think I'm going to find the correct .php part in the GUI and change it.
From my point of view the LDAP bind is okay, because it says 0 hits.
0 hits means that the LDAP query doesn't deliver a correct mail address, because it doesn't match a mail address.
As a result of this, the login should not be possible.
-
reporter - changed status to resolved