Closed TheLonelinessOfHS closed 2 weeks ago
Hi, I'm closing as this is not a bug. The SMTP server requires both auth bind and "standard" bind in order to work. Auth bind is used on the AUTH command while a normal bind is done to check for local domains and local recipients.
What happened?
First of all, hope you can bear with me if I am wrong because I am quite new to LDAP and I am not familiar with Rust.
I am trying to develop an LDAP gateway as discussed here. It appears that in the AUTH stage, the result of Bind Auth is not checked before a Name Lookup is executed. Therefore, following a failed Bind Request it relies on an access check on the LDAP server side to ensure that a corresponding account object is not returned. An insufficientAccessRights log will also show up following a failed lookup (i.e. for each failed authentication, which is inappropriate in my opinion). If there is no access check on the LDAP side, the user will be authenticated even when an incorrect password is provided (Not sure if all LDAP server packages enable this by default).
I believe the relevant code is here: mail-server/crates/directory/src/backend/ldap/lookup.rs Line 88
How can we reproduce the problem?
I can reproduce the problem by doing the following steps:
Version
v0.8.x
What database are you using?
None
What blob storage are you using?
None
Where is your directory located?
LDAP
What operating system are you using?
Linux
Relevant log output
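The failure mode described in the report, modeled as an added example that is not part of the thread and not the mail server's code: a gateway that ignores the bind result and lets the name lookup decide is only as safe as the directory's access check, while one that gates on the bind result is safe either way. Assumptions: `Directory`, `Conn`, `auth_unchecked`, `auth_checked` and `anonymous_read` are hypothetical names, and the directory is a constructed in-memory toy that makes no real LDAP calls.

```rust
use std::collections::HashMap;

// Toy in-memory directory (constructed for this example, no real LDAP calls).
struct Directory {
    passwords: HashMap<&'static str, &'static str>, // DN -> password
    anonymous_read: bool, // true = no access check on unauthenticated lookups
}

// Connection state after a bind attempt: Some(dn) if bound, None if anonymous.
struct Conn<'a> { dir: &'a Directory, bound_as: Option<String> }

impl<'a> Conn<'a> {
    fn bind(dir: &'a Directory, dn: &str, password: &str) -> (Conn<'a>, bool) {
        let ok = dir.passwords.get(dn).map_or(false, |p| *p == password);
        (Conn { dir, bound_as: ok.then(|| dn.to_string()) }, ok)
    }
    // Err models insufficientAccessRights; Ok(true) means the entry was returned.
    fn lookup(&self, dn: &str) -> Result<bool, &'static str> {
        if self.bound_as.is_none() && !self.dir.anonymous_read {
            return Err("insufficientAccessRights");
        }
        Ok(self.dir.passwords.contains_key(dn))
    }
}

// Pattern described in the report: bind result ignored, the lookup decides.
fn auth_unchecked(dir: &Directory, dn: &str, pw: &str) -> bool {
    let (conn, _bind_ok) = Conn::bind(dir, dn, pw);
    matches!(conn.lookup(dn), Ok(true))
}

// Bind result gates the decision; a failed bind can never authenticate.
fn auth_checked(dir: &Directory, dn: &str, pw: &str) -> bool {
    let (conn, bind_ok) = Conn::bind(dir, dn, pw);
    bind_ok && matches!(conn.lookup(dn), Ok(true))
}

fn sample_dir(anonymous_read: bool) -> Directory {
    let passwords = HashMap::from([("uid=alice,dc=example,dc=org", "correct-horse")]);
    Directory { passwords, anonymous_read }
}

fn main() {
    let dn = "uid=alice,dc=example,dc=org";
    for anon in [false, true] {
        let dir = sample_dir(anon);
        println!("anonymous_read={anon}: unchecked={} checked={}",
            auth_unchecked(&dir, dn, "wrong"), auth_checked(&dir, dn, "wrong"));
    }
}
```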