stalwartlabs / mail-server

Secure & Modern All-in-One Mail Server (IMAP, JMAP, POP3, SMTP)
https://stalw.art

[bug]: Bind Auth result not respected in LDAP backend #514

Closed TheLonelinessOfHS closed 2 weeks ago

TheLonelinessOfHS commented 3 weeks ago

What happened?

First of all, hope you can bear with me if I am wrong because I am quite new to LDAP and I am not familiar with Rust.

I am trying to develop an LDAP gateway as discussed here. It appears that in the AUTH stage, the result of Bind Auth is not checked before a Name Lookup is executed. Therefore, following a failed Bind Request it relies on an access check on the LDAP server side to ensure that a corresponding account object is not returned. An insufficientAccessRights log will also show up following a failed lookup (i.e. for each failed authentication, which is inappropriate in my opinion). If there is no access check on the LDAP side, the user will be authenticated even when an incorrect password is provided (Not sure if all LDAP server packages enable this by default).

I believe the relevant code is here: mail-server/crates/directory/src/backend/ldap/lookup.rs Line 88

How can we reproduce the problem?

I can reproduce the problem by doing the following steps:

  1. Setup an LDAP directory
  2. Sign in with a correct username and a wrong password
  3. An insufficientAccessRights log is generated if an access check on the LDAP side is enabled.

Version

v0.8.x

What database are you using?

None

What blob storage are you using?

None

Where is your directory located?

LDAP

What operating system are you using?

Linux

Relevant log output

LDAP directory error context="directory" event="error" protocol="ldap" reason=LDAP operation result: rc=50 (insufficientAccessRights), dn: "dc=[hidden],dc=[hidden]", text: ""

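The bind-then-lookup flow the report describes, written out as an added example; this is not code from the Stalwart project and uses no real LDAP client. A constructed in-memory stand-in for a directory (`FakeDirectory`, with hypothetical DNs and passwords) can be run with or without server-side access checks. `authenticate_unchecked` follows the pattern the reporter describes (bind result dropped, the lookup alone decides), and `authenticate_checked` stops on a failed auth bind and performs the lookup on a separate connection bound as a service account, which is the "standard" bind the maintainer's reply refers to. Both LDAP result codes (49 and 50) are the standard ones; everything else is an assumption for illustration.

```rust
// Added example, not Stalwart code: a model of "auth bind, then lookup"
// showing why the bind result must be checked before the lookup is trusted.
use std::collections::HashMap;

/// LDAP result code 50, the code in the issue's log line.
const RC_INSUFFICIENT_ACCESS_RIGHTS: u32 = 50;
/// LDAP result code 49, returned by a real server for a wrong password.
const RC_INVALID_CREDENTIALS: u32 = 49;

#[derive(Debug, PartialEq)]
pub struct LdapError { pub rc: u32, pub name: &'static str }

/// Constructed in-memory stand-in for a directory server (hypothetical data).
pub struct FakeDirectory {
    passwords: HashMap<&'static str, &'static str>, // dn -> password
    /// When true, anonymous searches are refused with rc=50 (the issue's log).
    enforce_acl: bool,
}

/// One connection; `bound_as` is the DN of the last successful bind, if any.
pub struct Conn<'a> { dir: &'a FakeDirectory, bound_as: Option<&'static str> }

impl FakeDirectory {
    pub fn new(enforce_acl: bool) -> Self {
        let mut passwords = HashMap::new();
        // Constructed sample entries; DNs and passwords are assumptions.
        passwords.insert("uid=alice,ou=people,dc=example,dc=org", "correct-horse");
        passwords.insert("cn=stalwart,ou=services,dc=example,dc=org", "svc-secret");
        FakeDirectory { passwords, enforce_acl }
    }
    pub fn connect(&self) -> Conn<'_> { Conn { dir: self, bound_as: None } }
}

impl<'a> Conn<'a> {
    /// Simple bind: succeeds only if the password matches. A failed bind
    /// leaves the connection anonymous, as a real server does after rc=49.
    pub fn bind(&mut self, dn: &'static str, password: &str) -> Result<(), LdapError> {
        match self.dir.passwords.get(dn) {
            Some(p) if *p == password => { self.bound_as = Some(dn); Ok(()) }
            _ => {
                self.bound_as = None;
                Err(LdapError { rc: RC_INVALID_CREDENTIALS, name: "invalidCredentials" })
            }
        }
    }
    /// Name lookup. With ACLs enforced, an anonymous search gets rc=50;
    /// without them, any client can read the entry.
    pub fn lookup(&self, dn: &str) -> Result<Option<&'static str>, LdapError> {
        if self.dir.enforce_acl && self.bound_as.is_none() {
            return Err(LdapError { rc: RC_INSUFFICIENT_ACCESS_RIGHTS, name: "insufficientAccessRights" });
        }
        Ok(self.dir.passwords.keys().copied().find(|k| *k == dn))
    }
}

/// The pattern the issue describes: the bind result is ignored and the
/// lookup result alone decides. Returns the DN if "authenticated".
pub fn authenticate_unchecked(dir: &FakeDirectory, dn: &'static str, password: &str)
    -> Result<Option<&'static str>, LdapError> {
    let mut conn = dir.connect();
    let _ = conn.bind(dn, password); // bind outcome dropped
    conn.lookup(dn)                  // only server-side ACLs can save us here
}

/// Corrected pattern: a failed auth bind ends authentication before any
/// lookup (no rc=50 noise, no dependence on server ACLs). The lookup then
/// runs on a second connection bound as the service account.
pub fn authenticate_checked(dir: &FakeDirectory, dn: &'static str, password: &str)
    -> Result<Option<&'static str>, LdapError> {
    let mut auth_conn = dir.connect();
    if auth_conn.bind(dn, password).is_err() {
        return Ok(None);
    }
    let mut svc_conn = dir.connect();
    svc_conn.bind("cn=stalwart,ou=services,dc=example,dc=org", "svc-secret")?;
    svc_conn.lookup(dn)
}

fn main() {
    let dn = "uid=alice,ou=people,dc=example,dc=org";
    for acl in [false, true] {
        let dir = FakeDirectory::new(acl);
        println!("acl={acl} wrong pw: unchecked={:?} checked={:?}",
                 authenticate_unchecked(&dir, dn, "wrong"),
                 authenticate_checked(&dir, dn, "wrong"));
    }
}
```

Without server-side ACLs, the unchecked flow accepts a wrong password because the anonymous search still finds the account; with ACLs, it fails only because the server refuses the search with rc=50, which is the log line quoted above. The checked flow returns "not authenticated" in both cases without issuing a search.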

mdecimus commented 2 weeks ago

Hi, I'm closing as this is not a bug. The SMTP server requires both auth bind and "standard" bind in order to work. Auth bind is used on the AUTH command while a normal bind is done to check for local domains and local recipients.