[Kolab-devel] [issue3403] Problem authenticating 2 accounts with the same name on different domains and different UID

Mario Ramos kolab-issues at intevation.de
Sun Feb 15 21:23:41 CET 2009


New submission from Mario Ramos <mario at hummy.org>:

The other day I wrote this email to the users list:

http://kolab.org/pipermail/kolab-users/2009-February/009457.html

regarding a problem I was experiencing with my kolab installation using multiple
domains.

I noticed the problem because the forwarding feature wasn't working, as I
explained in that email.

I've been digging into this error and I think I've fixed it. It's not a sieve
problem; it was an authentication problem.


In /kolab/etc/kolab/templates/saslauthd.conf.template I added:

ldap_size_limit: 0


And then, in /kolab/var/sasl/log/saslauthd.log, when trying to log in as
info at domain2.com, I started getting this:


Feb 14 20:35:27 mrburns <debug> saslauthd[24334]: Duplicate entries found
((&(|(mail=info at domain2.com)(mail=info)(uid=info at domain2.com)(uid=info))(!(kolabdeleteflag=*)))).
Feb 14 20:35:27 mrburns <debug> saslauthd[24334]: Authentication failed for
info/domain2.com: User not found (-6)
Feb 14 20:35:27 mrburns <info> saslauthd[24334]: do_auth         : auth failure:
[user=info] [service=imap] [realm=domain2.com] [mech=ldap] [reason=Unknown]
Feb 14 20:35:30 mrburns <debug> saslauthd[24336]: Duplicate entries found
((&(|(mail=info at domain2.com)(mail=info)(uid=info at domain2.com)(uid=info))(!(kolabdeleteflag=*)))).
Feb 14 20:35:30 mrburns <debug> saslauthd[24336]: Authentication failed for
info/domain2.com: User not found (-6)
Feb 14 20:35:30 mrburns <info> saslauthd[24336]: do_auth         : auth failure:
[user=info] [service=imap] [realm=domain2.com] [mech=ldap] [reason=Unknown]


If I create an info at domain1.com account and another account
info at domain2.com, the original ldap filter will return duplicated entries
and will not be able to authenticate info at domain2.com, although it is still
possible to authenticate as info at domain1.com. I don't know why... I'm not an
LDAP expert.

Anyway, the fix was changing the filter to:

#ldap_filter: (&(|(mail=%u@%d)(mail=%u)(uid=%u@%d)(uid=%u))(!(kolabdeleteflag=*)))
ldap_filter: (&(|(mail=%u@%d)(mail=%u)(uid=%u@%d))(!(kolabdeleteflag=*)))


This seems to have fixed the problem.
Now I can authenticate any user by using its UID.

I'm not sure if what I did is the best approach to this problem, or what the
implications of removing "(uid=%u)" from the original ldap_filter could be.

Cheers.
Mario.

----------
messages: 18570
nosy: mariocbgb
priority: bug
status: unread
title: Problem authenticating 2 accounts with the same name on different domains and different UID
___________________________________________________
Kolab issue tracker <kolab-issues at intevation.de>
<https://www.intevation.de/roundup/kolab/issue3403>
___________________________________________________



