Anonymous bind to the LDAP when sending mail notifications
| Project: | LDAP provisioning |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
My LDAP server is configured so that an anonymous bind won't be able to see the whole LDAP. But it seems that when LDAP provisioning tries to send mail to registered users (when changing password or when admin validation is needed), it makes an anonymous bind to retrieve the mail address associated with the specific username in the recipients. So this is a problem and mail can't be sent out.
To reproduce, increase the ldap server log level so that you see the BIND requests and try to change your drupal password by providing your uid. Here's what I see in my ldap server log file:
Jan 6 14:47:29 * slapd[2523]: conn=27632 fd=3 ACCEPT from IP=127.0.0.1:34900 (IP=127.0.0.1:389)
Jan 6 14:47:29 * slapd[2523]: conn=27632 op=0 BIND dn="" method=128
Jan 6 14:47:29 * slapd[2523]: conn=27632 op=0 RESULT tag=97 err=0 text=
Jan 6 14:47:29 * slapd[2523]: conn=27632 op=1 SRCH base="uid=xx,ou=xx,dc=xx,dc=xx" scope=0 deref=0 filter="(objectClass=*)"
Jan 6 14:47:29 * slapd[2523]: conn=27632 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan 6 14:47:29 * slapd[2523]: conn=27632 op=2 UNBIND
Jan 6 14:47:29 * slapd[2523]: conn=27632 fd=3 closed
Jan 6 14:47:29 * postfix/sendmail[1027]: fatal: apache(14): No recipient addresses found in message header
We can see drupal is actually looking for a valid uid (which actually exists, but can't be seen by an anonymous user).
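The log excerpt above shows the whole symptom in one connection: an anonymous BIND (dn="") followed by a base-scope search that returns err=32 (noSuchObject) with nentries=0, even though the entry exists. As an added example (not part of this issue or of the LDAP provisioning module), the script below parses slapd syslog lines, groups operations by connection id, and reports searches that failed under an anonymous bind. The sample log is constructed from the excerpt in the report plus a second, authenticated connection for contrast; the service DN and host name are placeholders.

```python
"""Flag LDAP lookups that failed because they ran under an anonymous bind.

Added example, not code from the ldap_provisioning module. It reads
OpenLDAP slapd log lines, correlates BIND / SRCH / SEARCH RESULT by
connection id, and lists searches done with dn="" that came back with
err=32 (noSuchObject) or zero entries. That combination is the ACL
symptom from the report: the entry is there, anonymous just can't see it.
"""
import re
from collections import defaultdict

# Constructed sample: the reporter's excerpt (conn=27632) plus a hypothetical
# authenticated connection (conn=27633) that reads the same entry successfully.
SAMPLE_LOG = """\
Jan 6 14:47:29 host slapd[2523]: conn=27632 fd=3 ACCEPT from IP=127.0.0.1:34900 (IP=127.0.0.1:389)
Jan 6 14:47:29 host slapd[2523]: conn=27632 op=0 BIND dn="" method=128
Jan 6 14:47:29 host slapd[2523]: conn=27632 op=0 RESULT tag=97 err=0 text=
Jan 6 14:47:29 host slapd[2523]: conn=27632 op=1 SRCH base="uid=xx,ou=xx,dc=xx,dc=xx" scope=0 deref=0 filter="(objectClass=*)"
Jan 6 14:47:29 host slapd[2523]: conn=27632 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan 6 14:47:29 host slapd[2523]: conn=27632 op=2 UNBIND
Jan 6 14:47:30 host slapd[2523]: conn=27633 op=0 BIND dn="cn=drupal,ou=svc,dc=xx,dc=xx" method=128
Jan 6 14:47:30 host slapd[2523]: conn=27633 op=0 RESULT tag=97 err=0 text=
Jan 6 14:47:30 host slapd[2523]: conn=27633 op=1 SRCH base="uid=xx,ou=xx,dc=xx,dc=xx" scope=0 deref=0 filter="(objectClass=*)"
Jan 6 14:47:30 host slapd[2523]: conn=27633 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
BIND_RE = re.compile(r'^op=(\d+) BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'^op=(\d+) SRCH base="([^"]*)"')
RESULT_RE = re.compile(r"^op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")


def parse_slapd_log(text):
    """Return {conn_id: {"bind_dn": str | None, "searches": [(base, err, nentries)]}}.

    bind_dn stays None when no BIND line was seen on the connection; LDAP
    treats an unbound connection as anonymous, so callers handle None like "".
    """
    conns = defaultdict(lambda: {"bind_dn": None, "searches": [], "pending": {}})
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # not a slapd connection line (or a different daemon)
        conn, rest = m.group(1), m.group(2)
        state = conns[conn]
        if b := BIND_RE.match(rest):
            state["bind_dn"] = b.group(2)
        elif s := SRCH_RE.match(rest):
            state["pending"][s.group(1)] = s.group(2)  # remember base DN per op
        elif r := RESULT_RE.match(rest):
            base = state["pending"].pop(r.group(1), "?")
            state["searches"].append((base, int(r.group(2)), int(r.group(3))))
    return conns


def anonymous_failed_lookups(text):
    """List (conn, base, err) for searches under an anonymous bind that returned
    noSuchObject (err=32) or no entries: the entry is hidden by ACL, not missing."""
    hits = []
    for conn, state in parse_slapd_log(text).items():
        if state["bind_dn"] not in ("", None):
            continue  # authenticated bind; an empty result there is a real miss
        for base, err, nentries in state["searches"]:
            if err == 32 or nentries == 0:
                hits.append((conn, base, err))
    return hits


if __name__ == "__main__":
    for conn, base, err in anonymous_failed_lookups(SAMPLE_LOG):
        print(f"conn={conn}: anonymous bind could not read {base} (err={err})")
```

Run against a live slapd log (loglevel stats) the same function shows whether an application reads user entries before authenticating to the directory; here only conn=27632 is reported, because conn=27633 bound with a DN and got the entry back.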

#1
Is it really an LDAP provisioning module issue? If you change your drupal password, it is the ldap data module which does the work and syncs the drupal password with ldap?
> when LDAP provisionning tries to send mail to registered users
Or do you see anonymous bind when a new user has registered with the site and emails are sent to users with account manager permissions? On the creation of the new accounts?
#2
As I am working on the same website (yoho more on the ldap part, and I more on the "front" part), I think that this issue is the same as this one: #354672: Ldap data don't read "mail" attribute, but viewed from "the inside". I thought the problem was with the ldap integration module, but maybe it is with the ldap provisioning.
I can't see the binding, but I can see ldap data:
I also noticed that there are two ways to associate the mail address in drupal and the mail attribute in ldap: one in ldap>authentication and in the parameters of the ldap server, the other in ldap>data and in the drupal fields mapping.
To answer your question, when someone creates a new account, we have a "pending" account in account management, and then we validate or reject this account via the account management UI. The new user thus has a mail (with temporary password) and when his or her account is validated, a new entry is created in ldap.