Hello everyone,


   Due to the fix for CVE-2025-30189, routines like userdb_ldap_preinit()
   call auth_cache_parse_key_and_fields() unconditionally, with the
   eventually called auth_cache_parse_key_exclude() erroring if a cache key
   could not be constructed.

   It's also noteworthy that this call happens regardless of whether
   use_cache is set or not, and as such, failing to construct a cache key
   would cause an error even if use_cache = no was set for that database.



   This is, however, an issue for user iteration with LDAP, as documented
   in "LDAP | Dovecot CE" [1]. Such a userdb only has iterate_filter fields
   that would inherently not contain any user variables.

   The call to auth_cache_parse_key_and_fields() uses a combination of
   ldap_base and userdb_ldap_filter anyway (so whatever is in iterate_filter
   isn't considered), and for an iteration userdb as described in the
   documentation, the latter would be empty.

   Alas, I ended up getting the rather confusing error



     auth: Fatal: auth-cache: dc=rev-crew,dc=info: Cache key must contain at least one variable



   With dc=rev-crew,dc=info being my ldap_base setting for the iteration
   userdb. I'm not critically dependent on the user iteration, so I've
   commented the userdb out for now, but this would need fixing.



   Regards,

   Christian Pfeiffer

References

   1. https://doc.dovecot.org/2.4.2/core/config/auth/databases/ldap.html#user-iteration
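
The behaviour reported above, as an added example that is not part of the original message and not Dovecot's source: a simplified C model of a cache-key check that runs whether or not use_cache is set. The struct, the function names, the `%{name}` variable syntax and the sample filter `(uid=%{user})` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for one LDAP userdb's settings. */
struct userdb_conf {
    const char *ldap_base;
    const char *userdb_ldap_filter; /* empty for an iteration-only userdb */
    bool use_cache;
};

/* True if s contains at least one non-empty %{...} variable reference.
   Assumption: only the %{name} syntax is recognised by this model. */
static bool has_variable(const char *s)
{
    const char *p = s;
    while ((p = strstr(p, "%{")) != NULL) {
        const char *end = strchr(p + 2, '}');
        if (end != NULL && end > p + 2)
            return true;
        p += 2;
    }
    return false;
}

/* Model of the check as the post describes it: the key is built from
   ldap_base + userdb_ldap_filter, and use_cache is never consulted.
   Returns 0 on success, -1 with a message in err on failure. */
int model_preinit(const struct userdb_conf *c, char *err, size_t errlen)
{
    char key[512];
    snprintf(key, sizeof(key), "%s%s", c->ldap_base, c->userdb_ldap_filter);
    if (!has_variable(key)) {
        snprintf(err, errlen,
                 "auth-cache: %s: Cache key must contain at least one variable", key);
        return -1;
    }
    return 0;
}

/* Constructed sample configurations. */
const struct userdb_conf iterate_only = { "dc=rev-crew,dc=info", "", false };
const struct userdb_conf lookup = { "dc=rev-crew,dc=info", "(uid=%{user})", true };

int main(void)
{
    char err[600];
    if (model_preinit(&iterate_only, err, sizeof(err)) < 0)
        printf("iterate-only userdb: %s\n", err);
    if (model_preinit(&lookup, err, sizeof(err)) == 0)
        printf("lookup userdb: ok\n");
    return 0;
}
```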
_______________________________________________
dovecot mailing list -- [email protected]