Cyrus IMAPd -> SASL auxprop-plugin: ldapdb -> OpenLDAP

Torsten Schlabach tschlabach at gmx.net
Sun Oct 1 09:22:07 EDT 2006


> And did you enable sasl-Authorization in slapd.conf and in the
> LDAP-Objects?

What exactly are you referring to?

a) sasl-Authorization in slapd.conf

I have some sasl-regexp statements in slapd.conf

b) and in the LDAP-Objects

What would I have to do to the objects? authzTo / authzFrom ?

Regards,
Torsten


Andreas Winkelmann schrieb:
> Am Tuesday 26 September 2006 08:09 schrieb Torsten Schlabach:
> 
> 
>>Let me start with the same sentence which seems to belong to this
>>subject: I have read the archives and docs for days, ...
>>
>>Let me try to keep my question as simple as possible:
>>
>>My /etc/imapd.conf:
>>
>>sasl_pwcheck_method: auxprop
>>
>>sasl_auxprop_plugin: ldapdb
>>sasl_ldapdb_uri: ldap://127.0.0.1
>>sasl_ldapdb_id: cn=admin,dc=xxxxx,dc=yy
> 
> 
> Hmm, I haven't seen a DN here yet. I would guess this is wrong.
> Use a normal Username.
> 
> 
>>sasl_ldapdb_pw: *****
>>
>>Alternatively I tried
>>
>>sasl_ldapdb_id: admin
> 
> 
> Looks better.
> 
> Hmm, you should specify a Mechanism which is able to do Authorization, 
> something like DIGEST-MD5 or PLAIN.
> 
> sasl_ldapdb_mech: DIGEST-MD5
> 
> And did you enable sasl-Authorization in slapd.conf and in the LDAP-Objects?
> 
> 
>>What I would expect to see happening is:
>>
>>1. User logs on to IMAPd and supplies a username and a password. (I am
>>trying this using cyradm.)
> 
> 
> No, first ldapdb_id and ldapdb_pw are used.
> 
> 
>>2. Username and password are passed on to the SASL layer.
> 
> 
> Then the User of cyradm is being searched for and the userPassword is fetched
> from LDAP.
> 
> This is compared to that what comes from cyradm.
> 
> 
>>3. The SASL layer finds out that I am using ldapdb, so it passes the
>>username / password onto an LDAP bind.
>>
>>4. OpenLDAP is supposed to do the sasl-regexp mapping, locate the object
>>to authenticate against and just do it.
>>
>>Step #4 seems to be ok, as I can test that with
>>
>>ldapwhoami -U admin
>>
>>I get an authentication success.
>>
>>But trying through cyradm I don't even see any activity on the LDAP log.
>>So it appears as if IMAPd completely ignores any of the auxprop_plugin
>>settings and goes straight to sasldb, which I guess is the default.
>>
>>How can I debug that?
>>
>>How can I make sure the settings I have made in /etc/imapd.conf have an
>>effect at all?
>>
>>As SASL is a library and not a process in itself, I would probably have
>>to tell IMAPd to do some more logging, don't I?
> 
> 
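The three pieces of configuration this thread circles around (the Cyrus side, the slapd side, and the authzTo attribute on the proxy entry), collected as an added example that is not from either poster. The base dc=example,dc=com, the DN uid=admin,ou=people,..., the user name torsten and the password placeholder are constructed; the option names are the documented ldapdb and slapd ones. The flow it supports is the one Andreas describes: ldapdb first binds as ldapdb_id/ldapdb_pw with ldapdb_mech, then proxy-authorizes as the user who is logging in and reads that user's userPassword.

```conf
# --- /etc/imapd.conf (Cyrus IMAPd side) ---
# Cyrus hands every "sasl_" option to libsasl with the prefix stripped.
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://127.0.0.1
# Form from the thread that fails: a DN is not a SASL authentication
# identity, so the plugin's own bind to slapd fails before any user is looked up.
#sasl_ldapdb_id: cn=admin,dc=xxxxx,dc=yy
# Working form: a plain SASL user name that slapd maps with authz-regexp below.
sasl_ldapdb_id: admin
sasl_ldapdb_pw: CHANGE-ME          # placeholder, not a real password
# Mechanism for the plugin's bind; it must support proxy authorization
# (DIGEST-MD5 or PLAIN), otherwise ldapdb cannot act on the user's behalf.
sasl_ldapdb_mech: DIGEST-MD5
# Mechanisms offered to IMAP clients (cyradm logs in through one of these).
sasl_mech_list: PLAIN LOGIN

# --- slapd.conf (OpenLDAP side) ---
# Map the DIGEST-MD5 identity "admin" (and every other user) to a directory entry.
# "sasl-regexp" is the older spelling of the same directive.
authz-regexp
  uid=([^,]*),cn=digest-md5,cn=auth
  ldap:///dc=example,dc=com??sub?(uid=$1)
# Allow an entry to authorize as others when its own authzTo attribute says so
# (the default "none" silently refuses every proxy authorization).
authz-policy to
# After proxy authorization the effective identity is the IMAP user, so that
# user must be able to read its own userPassword; "auth" alone is not enough
# because ldapdb fetches the attribute value instead of asking slapd to bind.
access to attrs=userPassword
  by self read
  by anonymous auth
  by * none

# --- LDIF applied with ldapmodify: let the proxy entry act for users under ou=people ---
dn: uid=admin,ou=people,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: ldap:///ou=people,dc=example,dc=com??sub?(objectClass=inetOrgPerson)
```

The proxy step can be checked without Cyrus at all: ldapwhoami -H ldap://127.0.0.1 -Y DIGEST-MD5 -U admin -X u:torsten must answer with torsten's DN, not admin's. If that fails with "authorization failed" or similar, the problem is in slapd (authz-policy, authzTo, or the regexp), and no amount of imapd.conf changes will help; if it succeeds but cyradm still shows no LDAP traffic, the ldapdb plugin is not being loaded and Cyrus is falling back to sasldb, as suspected in the thread.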


More information about the Cyrus-sasl mailing list