Global admin fails via saslauthd and ldap

imap at adari.net imap at adari.net
Wed Aug 18 20:12:14 EDT 2004


Hello,

I have done some digging into the code and found the following:

The login process goes through the following function calls:

cmd_login() -> imapd_canon_user() -> mysasl_canon_user() -> canonify_userid()

In canonify_userid(), for the default domain, the domain part is getting
dropped and only the mailid is returned as "canonuser". This value is
propagated all the way to saslauthd_verify_password(), where the user_realm is
null for the global admin case, and hence the ldap lookup fails. For all other
cases "canonuser" gets the complete email address, and hence the ldap lookups
are succeeding.

Does anyone on the list use 'saslauthd' with the 'ldap' backend? Appreciate
pointers!

Thanks
__
Seva

> We are looking to migrate from our existing 2.1.x to the latest ver 2.2.8.
> We want to use the stock virtual hosting feature and have configured the
> system accordingly. We are able to log in via 'cyradm' and create user
> mailboxes if we use a domain-specific admin. We have trouble logging in as
> the global admin. We are using 'saslauthd' and 'ldap' for authentication and
> using the following setting in the imapd.conf file:
>
> virtdomains: on
> admins: globaladmin mailadmin@test.com
> defaultdomain: xyz.com
>
> We are able to log in as mailadmin@test.com and create mailboxes for
> 'test.com' but can't log in as 'globaladmin'. Alternatively, if we change the
> above config to the following:
>
> virtdomains: on
> admins: globaladmin@xyz.com mailadmin
> defaultdomain: test.com
>
> then we can log in as globaladmin@xyz.com and create mailboxes for 'xyz.com'
> but can't log in as mailadmin.
>
> We found that the default domain is getting discarded by the system and
> never getting passed to the ldap server, hence the 'DN' is missing the domain
> component and hence failing.
>
> Is there some config setting we are missing that is causing this?
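
The data flow described in this message, as an added example that is not part of the original post and is not Cyrus or saslauthd source code. The `model_*` function names, the `uid=<user>,ou=<realm>,o=mail` DN layout and the fallback-realm parameter are assumptions made for illustration; the inputs are constructed from the configuration quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Model only: drop "@<defaultdomain>" from a login, the behaviour the post
 * attributes to canonify_userid(). Other domains are kept intact. */
static void model_canonify(const char *login, const char *defdomain,
                           char *out, size_t outlen)
{
    const char *at = strrchr(login, '@');
    size_t n = strlen(login);
    if (at && strcmp(at + 1, defdomain) == 0)
        n = (size_t)(at - login);          /* default domain is discarded */
    if (n >= outlen) n = outlen - 1;
    memcpy(out, login, n);
    out[n] = '\0';
}

/* Split "user@realm"; realm is "" when the canonical id has no domain part. */
static void model_split(const char *canon, char *user, char *realm, size_t len)
{
    const char *at = strrchr(canon, '@');
    snprintf(user, len, "%.*s", at ? (int)(at - canon) : (int)strlen(canon), canon);
    snprintf(realm, len, "%s", at ? at + 1 : "");
}

/* Build a DN in the constructed layout. Returns -1 when the realm is empty and
 * no fallback is supplied, rather than emitting a DN with no domain component.
 * Real code must also escape user and realm (RFC 4514) before use. */
int model_build_dn(const char *login, const char *defdomain,
                   const char *fallback_realm, char *dn, size_t dnlen)
{
    char canon[256], user[256], realm[256];
    model_canonify(login, defdomain, canon, sizeof canon);
    model_split(canon, user, realm, sizeof realm);
    const char *r = realm[0] ? realm : fallback_realm;
    if (!r || !r[0]) return -1;
    snprintf(dn, dnlen, "uid=%s,ou=%s,o=mail", user, r);
    return 0;
}

int main(void)
{
    char dn[512];
    const char *ids[] = { "mailadmin@test.com", "globaladmin", "globaladmin@xyz.com" };
    for (int i = 0; i < 3; i++) {
        int rc = model_build_dn(ids[i], "xyz.com", NULL, dn, sizeof dn);
        printf("%-20s -> %s\n", ids[i], rc ? "(empty realm, lookup fails)" : dn);
    }
    return 0;
}
```

Passing the default domain as `fallback_realm` shows one possible handling of the empty-realm case; whether Cyrus or saslauthd offers an equivalent setting is not established in this thread.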


---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html



