Using LDAP with Cyrus [was: Re: [Diffusion] [Committed] rI0b8b7ab02b36: Documented several saslauthd ldap options.]
Dan White
dwhite@olp.net
Tue Mar 13 14:32:38 EDT 2018
On 03/13/18 11:44 -0500, Nic Bernstein wrote:
>Dan,
>I am trying for the first time to set up Cyrus (3.0.4 & 3.0.5) with
>ptloader, sasl auxprop, etc. Even though I've used LDAP for many
>years, I've only ever used saslauthd with mech=ldap or mech=pam, and a
>fairly simple configuration. For example:
>
> ldap_servers: ldapi://%2fvar%2frun%2fopenldap%2fldapi
> ldap_bind_dn: cn=proxyUser,ou=systems,dc=example,dc=com
> ldap_bind_pw: secret
> ldap_filter: (|(&(|(uid=%u)(mail=%u)(mailRoutingAddress=%u))(objectClass=person))(&(cn=%u)(objectClass=organizationalRole)))
> ldap_search_base: dc=example,dc=com
>
>I was hoping to write up some comprehensive documentation on using
>LDAP with Cyrus, as there is currently nothing beyond the
>imapd.conf(5) man page. Any help you could provide would be most
>welcome. The only cogent examples I find online are all from you, but
>are many years old, so I have no frame of reference as to how accurate
>they still are. If you would prefer to discuss this off-list, or via
>phone, please advise.
With regards to the sasl side of things, the options.html page
(doc/legacy/options.html) is the primary documentation I'm familiar with
for ldapdb support. The saslauthd documentation mentioned below would
have referred to out-of-date documentation in LDAP_SASLAUTHD, which was
the only place LDAP saslauthd support was documented at the time.
I don't recall if I've used ptloader, and I don't have any input on how
best to document or use it.
>Specifically, I am trying to configure so that users may authenticate
>with either just UID (i.e. "nic") or email address (i.e.
>"nic@onlight.com"). The saslauthd example shown above does just this,
>but Cyrus still only works with the simple user ID, not the email
>address, which is what leads me to trying ptloader and auxprop.
There are two approaches I've used to allow "nic" and "nic@onlight.com"
to refer to the same mailbox:
* Set onlight.com as the default domain
* Configure ldapdb as the canon_user plugin, and return the 'normalized'
user using the configured ldapdb_canon_attr.
>On 03/14/2016 02:52 AM, Phabricator wrote:
>>Dan White <dwhite@olp.net> committed rI0b8b7ab02b36: Documented several saslauthd ldap options. (authored by Dan White <dwhite@olp.net>).
>>Herald added auditors: Documentation.
>>
>>Documented several saslauthd ldap options.
--
Dan White
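The following is an added worked example, not code from the thread, from Cyrus, or from saslauthd. It models the two things the message above touches on: how a saslauthd-style ldap_filter such as the one Nic posted is expanded from the login name before it is sent to the directory (with the value escaped per RFC 4515, so a hostile login cannot rewrite the filter), and how the two approaches Dan lists (a default domain, or an ldapdb canon_user lookup returning ldapdb_canon_attr) collapse "nic" and "nic@onlight.com" onto one mailbox. The token names %u, %U, %d and %r are the ones documented for saslauthd's ldap_filter; the expansion and matching logic, the in-memory DIRECTORY entries, and the function names are assumptions of this example and stand in for a real LDAP server.

```python
import re
from typing import Optional

# The ldap_filter from the saslauthd config quoted in the thread.
LDAP_FILTER = ("(|(&(|(uid=%u)(mail=%u)(mailRoutingAddress=%u))(objectClass=person))"
               "(&(cn=%u)(objectClass=organizationalRole)))")


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    Without this, a login such as 'nic)(uid=*' would change the structure of
    the filter and could match an entry the caller never intended."""
    out = []
    for ch in value:
        if ch in '\\*()' or ch == '\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def expand_filter(template: str, username: str, realm: str = '') -> str:
    """Expand saslauthd-style tokens in a filter template.

    %u is the full login, %U the part before '@', %d the part after '@'
    (empty if there is none) and %r the realm. Every substituted value is
    escaped first. (Token names follow LDAP_SASLAUTHD; this expansion code is
    the example's own approximation, not saslauthd's implementation.)"""
    user, _, domain = username.partition('@')
    tokens = {'u': username, 'U': user, 'd': domain, 'r': realm}
    return re.sub(r'%([uUdr])', lambda m: ldap_escape(tokens[m.group(1)]), template)


# Constructed sample directory (not real data) standing in for the LDAP tree.
DIRECTORY = [
    {'dn': 'uid=nic,ou=people,dc=onlight,dc=com', 'objectClass': ['person'],
     'uid': ['nic'], 'mail': ['nic@onlight.com'],
     'mailRoutingAddress': ['nic@onlight.com']},
    {'dn': 'cn=postmaster,ou=roles,dc=onlight,dc=com',
     'objectClass': ['organizationalRole'], 'cn': ['postmaster']},
]


def find_entry(login: str) -> Optional[dict]:
    """Evaluate the same match semantics as LDAP_FILTER over DIRECTORY.

    Exact string comparison is used here; a real directory would apply the
    attributes' own (usually case-insensitive) matching rules."""
    for e in DIRECTORY:
        ocs = e['objectClass']
        if 'person' in ocs and login in (e.get('uid', []) + e.get('mail', [])
                                         + e.get('mailRoutingAddress', [])):
            return e
        if 'organizationalRole' in ocs and login in e.get('cn', []):
            return e
    return None


def canon_user_ldapdb(login: str, canon_attr: str = 'uid') -> Optional[str]:
    """Second approach from the message: an ldapdb canon_user lookup returns the
    value of ldapdb_canon_attr from the matched entry, so 'nic' and
    'nic@onlight.com' both canonicalize to 'nic'. Returns None when no entry
    matches or the entry lacks the canon attribute."""
    e = find_entry(login)
    if e is None:
        return None
    vals = e.get(canon_attr) or []
    return vals[0] if vals else None


def canon_user_defaultdomain(login: str, defaultdomain: str = 'onlight.com') -> str:
    """First approach from the message: with onlight.com as the default domain,
    'nic@onlight.com' names the same mailbox as 'nic'; logins in any other
    domain stay fully qualified."""
    user, _, domain = login.partition('@')
    return user if domain.lower() == defaultdomain.lower() else login


if __name__ == '__main__':
    print(expand_filter(LDAP_FILTER, 'nic@onlight.com'))
    print(expand_filter('(uid=%u)', 'nic)(uid=*'))
    for login in ('nic', 'nic@onlight.com', 'postmaster'):
        print(login, '->', canon_user_ldapdb(login), canon_user_defaultdomain(login))
```

Two points this makes visible that the config lines alone do not: the canon attribute has to exist on every entry the filter can match (here the organizationalRole entry has no uid, so canonicalizing "postmaster" yields nothing until ldapdb_canon_attr points at an attribute it carries, such as cn), and whichever component expands the filter must escape the login before substitution, because the filter is built from untrusted input.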