Cyrus-sasl & LDAP saslRegexp
Igor Brezac
igor at ipass.net
Thu Sep 8 12:14:00 EDT 2005
On Thu, 8 Sep 2005, Edward Ashley wrote:
> Hi,
> I was wondering if someone out there knows the solution to my problem. I have
> configured an OpenLDAP with multiple DITs. And so there are effectively 2
> sets of users at the moment, ou=Users,ou=OxObjects,dc=example.net &
> ou=Users,ou=OxObjects,dc=example2.com.
> I have also got the command ldapwhoami to work correctly for the default
> domain. So when I run:
>
> ldapwhoami -Y DIGEST-MD5 -U mailadmin
>
> and put in the password, it's successful.
>
> I'm using the expression:
>
> saslRegexp uid=(.*),cn=DIGEST-MD5,cn=auth
> ldap:///ou=Users,ou=OxObjects,dc=example.net??sub?uid=$1
>
> obviously this doesn't take account of the realm, so that I can use the
> command:
>
> ldapwhoami -Y DIGEST-MD5 -U mailadmin -R test.com
>
> and it authenticates. However I would like to add another regexp expression
> so that I could get people authenticating using the realm/domain of
> example2.com. I have tried adding a regexp expression like this:
>
>
> saslRegexp uid=(.*),cn=example2.com,cn=DIGEST-MD5,cn=auth
> ldap:///ou=Users,ou=OxObjects,dc=example2.com??sub?uid=$1
>
> however this doesn't seem to change any behaviour. When I try the command:
>
> ldapwhoami -Y DIGEST-MD5 -U mailadmin -R example2.com
> or
> ldapwhoami -Y DIGEST-MD5 -U mailadmin@example2.com
>
> the first expression will only authenticate with the default domain's
> mailadmin password, and the second one doesn't authenticate at all.
The second one does not work because you do not have a
uid=mailadmin@example2.com entry.
Something like this may work:
saslRegexp uid=([^@]+)@([^,]+),cn=DIGEST-MD5,cn=auth
ldap:///ou=Users,ou=OxObjects,dc=$2??sub?uid=$1
saslRegexp uid=([^,]+),cn=([^,]+),cn=DIGEST-MD5,cn=auth
ldap:///ou=Users,ou=OxObjects,dc=$2??sub?uid=$1
Note that this example will not work for
ldapwhoami -Y DIGEST-MD5 -U mailadmin@example2.com -R example2.com
You need to decide what takes precedence, -R param or domain part of the
userid, and develop saslRegexp accordingly.
This is really OT for this list. You'll probably get a better response on
the openldap-software list.
--
Igor
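Added example, not part of the original thread and not OpenLDAP's own code: a small Python model of how slapd walks a saslRegexp (authz-regexp) table. It builds the SASL authentication DN the way slapd does (uid=<user>[,cn=<realm>],cn=<mech>,cn=auth), tries the rules in order with first match winning, expands $n into the ldap:/// URL, and runs the resulting search against a constructed two-DIT directory. The rule table is the two rules from the reply plus the questioner's original default-domain rule (placed last, because its `(.*)` would otherwise swallow the realm). The `REALM_WINS_RULES` table and the `[^@,]+` pattern are my own illustration of "decide what takes precedence"; they are assumptions, not something from the thread. Matching uses unanchored `re.search` to mimic POSIX regexec; the directory, the entries and the lookup are constructed and simplified (scope is ignored, filter is a single attribute=value).

```python
import re

# Constructed saslRegexp table, in the order slapd would evaluate it.
# slapd stops at the first rule whose pattern matches (first match wins).
SASL_REGEXPS = [
    # reply, rule 1: user typed -U mailadmin@example2.com, no -R
    (r"uid=([^@]+)@([^,]+),cn=DIGEST-MD5,cn=auth",
     r"ldap:///ou=Users,ou=OxObjects,dc=$2??sub?uid=$1"),
    # reply, rule 2: user typed -U mailadmin -R example2.com
    (r"uid=([^,]+),cn=([^,]+),cn=DIGEST-MD5,cn=auth",
     r"ldap:///ou=Users,ou=OxObjects,dc=$2??sub?uid=$1"),
    # questioner's original default-domain rule; must come LAST, since
    # (.*) would also match "mailadmin,cn=example2.com" and hide the realm
    (r"uid=(.*),cn=DIGEST-MD5,cn=auth",
     r"ldap:///ou=Users,ou=OxObjects,dc=example.net??sub?uid=$1"),
]

# Hypothetical extra rule (assumption, not from the thread): when both a
# domain part in the userid and a -R realm are present, let the realm win.
# The realm capture is restricted to hostname characters so only values
# shaped like a realm are spliced into the search base.
REALM_WINS_RULES = [
    (r"uid=([^@,]+)@([^,]+),cn=([a-z0-9.-]+),cn=DIGEST-MD5,cn=auth",
     r"ldap:///ou=Users,ou=OxObjects,dc=$3??sub?uid=$1"),
] + SASL_REGEXPS

# Constructed directory with one mailadmin per DIT, as in the question.
DIRECTORY = {
    "uid=mailadmin,ou=Users,ou=OxObjects,dc=example.net": {"uid": "mailadmin"},
    "uid=mailadmin,ou=Users,ou=OxObjects,dc=example2.com": {"uid": "mailadmin"},
}


def sasl_authz_dn(user, realm=None, mech="DIGEST-MD5"):
    """Authentication-request DN as slapd forms it for a SASL bind."""
    if realm:
        return f"uid={user},cn={realm},cn={mech},cn=auth"
    return f"uid={user},cn={mech},cn=auth"


def apply_sasl_regexps(authz_dn, rules=SASL_REGEXPS):
    """Return the expanded ldap:/// URL of the first matching rule, else None."""
    for pattern, template in rules:
        m = re.search(pattern, authz_dn)  # unanchored, like POSIX regexec
        if m:
            return re.sub(r"\$(\d+)", lambda n: m.group(int(n.group(1))), template)
    return None


def ldap_search(url):
    """Evaluate 'ldap:///base?attrs?scope?filter' against DIRECTORY.

    Simplified: scope and attrs are ignored and the filter must be a single
    attr=value assertion (optionally parenthesised). uid values compare
    case-insensitively, as caseIgnoreMatch would.
    """
    base, _attrs, _scope, flt = url[len("ldap:///"):].split("?")
    attr, _, value = flt.strip("()").partition("=")
    for dn, entry in DIRECTORY.items():
        if dn.endswith("," + base) and entry.get(attr, "").casefold() == value.casefold():
            return dn
    return None


def resolve(user, realm=None, rules=SASL_REGEXPS):
    """Full path: ldapwhoami identity -> authz DN -> saslRegexp -> entry DN."""
    url = apply_sasl_regexps(sasl_authz_dn(user, realm), rules)
    return ldap_search(url) if url else None


if __name__ == "__main__":
    for user, realm in [("mailadmin", None), ("mailadmin", "example2.com"),
                        ("mailadmin@example2.com", None),
                        ("mailadmin@example2.com", "example2.com")]:
        print(f"-U {user} -R {realm}: {resolve(user, realm)}")
    # The last case maps to uid=mailadmin@example2.com under dc=example2.com,
    # an entry that does not exist, which is the failure the reply points out.
    print("realm-wins table:", resolve("mailadmin@example2.com", "example2.com", REALM_WINS_RULES))
```

Running the block shows the three working identities resolving to the right DIT and the combined `-U mailadmin@example2.com -R example2.com` form resolving to nothing with the reply's rules: rule 2 matches with `$1` = `mailadmin@example2.com`, so the search looks for a uid that is not in the directory. Two things worth checking in a real slapd.conf follow from this: rule order decides the outcome, so the catch-all `(.*)` rule belongs at the end, and whatever is captured into `$2` ends up in the search base, so the realm capture should admit only the characters a realm can contain.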