Cyrus IMAPd -> SASL auxprop-plugin: ldapdb -> OpenLDAP
Torsten Schlabach
tschlabach at gmx.net
Sun Oct 1 09:22:07 EDT 2006
> And did you enable sasl-Authorization in slapd.conf and in the
> LDAP-Objects?
What exactly are you referring to?
a) sasl-Authorization in slapd.conf
I have some sasl-regexp statements in slapd.conf
b) and in the LDAP-Objects
What would I have to do to the objects? authzTo / authzFrom ?
Regards,
Torsten
Andreas Winkelmann wrote:
> On Tuesday 26 September 2006 08:09, Torsten Schlabach wrote:
>
>
>>Let me start with the same sentence which seems to belong to this
>>subject: I have read the archives and docs for days, ...
>>
>>Let me try to keep my question as simple as possible:
>>
>>My /etc/imapd.conf:
>>
>>sasl_pwcheck_method: auxprop
>>
>>sasl_auxprop_plugin: ldapdb
>>sasl_ldapdb_uri: ldap://127.0.0.1
>>sasl_ldapdb_id: cn=admin,dc=xxxxx,dc=yy
>
>
> Hmm, I haven't seen a DN here yet. I would guess, this is wrong.
> Use a normal Username.
>
>
>>sasl_ldapdb_pw: *****
>>
>>Alternatively I tried
>>
>>sasl_ldapdb_id: admin
>
>
> Looks better.
>
> Hmm, you should specify a Mechanism which is able to do Authorization,
> something like DIGEST-MD5 or PLAIN.
>
> sasl_ldapdb_mech: DIGEST-MD5
>
> And did you enable sasl-Authorization in slapd.conf and in the LDAP-Objects?
>
>
>>What I would expect to see happening is:
>>
>>1. User logs on to IMAPd and supplies a username and a password. (I am
>>trying this using cyradm.)
>
>
> No, first ldapdb_id and ldapdb_pw is used.
>
>
>>2. Username and password are passed on to the SASL layer.
>
>
> Then the User of cyradm is being searched for and the userPassword is fetched
> from LDAP.
>
> This is compared to what comes from cyradm.
>
>
>>3. The SASL layer finds out that I am using ldapdb, so it passes the
>>username / password onto an LDAP bind.
>>
>>4. OpenLDAP is supposed to do the sasl-regexp mapping, locate the object
>>to authenticate against and just do it.
>>
>>Step #4 seems to be ok, as I can test that with
>>
>>ldapwhoami -U admin
>>
>>I get an authentication success.
>>
>>But trying through cyradm I don't even see any activity on the LDAP log.
>> So it appears as if IMAPd completely ignores any of the auxprop_plugin
>>settings and goes straight to sasldb, which I guess is the default.
>>
>>How can I debug that?
>>
>>How can I make sure the settings I have made in /etc/imapd.conf have an
>>effect at all?
>>
>>As SASL is a library and not a process in itself, I would probably have
>>to tell IMAPd to do some more logging, don't I?
>
>
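
The three places the reply's question about "sasl-Authorization in slapd.conf and in the LDAP-Objects" touches, as an added configuration sketch that is not from either poster. Assumptions: OpenLDAP 2.3 names (2.2 used `sasl-authz-policy` and `saslAuthzTo`), and a hypothetical `ou=people` subtree under the post's redacted suffix for the mail users.

```conf
# --- /etc/imapd.conf (values from the post; mech as suggested in the reply)
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://127.0.0.1
sasl_ldapdb_id: admin
sasl_ldapdb_pw: *****
sasl_ldapdb_mech: DIGEST-MD5

# --- slapd.conf
# Keep the existing sasl-regexp lines that already make
# "ldapwhoami -U admin" succeed; they map the SASL identity to a DN.
# Proxy authorization is off by default. "to" enables it and makes
# slapd consult the authzTo attribute on the proxy's own entry.
authz-policy to

# --- LDIF applied to the entry that sasl_ldapdb_id maps to
# The proxy identity may act as any DN matching this rule, so keep the
# pattern as narrow as the mail user subtree (ou=people is an assumption).
dn: cn=admin,dc=xxxxx,dc=yy
changetype: modify
add: authzTo
authzTo: dn.regex:^uid=[^,]+,ou=people,dc=xxxxx,dc=yy$
```

`ldapwhoami -U admin -X u:<user>` binds as the proxy and requests authorization as `<user>`, which exercises the same slapd-side path without involving IMAPd.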