Cyrus IMAPd -> SASL auxprop-plugin: ldapdb -> OpenLDAP

Andreas Winkelmann ml at awinkelmann.de
Sat Sep 30 16:19:02 EDT 2006


On Tuesday 26 September 2006 08:09, Torsten Schlabach wrote:

> Let me start with the same sentence which seems to belong to this
> subject: I have read the archives and docs for days, ...
>
> Let me try to keep my question as simple as possible:
>
> My /etc/imapd.conf:
>
> sasl_pwcheck_method: auxprop
>
> sasl_auxprop_plugin: ldapdb
> sasl_ldapdb_uri: ldap://127.0.0.1
> sasl_ldapdb_id: cn=admin,dc=xxxxx,dc=yy

Hmm, I haven't seen a DN here yet. I would guess this is wrong.
Use a normal username.

> sasl_ldapdb_pw: *****
>
> Alternatively I tried
>
> sasl_ldapdb_id: admin

Looks better.

Hmm, you should specify a mechanism which is able to do authorization,
something like DIGEST-MD5 or PLAIN.

sasl_ldapdb_mech: DIGEST-MD5

And did you enable sasl-Authorization in slapd.conf and in the LDAP-Objects?

> What I would expect to see happening is:
>
> 1. User logs on to IMAPd and supplies a username and a password. (I am
> trying this using cyradm.)

No, first ldapdb_id and ldapdb_pw are used.

> 2. Username and password are passed on to the SASL layer.

Then the user of cyradm is searched for and the userPassword is fetched
from LDAP.

This is compared to what comes from cyradm.

> 3. The SASL layer finds out that I am using ldapdb, so it passes the
> username / password onto an LDAP bind.
>
> 4. OpenLDAP is supposed to do the sasl-regexp mapping, locate the object
> to authenticate against and just do it.
>
> Step #4 seems to be ok, as I can test that with
>
> ldapwhoami -U admin
>
> I get an authentication success.
>
> But trying through cyradm I don't even see any activity on the LDAP log.
> So it appears as if IMAPd completely ignores any of the auxprop_plugin
> settings and goes straight to sasldb, which I guess is the default.
>
> How can I debug that?
>
> How can I make sure the settings I have made in /etc/imapd.conf have an
> effect at all?
>
> As SASL is a library and not a process in itself, I would probably have
> to tell IMAPd to do some more logging, don't I?

-- 
	Andreas
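Added by the editor, not part of Andreas's reply or Torsten's post: the three pieces the reply asks for, written out as one configuration. The base DN dc=example,dc=com, the uid attribute, the proxy entry's DN and the password placeholder are assumptions; the option names are the real ldapdb and slapd ones.

```conf
# /etc/imapd.conf (Cyrus IMAP; the sasl_ prefix hands these to libsasl2)
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://127.0.0.1
# SASL username of the proxy identity, not a DN (assumed: admin)
sasl_ldapdb_id: admin
sasl_ldapdb_pw: PROXY-PASSWORD-PLACEHOLDER
# mechanism ldapdb binds with; it must carry a separate authorization id,
# since ldapdb authenticates as sasl_ldapdb_id and authorizes as the IMAP user
sasl_ldapdb_mech: DIGEST-MD5

# /etc/openldap/slapd.conf (OpenLDAP 2.2-era configs spell these
# sasl-regexp and sasl-authz-policy)
# map every SASL identity, proxy user and IMAP user alike, to its entry
authz-regexp
  uid=([^,]*),cn=[^,]*,cn=auth
  ldap:///dc=example,dc=com??sub?(uid=$1)
# let the proxy entry say whom it may act as via its authzTo attribute
authz-policy to

# LDIF applied with ldapmodify: grant the proxy entry (assumed DN) the
# right to authorize as any entry under the base
dn: uid=admin,ou=people,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: dn.subtree:dc=example,dc=com
```

With the LDIF in place, `ldapwhoami -Y DIGEST-MD5 -U admin -X u:someuser` exercises exactly the bind ldapdb performs and is the quickest way to see the failure in slapd's log; DIGEST-MD5 only works if slapd can recover the proxy user's cleartext password, so a hashed userPassword on the admin entry is a common silent cause.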
