How do you do Cyrus logins with

Igor Brezac igor at
Sun Dec 28 08:13:04 EST 2003

On Sun, 28 Dec 2003, Oliver Jones wrote:

> Hmmm.  This seemed to fail to get to the list last time (so I'm posting
> again).
> ---------
> I've been beating my head against this for two days now.  First with 2.1
> and now with 2.2.  I'm desperate for a solution.
> I'm trying to set up Cyrus 2.2 to do virtual domain logins authenticating
> off LDAP.
> What is happening
> -----------------
> Cyrus IMAPd doesn't seem to be passing a full user at login id
> When I use cyradm to login as the cyrus user to do some config this is
> what SASLAUTHD sends to my LDAP repository:
> conn=28 op=3 BIND dn="UID=CYRUS,OU=PEOPLE,DC=OU-FQDN,DC=TLD" method=128
> conn=28 op=3 RESULT tag=97 err=0 text=
> conn=29 op=2 SRCH base="dc=our-fqdn,dc=tld" scope=2 filter="(uid=cyrus)"
> conn=29 op=2 SEARCH RESULT tag=101 err=0 text=
> This is all good.  I can login as the cyrus admin user and create
> virtual domain mailboxes and Cyrus correctly creates the mailboxes.
> However, when I use "imtest -m login -a 'user@example.tld' localhost" (or
> an IMAP client) to try and login as one of our user@example.tld accounts
> it sends this:
> conn=26 op=3 BIND dn="UID=CYRUS,OU=PEOPLE,DC=OUR-FQDN,DC=TLD" method=128
> conn=26 op=3 RESULT tag=97 err=0 text=
> conn=27 op=2 SRCH base="dc=our-fqdn,dc=tld" scope=2 filter="(uid=user)"
> conn=27 op=2 SEARCH RESULT tag=101 err=0 text=
> Note that it is *not* searching for uid=user@example.tld.  Therefore it
> does not match my customer's LDAP entry (see how we have set up the LDAP
> dir below).
> From the SASLAUTHD docs it suggests that the ldap_filter defaults to
> "uid=%u".  %u is supposed to expand to user@domain.  But it is not doing
> this.
> If I explicitly set SASLAUTHD's ldap_filter to "uid=%u@%d" the lookup
> succeeds; however, when you don't specify a domain when logging in it
> searches for "uid=user@".  This breaks searches for "normal"
> non-virtdomain users like the "cyrus" admin user.

ldap_filter: %U@%r

The current version of sasl lib splits a 'fully qualified username' into
userid and realm.  I believe this is wrong behavior because '@' is a
valid userid character and the domain part is really not a realm
identifier in such instances.

Hope this helps.
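
The token behaviour discussed in this thread, as an added example that is not part of either post and is not saslauthd's own code: a small Python model of the username split and the ldap_filter expansion. The split at the first '@', the %d fallback to the realm, the "uid=" prefix on the %U@%r template and the RFC 4515 escaping are assumptions of this model.

```python
import re

# RFC 4515 escapes for characters that are special inside an LDAP filter value.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape(value):
    return "".join(_ESC.get(ch, ch) for ch in value)

def split_login(login):
    """Split a login id into (userid, realm) at the first '@' (assumed split point)."""
    user, _, realm = login.partition("@")
    return user, realm

def expand(template, user, realm):
    """Expand %u, %U, %d, %r and %% in a filter template."""
    local, _, domain = user.partition("@")
    tokens = {
        "u": user,             # username exactly as handed to the LDAP lookup
        "U": local,            # user portion of %u
        "d": domain or realm,  # assumption: falls back to the realm
        "r": realm,
    }
    def substitute(match):
        key = match.group(1)
        if key == "%":
            return "%"
        if key not in tokens:
            raise ValueError(f"unsupported token %{key}")
        return escape(tokens[key])
    return re.sub(r"%(.)", substitute, template)

def filters_for(login, templates):
    user, realm = split_login(login)
    return {t: expand(t, user, realm) for t in templates}

# Templates from the thread; the "uid=" prefix on the last one is assumed.
TEMPLATES = ["uid=%u", "uid=%u@%d", "uid=%U@%r"]

if __name__ == "__main__":
    for login in ("user@example.tld", "cyrus"):  # constructed sample logins
        for template, result in filters_for(login, TEMPLATES).items():
            print(f"{login:18} {template:12} -> ({result})")
```

For an unqualified login such as cyrus the model's realm is empty, so both '@' templates expand to uid=cyrus@, the case the question reports for uid=%u@%d.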


