How do you do Cyrus logins with user@fqdn.com???

Oliver Jones oliver at deeper.co.nz
Sun Dec 28 02:49:48 EST 2003


Hmmm.  This seemed to fail to get to the list last time (so I'm posting
again).
---------

I've been beating my head against this for two days now.  First with 2.1
and now with 2.2.  I'm desperate for a solution.

I'm trying to set up Cyrus 2.2 to do virtual domain logins authenticating
off LDAP.

What is happening
-----------------

Cyrus IMAPd doesn't seem to be passing a full user@example.com login id
to SASLAUTHD.

When I use cyradm to log in as the cyrus user to do some config, this is
what SASLAUTHD sends to my LDAP repository:

conn=28 op=3 BIND dn="UID=CYRUS,OU=PEOPLE,DC=OUR-FQDN,DC=TLD" method=128
conn=28 op=3 RESULT tag=97 err=0 text=
conn=29 op=2 SRCH base="dc=our-fqdn,dc=tld" scope=2 filter="(uid=cyrus)"
conn=29 op=2 SEARCH RESULT tag=101 err=0 text=

This is all good.  I can log in as the cyrus admin user and create
virtual domain mailboxes, and Cyrus correctly creates the mailboxes.

However, when I use "imtest -m login -a 'user@example.tld' localhost" (or
an IMAP client) to try to log in as one of our user@example.tld accounts,
it sends this:

conn=26 op=3 BIND dn="UID=CYRUS,OU=PEOPLE,DC=OUR-FQDN,DC=TLD" method=128
conn=26 op=3 RESULT tag=97 err=0 text=
conn=27 op=2 SRCH base="dc=our-fqdn,dc=tld" scope=2 filter="(uid=user)"
conn=27 op=2 SEARCH RESULT tag=101 err=0 text=

Note that it is *not* searching for uid=user@example.tld.  Therefore it
does not match my customer's LDAP entry (see how we have set up the LDAP
dir below).

The SASLAUTHD docs suggest that the ldap_filter defaults to "uid=%u".
%u is supposed to expand to user@domain.  But it is not doing this.

If I explicitly set SASLAUTHD's ldap_filter to "uid=%u@%d", the lookup
succeeds; however, when you don't specify a domain when logging in, it
searches for "uid=user@".  This breaks searches for "normal"
non-virtdomain users like the "cyrus" admin user.

Now I'm thinking that this behaviour has something to do with the way
SASL deals with "realms".  I really don't understand SASL that well, so
I don't even know what a "realm" is supposed to be.  I don't care about
realms; I just want the user's UID to be their fully qualified email
address.

How can I get this to work correctly???  Please help.  I'm desperate
here!!

Help would be highly appreciated.

Below is how we have things configured.

OpenLDAP Config
---------------
I'm creating IMAP email users' auth details in my LDAP hierarchy like
this:

uid=user@example.tld,ou=People,ou=CustomersCompany,ou=Customers,dc=our-fqdn,dc=tld

I've also got a LDAP tree branch with entries like this:

uid=cyrus,ou=People,dc=our-fqdn,dc=tld

This is for users with login accounts to the server and for the default
"cyrus" admin login.

I also have entries like this:

cn=cyrus,ou=Servers,dc=our-fqdn,dc=tld

We use this entry as a simpleSecurityObject for saslauthd to bind to the
LDAP dir.  We have a number of these entries for other services that use
LDAP.  This is just to allow us to do funky things with LDAP ACLs etc.

SASLAUTHD Config
----------------
I've configured SASLAUTHD like this:

ldap_servers: ldap://localhost/
ldap_search_base: dc=our-fqdn,dc=tld
ldap_bind_dn: cn=cyrus,ou=Servers,dc=our-fqdn,dc=tld
ldap_bind_pw: password

Cyrus IMAPd 2.2.2 Config
------------------------
I have Cyrus configured as follows:

configdirectory: /usr/local/cyrus/var/lib/imap
partition-default: /usr/local/cyrus/var/spool/imap
defaultdomain: our-fqdn.tld
loginrealms: example.tld
virtdomains: yes
unixhierarchysep: yes
servername: mail.our-fqdn.tld
admins: cyrus
sievedir: /usr/local/cyrus/var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
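The two failures described above (the default filter searching for
"uid=user" only, and "uid=%u@%d" turning a bare "cyrus" login into
"uid=cyrus@") come down to how the login name is split at "@" and then
substituted into a filter template. The following Python is an added
illustration written for this page; it is not saslauthd or Cyrus code. It
models the behaviour the post reports (%u expands to the part before "@",
%d to the part after it, empty when there is none) and the function and
template names are assumptions of the example. It also escapes the
substituted values per RFC 4515, which any code that builds an LDAP
filter from a user-supplied login name must do, since an unescaped "*" or
")" in a login name would otherwise change the filter's structure.

```python
# Added example: models login splitting and LDAP filter template expansion
# as observed in the post.  Not saslauthd/Cyrus code; token meanings and
# helper names are this example's assumptions.

from typing import Tuple

# RFC 4515 section 3: these characters must be escaped inside a filter
# assertion value, otherwise a login name could alter the filter itself.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def split_login(login: str) -> Tuple[str, str]:
    """Split 'user@domain' into (user, domain); a bare name has domain ''."""
    user, _sep, domain = login.partition("@")
    return user, domain


def expand_filter(template: str, login: str) -> str:
    """Expand %u (local part), %d (domain part) and %% in a filter template.

    Unknown tokens are left untouched; substituted values are escaped.
    """
    user, domain = split_login(login)
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            tok = template[i + 1]
            if tok == "u":
                out.append(escape_filter_value(user))
            elif tok == "d":
                out.append(escape_filter_value(domain))
            elif tok == "%":
                out.append("%")
            else:
                out.append(template[i:i + 2])  # unknown token, keep as-is
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def domain_aware_filter(login: str,
                        with_domain: str = "(uid=%u@%d)",
                        without_domain: str = "(uid=%u)") -> str:
    """Pick the template by whether the login carries a domain, so a bare
    admin login such as 'cyrus' is not searched as 'uid=cyrus@'."""
    _user, domain = split_login(login)
    return expand_filter(with_domain if domain else without_domain, login)


if __name__ == "__main__":
    # The default filter drops the domain, matching the post's LDAP log.
    print(expand_filter("(uid=%u)", "user@example.tld"))    # (uid=user)
    # Forcing the domain in breaks bare logins.
    print(expand_filter("(uid=%u@%d)", "cyrus"))            # (uid=cyrus@)
    # Choosing the template by presence of a domain handles both cases.
    print(domain_aware_filter("user@example.tld"))          # (uid=user@example.tld)
    print(domain_aware_filter("cyrus"))                     # (uid=cyrus)
    # A crafted login name cannot widen the search.
    print(domain_aware_filter("*)(objectClass=*"))          # (uid=\2a\29\28objectClass=\2a)
```

The last call shows why the escaping matters: without it, a login of
"*)(objectClass=*" would match every entry under the search base, and a
bind attempt against whatever DN came back first. Whether a real
saslauthd build splits the domain off as a SASL realm or keeps it in %u
is exactly the question the post raises, so check the ldap_filter token
documentation of the saslauthd version actually installed rather than
relying on this model.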