How do you do Cyrus logins with

Oliver Jones oliver at
Sun Dec 28 02:49:48 EST 2003

Hmmm.  This seemed to fail to get to the list last time (so I'm posting

I've been beating my head against this for two days now.  First with 2.1
and now with 2.2.  I'm desperate for a solution.

I'm trying to set up Cyrus 2.2 to do virtual domain logins authenticating
off LDAP.

What is happening

Cyrus IMAPd doesn't seem to be passing a full user at login id

When I use cyradm to login as the cyrus user to do some config this is
what SASLAUTHD sends to my LDAP repository:

conn=28 op=3 BIND dn="UID=CYRUS,OU=PEOPLE,DC=OU-FQDN,DC=TLD" method=128
conn=28 op=3 RESULT tag=97 err=0 text=
conn=29 op=2 SRCH base="dc=our-fqdn,dc=tld" scope=2 filter="(uid=cyrus)"
conn=29 op=2 SEARCH RESULT tag=101 err=0 text=

This is all good.  I can login as the cyrus admin user and create
virtual domain mailboxes and Cyrus correctly creates the mailboxes.

However when I use "imtest -m login -a 'user@example.tld' localhost" (or
an IMAP client) to try and login as one of our user@example.tld accounts
it sends this:

conn=26 op=3 BIND dn="UID=CYRUS,OU=PEOPLE,DC=OUR-FQDN,DC=TLD" method=128
conn=26 op=3 RESULT tag=97 err=0 text=
conn=27 op=2 SRCH base="dc=our-fqdn,dc=tld" scope=2 filter="(uid=user)"
conn=27 op=2 SEARCH RESULT tag=101 err=0 text=

Note that it is *not* searching for uid=user@example.tld.  Therefore it
does not match my customer's LDAP entry (see how we have set up the LDAP
dir below).

From the SASLAUTHD docs it suggests that the ldap_filter defaults to
"uid=%u".  %u is supposed to expand to user@domain.  But it is not doing

If I explicitly set SASLAUTHD's ldap_filter to "uid=%u@%d" the lookup
succeeds however when you don't specify a domain when logging in it
searches for "uid=user@".  This breaks searches for "normal"
non-virtdomain users like the "cyrus" admin user.

Now I'm thinking that this behaviour has something to do with the way
SASL deals with "realms".  I really don't understand SASL that well.  So
I don't even know what a "realm" is supposed to be.  I don't care about
realms I just want the user's UID to be their fully qualified email

How can I get this to work correctly???  Please help.  I'm desperate

Help would be highly appreciated.

Below is how we have things configured.

OpenLDAP Config
I'm creating IMAP email users auth details in my LDAP hierarchy like

uid=user@example.tld,ou=People,ou=CustomersCompany,ou=Customers,dc=our-fqdn,dc=tld

I've also got a LDAP tree branch with entries like this:


This is for users with login accounts to the server and for the default
"cyrus" admin login.

I also have entries like this:


We use this entry as a simpleSecurityObject for saslauthd to bind to the
LDAP dir.  We have a number of these entries for other services that use
LDAP.  This is just to allow us to do funky things with LDAP acls etc.

I've configured SASLAUTHD like this:

ldap_servers: ldap://localhost/
ldap_search_base: dc=our-fqdn,dc=tld
ldap_bind_dn: cn=cyrus,ou=Servers,dc=our-fqdn,dc=tld
ldap_bind_pw: password

Cyrus IMAPd 2.2.2 Config
I have Cyrus configured as follows:

configdirectory: /usr/local/cyrus/var/lib/imap
partition-default: /usr/local/cyrus/var/spool/imap
defaultdomain: our-fqdn.tld
loginrealms: example.tld
virtdomains: yes
unixhierarchysep: yes
servername: mail.our-fqdn.tld
admins: cyrus
sievedir: /usr/local/cyrus/var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
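As an added illustration (not part of the original post, and not saslauthd's own code), the following Python simulates the ldap_filter token expansion the post describes: %u as the local part only, so "uid=%u" yields "uid=user" and "uid=%u@%d" yields a dangling "uid=cyrus@" for a bare login. It also shows a single OR filter that matches both forms, and RFC 4515 escaping so a login cannot rewrite the filter. The split rule and the token set (%u, %d, %%) are assumptions for this example; the real token list is in the LDAP_SASLAUTHD document shipped with cyrus-sasl.

```python
# Simulation of saslauthd-style ldap_filter expansion (assumed rules, for
# illustration only; consult LDAP_SASLAUTHD for the real token semantics).


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so login input cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def split_login(login, realm=""):
    """Split 'user@domain' into (user, domain); an explicit realm wins (assumption)."""
    if realm:
        return login, realm
    user, _sep, domain = login.partition("@")
    return user, domain


def expand_filter(template, login, realm=""):
    """Expand %u (user part), %d (domain part) and %% in a filter template."""
    user, domain = split_login(login, realm)
    tokens = {"%u": escape_filter_value(user),
              "%d": escape_filter_value(domain),
              "%%": "%"}
    result = []
    i = 0
    while i < len(template):
        tok = template[i:i + 2]
        if tok in tokens:
            result.append(tokens[tok])
            i += 2
        else:
            result.append(template[i])
            i += 1
    return "".join(result)


if __name__ == "__main__":
    # The two lookups seen in the post: local part only, and a dangling '@'.
    print(expand_filter("uid=%u", "user@example.tld"))       # uid=user
    print(expand_filter("uid=%u@%d", "cyrus"))               # uid=cyrus@
    # One filter that accepts both fully qualified and bare logins.
    print(expand_filter("(|(uid=%u@%d)(uid=%u))", "cyrus"))  # (|(uid=cyrus@)(uid=cyrus))
    # Filter metacharacters in the login are neutralised, not interpreted.
    print(expand_filter("uid=%u", "*"))                      # uid=\2a
```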

