How do you do Cyrus logins with email@example.com???
oliver at deeper.co.nz
Sun Dec 28 02:49:48 EST 2003
Hmmm. This seemed to fail to get to the list last time (so I'm posting
I've been beating my head against this for two days now. First with 2.1
and now with 2.2. I'm desperate for a solution.
I'm trying to set up Cyrus 2.2 to do virtual domain logins authenticating
What is happening
Cyrus IMAPd doesn't seem to be passing a full user@example.com login id
When I use cyradm to log in as the cyrus user to do some config this is
what SASLAUTHD sends to my LDAP repository:
conn=28 op=3 BIND dn="UID=CYRUS,OU=PEOPLE,DC=OU-FQDN,DC=TLD" method=128
conn=28 op=3 RESULT tag=97 err=0 text=
conn=29 op=2 SRCH base="dc=our-fqdn,dc=tld" scope=2 filter="(uid=cyrus)"
conn=29 op=2 SEARCH RESULT tag=101 err=0 text=
This is all good. I can log in as the cyrus admin user and create
virtual domain mailboxes and Cyrus correctly creates the mailboxes.
However when I use "imtest -m login -a 'user@example.tld' localhost" (or
an IMAP client) to try and log in as one of our user@example.tld accounts
it sends this:
conn=26 op=3 BIND dn="UID=CYRUS,OU=PEOPLE,DC=OUR-FQDN,DC=TLD" method=128
conn=26 op=3 RESULT tag=97 err=0 text=
conn=27 op=2 SRCH base="dc=our-fqdn,dc=tld" scope=2 filter="(uid=user)"
conn=27 op=2 SEARCH RESULT tag=101 err=0 text=
Note that it is *not* searching for uid=user@example.tld. Therefore
does not match my customer's LDAP entry (see how we have set up the LDAP
From the SASLAUTHD docs it suggests that the ldap_filter defaults to
"uid=%u". %u is supposed to expand to user@domain. But it is not doing
If I explicitly set SASLAUTHD's ldap_filter to "uid=%u@%d" the lookup
succeeds however when you don't specify a domain when logging in it
searches for "uid=user@". This breaks searches for "normal"
non-virtdomain users like the "cyrus" admin user.
Now I'm thinking that this behaviour has something to do with the way
SASL deals with "realms". I really don't understand SASL that well. So
I don't even know what a "realm" is supposed to be. I don't care about
realms I just want the user's UID to be their fully qualified email
How can I get this to work correctly??? Please help. I'm desperate
Help would be highly appreciated.
Below is how we have things configured.
I'm creating IMAP email users auth details in my LDAP hierarchy like
uid=user@example.tld,ou=People,ou=CustomersCompany,ou=Customers,dc=our-fqdn,dc=tld
I've also got a LDAP tree branch with entries like this:
This is for users with login accounts to the server and for the default
"cyrus" admin login.
I also have entries like this:
We use this entry as a simpleSecurityObject for saslauthd bind to the
LDAP dir. We have a number of these entries for other services that use
LDAP. This is just to allow us to do funky things with LDAP acls etc.
I've configured SASLAUTHD like this:
Cyrus IMAPd 2.2.2 Config
I have Cyrus configured as follows:
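
The filter expansion described in this post, modelled as an added example (not part of the original post and not saslauthd's own code): it reports which logins each ldap_filter setting fails to look up by their full uid. It assumes, from the logged searches above, that %u expands to the part before the @ and %d to the part after it; the function names and sample logins are constructed.

```python
import re

# Constructed sample logins mirroring the two kinds of account in the post.
SAMPLE_LOGINS = ["cyrus", "user@example.tld"]


def split_login(login):
    """Split a login id into (user, domain); domain is '' when there is no '@'."""
    user, _, domain = login.partition("@")
    return user, domain


def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a login id stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def expand(template, login):
    """Expand %u and %d in one pass (assumed model: %u = local part, %d = domain)."""
    user, domain = split_login(login)
    values = {"u": escape_filter_value(user), "d": escape_filter_value(domain)}
    return "(" + re.sub(r"%([ud])", lambda m: values[m.group(1)], template) + ")"


def mismatches(template, logins):
    """Return {login: filter} for logins whose filter would not select their own uid."""
    bad = {}
    for login in logins:
        wanted = "(uid=%s)" % escape_filter_value(login)
        produced = expand(template, login)
        if produced != wanted:
            bad[login] = produced
    return bad


if __name__ == "__main__":
    for template in ("uid=%u", "uid=%u@%d"):
        print(template, "->", mismatches(template, SAMPLE_LOGINS))
```

Under this model neither setting covers both kinds of account: "uid=%u" drops the domain for virtual-domain users, and "uid=%u@%d" leaves a trailing @ for the domainless admin login.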