Global admin fails via saslauthd and ldap

Igor Brezac igor at ipass.net
Thu Aug 19 12:06:10 EDT 2004


On Wed, 18 Aug 2004 imap at adari.net wrote:

> Hello,
>
> I have done some digging into the code and found the following:
>
> The login process is going through the following function calls:
> cmd_login() -> imapd_canon_user() -> mysasl_canon_user() -> canonify_userid()
> in canonify_userid() for default domain, domain part is getting dropped and
> only mailid is returned as "canonuser". This value is propagated all the way
> to saslauthd_verify_password() where the user_realm is null for the global
> admin case and hence the ldap lookup fails. For all other cases "canonuser"
> gets the complete email address and hence the ldap lookups are succeeding.
>
> Does anyone on the list use 'saslauthd' with the 'ldap' backend? Appreciate
> pointers!

You can add a separate entry for your admins in ldap.

Or

Use ldap_default_realm: defaultdomain in saslauthd.conf

-Igor


> Thanks
> __
> Seva
>
>> We are looking to migrate from our existing 2.1.x to the latest ver 2.2.8.
>> We want to use stock virtual hosting feature and have configured the system
>> accordingly. We are able to login via 'cyradm' and create user mailboxes
>> if we use domain specific admin. We have trouble logging in as global admin.
>> We are using 'saslauthd' and 'ldap' for authentication and using the
>> following setting in the imapd.conf file:
>>
>>
>> virtdomains: on
>> admins: globaladmin mailadmin@test.com
>> defaultdomain: xyz.com
>>
>>
>> We are able to login as mailadmin@test.com and create mailboxes for
>> 'test.com' but can't login as 'globaladmin'. Alternatively, if we change the
>> above config to the following:
>>
>>
>> virtdomains: on
>> admins: globaladmin@xyz.com mailadmin
>> defaultdomain: test.com
>>
>>
>> then we can login as globaladmin@xyz.com and create mailboxes for 'xyz.com'
>> but can't login as mailadmin.
>>
>>
>> We found that the default domain is getting discarded by the system and
>> never getting passed to ldap server hence the 'DN' is missing the domain
>> component and hence failing.
>>
>>
>> Is there some config setting we are missing that is causing this?
>
>
> ---
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>




More information about the Info-cyrus mailing list
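
The failure and the `ldap_default_realm` workaround discussed in this thread, as an added example that is not part of the original messages and is not Cyrus or saslauthd source code. The function names follow the thread, but their bodies, the `DIRECTORY` set and the `login` helper are assumptions that model only the behaviour the posters describe.

```python
# Simplified model (added example) of the login path described in the thread.
# Function names mirror the thread; the bodies are assumptions, not Cyrus source.

DIRECTORY = {  # constructed LDAP entries, keyed by (uid, domain)
    ("globaladmin", "xyz.com"),
    ("mailadmin", "test.com"),
}

def canonify_userid(login_name, defaultdomain):
    """Drop the domain part when it equals defaultdomain, as the thread reports."""
    user, _, domain = login_name.partition("@")
    if not domain or domain.lower() == defaultdomain.lower():
        return user
    return f"{user}@{domain.lower()}"

def saslauthd_verify(canonuser, ldap_default_realm=None):
    """Split canonuser into user and realm, then look the pair up.

    Returns the (uid, realm) pair that was searched and whether it matched.
    """
    user, _, realm = canonuser.partition("@")
    realm = realm or ldap_default_realm  # None models the null user_realm
    return (user, realm), (user, realm) in DIRECTORY

def login(login_name, defaultdomain, ldap_default_realm=None):
    """Run the whole modelled path: canonicalise, then verify against LDAP."""
    canonuser = canonify_userid(login_name, defaultdomain)
    return saslauthd_verify(canonuser, ldap_default_realm)

if __name__ == "__main__":
    # First imapd.conf from the thread: defaultdomain is xyz.com.
    for name in ("globaladmin", "globaladmin@xyz.com", "mailadmin@test.com"):
        for realm in (None, "xyz.com"):
            searched, ok = login(name, "xyz.com", realm)
            print(f"{name!r:24} default_realm={realm!s:8} searched={searched} ok={ok}")
```

In this model the default realm is applied only when the canonical user id carries no domain, so fully qualified logins from other domains are unaffected.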