saslauthd filter

John Wade jwade at
Mon Aug 16 13:02:29 EDT 2004

Hi Adi,

The trick is that your filter must be a complete ldap filter to find the
user.   This is documented somewhere in the saslauthd ldap documentation.

The default filter is:

ldap_filter: (cn=%U)

Where %U represents the case unchanged version of the username.   i.e. if  I
am "JWade at" it would be "JWade"   Note that we use %u which
converts to lower case.

Just add your other attributes using the apropriate LDAP syntax:

ldap_filter: (&(cn=%U)(!(myNewUser=true)))

This one means CN equals username and myNewUser is not equal to true.   Be
careful with undefined values, if myNewUser is not a mandatory attribute, you
will not retrieve any users for whom it is not defined using the syntax above

There is a relatively simple way to construct a filter that works properly
with undefined values.   For example, we use the following to search for
users whose "login disabled" property is either undefined or FALSE:   (This
is from a perl script, not saslauthd.conf.)


When in doubt, do a google search for ldap filter syntax and find some good

Hope this helps,

Adi Linden wrote:

> Hi,
> I am using saslauthd to control access to a mail server running SMATP
> AUTH. Can I check for the existance or lack of existance of a ldap
> attribute using saslauthd?
> Here is what I have in /etc/saslauthd.conf now:
> ldap_auth_method: bind
> ldap_servers: ldap://
> ldap_search_base: ou=people,dc=example,dc=ca
> ldap_use_sasl: no
> ldap_method: simple
> If I add a line such as:
> ldap_filter: myNewUser=true
> I would have expected the authentication to succeed if the user has the
> myNewUser attribute set to true. That doesn't work, that's my first
> problem. The second problem is that once this is working I need to invert
> the meaning in the sense that users with myNewUser=true should not
> authenticate...
> Thanks,
> Adi
> ---
> Cyrus Home Page:
> Cyrus Wiki/FAQ:
> List Archives/Info:

Cyrus Home Page:
Cyrus Wiki/FAQ:
List Archives/Info:

More information about the Info-cyrus mailing list