saslauthd filter

John Wade jwade at oakton.edu
Mon Aug 16 13:02:29 EDT 2004


Hi Adi,

The trick is that your filter must be a complete ldap filter to find the
user.   This is documented somewhere in the saslauthd ldap documentation.

The default filter is:

ldap_filter: (cn=%U)

Where %U represents the case-unchanged version of the username, i.e. if I
am "JWade at oakton.edu" it would be "JWade". Note that we use %u, which
converts to lower case.

Just add your other attributes using the appropriate LDAP syntax:

ldap_filter: (&(cn=%U)(!(myNewUser=true)))

This one means CN equals username and myNewUser is not equal to true. Be
careful with undefined values: if myNewUser is not a mandatory attribute, you
will not retrieve any users for whom it is not defined using the syntax above.

There is a relatively simple way to construct a filter that works properly
with undefined values.   For example, we use the following to search for
users whose "login disabled" property is either undefined or FALSE:   (This
is from a perl script, not saslauthd.conf.)


$filter="(&(cn=$username)(objectclass=user)(passwordExpirationTime=*)(|(loginDisabled=FALSE)(!(logindisabled=*))))";

When in doubt, do a google search for ldap filter syntax and find some good
examples.

Hope this helps,
John



Adi Linden wrote:

> Hi,
>
> I am using saslauthd to control access to a mail server running SMTP
> AUTH. Can I check for the existence or lack of existence of an LDAP
> attribute using saslauthd?
>
> Here is what I have in /etc/saslauthd.conf now:
>
> ldap_auth_method: bind
> ldap_servers: ldap://172.28.1.22
> ldap_search_base: ou=people,dc=example,dc=ca
> ldap_use_sasl: no
> ldap_method: simple
>
> If I add a line such as:
>
> ldap_filter: myNewUser=true
>
> I would have expected the authentication to succeed if the user has the
> myNewUser attribute set to true. That doesn't work, that's my first
> problem. The second problem is that once this is working I need to invert
> the meaning in the sense that users with myNewUser=true should not
> authenticate...
>
> Thanks,
> Adi
>
> ---
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
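
The filters discussed in this thread, run through a small evaluator, as an added example that is not part of the original messages or of saslauthd. It assumes the three-valued filter logic of RFC 4511 (TRUE, FALSE, Undefined); `absent_is_undefined` is a hypothetical switch modelling a server that returns Undefined for an equality test on an attribute the entry lacks, and PRESENCE applies the "undefined or FALSE" pattern from the reply to the myNewUser attribute. The entries are constructed.

```python
# Added example, not from the thread: LDAP filter matching with RFC 4511's
# three-valued logic (None = Undefined). Supports &, |, !, equality, presence.

def parse(f, i=0):  # returns (node, next_index) for the filter starting at f[i]
    if f[i:i + 1] != "(":
        raise ValueError("filter must be fully parenthesised")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError("wrong number of sub-filters for " + op)
        node = (op, kids)
    else:
        end = f.index(")", i)
        attr, value = f[i:end].split("=", 1)
        node, i = ("=", attr.lower(), value), end
    if f[i:i + 1] != ")":
        raise ValueError("unbalanced filter")
    return node, i + 1

def evaluate(node, entry, absent_is_undefined):
    """Return True, False or None (Undefined) for an entry (dict of value lists)."""
    if node[0] == "=":
        values = entry.get(node[1])
        if node[2] == "*":                      # presence test is always TRUE/FALSE
            return values is not None
        if values is None:                      # attribute missing from the entry
            return None if absent_is_undefined else False
        return node[2].lower() in [v.lower() for v in values]
    if node[0] == "!":                          # NOT keeps Undefined as Undefined
        r = evaluate(node[1][0], entry, absent_is_undefined)
        return None if r is None else not r
    rs = [evaluate(k, entry, absent_is_undefined) for k in node[1]]
    decisive = node[0] == "|"                   # OR is settled by TRUE, AND by FALSE
    return decisive if decisive in rs else (None if None in rs else not decisive)

def matches(text, entry, absent_is_undefined=False):
    node, end = parse(text)
    if end != len(text):
        raise ValueError("trailing text after filter")
    return evaluate(node, entry, absent_is_undefined) is True  # only TRUE selects

# Constructed entries and filters; "jwade" stands in for the substituted %u.
FLAGGED = {"cn": ["jwade"], "mynewuser": ["true"]}
UNSET = {"cn": ["jwade"]}
NEGATED = "(&(cn=jwade)(!(myNewUser=true)))"
PRESENCE = "(&(cn=jwade)(|(myNewUser=false)(!(myNewUser=*))))"
```

With the presence test, the UNSET entry is selected under either setting of the switch, while the bare negation selects it only when the missing attribute compares as FALSE; the flagged entry is rejected by both filters.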

More information about the Info-cyrus mailing list