cyrus-pop3 and saslauthd. username check in mailbox.db?
Igor Brezac
igor at ipass.net
Thu Dec 16 11:14:18 EST 2004
On Thu, 16 Dec 2004, Thomas Vogt wrote:
> Hello
>
> I use cyrus-imapd 2.2.10 and saslauthd.
>
> saslauthd works fine:
> testsaslauthd -u pc322 -p testpw
> 0: OK "Success."
>
> testsaslauthd -u test@lan -p testpw
> 0: OK "Success."
>
> (same user in the ldap database. pc322 is uid, test@lan is
> mailacceptinggeneralid)
>
> That's why I've defined an ldap filter. The idea is to check mailboxes with
> uid as username or with the ldap entry in mailacceptinggeneralid as
> username.
>
>
> imapd.conf:
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> servername: testserver.lan
> hashimapspool: true
> poptimeout: 10
> allowplaintext: yes
> sasl_pwcheck_method: saslauthd
> ldap_filter: (|(uid=%u)(mailacceptinggeneralid=%u))
>
>
> saslauthd.conf:
> ldap_servers: ldap://home.lan
> ldap_search_base: ou=people,ou=lan,dc=lan,dc=ch
> ldap_filter: (|(uid=%u)(mailacceptinggeneralid=%u))
>
>
> First of all: do I have to define the ldap_filter in imapd.conf and in
> saslauthd.conf? I thought sasl_pwcheck_method: saslauthd in imapd.conf
> is enough.
>
Correct. You can only define ldap_filter in saslauthd.conf.
>
> Login with the uid/mailbox name in ldap (username: pc322) works fine.
>
> Escape character is '^]'.
> +OK mail.lan Cyrus POP3 v2.2.10 server ready
> <2989684599.1103209263@mail.lan
> user pc322
> +OK Name is a valid mailbox
> pass testpw
> ...
>
>
> Now I tried to log in with the username from mailacceptinggeneralid in
> ldap (username: thomas@lan).
>
> Escape character is '^]'.
> +OK mail.lan Cyrus POP3 v2.2.10 server ready
> <2989684599.1403209263@mail.lan
> user thomas@lan
> -ERR [AUTH] Invalid user
>
>
> This error message returned immediately. There was no check from cyrus
> imapd to saslauthd => ldap.
This is because you do not have a user.thomas@lan mailbox.
> Is it not possible to authenticate a user in cyrus-imapd with names
> other than the default uid/mailbox name even if I've set ldap_filter? Is
> the username check limited to the mailbox.db?
> I mean cyrus can always get the uid if a user authenticates itself
> with another entry in the ldap server.
This is not how it works. saslauthd verifies passwords only.
There are several ways to implement user rewriting functionality. I would
write a custom sasl canon plugin.
--
Igor
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
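To make the order of checks Igor describes concrete, here is a small Python model of the POP3 login path. It is an added illustration, not Cyrus, Cyrus SASL or saslauthd code; the directory entry, the mailbox list, and the names `DIRECTORY`, `MAILBOX_DB`, `LoginResult` and `pop3_login` are constructed for this example. It shows why `USER thomas@lan` fails before any LDAP traffic happens (the mailbox lookup comes first and saslauthd only ever answers a password question), and how a canonicalisation step that rewrites the login name to the uid changes the outcome.

```python
"""Model of the order of checks in a Cyrus POP3 login (added illustration,
not Cyrus or saslauthd code). Directory and mailbox data are constructed."""

from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the LDAP directory: one person entry whose uid is
# pc322 and whose mailacceptinggeneralid is test@lan, as in the thread.
DIRECTORY = [
    {"uid": "pc322", "mailacceptinggeneralid": ["test@lan"], "userPassword": "testpw"},
]

# Constructed stand-in for mailboxes.db: a mailbox exists only under the uid.
MAILBOX_DB = {"user.pc322"}


def ldap_filter_matches(entry: dict, user: str) -> bool:
    """Equivalent of the filter (|(uid=%u)(mailacceptinggeneralid=%u))."""
    return user == entry["uid"] or user in entry["mailacceptinggeneralid"]


def saslauthd_check(user: str, password: str) -> bool:
    """Model of saslauthd: it only answers whether the password is valid for
    an entry matching the filter. It never tells Cyrus which mailbox to use."""
    for entry in DIRECTORY:
        if ldap_filter_matches(entry, user):
            return password == entry["userPassword"]
    return False


def canon_to_uid(user: str) -> Optional[str]:
    """Model of the user-rewriting step Igor suggests (a custom SASL canon
    plugin): map any accepted login name back to the uid, which is the name
    the mailbox is stored under."""
    for entry in DIRECTORY:
        if ldap_filter_matches(entry, user):
            return entry["uid"]
    return None


@dataclass
class LoginResult:
    ok: bool
    stage: str               # "canon", "mailbox" or "password": where the decision fell
    mailbox: Optional[str]   # mailbox the session would be bound to, if any
    saslauthd_queried: bool  # whether a password check (and LDAP bind) ever happened


def pop3_login(user: str, password: str, rewrite_user: bool = False) -> LoginResult:
    """USER is validated against the mailbox list before PASS is ever
    evaluated, which is why the thread sees -ERR with no LDAP traffic."""
    name = user
    if rewrite_user:
        name = canon_to_uid(user)
        if name is None:
            return LoginResult(False, "canon", None, False)
    mailbox = f"user.{name}"
    if mailbox not in MAILBOX_DB:
        # "-ERR [AUTH] Invalid user": decided locally, saslauthd not contacted
        return LoginResult(False, "mailbox", None, False)
    # "+OK Name is a valid mailbox"; PASS now goes to saslauthd. The model
    # hands saslauthd the name as typed; the filter accepts either form.
    if saslauthd_check(user, password):
        return LoginResult(True, "password", mailbox, True)
    return LoginResult(False, "password", None, True)


if __name__ == "__main__":
    for login, rewrite in (("pc322", False), ("test@lan", False), ("test@lan", True)):
        print(login, "rewrite" if rewrite else "no rewrite", pop3_login(login, "testpw", rewrite))
```

The point for a deployment: the name that survives canonicalisation is the one Cyrus uses for the mailbox and for ACL decisions, so any rewriting step has to map every accepted alias to exactly one uid and reject everything else, otherwise a second directory entry carrying the same mailacceptinggeneralid value would be routed into someone else's mailbox.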