LDAP auth, and Cyrus mailboxes..

Mike Beattie mike.beattie at otago.ac.nz
Tue Jun 15 21:42:58 EDT 2004

Hi folks...

I've just discovered some behaviour from our Cyrus installation, which
serves ~17000 student accounts, that I don't want.

We have a centralised LDAP directory containing all user accounts that have
ever existed, which I have saslauthd authenticating against. The problem I'm
having is this:

A user account that exists in LDAP, but not as a Cyrus mailbox, can be used
to log in. The following should show this:

mailserver:~# testsaslauthd -u auser -p rightpassword
0: OK "Success."
mailserver:~# testsaslauthd -u auser -p wrongpassword 
0: NO "authentication failed"

mailserver:~# su -c "/usr/sbin/ctl_mboxlist -d" cyrus | \
    grep -q auser && echo "exists" || echo "doesn't exist"
doesn't exist

mailserver:~# echo ". logout" | imtest -a auser -w rightpassword localhost
C: L01 LOGIN auser {..}
S: + go ahead
C: <omitted>
S: L01 OK User logged in

mailserver:~# echo ". logout" | imtest -a auser -w wrongpassword localhost
C: L01 LOGIN auser {..}
S: + go ahead
C: <omitted>
S: L01 NO Login failed: user not found
Authentication failed. generic failure

Ok, I can accept that this is logical, in that a user doesn't need to have a
mailbox to log in - they could conceivably be logging in to a server that
requires authentication, purely to read a shared mailbox.

But, for our environment, we do actually want it so that when the user
doesn't have a mailbox, their login attempts will fail.

Is this possible, and if so, any pointers to documentation?

I've googled for about the last half hour, and found nothing that seems to
match what I'm seeing here. If there is something, and I'm stupid, please
point me in the direction I need to go... :)

Mike Beattie  <mike.beattie at otago.ac.nz>     UNIX Systems Engineer, ITS
Ph: +64 3 479 8597       Fax: +64 3 479 5080      Cell: +64 27 44 80386
* Opinions expressed are my own, not those of the University of Otago *
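
Added example, not part of the original post and not Cyrus project code: the `grep -q auser` test in the session above also succeeds when the login is a substring of another mailbox name or appears in an ACL field, so an audit of which directory accounts can authenticate without owning a mailbox needs an exact match on the mailbox-name field. It assumes each `ctl_mboxlist -d` line begins with the internal mailbox name followed by a TAB, that a user's INBOX is named `user.<login>`, and that logins contain no dots; the function names and sample data are constructed.

```shell
#!/bin/sh
# Exact-match audit of logins against a ctl_mboxlist dump (added example).
# Assumption: the first TAB-separated field of each dump line is the
# internal mailbox name, and a user's INBOX is "user.<login>".

# Constructed sample dump (not real data). "auser" occurs only as a
# substring of another login and inside an ACL field, never as a mailbox.
sample_dump() {
    printf 'user.auser2\t0 default auser2\tlrswipcda\t\n'
    printf 'user.bob\t0 default bob\tlrswipcda\tauser\tlrs\t\n'
    printf 'user.bob.Sent\t0 default bob\tlrswipcda\t\n'
    printf 'shared.notices\t0 default anyone\tlrs\t\n'
}

# has_inbox LOGIN < dump
# Exit status 0 only if a mailbox named exactly user.LOGIN is in the dump.
has_inbox() {
    awk -F '\t' -v want="user.$1" '
        $1 == want { found = 1 }
        END { exit !found }
    '
}

# missing_inboxes DUMPFILE < logins (one per line, e.g. exported from LDAP)
# Prints every login that has no INBOX in the dump: these are the accounts
# that can authenticate to IMAP without owning a mailbox.
missing_inboxes() {
    awk -F '\t' '
        FILENAME == ARGV[1] {
            # Top-level user mailboxes only; skip subfolders and shared ones.
            if ($1 ~ /^user\.[^.]+$/) inbox[substr($1, 6)] = 1
            next
        }
        $0 != "" && !($0 in inbox)
    ' "$1" -
}
```

On a live server the dump would come from the same command used in the post, `su -c "/usr/sbin/ctl_mboxlist -d" cyrus`, redirected to a file and passed as DUMPFILE.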