cyrus-2.2.3 + cyrus-sasl + ldap problem

Igor Brezac igor at ipass.net
Fri May 21 09:56:16 EDT 2004


On Fri, 21 May 2004, Andrew B. Panphiloff wrote:

> I have strange behaviour of cyrus-imapd and cyrus-sasl.
>
> imapd config :
>
> --------------------------------------------------------------------------
> tls_ca_file: /etc/ssl/cyrus.pem
> tls_cert_file: /etc/ssl/cyrus.pem
> tls_key_file: /etc/ssl/cyrus.pem
> virtdomains: yes
> defaultdomain: localhost
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> sievedir: /var/imap/sieve
> altnamespace: no
> unixhierarchysep: no
> lmtp_downcase_rcpt: yes
> admins: cyrus
> allowanonymouslogin: no
> popminpoll: 0
> autocreatequota: 100000
> createonpost: yes
> autocreateinboxfolders: Sent | Drafts | Templates | Trash
> autosubscribeinboxfolders: Sent | Drafts
> umask: 077
> sieveusehomedir: false
> hashimapspool: true
> allowplaintext: yes
> sasl_mech_list: plain login
> sasl_minimum_layer: 0
> sasl_pwcheck_method: saslauthd
> sasl_auto_transition: no
> tls_ca_path: /etc/ssl/certs
> tls_session_timeout: 1440
> tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
> lmtpsocket: /var/run/cyrus/socket/lmtp
> idlesocket: /var/run/cyrus/socket/idle
> notifysocket: /var/run/cyrus/socket/notify
> ---------------------------------------------------------------------------
>
> saslauthd.conf config:
>
> ---------------------------------------------------------------------------
> ldap_servers: ldap://127.0.0.1
> ldap_bind_dn: cn=admin,o=8ka.mipt.ru
> ldap_bind_pw: xxx
> ldap_version: 3
> ldap_search_base: ou=Mail,o=8ka.mipt.ru
> ldap_filter: mail=%u

Change to

ldap_filter: mail=%u@%r

and things will work.

> Why, in the first case, does saslauthd get "user=jeka@8ka.mipt.ru" and "realm="

If you want to emulate imapd behavior, you need to run
'testsaslauthd -u jeka -r 8ka.mipt.ru -p xxx'.

> but in the second case it gets "user=jeka" and "realm=8ka.mipt.ru"?
> How do I fix this behaviour?

libsasl splits a fully qualified username before it is passed to saslauthd.

An alternate fix is to download the CVS version of saslauthd and use the -r
option, which reassembles the fully qualified username before it is passed to
the authentication mechs.

-- 
Igor
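
Added example, not part of the original message and not saslauthd code: a simplified Python model of the behaviour described in the reply, showing why `mail=%u` matches when the full address arrives as the user with an empty realm but fails once libsasl has split it, and why `mail=%u@%r` fixes the imapd path. The function names, the constructed directory entry, and the RFC 4515 escaping step are assumptions of this sketch.

```python
# Simplified model (an assumption, not saslauthd source) of how a login name
# reaches the ldap_filter template from saslauthd.conf.

def split_login(login):
    """Model libsasl: split a fully qualified name into (user, realm)."""
    user, sep, realm = login.rpartition("@")
    return (user, realm) if sep else (login, "")

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login cannot reshape the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def expand_filter(template, user, realm):
    """Expand %u (user), %r (realm) and %% (literal percent) in a template."""
    values = {"u": escape_filter_value(user),
              "r": escape_filter_value(realm),
              "%": "%"}
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template) and template[i + 1] in values:
            out.append(values[template[i + 1]])
            i += 2
        else:
            out.append(ch)  # ordinary character, or a token this model ignores
            i += 1
    return "".join(out)

def matches(filter_text, entry):
    """Evaluate one attr=value equality filter against a directory entry."""
    attr, _, value = filter_text.partition("=")
    return value in entry.get(attr, [])

# Constructed directory entry, for illustration only.
ENTRY = {"mail": ["jeka@8ka.mipt.ru"]}

def lookup(template, user, realm):
    """Return (expanded filter, whether it finds ENTRY)."""
    expanded = expand_filter(template, user, realm)
    return expanded, matches(expanded, ENTRY)

if __name__ == "__main__":
    cases = {"full address as user, empty realm": ("jeka@8ka.mipt.ru", ""),
             "imapd via libsasl (split)": split_login("jeka@8ka.mipt.ru")}
    for label, (user, realm) in cases.items():
        for template in ("mail=%u", "mail=%u@%r"):
            print(label, template, lookup(template, user, realm))
```
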