V #586

Jon Wilson jon at phuq.co.uk
Mon Nov 8 07:27:00 EST 2004


> Date: Thu, 4 Nov 2004 18:45:19 +0100
> From: Ralph Roessner <roessner at rbg.informatik.tu-darmstadt.de>
> Subject: Re: using ldap for obtaining group membership information
> 
> Cyrus IMAP with LDAP ptloader still uses saslauthd for authentication. But
> before it does authentication, it uses LDAP to canonify the user name. That
> is what you are seeing here:
> 
> First it binds with admin rights:
> 
> Then it changes uid to the user that is being canonified and asks for its
> own user name. The assumption is that the LDAP server will return the
> canonical user name. (In LDAPish this reads: execute a "who am i" extended
> operation with "proxyauthz" control in place).
> 
> Note the error 32. This is called LDAP_NO_SUCH_OBJECT and means in this case
> that the search base ("uid=jon,cn=simple,cn=auth") does not exist. You
> probably need to adjust the SASL -> uid mapping in the LDAP configuration
> so that "The user with authcid 'jon' authenticated by the simple mechanism"
> gets translated to "uid=jon,cn=people,dc=mydomain,dc=com" or whatever your
> user subtree is called. See the slapd.conf man page, keyword "sasl-regexp".
> 
> To summarize: The Cyrus IMAP ptloader does not find your users in the LDAP
> tree. Neither authentication nor group lookup is even tried.

OK. That makes sense. What confuses me is that I have "ldap_sasl: 0" in 
imapd.conf, no SASL support in my LDAP server, and "sasl-authz-policy 
none" in slapd.conf (just for good measure). So why is ptloader trying 
to do proxyauth at all?

It looks like I am being forced to use SASL and proxyauthz when using 
ptloader. Is this correct?

> Then try turning SASL off: option "ldap_sasl: 0". This may save you the
> trouble of finding a working "sasl-regexp".

Have done, see below

> Date: Thu, 4 Nov 2004 13:46:50 -0500 (EST)
> From: Igor Brezac <igor at ipass.net>
> Subject: Re: using ldap for obtaining group membership information
> 
> Show us your config and I can help you from there.  There are quite a few 
> ways you can configure ptloader.

######## imapd.conf ############

configdirectory: /var/imap
partition-default: /home/cyrus/mail
admins: cyradmin
plaintextloginpause: 0
sieveusehomedir: false
sievedir: /home/cyrus/sieve
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain login
allowplaintext: 0
ptloader_sock: /var/imap/ptclient/ptsock
ldap_base: dc=mydomain,dc=com
ldap_deref: never
lmtp_downcase_rcpt: 1
ldap_filter: "(&(objectclass=inetOrgPerson)(uid=%u))"
ldap_group_base: "ou=groups,dc=mydomain,dc=com"
ldap_group_filter: "(&(objectclass=posixGroup)(cn=%u))"
ldap_group_scope: sub
ldap_member_base: "ou=groups,dc=mydomain,dc=com"
ldap_member_attribute: memberUid
ldap_member_method: attribute
ldap_member_scope: sub
ldap_bind_dn: cn=Manager,dc=mydomain,dc=com
ldap_password: p
ldap_uri: ldap://localhost/
ldap_sasl: 0
ldap_authz: 0
tls_cert_file: /var/imap/server.pem
tls_key_file: /var/imap/server.pem

###### cyrus.conf ############

START {
   recover       cmd="ctl_cyrusdb -r"
}
SERVICES {
   imap          cmd="imapd" listen="imap" prefork=0
   imaps         cmd="imapd -s" listen="imaps" prefork=0
   pop3          cmd="pop3d" listen="pop3" prefork=0
   pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
   lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
   ptloader      cmd="ptloader" listen="/var/imap/ptclient/ptsock" prefork=1
}
EVENTS {
   checkpoint    cmd="ctl_cyrusdb -c" period=30
   delprune      cmd="cyr_expire -E 3" at=0400
   tlsprune      cmd="tls_prune" at=0400
}

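As an added example (not code from the thread, from Cyrus or from OpenLDAP), the two translations the discussion turns on, modelled in Python: the pseudo-DN slapd derives from a SASL identity ("uid=jon,cn=simple,cn=auth"), the sasl-regexp rewrite that turns it into a real entry DN, and the %u substitution ptloader's ldap_filter / ldap_group_filter depend on, with RFC 4515 escaping of the authcid and a parenthesis-balance check. The ou=people subtree and the regexp rule are assumptions; the thread never shows the real slapd.conf, and Python's re is used as a stand-in for slapd's POSIX regex engine.

```python
import re

# --- slapd side: SASL identity -> pseudo-DN -> sasl-regexp rewrite -----------

def sasl_authz_dn(authcid, mech, realm=None):
    """Pseudo-DN slapd derives from a SASL identity (OpenLDAP form):
    uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth, with the cn=<realm> RDN
    omitted when the mechanism supplies no realm."""
    rdns = ["uid=" + authcid]
    if realm:
        rdns.append("cn=" + realm)
    rdns += ["cn=" + mech.lower(), "cn=auth"]
    return ",".join(rdns)

def apply_sasl_regexp(pseudo_dn, rules):
    """Apply slapd.conf sasl-regexp rules (pattern, replacement) in order;
    the first match wins. Replacements use slapd's $1 syntax, translated to
    Python's \\1 here. Returns None when no rule matches: the pseudo-DN is
    then used as-is as a search base, which is the error-32 case above."""
    for pattern, replacement in rules:
        m = re.match(pattern, pseudo_dn)
        if m:
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", replacement))
    return None

# Constructed rule (assumption): users live under ou=people.
RULES = [
    (r"^uid=([^,]+),cn=[^,]+,cn=auth$", "uid=$1,ou=people,dc=mydomain,dc=com"),
]

# --- ptloader side: %u substitution into the search filters ------------------

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter, so an authcid
    such as 'jon)(uid=*' cannot rewrite the filter it is substituted into."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)

def build_filter(template, user):
    """Substitute %u and reject an unbalanced filter before it reaches slapd."""
    filt = template.replace("%u", escape_filter_value(user))
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter: " + filt)
    if depth != 0 or not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("unbalanced filter: " + filt)
    return filt

if __name__ == "__main__":
    pseudo = sasl_authz_dn("jon", "simple")
    print(pseudo, "->", apply_sasl_regexp(pseudo, RULES))
    print(build_filter("(&(objectclass=inetOrgPerson)(uid=%u))", "jon"))
    print(build_filter("(uid=%u)", "jon)(uid=*"))
    try:
        build_filter("&(objectclass=posixGroup)(cn=%u)", "staff")
    except ValueError as e:
        print("rejected:", e)
```

A realm-bearing identity such as "uid=jon,cn=MYREALM,cn=digest-md5,cn=auth" does not match the single rule above and maps to nothing, which is exactly the situation in which slapd is asked to search under a base that is not an entry in the tree; a second sasl-regexp with a cn=.*,cn=.* pattern would be needed for those mechanisms.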
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
