using ldap for obtaining group membership information

Igor Brezac igor at ipass.net
Thu Nov 4 13:46:50 EST 2004


On Thu, 4 Nov 2004, Ralph Roessner wrote:

> Hi!
>
> On Wed, Nov 03, 2004 at 05:49:01PM +0000,
>  Jon Wilson wrote:
>> Hi,
>>
>> I'm trying to migrate all our services to LDAP.
>>
>> I can get cyrus-imapd to do user authentication against an OpenLDAP
>> server working OK, using "sasl_pwcheck_method: saslauthd", and relevant
>> saslauthd.conf.
>>
>> I'm a bit stuck with getting imapd to get group membership out of the
>> LDAP server, to use for authorization and access control.
>>
>> I can build an imap server with LDAP support in "ptloader" but as soon
>> as I start using it, imapd seems to stop using saslauthd for
>> authentication. In addition I get lines like the following in my ldap
>> logs. The BIND looks OK, but I don't understand the rest.
>
> Cyrus IMAP with LDAP ptloader still uses saslauthd for authentication. But
> before it does authentication, it uses LDAP to canonify the user name. That
> is what you are seeing here:
>
> First it binds with admin rights:
>
>> Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 fd=19 ACCEPT from
>> IP=127.0.0.1:1749 (IP=0.0.0.0:389)
>> Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 BIND
>> dn="cn=Manager,dc=mydomain,dc=com" method=128
>> Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 BIND
>> dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0
>> Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 RESULT tag=97
>> err=0 text=
>
> Then it changes uid to the user that is being canonified and asks for its
> own user name. The assumption is that the LDAP server will return the
> canonical user name. (In LDAPish this reads: execute a "who am i" extended
> operation with "proxyauthz" control in place).
>
>> Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=1 PROXYAUTHZ
>> dn="uid=jon,cn=simple,cn=auth"
>> Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=2 SRCH
>> base="uid=jon,cn=simple,cn=auth" scope=0 deref=0 filter="(objectClass=*)"
>> Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=2 SEARCH RESULT
>> tag=101 err=32 nentries=0 text=
>> Nov  3 16:23:59 <20.7> green slapd[18408]: conn=96 fd=19 closed
>
> Note the error 32. This is called LDAP_NO_SUCH_OBJECT and means in this case
> that the search base ("uid=jon,cn=simple,cn=auth") does not exist. You
> probably need to adjust the SASL -> uid mapping in the LDAP configuration
> so that "The user with authcid 'jon' authenticated by the simple mechanism"
> gets translated to "uid=jon,cn=people,dc=mydomain,dc=com" or whatever your
> user subtree is called. See the slapd.conf man page, keyword "sasl-regexp".
>
> To summarize: The Cyrus IMAP ptloader does not find your users in the LDAP
> tree. Neither authentication nor group lookup is even tried.
>
>>
>> Could someone give a working example, which I think will probably help a
>> lot. There is a lack of documentation on how group information is looked
>> up - it's not even immediately clear to me that "ptloader" is actually
>> for that.
>
> Sorry, I cannot provide an example. Our efforts have not progressed far
> enough for that. But the LDAP ptloader is definitely used for group lookup,
> and you will need to configure forward lookups, i.e. find the members of a
> given group (see man imap.conf, options ldap_group_*) and reverse lookups,
> i.e. find the groups a given user is a member of (see man imap.conf, options
> ldap_member_*).

Show us your config and I can help you from there.  There are quite a few 
ways you can configure ptloader.

>>
>> Notes: I plan to use simple binds (with TLS) between the ldap server and
>> any of its clients (including the imap server), so I don't require any
>> SASL configuration at that stage. I have a free hand about schemas and
> (...)
>
> Then try turning SASL off: option "ldap_sasl: 0". This may save you the
> trouble of finding a working "sasl-regexp".


-- 
Igor
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
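The diagnosis Ralph gives above (a PROXYAUTHZ with an un-mapped "uid=...,cn=simple,cn=auth" identity followed by a base-object search that fails with err=32) can be checked mechanically against slapd logs. The script below is an added example, not code from the thread or from the Cyrus or OpenLDAP projects: it correlates the PROXYAUTHZ, SRCH and SEARCH RESULT lines of each connection, reports connections where the SASL pseudo-DN was never canonified, and builds the slapd.conf "sasl-regexp" line that would map that pseudo-DN into the user subtree. The sample log embeds the lines quoted in the thread plus a constructed healthy connection (conn=97) for contrast; the target subtree "cn=people,dc=mydomain,dc=com" is the assumption from Ralph's reply, and the function names are mine.

```python
import re

# Constructed sample: the slapd log lines quoted in the thread (conn=96, the
# failing case) followed by a constructed, healthy canonification (conn=97).
SAMPLE_LOG = """\
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 fd=19 ACCEPT from IP=127.0.0.1:1749 (IP=0.0.0.0:389)
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=128
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 RESULT tag=97 err=0 text=
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=1 PROXYAUTHZ dn="uid=jon,cn=simple,cn=auth"
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=2 SRCH base="uid=jon,cn=simple,cn=auth" scope=0 deref=0 filter="(objectClass=*)"
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
Nov  3 16:23:59 <20.7> green slapd[18408]: conn=96 fd=19 closed
Nov  3 16:30:02 <20.7> green slapd[18408]: conn=97 op=1 PROXYAUTHZ dn="uid=jon,cn=people,dc=mydomain,dc=com"
Nov  3 16:30:02 <20.7> green slapd[18408]: conn=97 op=2 SRCH base="uid=jon,cn=people,dc=mydomain,dc=com" scope=0 deref=0 filter="(objectClass=*)"
Nov  3 16:30:02 <20.7> green slapd[18408]: conn=97 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

LDAP_NO_SUCH_OBJECT = 32  # the err=32 from the thread

PROXYAUTHZ_RE = re.compile(r'conn=(\d+) op=(\d+) PROXYAUTHZ dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')


def find_unmapped_sasl_identities(log_text):
    """Return one finding per connection in which the PROXYAUTHZ identity was
    still a SASL pseudo-DN (ending in cn=auth) and the base-object search on
    it failed with LDAP_NO_SUCH_OBJECT, i.e. the user name was never canonified."""
    proxy = {}     # conn -> PROXYAUTHZ dn
    bases = {}     # (conn, op) -> search base
    findings = []
    for line in log_text.splitlines():
        m = PROXYAUTHZ_RE.search(line)
        if m:
            proxy[m.group(1)] = m.group(3)
            continue
        m = SRCH_RE.search(line)
        if m:
            bases[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.group(1), m.group(2), int(m.group(3))
            base = bases.get((conn, op))
            authz = proxy.get(conn)
            if (err == LDAP_NO_SUCH_OBJECT and base and authz
                    and base.lower().endswith(",cn=auth")):
                findings.append({"conn": conn, "authz_dn": authz, "base": base, "err": err})
    return findings


def suggest_sasl_regexp(authz_dn, user_subtree):
    """Build the slapd.conf sasl-regexp line mapping the SASL pseudo-DN form
    uid=<name>,cn=<mech>,cn=auth onto uid=<name>,<user_subtree>. The mechanism
    is taken from the pseudo-DN; user_subtree is the caller's assumption."""
    m = re.fullmatch(r"uid=([^,]+),cn=([^,]+),cn=auth", authz_dn, re.IGNORECASE)
    if not m:
        raise ValueError("not a SASL authz pseudo-DN: %s" % authz_dn)
    mech = m.group(2)
    return 'sasl-regexp "uid=(.*),cn=%s,cn=auth" "uid=$1,%s"' % (mech, user_subtree)


if __name__ == "__main__":
    for f in find_unmapped_sasl_identities(SAMPLE_LOG):
        print("conn=%s: %s not canonified (err=%d on base %s)"
              % (f["conn"], f["authz_dn"], f["err"], f["base"]))
        print("  suggested:", suggest_sasl_regexp(f["authz_dn"], "cn=people,dc=mydomain,dc=com"))
```

Run against a real slapd log with the same loglevel, the script reports only connections showing the un-mapped pseudo-DN symptom; conn=97, where the PROXYAUTHZ identity already lies under the user subtree and the search returns one entry, produces no finding. The suggested line is for slapd.conf; check the sasl-regexp keyword in the slapd.conf man page of your OpenLDAP version before pasting it in.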
