using ldap for obtaining group membership information

Ralph Roessner roessner at rbg.informatik.tu-darmstadt.de
Thu Nov 4 12:45:19 EST 2004


Hi!

On Wed, Nov 03, 2004 at 05:49:01PM +0000,
  Jon Wilson wrote:
> Hi,
> 
> I'm trying to migrate all our services to LDAP.
> 
> I can get cyrus-imapd to do user authentication against an OpenLDAP 
> server working OK, using "sasl_pwcheck_method: saslauthd", and relevant 
> saslauthd.conf.
> 
> I'm a bit stuck with getting imapd to get group membership out of the 
> LDAP server, to use for authorization and access control.
> 
> I can build an imap server with LDAP support in "ptloader" but as soon 
> as I start using it, imapd seems to stop using saslauthd for 
> authentication. In addition I get lines like the following in my ldap 
> logs. The BIND looks OK, but I don't understand the rest.

Cyrus IMAP with LDAP ptloader still uses saslauthd for authentication. But
before it does authentication, it uses LDAP to canonify the user name. That
is what you are seeing here:

First it binds with admin rights:

> Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 fd=19 ACCEPT from 
> IP=127.0.0.1:1749 (IP=0.0.0.0:389)
> Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 BIND 
> dn="cn=Manager,dc=mydomain,dc=com" method=128
> Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 BIND 
> dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0
> Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 RESULT tag=97 
> err=0 text=

Then it changes uid to the user that is being canonified and asks for its
own user name. The assumption is that the LDAP server will return the
canonical user name. (In LDAPish this reads: execute a "who am i" extended
operation with "proxyauthz" control in place).

> Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=1 PROXYAUTHZ 
> dn="uid=jon,cn=simple,cn=auth"
> Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=2 SRCH 
> base="uid=jon,cn=simple,cn=auth" scope=0 deref=0 filter="(objectClass=*)"
> Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=2 SEARCH RESULT 
> tag=101 err=32 nentries=0 text=
> Nov  3 16:23:59 <20.7> green slapd[18408]: conn=96 fd=19 closed

Note the error 32. This is called LDAP_NO_SUCH_OBJECT and means in this case
that the search base ("uid=jon,cn=simple,cn=auth") does not exist. You
probably need to adjust the SASL -> uid mapping in the LDAP configuration
so that "The user with authcid 'jon' authenticated by the simple mechanism"
gets translated to "uid=jon,cn=people,dc=mydomain,dc=com" or whatever your
user subtree is called. See the slapd.conf man page, keyword "sasl-regexp".

To summarize: The Cyrus IMAP ptloader does not find your users in the LDAP
tree. Neither authentication nor group lookup is even tried.

> 
> Could someone give a working example, which I think will probably help a 
> lot. There is a lack of documentation on how group information is looked 
> up - it's not even immediately clear to me that "ptloader" is actually 
> for that.

Sorry, I cannot provide an example. Our efforts have not progressed far
enough for that. But the LDAP ptloader is definitely used for group lookup,
and you will need to configure forward lookups, i.e. find the members of a
given group (see man imap.conf, options ldap_group_*) and reverse lookups,
i.e. find the groups a given user is a member of (see man imap.conf, options
ldap_member_*).

> 
> Notes: I plan to use simple binds (with TLS) between the ldap server and 
> any of its clients (including the imap server), so I don't require any 
> SASL configuration at that stage. I have a free hand about schemas and 
(...)

Then try turning SASL off: option "ldap_sasl: 0". This may save you the
trouble of finding a working "sasl-regexp".

Good luck,
   Ralph Rößner

-- 
   Ralph Rößner                                      TU Darmstadt
   EMail: roessner at rbg.informatik.tu-darmstadt.de    FB Informatik
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html




More information about the Info-cyrus mailing list