using ldap for obtaining group membership information

Jon Wilson jon at phuq.co.uk
Wed Nov 3 12:49:01 EST 2004


Hi,

I'm trying to migrate all our services to LDAP.

I can get cyrus-imapd to do user authentication against an OpenLDAP 
server working OK, using "sasl_pwcheck_method: saslauthd", and relevant 
saslauthd.conf.

I'm a bit stuck with getting imapd to get group membership out of the 
LDAP server, to use for authorization and access control.

I can build an imap server with LDAP support in "ptloader" but as soon 
as I start using it, imapd seems to stop using saslauthd for 
authentication. In addition I get lines like the following in my ldap 
logs. The BIND looks OK, but I don't understand the rest.

Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 fd=19 ACCEPT from IP=127.0.0.1:1749 (IP=0.0.0.0:389)
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=128
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 RESULT tag=97 err=0 text=
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=1 PROXYAUTHZ dn="uid=jon,cn=simple,cn=auth"
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=2 SRCH base="uid=jon,cn=simple,cn=auth" scope=0 deref=0 filter="(objectClass=*)"
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
Nov  3 16:23:59 <20.7> green slapd[18408]: conn=96 fd=19 closed

Could someone give a working example? I think it will probably help a 
lot. There is a lack of documentation on how group information is looked 
up - it's not even immediately clear to me that "ptloader" is actually 
for that.

Notes: I plan to use simple binds (with TLS) between the ldap server and 
any of its clients (including the imap server), so I don't require any 
SASL configuration at that stage. I have a free hand about schemas and 
database contents, so the user and group information can be stored in 
the LDAP database in any reasonably sensible manner.

System details:

cyrus-imapd-2.2.8
cyrus-sasl-2.1.19_1
cyrus-sasl-saslauthd-2.1.19
openldap-server-2.2.17
FreeBSD 4.10-PRERELEASE

Thanks,

Jon

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
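Added example (editor's code, not from the post above or from the Cyrus or OpenLDAP projects): a small parser for the slapd connection-log format quoted in the message, run over those same lines. It re-joins lines that were wrapped in the mail, groups records by conn=/op=, and flags two things worth checking in a trace like this one: a SIMPLE bind with ssf=0 (the bind password crossed the wire with no TLS or SASL protection), and a search whose base is still a SASL-style authentication identity (a DN ending in cn=auth) that came back err=32, which is LDAP resultCode noSuchObject. The sample log below is the message's own output, embedded here as constructed input; the helper names are the editor's.

```python
"""Parse OpenLDAP slapd connection logs (stats loglevel) and flag unprotected
binds and searches against unmapped SASL authentication identities."""
import re
from dataclasses import dataclass, field

# Constructed sample: the slapd lines quoted in the post, with mail-style
# line wrapping that the parser has to re-join.
SAMPLE_LOG = """\
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 fd=19 ACCEPT from
IP=127.0.0.1:1749 (IP=0.0.0.0:389)
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 BIND
dn="cn=Manager,dc=mydomain,dc=com" method=128
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 BIND
dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=0 RESULT tag=97
err=0 text=
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=1 PROXYAUTHZ
dn="uid=jon,cn=simple,cn=auth"
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=2 SRCH
base="uid=jon,cn=simple,cn=auth" scope=0 deref=0 filter="(objectClass=*)"
Nov  3 16:15:41 <20.7> green slapd[18408]: conn=96 op=2 SEARCH RESULT
tag=101 err=32 nentries=0 text=
Nov  3 16:23:59 <20.7> green slapd[18408]: conn=96 fd=19 closed
"""

RECORD_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>\d+) (?P<kind>[A-Z]+(?: RESULT)?)(?: (?P<args>.*))?$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

LDAP_NO_SUCH_OBJECT = 32  # resultCode noSuchObject (RFC 4511)


@dataclass
class Operation:
    op: int
    kind: str      # BIND, RESULT, PROXYAUTHZ, SRCH, SEARCH RESULT, ...
    args: dict     # key=value pairs with surrounding quotes stripped


@dataclass
class Connection:
    conn: int
    ops: list = field(default_factory=list)


def rejoin_wrapped(text):
    """A line without a slapd[pid] prefix is a wrapped continuation of the previous one."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "slapd[" in line or not lines:
            lines.append(line)
        else:
            lines[-1] = lines[-1] + " " + line
    return lines


def parse_args(args):
    return {k: v.strip('"') for k, v in KV_RE.findall(args or "")}


def parse_slapd_log(text):
    """Group op= records by connection; fd= records (ACCEPT/closed) carry no op and are skipped."""
    conns = {}
    for line in rejoin_wrapped(text):
        m = RECORD_RE.search(line)
        if not m:
            continue
        conn = conns.setdefault(int(m["conn"]), Connection(int(m["conn"])))
        om = OP_RE.match(m["rest"])
        if om:
            conn.ops.append(Operation(int(om["op"]), om["kind"], parse_args(om["args"])))
    return conns


def find_unprotected_binds(conns):
    """SIMPLE binds with ssf=0: the password was sent with no TLS or SASL protection."""
    hits = []
    for c in conns.values():
        for o in c.ops:
            if o.kind == "BIND" and o.args.get("mech") == "SIMPLE" and o.args.get("ssf") == "0":
                hits.append((c.conn, o.args.get("dn", "")))
    return hits


def find_unmapped_authz(conns):
    """SRCH whose base is still a ...,cn=auth authentication identity and whose
    SEARCH RESULT is noSuchObject: the identity was never mapped to a real entry."""
    hits = []
    for c in conns.values():
        results = {o.op: o for o in c.ops if o.kind == "SEARCH RESULT"}
        for o in c.ops:
            if o.kind != "SRCH":
                continue
            base = o.args.get("base", "")
            res = results.get(o.op)
            if base.lower().endswith(",cn=auth") and res and res.args.get("err") == str(LDAP_NO_SUCH_OBJECT):
                hits.append((c.conn, o.op, base))
    return hits


if __name__ == "__main__":
    parsed = parse_slapd_log(SAMPLE_LOG)
    print("unprotected binds:", find_unprotected_binds(parsed))
    print("unmapped authz identities:", find_unmapped_authz(parsed))
```

On the quoted trace this reports the cn=Manager SIMPLE bind at ssf=0 (here over loopback, but the same check matters once clients are remote and the poster's planned TLS is in place) and the op=2 search against uid=jon,cn=simple,cn=auth. A DN of that uid=...,cn=<mech>,cn=auth shape is the authentication identity slapd synthesizes for SASL and proxy-authorization identities; slapd only resolves it to a directory entry if an authz-regexp directive in slapd.conf maps it, and an unmapped identity shows up exactly as a scope=0 search on that pseudo-DN returning err=32 with nentries=0. The parser only reads the log; it does not change any Cyrus or OpenLDAP configuration.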