Virtual domain problem - POP/IMAP, SASL & LDAP
Julian W H Osborne
josborne at imsmaxims.com
Tue Mar 15 13:00:27 EST 2005
Igor Brezac wrote:
>
> On Tue, 15 Mar 2005, Julian W H Osborne wrote:
>
>> Dear All,
>>
>> I'm having some problems getting Cyrus imap to work correctly with
>> sasl and ldap. Using the testsaslauthd command all is okay, username
>> and domain
>> is passed through. However, when using the imap or pop client only
>> the user part of the login name is passed through, e.g. if username is
>> test@imsmaxims.com only test is being passed through. I've pasted
>> everything I think is useful.
>>
>> System details are:
>>
>> Linux localhost.localdomain 2.6.10-1.770_FC2 #1 Sat Feb 26 21:40:22
>> EST 2005 i686 i686 i386 GNU/Linux
>> Fedora Core release 2 (Tettnang)
>> cyrus-imapd-2.2.10-3.fc2
>> cyrus-sasl-2.1.18-2.2
>>
>>
>> Thanks
>>
>> Julian
>>
>>
>> testsaslauthd
>> =============
>>
>> testsaslauthd -u test@imsmaxims.com -p password
>> 0: OK "Success."
>>
>> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=3 BIND anonymous
>> mech=implicit ssf=0
>> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=3 BIND
>> dn="cn=manager,o=virtual_domain" method=128
>> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=3 BIND
>> dn="cn=Manager,o=virtual_domain" mech=SIMPLE ssf=0
>> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=3 RESULT tag=97
>> err=0 text=
>> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=4 SRCH
>> base="o=virtual_domain" scope=2 filter="(uid=test@imsmaxims.com)"
>> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=4 SRCH attr=dn
>> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=4 SEARCH RESULT
>> tag=101 err=0 nentries=1 text=
>> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=5 BIND anonymous
>> mech=implicit ssf=0
>> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=5 BIND
>> dn="uid=test@imsmaxims.com,ou=it-dept,ou=uk,ou=imsmaxims.com,o=virtual_domain"
>> method=128
>> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=5 BIND
>> dn="uid=test@imsmaxims.com,ou=it-dept,ou=uk,ou=imsmaxims.com,o=virtual_domain"
>> mech=SIMPLE ssf=0
>> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=5 RESULT tag=97
>> err=0 text=
>>
>>
>> IMAP Connection
>> ===============
>> telnet localhost 143
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> * OK IMAP
>> . login test@imsmaxims.com password
>> . NO Login failed: authentication failure
>> . logout
>> * BYE LOGOUT received
>> . OK Completed
>> Connection closed by foreign host.
>>
>> Mar 15 16:38:45 localhost slapd[3234]: conn=19 op=3 BIND anonymous
>> mech=implicit ssf=0
>> Mar 15 16:38:45 localhost slapd[3234]: conn=19 op=3 BIND
>> dn="cn=manager,o=virtual_domain" method=128
>> Mar 15 16:38:45 localhost slapd[3234]: conn=19 op=3 BIND
>> dn="cn=Manager,o=virtual_domain" mech=SIMPLE ssf=0
>> Mar 15 16:38:45 localhost slapd[3234]: conn=19 op=3 RESULT tag=97
>> err=0 text=
>> Mar 15 16:38:45 localhost slapd[3234]: conn=19 op=4 SRCH
>> base="o=virtual_domain" scope=2 filter="(uid=test)"
>> Mar 15 16:38:45 localhost slapd[3234]: conn=19 op=4 SRCH attr=dn
>> Mar 15 16:38:45 localhost slapd[3234]: conn=19 op=4 SEARCH RESULT
>> tag=101 err=0 nentries=0 text=
>>
>> imapd.conf (/etc/)
>> ==================
>>
>> # SASL Features
>> sasl_maximum_layer: 256
>> sasl_minimum_layer: 0
>> sasl_pwcheck_method: saslauthd
>> sasl_mech_list: PLAIN
>>
>> # Virtual Domain Support
>> # Default domain
>> defaultdomain: imsmaxims.com
>>
>> # Toggle virtual domains on or off
>> # tried both userid and yes and on
>> virtdomains: userid
>>
>> saslauthd.conf (/etc/)
>> ======================
>> ldap_servers: ldap://127.0.0.1/
>> ldap_bind_dn: cn=manager, o=virtual_domain
>> ldap_bind_pw: secret
>> ldap_search_base: o=virtual_domain
>> ldap_version: 3
>> ldap_filter: (uid=%u) --------> have tried %U@%d also
>
>
> Use the following params:
>
> ldap_default_domain: imsmaxims.com
> ldap_filter: %U@%d
Made those changes and got:
Mar 15 18:00:06 localhost slapd[3234]: conn=29 fd=8 ACCEPT from
IP=127.0.0.1:32845 (IP=0.0.0.0:389)
Mar 15 18:00:06 localhost slapd[3234]: conn=29 op=0 BIND
dn="cn=manager,o=virtual_domain" method=128
Mar 15 18:00:06 localhost slapd[3234]: conn=29 op=0 BIND
dn="cn=Manager,o=virtual_domain" mech=SIMPLE ssf=0
Mar 15 18:00:06 localhost slapd[3234]: conn=29 op=0 RESULT tag=97 err=0
text=
Mar 15 18:00:06 localhost slapd[3234]: conn=29 op=1 SRCH
base="o=virtual_domain" scope=2 filter="(uid=test@localdomain)"
Mar 15 18:00:06 localhost slapd[3234]: conn=29 op=1 SRCH attr=dn
Mar 15 18:00:06 localhost slapd[3234]: conn=29 op=1 SEARCH RESULT
tag=101 err=0 nentries=0 text=
>
> cyrus-imapd will drop the domain part if it is the same as
> defaultdomain. In addition, libsasl will pass fully qualified userids as
> two separate tokens (user and domain) to saslauthd. So, %u will always
> be just user without the domain part. You can pass -r to saslauthd for
> the userid reassembly, but you will still have problems with
> defaultdomain logins. The above changes to saslauthd.conf should work
> for you.
>
> -Igor
>
>
>> ldap_scope: sub
>>
>> Cyrus.conf (/usr/lib/sasl2/)
>> ============================
>> pwcheck_method:saslauthd
--
====================================================================
Julian W H Osborne
IMS MAXIMS Plc
Sandymount, Station Road, Woburn Sands, MK17 8RR, UK
Tel: +44 (0)1908 588800 Fax: +44 (0)1908 588819
Clara House, Glenageary Park, Glenageary, Dublin, Ireland
Tel: +353 (0)1 2840555 Fax: +353 (0)1 2840829
http://www.imsmaxims.com/
====================================================================
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html