Virtual domain problem - POP/IMAP, SASL & LDAP

Igor Brezac igor at ipass.net
Tue Mar 15 12:52:17 EST 2005


On Tue, 15 Mar 2005, Julian W H Osborne wrote:

> Dear All,
>
> I'm having some problems getting Cyrus imap to work correctly with sasl and 
> ldap.  Using the testsaslauthd command all is okay, username and domain
> is passed through.  However, when using the imap or pop client only the user 
> part of the login name is passed through, e.g. if username is
> test at imsmaxims.com only test is being passed through.  I've pasted everything 
> I think is useful.
>
> System details are:
>
> Linux localhost.localdomain 2.6.10-1.770_FC2 #1 Sat Feb 26 21:40:22 EST 2005 
> i686 i686 i386 GNU/Linux
> Fedora Core release 2 (Tettnang)
> cyrus-imapd-2.2.10-3.fc2
> cyrus-sasl-2.1.18-2.2
>
>
> Thanks
>
> Julian
>
>
> testsaslauthd
> =============
>
> testsaslauthd -u test at imsmaxims.com -p password
> 0: OK "Success."
>
> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=3 BIND anonymous 
> mech=implicit ssf=0
> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=3 BIND 
> dn="cn=manager,o=virtual_domain" method=128
> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=3 BIND 
> dn="cn=Manager,o=virtual_domain" mech=SIMPLE ssf=0
> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=3 RESULT tag=97 err=0 text=
> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=4 SRCH 
> base="o=virtual_domain" scope=2 filter="(uid=test at imsmaxims.com)"
> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=4 SRCH attr=dn
> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=4 SEARCH RESULT tag=101 
> err=0 nentries=1 text=
> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=5 BIND anonymous 
> mech=implicit ssf=0
> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=5 BIND 
> dn="uid=test at imsmaxims.com,ou=it-dept,ou=uk,ou=imsmaxims.com,o=virtual_domain" 
> method=128
> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=5 BIND 
> dn="uid=test at imsmaxims.com,ou=it-dept,ou=uk,ou=imsmaxims.com,o=virtual_domain" 
> mech=SIMPLE ssf=0
> Mar 15 16:37:17 localhost slapd[3234]: conn=18 op=5 RESULT tag=97 err=0 text=
>
>
> IMAP Connection
> ===============
> telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> * OK IMAP
> . login test at imsmaxims.com password
> . NO Login failed: authentication failure
> . logout
> * BYE LOGOUT received
> . OK Completed
> Connection closed by foreign host.
>
> Mar 15 16:38:45 localhost slapd[3234]: conn=19 op=3 BIND anonymous 
> mech=implicit ssf=0
> Mar 15 16:38:45 localhost slapd[3234]: conn=19 op=3 BIND 
> dn="cn=manager,o=virtual_domain" method=128
> Mar 15 16:38:45 localhost slapd[3234]: conn=19 op=3 BIND 
> dn="cn=Manager,o=virtual_domain" mech=SIMPLE ssf=0
> Mar 15 16:38:45 localhost slapd[3234]: conn=19 op=3 RESULT tag=97 err=0 text=
> Mar 15 16:38:45 localhost slapd[3234]: conn=19 op=4 SRCH 
> base="o=virtual_domain" scope=2 filter="(uid=test)"
> Mar 15 16:38:45 localhost slapd[3234]: conn=19 op=4 SRCH attr=dn
> Mar 15 16:38:45 localhost slapd[3234]: conn=19 op=4 SEARCH RESULT tag=101 
> err=0 nentries=0 text=
>
> imapd.conf (/etc/)
> ==================
>
> # SASL Features
> sasl_maximum_layer:             256
> sasl_minimum_layer:             0
> sasl_pwcheck_method:            saslauthd
> sasl_mech_list:                 PLAIN
>
> # Virtual Domain Support
> # Default domain
> defaultdomain:                  imsmaxims.com
>
> # Toggle virtual domains on or off
> # tried both userid and yes and on
> virtdomains:                    userid
>
> saslauthd.conf (/etc/)
> ======================
> ldap_servers:   ldap://127.0.0.1/
> ldap_bind_dn:   cn=manager, o=virtual_domain
> ldap_bind_pw:   secret
> ldap_search_base: o=virtual_domain
> ldap_version:   3
> ldap_filter:    (uid=%u) --------> have tried %U@%d also

Use the following params:

ldap_default_domain: imsmaxims.com
ldap_filter: %U@%d

cyrus-imapd will drop the domain part if it is the same as defaultdomain. 
In addition, libsasl will pass fully qualified userids as two separate 
tokens (user and domain) to saslauthd.  So, %u will always be just user 
without the domain part.  You can pass -r to saslauthd for the userid 
reassembly, but you will still have problems with defaultdomain logins. 
The above changes to saslauthd.conf should work for you.

-Igor


> ldap_scope:     sub
>
> Cyrus.conf (/usr/lib/sasl2/)
> ============================
> pwcheck_method:saslauthd
>
>
>

-- 
Igor
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
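To make the explanation above concrete, here is an added Python model of how a login name travels from Cyrus through libsasl to saslauthd's LDAP filter; it is constructed for this thread and is not code from Cyrus, libsasl or saslauthd. The %u/%U/%d expansion rules, the ldap_default_domain fallback and the RFC 4515 escaping are assumptions of the model, not a description of saslauthd's source.

```python
import re

# Constructed model of the path: IMAP login -> Cyrus (virtdomains) -> libsasl
# tokens -> saslauthd ldap_filter expansion.  Not code from any of those projects.


def cyrus_split_login(login, defaultdomain):
    """Cyrus with virtdomains: split 'user@domain' into the two tokens that
    libsasl hands to saslauthd.  The domain is dropped when it equals
    defaultdomain, so the realm token arrives empty (the thread's point)."""
    user, _, domain = login.partition("@")
    if domain == defaultdomain:
        domain = ""
    return user, domain


def ldap_escape(value):
    """RFC 4515 escaping of an assertion value before it is placed in a
    filter, so a login such as 'x*)(uid=*' cannot alter the filter shape."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def saslauthd_expand_filter(template, user, realm, ldap_default_domain=""):
    """Expand the ldap_filter template (modelled, simplified):
    %u -> the user token exactly as received,
    %U -> the part of the user token before any '@',
    %d -> the part after '@' if present, else the realm token,
          else ldap_default_domain."""
    user_part, _, user_domain = user.partition("@")
    domain = user_domain or realm or ldap_default_domain
    tokens = {"%u": user, "%U": user_part, "%d": domain}
    return re.sub(r"%[uUd]", lambda m: ldap_escape(tokens[m.group()]), template)


def imap_login_filter(login, template, defaultdomain, ldap_default_domain=""):
    """End-to-end: IMAP login string -> filter saslauthd would send to slapd."""
    user, realm = cyrus_split_login(login, defaultdomain)
    return saslauthd_expand_filter(template, user, realm, ldap_default_domain)


if __name__ == "__main__":
    # Julian's config reproduces the slapd log line filter="(uid=test)".
    print(imap_login_filter("test@imsmaxims.com", "(uid=%u)", "imsmaxims.com"))
    # testsaslauthd bypasses Cyrus, so %u still carries the full address.
    print(saslauthd_expand_filter("(uid=%u)", "test@imsmaxims.com", ""))
    # Igor's fix: %U@%d together with ldap_default_domain restores the address.
    print(imap_login_filter("test@imsmaxims.com", "(uid=%U@%d)",
                            "imsmaxims.com", "imsmaxims.com"))
```

Running the model with %U@%d but without ldap_default_domain yields "(uid=test@)", which is why the filter template alone did not fix the defaultdomain logins.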