Passing full userid or realm to SASL
Marcus I. Ryan
marcus at riboflavin.net
Wed Oct 5 11:40:30 EDT 2005
On FreeBSD, I've installed these ports:
cyrus-imapd-2.2.12_1
cyrus-sasl-2.1.21
cyrus-sasl-saslauthd-2.1.21
imapd.conf includes:
virtdomains: userid
defaultdomain: riboflavin.net
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no
sasl_mech_list: plain login
unixhierarchysep: yes
The rest of the settings I would think aren't related; paths, etc.
The ldap filter in saslauthd is set for:
ldap_search_base: ou=%d,<base org>
ldap_scope: sub
ldap_auth_method: custom
ldap_filter: (mailRoutingAddress=%u)
Though I tried without to make sure that wasn't the problem, I run
saslauthd with the -r flag, so realm should be appended to the userid
if passed.
When I run testsaslauthd -u marcus at riboflavin.net -p <password> I get:
0: OK "Success."
When I run imtest -s -a marcus at riboflavin.net localhost, first it
pauses for about 20 seconds, which I can't explain; happens with a
standard imap client as well. When I enter the password I get:
S: A01 NO authentication failure
Authentication failed. generic failure
Security strength factor: 256
If I look in the auth log, it shows:
Oct 5 15:30:10 testsrv saslauthd[85649]: do_auth : auth failure: [user=marcus] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
which I'm assuming means it was passed marcus in %u and no realm
instead of marcus at riboflavin.net in %u and/or marcus in %u and
riboflavin.net in %r/%d.
--
Marcus I. Ryan, marcus at riboflavin.net
--------------------------------------------------------------------
Hanlon's Razor: Never attribute to malice that which is adequately
explained by stupidity.
--------------------------------------------------------------------
Quoting Edward Rudd <eddie at omegaware.com>:
> On Wed, 2005-10-05 at 01:31 -0500, Marcus I. Ryan wrote:
>> I've set up SASL with an LDAP backend that checks for a user in either
>> the ou of the SASL realm, or the ou matching their domain (so
>> user at domain.tld as the username or user with domain.tld as the realm).
>>
>> I got it working using testsaslauthd, but when I try it through IMAP it
>> appears IMAP strips the domain from the userid before it passes it to
>> SASL, and doesn't pass it as a realm. I can handle it either way
>> (passing a username of userid at domain.tld or having it passed in as a
>> userid and a realm), but it doesn't seem to do either. Am I missing a
>> setting/configuration option, or does this require some kind of code
>> patch?
>
> [snip]
>
>>
>> Any thoughts are appreciated. Thanks.
>
>
> What version of SASL are you using? What version of Cyrus IMAP?
>
> Are you using %u and %f in the ldap_filter configuration in
> saslauthd.conf? The userid is sent in %u and the realm (domain) in %r.
> (this is in cyrus sasl version 2.1.20, cyrus imapd 2.2.12)
>
> Also try setting the virtdomains: userid in /etc/imapd.conf (if using
> cyrus 2.2.x) That will ensure that cyrus sends the whole userid to
> sasl.
>
> --
> Edward Rudd <eddie at omegaware.com>
>
>
>
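As an added diagnostic example (not code from this thread or from Cyrus), the script below parses saslauthd do_auth log lines like the one quoted above and shows the LDAP search base and filter that the posted ldap_search_base/ldap_filter templates would produce for each attempt, flagging attempts where neither a domain in the login nor a realm was supplied. The %u/%r/%d expansion is a simulation of saslauthd's substitutions as assumed here (%u login as received, %r realm, %d domain part of the login), the second log line is constructed, and ORG_BASE stands in for the poster's <base org>.

```python
import re

# Constructed sample log lines modelled on the one in the post (not real logs).
SAMPLE_LOG = """\
Oct 5 15:30:10 testsrv saslauthd[85649]: do_auth : auth failure: [user=marcus] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
Oct 5 15:31:02 testsrv saslauthd[85649]: do_auth : auth success: [user=marcus@riboflavin.net] [service=imap] [realm=riboflavin.net] [mech=ldap]
"""

# Templates from the post; ORG_BASE is an assumed stand-in for the poster's <base org>.
SEARCH_BASE = "ou=%d,ORG_BASE"
FILTER = "(mailRoutingAddress=%u)"

AUTH_RE = re.compile(r"do_auth : auth (?P<result>\w+): (?P<fields>(?:\[[^\]]*\]\s*)+)")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_auth_line(line):
    """Return a dict of [key=value] fields from a saslauthd do_auth line, or None."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    fields["result"] = m.group("result")
    return fields


def expand(template, user, realm):
    """Simulated saslauthd substitution (assumed semantics, see lead-in):
    %u = login as received, %r = realm, %d = domain part of the login."""
    domain = user.partition("@")[2]
    return template.replace("%u", user).replace("%r", realm).replace("%d", domain)


def diagnose(log_text):
    """For each auth attempt, build the LDAP base/filter the templates would yield
    and flag attempts where both the login's domain and the realm are empty,
    which is the symptom in the post: ou=,... as base and a bare userid in the filter."""
    report = []
    for line in log_text.splitlines():
        f = parse_auth_line(line)
        if not f:
            continue
        user, realm = f["user"], f.get("realm", "")
        report.append({
            "user": user,
            "result": f["result"],
            "base": expand(SEARCH_BASE, user, realm),
            "filter": expand(FILTER, user, realm),
            "domain_missing": "@" not in user and realm == "",
        })
    return report
```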