Passing full userid or realm to SASL

Marcus I. Ryan marcus at
Wed Oct 5 11:40:30 EDT 2005

On FreeBSD, I've installed these ports:

imapd.conf includes:
virtdomains: userid
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no
sasl_mech_list: plain login
unixhierarchysep: yes

The rest of the settings I would think aren't related; paths, etc.

The ldap filter in saslauthd is set for:
ldap_search_base: ou=%d,<base org>
ldap_scope: sub
ldap_auth_method: custom
ldap_filter: (mailRoutingAddress=%u)

Though I tried without to make sure that wasn't the problem, I run 
saslauthd with the -r flag, so realm should be appended to the userid 
if passed.

When I run testsaslauthd -u marcus at -p <password> I get:
0: OK "Success."

When I run imtest -s -a marcus at localhost, first it 
pauses for about 20 seconds, which I can't explain; happens with a 
standard imap client as well.  When I enter the password I get:
S: A01 NO authentication failure
Authentication failed. generic failure
Security strength factor: 256

If I look in the auth log, it shows:
Oct  5 15:30:10 testsrv saslauthd[85649]: do_auth         : auth 
failure: [user=marcus] [service=imap] [realm=] [mech=ldap] 

which I'm assuming means it was passed marcus in %u and no realm 
instead of marcus at in %u and/or marcus in %u and in %r/%d.

Marcus I. Ryan, marcus at
Hanlon's Razor:  Never attribute to malice that which is adequately
explained by stupidity.

Quoting Edward Rudd <eddie at>:

> On Wed, 2005-10-05 at 01:31 -0500, Marcus I. Ryan wrote:
>> I've set up SASL with an LDAP backend that checks for a user in either
>> the ou of the SASL realm, or the ou matching their domain (so
>> user at domain.tld as the username or user with domain.tld as the realm).
>> I got it working using testsaslauthd, but when I try it through IMAP it
>> appears IMAP strips the domain from the userid before it passes it to
>> SASL, and doesn't pass it as a realm.  I can handle it either way
>> (passing a username of userid at domain.tld or having it passed in as a
>> userid and a realm), but it doesn't seem to do either.  Am I missing a
>> setting/configuration option, or does this require some kind of code
>> patch?
> [snip]
>> Any thoughts are appreciated.  Thanks.
> What version of SASL are you using? What version of Cyrus IMAP?
> Are you using %u and %f in the ldap_filter configuration in
> saslauthd,.conf? The userid is sent in %u and the realm (domain) in %r.
> (this is in cyrus sasl version 2.1.20, cyrus imapd 2.2.12)
> Also try setting the virtdomains: userid in /etc/imapd.conf (if using
> cyrus 2.2.x) That will ensure that cyrus sends the whole userid to
> sasl.
> --
> Edward Rudd <eddie at>

More information about the Info-cyrus mailing list