Authentication in LDAP with different UID

Guus Leeuw jr. Guus.Leeuw at guusleeuwit.com
Wed Jan 10 13:39:41 EST 2007


Hello,

OK.

You want user 12345 to log in through IMAP, and not 12345 at domain.com.
Thus, you need a mailbox 12345 in Cyrus, that it will authenticate against
SASL (eventually hitting LDAP).

The problem:
User 12345 cannot receive mail, because postfix doesn't know the guy.
On the other hand, 12345 at domain.com cannot login because LDAP doesn't know
the guy ;)

The solution:
Change your recipient canonical settings to virtual maps.
Your LDAP query filter would then be something to the effect of
(&(|(mail=%s)(mailAlternateAddress=%s))(enableMail=Y))
And get rid of the "result_filter = %s at domain.com"

What this will allow is:
1) A user called 12345 in LDAP and Cyrus
2) A postfix lookup for *any* email address, as long as enableMail=Y
3) A postfix mapping of the email address to %s (12345).
4) Email addresses of 12345 at domain.com will result in 12345 (=uid)

Problem solved. ;)

Hope this will work for you. It does for me! (guus.leeuw at guusleeuwit.com is
an alias and receives mail for leeuwg at guusleeuwit.com,
leeuwg1 at guusleeuwit.com, however, since guus.leeuw at guusleeuwit.com is the
mail attribute, and the other two are kept in mailAlternateAddress, my
sender_canonical_map tells postfix that my mail address is
guus.leeuw at guusleeuwit.com, *although* I only login to Cyrus/SSH/Whatnot
with leeuwg!!

And I guess, that is what you want ;)

Have fun,
Guus

(Ah, and you could even accept mail for guus_leeuw_jr at myotherdomain.com, as
long as postfix knows myotherdomain.com is a mydestination ;)
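To make the difference between the two lookup tables concrete, here is an added worked example (my own model, not code from this thread or from Postfix): it evaluates a Postfix-style `query_filter` against a few constructed directory entries modelled on the usuário.ldif posted below, applies `result_attribute` and `result_filter`, and shows that the old canonical table only answers for the `mail` attribute and always returns `uid@domain.com`, while the proposed `(&(|(mail=%s)(mailAlternateAddress=%s))(enableMail=Y))` filter answers for alternate addresses in other domains and returns the bare uid. The directory entries, the `67890` account and the `ldap_lookup` helper are assumptions; only `&`, `|` and equality are modelled, and real Postfix additionally tries the bare localpart and `@domain` keys, which this model leaves out.

```python
"""Model of how a Postfix ldap: lookup table resolves a recipient address.

Constructed example (not code from the thread): it substitutes %s into
query_filter, evaluates the RFC 4515 filter against in-memory directory
entries, takes result_attribute from each match and applies result_filter.
Only the filter features used in the thread are modelled (&, | and equality).
"""
import re

# Constructed directory, modelled on the usuário.ldif posted in the thread.
# The second entry has enableMail=S, as in the posted LDIF, not the Y that
# both query filters require, so it never resolves.
DIRECTORY = [
    {"uid": ["12345"], "mail": ["user@domain.com"],
     "mailAlternateAddress": ["user@domain.org", "user@lists.domain.com"],
     "enableMail": ["Y"], "objectClass": ["CourierMailAccount"]},
    {"uid": ["67890"], "mail": ["other@domain.com"],
     "enableMail": ["S"], "objectClass": ["CourierMailAccount"]},
]

# Neto's recipient_canonical.cf: only the mail attribute matches, and the
# result is forced into @domain.com.
OLD_RECIPIENT_CANONICAL = {
    "query_filter": "(&(mail=%s)(objectClass=CourierMailAccount)(enableMail=Y))",
    "result_attribute": "uid",
    "result_filter": "%s@domain.com",
}

# Guus's proposal for a virtual map: match mail or mailAlternateAddress and
# return the bare uid (no result_filter).
NEW_VIRTUAL_ALIAS = {
    "query_filter": "(&(|(mail=%s)(mailAlternateAddress=%s))(enableMail=Y))",
    "result_attribute": "uid",
}


def ldap_escape(value):
    """RFC 4515 escaping of the characters Postfix escapes when it substitutes
    %s, so an address containing ( ) * or a backslash cannot change the
    structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\" else c for c in value)


def _unescape(value):
    """Turn \\XX hex escapes back into the literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text, pos=0):
    """Parse one parenthesised filter starting at pos; return (node, next_pos).
    Nodes are ('&', [children]), ('|', [children]) or ('=', attr, value)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at %d in %r" % (pos, text))
    pos += 1
    if text[pos] in "&|":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, children), pos + 1
    end = text.index(")", pos)          # a ')' inside a value is escaped as \29
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr, _unescape(value)), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry; values compare case-insensitively."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def ldap_lookup(table, address, directory=DIRECTORY):
    """Resolve one address the way a Postfix ldap: table would: returns the
    list of rewritten results (an empty list means 'no such user')."""
    query = table["query_filter"].replace("%s", ldap_escape(address))
    node, _ = parse_filter(query)
    result_filter = table.get("result_filter", "%s")
    return [result_filter.replace("%s", v)
            for entry in directory if matches(node, entry)
            for v in entry.get(table["result_attribute"], [])]


if __name__ == "__main__":
    for table_name, table in (("old canonical", OLD_RECIPIENT_CANONICAL),
                              ("virtual alias", NEW_VIRTUAL_ALIAS)):
        for addr in ("user@domain.com", "user@domain.org", "other@domain.com"):
            print("%-14s %-18s -> %s" % (table_name, addr, ldap_lookup(table, addr)))
```

Running it shows `user@domain.org` resolving only through the virtual-alias table, and `other@domain.com` resolving through neither because the entry carries `enableMail: S` while both filters ask for `enableMail=Y`; that is worth checking against the LDIF on the page before blaming Cyrus. The `ldap_escape` step mirrors the escaping Postfix applies to `%s`, which is what keeps a crafted recipient address from rewriting the filter.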

> -----Original Message-----
> From: info-cyrus-bounces at lists.andrew.cmu.edu [mailto:info-cyrus-
> bounces at lists.andrew.cmu.edu] On Behalf Of Jose Morelli Neto
> 
> 2007/1/8, Guus Leeuw jr. <Guus.Leeuw at guusleeuwit.com>:
> >
> > Hello,
> 
> Hi Guus!
> 
> >
> > First of all a couple of questions:
> >
> > 1)       Are you planning to manage multiple domains' mail, or just the
> domain.com mail?
> 
> Yes, I need to manage two more domains, like lists.domain.com and
> domain.org.
> 
> >
> > 2)       Can you post the contents of the canonical.cf file that postfix
> uses for canonical mapping?
> 
> I needed to modify the canonical configuration, because I wasn't able to
> send mail. Now it is like this:
> main.cf --------
> recipient_canonical_maps =
> proxy:ldap:/etc/postfix/ldap/recipient_canonical.cf
> sender_canonical_maps = proxy:ldap:/etc/postfix/ldap/sender_canonical.cf
> main.cf --------
> 
> recipient_canonical.cf ----------
> server_host = ldap://ldap.domain.com:389
> bind = yes
> bind_dn = cn=admin,dc=domain,dc=com
> bind_pw = password
> 
> search_base = ou=users,dc=domain,dc=com
> query_filter = (&(mail=%s)(objectClass=CourierMailAccount)(enableMail=Y))
> result_attribute = uid
> result_filter = %s at domain.com
> recipient_canonical.cf ----------
> 
> sender_canonical.cf --------
> server_host = ldap://ldap.domain.com:389
> bind = yes
> bind_dn = cn=admin,dc=domain,dc=com
> bind_pw = password
> 
> search_base = ou=users,dc=domain,dc=com
> query_filter = (&(uid=%s)(objectClass=CourierMailAccount)(enableMail=Y))
> result_attribute = mail
> sender_canonical.cf --------
> 
> As you can see in the file recipient_canonical.cf, the result_filter has
> @domain.com fixed. This way, it wouldn't work with virtual domains;
> I'll need to add an attribute with code+domain like 12345 at domain.com.
> 
> >
> > 3)       Why would you want SASL to talk to PAM for PAM to talk to LDAP?
> Why not do the whole thing in 1 go?
> 
> 
> Yes, the reason is that this server directly affects the
> authentication of ssh in LDAP. I tried authenticating SASL directly in
> LDAP, with this saslauthd configuration:
> ldap_servers: ldap://ldap.domain.com/
> ldap_version: 3
> ldap_search_base: ou=users,dc=domain,dc=com
> ldap_filter: uid=%u
> ldap_auth_method: bind
> 
> 
> It works normally.
> 
> >
> > I believe you told imapd to use the PLAIN mechanism. AFAIK PLAIN is not
> > equal to PAM in terms of mechanism. OK, PAM method, I could understand,
> > but then again, that raises question 3.
> 
> Yes, I understand that using saslauthd as the method this will authenticate
> on PAM (and this works). I see in the imapd.conf manual that this can
> authenticate (or get an attribute) directly in LDAP, but I didn't find
> any example of this.
> 
> If I can get the UID from LDAP after postfix delivers via LMTP to
> Cyrus, and before Cyrus verifies that the mailbox exists (and
> verifies using the UID), this will work perfectly. The tests with
> canonical worked, but I will need to convert the mail address
> every time, and I will have to modify my LDAP base (~ 150.000
> records). I believe that there is a "correct way" to do this.
> >
> > Can you bind to the LDAP server with the uid 12345? Can you bind to LDAP
> with user.12345 at domain.com?
> 
> Yes with uid 12345, and no with user.12345 at domain.com.
> 
> >
> >
> >
> >
> > Without answers, it would be difficult to help (for me).
> >
> >
> 
> I understand; it's also difficult for me to explain :)
> 
> >
> > Regards,
> >
> > Guus
> >
> 
> Thanks for your interest in this problem!
> 
> Neto.
> 
> 
> >
> > From: info-cyrus-bounces at lists.andrew.cmu.edu [mailto:info-cyrus-
> bounces at lists.andrew.cmu.edu] On Behalf Of Jose Morelli Neto
> >  Sent: 08 January 2007 12:07
> >  To: info-cyrus at lists.andrew.cmu.edu
> >  Subject: Authentication in LDAP with different UID
> >
> >
> >
> >
> > Hello,
> >
> >  I am updating the mail server at my work, and in this process I decided
> to change from Courier-IMAP to Cyrus-IMAP; however, I came across
> a problem without a solution (at least for me). Here, all users
> have a personal ID which is used for authentication in some
> systems (also in mail). For example, a user with the personal ID
> 12345 has the mail user at domain.com.
> >
> >
> >  If I create the mailbox in cyrus with the personal ID (cm user.12345),
> I can connect through imap/pop3 and cyrus gives access to the mailbox
> without problems (using 12345 as the user); however when sending a message to
> this user, postfix delivers via LMTP to cyrus, which does not locate the
> mailbox (with the error: lmtpunix [5514]: verify_user (user.12345)
> failed: Mailbox does not exist). Then if I create the mailbox with the
> user's mail (cm user.user at domain.com), the message is delivered without
> problems from postfix to cyrus (which finds the mailbox), however I can't
> access the mailbox via IMAP/POP using the personal code (12345) as login,
> only the email (user at domain.com).
> >
> >  The authentication of cyrus is done by SASL using the PAM mechanism
> (which validates through LDAP).
> >
> >
> >  Here are some configurations to facilitate the understanding:
> >  /etc/imapd.conf --------------------------------------
> >  configdirectory: /var/lib/imap
> >  partition-default: /var/spool/imap
> >  admins: cyrus
> >  sievedir: /var/lib/imap/sieve
> >  sendmail: /usr/sbin/sendmail
> >  hashimapspool: true
> >  sasl_pwcheck_method: saslauthd
> >  sasl_mech_list: PLAIN
> >  tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
> >  tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
> >  tls_ca_file: /usr/share/ssl/certs/ca- bundle.crt
> >  virtdomains: userid
> >  defaultdomain: domain.com
> >  /etc/imapd.conf --------------------------------------
> >
> >  /etc/postfix/main.cf --------------------------------
> >  virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp
> >  canonical_maps = proxy:ldap:/etc/postfix/ldap/canonical.cf
> >  /etc/postfix/main.cf --------------------------------
> >
> >  usuário.ldif -------------------------
> >  dn: uid=12345,ou=users,dc=domain,dc=com
> >  uid: 12345
> >  cn: Test User
> >  sn: test
> >  loginShell: /bin/false
> >  uidNumber: 90001
> >  mail: user at domain.com
> >  quota: 20971520
> >  gidNumber: 513
> >  homeDirectory: /home/user
> >  mailbox: /home/user/Maildir/
> >  mailHost: siaimail10.domain.com
> >  description: description
> >  enableMail: S
> >  objectClass: top
> >  objectClass: person
> >  objectClass: posixAccount
> >  objectClass: shadowAccount
> >  objectClass: CourierMailAccount
> >  objectClass: inetLocalMailRecipient
> >  usuário.ldif -------------------------
> >
> >
> >   I tried, through postfix, to modify/create/use some macro (those used in
> master.cf: ${user} ${extension}) so that it passed the personal ID to cyrus
> (in place of the address), but I did not have success.
> >
> >   I tried SASL authentication in LDAP using the UID, but it did not
> work out well, because cyrus uses the login itself to locate the mailbox,
> and so I can't deliver the message via lmtp (because the mailbox was named
> after the user).
> >
> >
> >   The closest thing I found to what is needed was a patch for Kolab
> that allows (theoretically, I did not test it) looking up the
> virtual domains through ldap.
> >
> >  I used canonical_maps in postfix querying ldap for the mail (
> user at domain.com) and returning the email (12345 at dominio.com), but for virtual
> domains I would have to add a new attribute in LDAP with the personal ID +
> the domain.
> >
> >   Does someone have experience with this integration who can help me?
> >
> >
> >   Thanks for your attention.
> >  Neto.
> >
> >
> >  --
> >  José Morelli Neto
> >  http://josemorelli.net
> >
> >
> 
> 
> 
> --
> José Morelli Neto
> http://josemorelli.net
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
> 
> 
> 
