R: Writeup on Cyrus authentication config

Toschi Pietro Pietro.Toschi at actalis.it
Mon Jun 11 13:37:07 EDT 2007

Hi Dmitriy and Hi list members,

Cyrus authentication and authorization is a matter of great confusion to me too. I previously asked this list about that topic (see "groups, members, LDAP and ptloader" thread) and had some interesting replies but I feel I'm still missing much knowledge.
For the first time, I contributed to those topics by editing the Cyrus wiki and adding (my personal) knowledge about authentication with a very small example of a saslauthd+LDAP configuration section, taken from my (perfectly) working configuration.

New questions that arise now are:
1) many authentication and authorization options may appear (apparently) in both saslauthd.conf and imapd.conf. What exactly are those options and where should they best be listed?
2) what are the differences between ldap_member_* and ldap_group_* options?
3) what does "ptloader" mean? What does "pt" stand for? (just curiosity, not really important)

I would like to add a more complete list of configuration options to that wiki, along with a comprehensive and exhaustive explanation of each of them, but I need to make them clear to myself first.

Additional questions that are more specific to the examples below are specified just after your examples...

> -----Original message-----
> From: info-cyrus-bounces at lists.andrew.cmu.edu
> [mailto:info-cyrus-bounces at lists.andrew.cmu.edu] On behalf of Dmitriy
> Kirhlarov
> Sent: Friday, 8 June 2007 19:04
> To: info-cyrus at lists.andrew.cmu.edu
> Subject: Re: Writeup on Cyrus authentication config
> Hi, list
> Torsten Schlabach wrote:
> > 
> http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/CyrusAuthentication
> > 
> > and comment or correct.
> > 
> > I am especially keen on that last section when it comes to LDAP.
> > 
> > A lot of what I have written is a bit based on guesswork and conclusion
> > and it would be nice if someone could confirm or deny.
> I'm using only saslauthd authentication. This part looks fine.
> With saslauthd it is also possible to build authorization
> saslauthd.conf:
> ...
> ldap_group_attr: uniqueMember
> ldap_group_dn: cn=imap,ou=mail,o=domain
> ldap_group_match_method: attr
> ...
Please confirm whether I correctly understand the above example: with that configuration you are telling saslauthd that:
1) the list of groups a user is a member of is listed in a (possibly multivalue?) attribute (ldap_group_match_method: attr) in each user entry
2) the name of that attribute is "uniqueMember" (ldap_group_attr: uniqueMember)
3) it must bind to LDAP as "cn=imap,ou=mail,o=domain" in order to search that attribute, similarly to how ldap_bind_dn must be used in order to verify the user password

Other related questions are:
4) is there an equivalent ldap_group_password option used to specify the password saslauthd should use to bind to LDAP, or does it fall back to ldap_password?
5) you did not specify how saslauthd should filter the user entry in order to find the "uniqueMember" attribute; maybe it uses the ldap_filter option as for user authentication?
6) are those options enough for user authorization and for using group-based ACLs in Cyrus, or do you also NEED the options below?

> I'm not sure about the topic, but Cyrus group ACLs can also be created
> with LDAP-based groups
> imapd.conf:
> ...
> ldap_group_base: ou=cyrus,ou=mail,o=domain
> ldap_group_filter: (cn=%U)
> ldap_group_scope: one
> ldap_member_attribute: cn
> ldap_member_base: ou=cyrus,ou=mail,o=domain
> ldap_member_filter: (uniqueMember=%D)
> ldap_member_method: filter
> ...
I think you are missing two important configs:
- auth_mech:	pts
- pts_module:	ldap
Is that right?
I really can't figure out how to explain your example. I'll try...
1) You are saying that, in order to find what groups a user is a member of, Cyrus (or saslauthd?) should search your LDAP under "ou=cyrus,ou=mail,o=domain" (specified in ldap_group_base) for user entries matching the "(cn=%U)" filter. But you are missing (among much other required information, in my understanding) a specification of what attribute contains the list of groups (or is it taken from saslauthd.conf above along with other configs?)
2) Additionally, you are saying that:
2a) in order to find the list of users that are members of a specified group, Cyrus (or saslauthd?) should search your LDAP under "ou=cyrus,ou=mail,o=domain" specified in the "ldap_member_base" config?
2b) that Cyrus (or saslauthd?) must use a filter for selecting user entries matching "(uniqueMember=%D)", and that the user name is specified in the "cn" attribute of any user entry returned by the LDAP server (possibly a very big number!)?

> cyradm:
> lam shared/design
> group:boss lrswipktecd
> group:info lrswipktecd
> anyone p
> But a user can be a member of only one group! If it's not true, ptloader
> can't authenticate the user (yes, the user can't bind to the server), with a strange
> diagnostic.
> WBR.
> Dmitriy
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
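
An added illustration, not part of the original message and not Cyrus code: it models, over an in-memory directory, the two lookups that the quoted options configure, following the option descriptions in Cyrus SASL's LDAP_SASLAUTHD document and the imapd.conf man page. The directory entries, user DNs and function names are constructed for the example; only the option names and values come from the thread.

```python
import re

# Constructed sample directory (assumption: users live under ou=people,o=domain).
DIRECTORY = [
    {"dn": "cn=boss,ou=cyrus,ou=mail,o=domain", "cn": ["boss"],
     "uniqueMember": ["uid=alice,ou=people,o=domain"]},
    {"dn": "cn=info,ou=cyrus,ou=mail,o=domain", "cn": ["info"],
     "uniqueMember": ["uid=bob,ou=people,o=domain"]},
    {"dn": "cn=imap,ou=mail,o=domain", "cn": ["imap"],
     "uniqueMember": ["uid=bob,ou=people,o=domain"]},
]

SASLAUTHD_CONF = {"ldap_group_attr": "uniqueMember",
                  "ldap_group_dn": "cn=imap,ou=mail,o=domain",
                  "ldap_group_match_method": "attr"}
IMAPD_CONF = {"ldap_member_attribute": "cn",
              "ldap_member_base": "ou=cyrus,ou=mail,o=domain",
              "ldap_member_filter": "(uniqueMember=%D)",
              "ldap_member_method": "filter"}

def expand(template, user, user_dn):
    """Substitute the %U (user name) and %D (user DN) tokens."""
    return template.replace("%U", user).replace("%D", user_dn)

def search(base, flt):
    """Subtree search supporting one simple (attr=value) equality filter."""
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", flt).groups()
    return [e for e in DIRECTORY
            if e["dn"].lower().endswith("," + base.lower())
            and value.lower() in (v.lower() for v in e.get(attr, []))]

def ptloader_groups(user, user_dn, conf=IMAPD_CONF):
    """ldap_member_method: filter. Find group entries under ldap_member_base
    that match ldap_member_filter; name each group by ldap_member_attribute."""
    hits = search(conf["ldap_member_base"],
                  expand(conf["ldap_member_filter"], user, user_dn))
    return sorted("group:" + v for e in hits
                  for v in e[conf["ldap_member_attribute"]])

def saslauthd_group_ok(user_dn, conf=SASLAUTHD_CONF):
    """ldap_group_match_method: attr. Compare the user's DN against
    ldap_group_attr of the single entry named by ldap_group_dn."""
    group = next((e for e in DIRECTORY if e["dn"] == conf["ldap_group_dn"]), None)
    return group is not None and user_dn in group.get(conf["ldap_group_attr"], [])

if __name__ == "__main__":
    for uid in ("alice", "bob"):
        dn = f"uid={uid},ou=people,o=domain"
        print(uid, saslauthd_group_ok(dn), ptloader_groups(uid, dn))
```

In this model the saslauthd options act as a login gate on one group entry, while the imapd.conf options produce the `group:` identifiers that ACLs such as `group:boss lrswipktecd` are matched against.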
