groups, members, LDAP and ptloader

Luca Olivetti luca at
Thu May 31 03:19:08 EDT 2007

Warren Turkal wrote:
> On Wednesday 30 May 2007 14:30, Milen Dimov wrote:
>> We successfully run cyrus 2.2.12 and 2.3.8 both with LDAP users
>> authentication and authorization utilizing respectively saslauthd and
>> ptloader with LDAP support.
> I was under the impression that you could avoid saslauthd for authentication. 
> Is this impression true?

Yes you can, but then you need to store passwords in plain text, and be 
prepared for a rough series of trial & error sessions, trying to 
decipher obsolete and/or incomplete ldap documentation and its esoteric 
interactions with sasl and cyrus ;-) :

sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi
sasl_ldapdb_mech: EXTERNAL

(accessing ldap through a unix socket avoids the need to store a 
password in imapd.conf, that's what the sasl_ldapdb_mech: EXTERNAL 
does). For this to work I have this in my slapd.conf (uid 106 is cyrus):

sasl-regexp "gidNumber=(.*)\\+uidNumber=106,cn=peercred,cn=external,cn=auth"

sasl-regexp "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"

sasl-regexp "uid=(.*),cn=external,cn=auth"

sasl-authz-policy to

then I have one record in ldap for cyrus (under a different ou, so that 
it won't mix with normal users for authentication)

dn: uid=cyrus,ou=System,dc=ventoso,dc=org
uid: cyrus
objectClass: person
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
authzTo: ldap://ou=People,dc=ventoso,dc=org??sub?(objectclass=person)

Don't ask me what all of this means, I don't remember (and I doubt that 
the folks that designed the system do ;-)
And remember: passwords have to be stored in plain text for this to work.

Luca Olivetti
Wetron Automatización S.A.
Tel. +34 93 5883004      Fax +34 93 5883007
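The two halves of the setup above (slapd rewriting the peer-credential identity of the ldapi socket into a directory DN with sasl-regexp, then the authzTo URL on the cyrus entry limiting which users cyrus may proxy-authorize as under "sasl-authz-policy to") are easier to reason about when you can run the policy offline. The following Python is an added illustration, not code from the post or from OpenLDAP/Cyrus: it models sasl-regexp as a first-match, case-insensitive whole-name rewrite with $1..$9 substitution, parses the authzTo LDAP URL, and evaluates scope and a single equality filter against a small in-memory directory. The match patterns and the authzTo URL are the ones from the post; the replacement DNs of the sasl-regexp rules, the directory manager DN and every entry other than uid=cyrus are assumptions constructed for the demo.

```python
import re
from typing import Dict, List, Optional, Tuple

# --- 1. sasl-regexp: map SASL/EXTERNAL identities to directory DNs ----------
# Match patterns are the ones from the post; slapd.conf shows "+" as "\\+"
# because slapd.conf unescapes backslashes, so as Python regexes they read "\+".
# The replacement DNs are ASSUMED: the post does not show that column.
SASL_REGEXP_RULES: List[Tuple[str, str]] = [
    # cyrus daemon (uid 106, any gid) connecting over the ldapi unix socket
    (r"gidNumber=(.*)\+uidNumber=106,cn=peercred,cn=external,cn=auth",
     "uid=cyrus,ou=System,dc=ventoso,dc=org"),
    # root over the socket (assumed to map to the directory manager)
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
     "cn=Manager,dc=ventoso,dc=org"),
    # a SASL/EXTERNAL identity carrying a uid (assumed to live under ou=People)
    (r"uid=(.*),cn=external,cn=auth",
     "uid=$1,ou=People,dc=ventoso,dc=org"),
]


def sasl_regexp(authc_id: str) -> Optional[str]:
    """First matching rule wins; the pattern must cover the whole SASL-derived
    name (case-insensitively) and $N in the replacement takes capture group N.
    Returns None when no rule matches, i.e. the identity stays unmapped."""
    for pattern, replacement in SASL_REGEXP_RULES:
        m = re.fullmatch(pattern, authc_id, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


# --- 2. authzTo: which targets may the mapped identity act as? --------------
# Constructed directory for the demo; only the uid=cyrus entry comes from the post.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=cyrus,ou=System,dc=ventoso,dc=org": {
        "objectClass": ["person", "posixAccount", "top", "shadowAccount"],
        "authzTo": ["ldap://ou=People,dc=ventoso,dc=org??sub?(objectclass=person)"],
    },
    "uid=milen,ou=People,dc=ventoso,dc=org": {"objectClass": ["person", "posixAccount"]},
    "cn=staff,ou=People,dc=ventoso,dc=org": {"objectClass": ["groupOfNames"]},
    "cn=replicator,ou=System,dc=ventoso,dc=org": {"objectClass": ["person"]},
    "cn=Manager,dc=ventoso,dc=org": {"objectClass": ["organizationalRole"]},
}


def norm_dn(dn: str) -> str:
    """Cheap DN normalisation: lower-case and strip blanks around commas."""
    return ",".join(rdn.strip() for rdn in dn.lower().split(","))


def lookup(dn: str) -> Optional[Dict[str, List[str]]]:
    for key, entry in DIRECTORY.items():
        if norm_dn(key) == norm_dn(dn):
            return entry
    return None


def parse_ldap_url(url: str) -> Dict[str, str]:
    """Split an authzTo URL into base, attrs, scope and filter. Accepts both the
    host-less ldap://<dn>?... form used in the post and ldap:///<dn>?..."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL: " + url)
    rest = url[len("ldap://"):]
    if rest.startswith("/"):
        rest = rest[1:]
    parts = rest.split("?") + [""] * 4
    base, attrs, scope, filt = parts[:4]
    return {"base": base, "attrs": attrs, "scope": scope.lower() or "base", "filter": filt}


def in_scope(target_dn: str, base_dn: str, scope: str) -> bool:
    t, b = norm_dn(target_dn), norm_dn(base_dn)
    if scope == "base":
        return t == b
    if scope in ("one", "onelevel"):
        return t.endswith("," + b) and "," not in t[: -len(b) - 1]
    if scope in ("sub", "subtree"):
        return t == b or t.endswith("," + b)
    raise ValueError("unknown scope: " + scope)


def matches_filter(entry: Dict[str, List[str]], filt: str) -> bool:
    """Minimal evaluator: only the single equality filter the post uses,
    e.g. (objectclass=person); anything richer is rejected, not guessed."""
    if not filt:
        return True
    m = re.fullmatch(r"\((\w+)=([^()*]+)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, value = m.group(1).lower(), m.group(2).lower()
    return value in [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]


def may_proxy_authorize(authc_id: str, target_dn: str) -> bool:
    """'sasl-authz-policy to': the SOURCE entry's authzTo values decide.
    Map the SASL identity, then accept if any authzTo URL covers the target."""
    authc_dn = sasl_regexp(authc_id)
    source = lookup(authc_dn) if authc_dn else None
    target = lookup(target_dn)
    if source is None or target is None:
        return False
    for url in source.get("authzTo", []):
        u = parse_ldap_url(url)
        if in_scope(target_dn, u["base"], u["scope"]) and matches_filter(target, u["filter"]):
            return True
    return False


if __name__ == "__main__":
    cyrus = "gidNumber=106+uidNumber=106,cn=peercred,cn=external,cn=auth"
    print(sasl_regexp(cyrus))
    for dn in DIRECTORY:
        print(dn, "->", may_proxy_authorize(cyrus, dn))
```

Running it shows why the ou=System placement in the post matters: cyrus may become uid=milen under ou=People, but not cn=replicator under ou=System even though it is a person, and not cn=staff under ou=People because the filter requires objectclass=person. A target that does not exist, or an identity no rule rewrites, is simply refused.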

More information about the Info-cyrus mailing list