groups, members, LDAP and ptloader
Luca Olivetti
luca at wetron.es
Thu May 31 03:19:08 EDT 2007
Warren Turkal wrote:
> On Wednesday 30 May 2007 14:30, Milen Dimov wrote:
>> We successfully run cyrus 2.2.12 and 2.3.8 both with LDAP users
>> authentication and authorization utilizing respectively saslauthd and
>> ptloader with LDAP support.
>
> I was under the impression that you could avoid saslauthd for authentication.
> Is this impression true?
Yes you can, but then you need to store passwords in plain text, and be
prepared for a rough series of trial & error sessions, trying to
decipher obsolete and/or incomplete ldap documentation and its esoteric
interactions with sasl and cyrus ;-) :
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi
sasl_ldapdb_mech: EXTERNAL
(accessing ldap through a unix socket avoids the need to store a
password in imapd.conf, that's what the sasl_ldapdb_mech: EXTERNAL
does). For this to work I have this in my slapd.conf (uid 106 is cyrus):
sasl-regexp "gidNumber=(.*)\\+uidNumber=106,cn=peercred,cn=external,cn=auth"
"uid=cyrus,ou=System,dc=ventoso,dc=org"
sasl-regexp "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=admin,dc=ventoso,dc=org"
sasl-regexp "uid=(.*),cn=external,cn=auth"
"ldap:///dc=ventoso,dc=org??sub?(uid=$1)"
sasl-authz-policy to
then I have one record in ldap for cyrus (under a different ou, so that
it won't mix with normal users for authentication)
dn: uid=cyrus,ou=System,dc=ventoso,dc=org
uid: cyrus
objectClass: person
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
[....]
authzTo: ldap://ou=People,dc=ventoso,dc=org??sub?(objectclass=person)
Don't ask me what all of this means, I don't remember (and I doubt that
the folks that designed the system do ;-)
And remember: passwords have to be stored in plain text for this to work.
Bye
--
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004 Fax +34 93 5883007
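The identity rewriting that the sasl-regexp lines and the authzTo attribute above perform is easy to get wrong and hard to see from the config alone. The script below is an added illustration, not code from the post or from OpenLDAP/Cyrus: it replays the three sasl-regexp rules quoted in the message against the peercred identity slapd derives from an ldapi:// EXTERNAL bind, and then checks the "sasl-authz-policy to" rule against the authzTo URL of the cyrus entry. Assumptions (not stated in the post): patterns match the whole identity, $1..$9 in a replacement are expanded from the captured groups, an identity matching no rule stays unmapped, the authzTo URL carries its base DN directly after "ldap://", and only a single equality filter is evaluated.

```python
import re

# Constructed copy of the three sasl-regexp rules quoted in the post. slapd.conf
# unescapes "\\+" to "\+", so each pattern matches a literal '+' in the identity.
SASL_REGEXP_RULES = [
    (r"gidNumber=(.*)\+uidNumber=106,cn=peercred,cn=external,cn=auth",
     "uid=cyrus,ou=System,dc=ventoso,dc=org"),
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
     "cn=admin,dc=ventoso,dc=org"),
    (r"uid=(.*),cn=external,cn=auth",
     "ldap:///dc=ventoso,dc=org??sub?(uid=$1)"),
]

# The authzTo value from the cyrus entry in the post.
CYRUS_AUTHZ_TO = "ldap://ou=People,dc=ventoso,dc=org??sub?(objectclass=person)"


def peercred_identity(uid, gid):
    """SASL identity slapd derives for an EXTERNAL bind over an ldapi:// socket,
    taken from the peer's unix credentials (form assumed from the post's rules)."""
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"


def map_identity(identity, rules=SASL_REGEXP_RULES):
    """Apply the sasl-regexp rules in order and return the first rewrite.
    Assumptions: the pattern must match the whole identity, $1..$9 in the
    replacement are expanded from the captured groups, and an identity that
    matches no rule stays unmapped (returned as None)."""
    for pattern, template in rules:
        m = re.fullmatch(pattern, identity)
        if m is None:
            continue
        result = template
        for i, group in enumerate(m.groups(), start=1):
            result = result.replace(f"${i}", group)
        return result
    return None


def parse_ldap_url(url):
    """Minimal reader for the 'ldap://base?attrs?scope?filter' shape used in the
    post (RFC 4516 field order). Assumption: the part after '://' is the base DN,
    with or without a leading '/', i.e. no host component is present."""
    rest = url.split("://", 1)[1].lstrip("/")
    fields = rest.split("?")
    base = fields[0]
    scope = fields[2] if len(fields) > 2 and fields[2] else "base"
    ldap_filter = fields[3] if len(fields) > 3 and fields[3] else "(objectclass=*)"
    return base, scope, ldap_filter


def authz_allows(authz_to_url, target_dn, target_entry):
    """Decide whether a 'sasl-authz-policy to' rule lets the bound identity act as
    target_dn. Simplifications (assumed): only scope 'sub'/'base' and a single
    equality filter '(attr=value)' are handled; attribute names and values are
    compared case-insensitively, as LDAP does for objectClass."""
    base, scope, ldap_filter = parse_ldap_url(authz_to_url)
    dn, base = target_dn.lower(), base.lower()
    if scope == "base":
        in_scope = dn == base
    else:  # "sub": the target is the base itself or sits anywhere beneath it
        in_scope = dn == base or dn.endswith("," + base)
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter)
    if m is None:
        return False
    attr, wanted = m.group(1).lower(), m.group(2).lower()
    values = [v.lower() for k, v_list in target_entry.items()
              if k.lower() == attr for v in v_list]
    return in_scope and (bool(values) if wanted == "*" else wanted in values)


if __name__ == "__main__":
    # Constructed entry for an ordinary mailbox owner under ou=People.
    alice = {"uid": ["alice"], "objectClass": ["person", "posixAccount"]}
    for uid, gid in ((106, 106), (0, 0), (1000, 1000)):
        ident = peercred_identity(uid, gid)
        print(ident, "->", map_identity(ident))
    print("cyrus may proxy as alice:",
          authz_allows(CYRUS_AUTHZ_TO, "uid=alice,ou=People,dc=ventoso,dc=org", alice))
    print("cyrus may proxy as admin:",
          authz_allows(CYRUS_AUTHZ_TO, "cn=admin,dc=ventoso,dc=org",
                       {"objectClass": ["person"]}))
```

Running it shows the property the post relies on: only the process running as uid 106 lands on the cyrus DN, uid 0 lands on the admin DN, any other local uid stays unmapped, and the cyrus identity may only proxy as entries under ou=People that are persons, so cn=admin is out of reach even though it is a person. On a live server the same mapping can be confirmed with `ldapwhoami -Y EXTERNAL -H ldapi:///`, run as the user in question, which prints the DN slapd actually chose.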