OpenLDAP search base/cyrus admin dn/DIT layout.

Lauro Costa G. Borges lauro at npd.ufsc.br
Mon Nov 26 05:49:00 EST 2007
  Hi,

  I'm using Cyrus with saslauthd/OpenLDAP.
  This is how my DIT is now (test environment):

   [root]
   .ou=people
   ..<several user entries>
   ..cyrus admin dn
   ..ou=moodle
   ...ou=moodleinstall01
   ...<copy of some of the entries of "ou=people" with some modifications>

   I'm using one cyrus admin dn, since I'm using only one imap server at the moment. When I have more cyrus servers using this ldap, each one will have its own cyrus admin dn.

   /etc/saslauthd.conf:

  LDAP_BIND_DN: uid=cyrus,ou=people,dc=xx,dc=xx,dc=xx,dc=xx
  LDAP_SEARCH_BASE: ou=people,dc=xx,dc=xx,dc=xx,dc=xx
  LDAP_FILTER: uid=%u

    I would like to have an OU for the directory administrative tasks, and have the DNs related to Cyrus there. That does not seem to be possible; I can't get it to work:

  1) If I set the search base for the directory root, so I can put the cyrus admin DN on one OU and the user entries on another like:

   [root]
   .ou=adm
   ..cyrus admin dn
   .ou=people
   ..<several user entries used by cyrus/saslauthd>
   ..ou=moodle
   ...ou=moodleinstall01
   ...<copy of some of the entries of "ou=people" with some modifications>
  LDAP_BIND_DN: uid=cyrus,ou=adm,dc=xx,dc=xx,dc=xx,dc=xx
  LDAP_SEARCH_BASE: dc=xx,dc=xx,dc=xx,dc=xx
  LDAP_FILTER: uid=%u

  the cyrus admin dn bind succeeds but saslauthd complains about having two DNs matching the UID attribute (remember I have copies of the user entries for the moodle service, since each moodle installation has/can see -only- the users using that moodle install; otherwise moodle adds -all- users it sees, which I don't want: on ou=people there will be more than 50k users, and each moodle has about 500 users) and because of the duplicated match the bind for the user connecting to the imap server fails.

  2) If I set the search base for OU=people, and the cyrus admin DN is on some other place, say the root of the DIT, or some OU other than OU=people, the initial cyrus admin bind fails. I believe it's because of the search base being a place from where you cannot see the OU=adm subtree.

  What am I missing?

  thanks,

  Lauro
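
To make the duplicate-match failure in case 1 concrete, here is an added example (not from the original post, nor code from Cyrus or saslauthd) that models how a `uid=%u` search resolves against a small constructed copy of the layout above, under a given search base and scope. It assumes the placeholder suffix `dc=xx,dc=xx,dc=xx,dc=xx` from the post, invented user names `alice`/`bob`, and that the moodle copy keeps the same `uid` as the original entry; `ambiguous_uids` is the audit an admin can run before widening the search base.

```python
# Added example (not from the original post): models how a saslauthd-style
# "uid=%u" search resolves against a DIT laid out like the one in the message.
# The DN suffix dc=xx,dc=xx,dc=xx,dc=xx is the placeholder used in the post.

SUFFIX = "dc=xx,dc=xx,dc=xx,dc=xx"

# Constructed sample DIT: the admin entry in ou=adm, users in ou=people,
# and a per-moodle copy of one user (same uid) under ou=moodle.
DIT = {
    f"uid=cyrus,ou=adm,{SUFFIX}": {"uid": "cyrus"},
    f"uid=alice,ou=people,{SUFFIX}": {"uid": "alice"},
    f"uid=bob,ou=people,{SUFFIX}": {"uid": "bob"},
    f"uid=alice,ou=moodleinstall01,ou=moodle,ou=people,{SUFFIX}": {"uid": "alice"},
}


def rdns(dn):
    """Split a DN into normalized RDNs (lower-cased, whitespace stripped)."""
    return tuple(part.strip().lower() for part in dn.split(","))


def in_scope(entry_dn, base, scope):
    """True if entry_dn lies within base for LDAP scope 'base', 'one' or 'sub'."""
    entry, base_rdns = rdns(entry_dn), rdns(base)
    if len(entry) < len(base_rdns) or entry[-len(base_rdns):] != base_rdns:
        return False
    depth = len(entry) - len(base_rdns)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def search_uid(username, base, scope="sub"):
    """DNs whose uid equals username within base/scope (filter uid=%u)."""
    return sorted(dn for dn, attrs in DIT.items()
                  if in_scope(dn, base, scope) and attrs["uid"] == username)


def resolve(username, base, scope="sub"):
    """Mimic the authenticator: exactly one match is required to proceed."""
    hits = search_uid(username, base, scope)
    return hits[0] if len(hits) == 1 else None  # zero or ambiguous: fail


def ambiguous_uids(base, scope="sub"):
    """Audit: uid values that would match more than once under base/scope."""
    counts = {}
    for dn, attrs in DIT.items():
        if in_scope(dn, base, scope):
            counts[attrs["uid"]] = counts.get(attrs["uid"], 0) + 1
    return sorted(uid for uid, n in counts.items() if n > 1)
```

With the base at the directory root (or anywhere above `ou=moodle`) and subtree scope, `alice` resolves to two DNs and authentication cannot proceed; a one-level scope on `ou=people` excludes the moodle copies in this sample.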
