sasl canon_user
Dan White
dwhite at olp.net
Sat Aug 9 17:08:30 EDT 2008
Ashay Chitnis wrote:
> Hi all,
>
> I am having cyrus-imapd and cyrus-sasl running on the Mail Server with
> saslauthd passing the authentication to ldap server. This is working fine.
>
> I have to integrate it with my AD server. The problem is my ldap
> server uses the uid as "abc at xyz.com" to
> authenticate. But the AD server takes the user name as "abc". Is
> there any way i can use mapping in saslauthd so that abc at xyz.com
> is taken by imapd but ONLY for authentication
> abc at xyz.com is mapped to abc?
>
> On net i saw there is a canon_user plugin in cyrus sasl, anyone has
> idea how to use it to achieve the above objective?
Ashay,
You may be able to accomplish this by specifying a defaultdomain of
xyz.com, assuming that you have 'virtdomains: userid' set.
If not, there is an ldapdb canon_user plugin in CVS (sasl).
Documentation is included in the doc/options.html file.
It requires that your ldap server support authc/authz (proxy)
authentication and the 'whoami' extended operation. It works
independently of your authentication configuration, so you should not
have to use the ldapdb auxprop plugin (but you may want to).
My imapd.conf looks like:
sasl_ldapdb_uri: ldap://ldap.example.net
sasl_ldapdb_mech: GSSAPI
sasl_ldapdb_canon_attr: uid
imap_sasl_canon_user_plugin: ldapdb
pop3_sasl_canon_user_plugin: ldapdb
The ldapdb canon_user plugin works by authenticating as a user with
escalated permissions (in my case a GSSAPI user) and using the submitted
username 'abc' as the authorization identity. It will search for the
attribute you specified in 'ldapdb_canon_attr' within the user's (abc's)
entry, and return it as the canonicalized username. imapd will use the
canonicalized username (abc at xyz.com) when searching for the user's mailbox.
- Dan
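A preflight script for the three server-side requirements Dan lists (proxy authorization, the whoami extended operation, and a usable canon attribute), added here as an example and not part of the list post or of the plugin. It assumes OpenLDAP client tools, a valid GSSAPI ticket for the privileged identity, and the ldap.example.net URI and uid attribute from the imapd.conf above as placeholders.

```shell
#!/bin/sh
# Preflight for the ldapdb canon_user plugin (added example; not from the list post).
# The plugin needs three things from the LDAP server, checked here in order:
#  1. it advertises the "Who am I?" extended operation (RFC 4532, OID below);
#  2. the privileged identity may proxy-authorize as a plain username, and the
#     server maps that u:<name> authzid to the user's real entry;
#  3. that entry carries exactly one value of the canon attribute.
# Assumes OpenLDAP client tools and a valid GSSAPI ticket for the privileged user;
# LDAP_URI and CANON_ATTR default to the values in the imapd.conf shown above.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.net}"
CANON_ATTR="${CANON_ATTR:-uid}"
WHOAMI_OID=1.3.6.1.4.1.4203.1.11.3

# Read a rootDSE search result on stdin; succeed if the whoami OID is advertised.
has_whoami_ext() {
  grep -qxF "supportedExtension: $WHOAMI_OID"
}

# A whoami answer of the form dn:<DN> means the authzid was mapped to an entry;
# anything else (for example u:abc) means it was not, so fail.
dn_from_whoami() {
  case "$1" in
    dn:*) printf '%s\n' "${1#dn:}" ;;
    *)    return 1 ;;
  esac
}

# Count values of the canon attribute in an LDIF entry read from stdin.
count_canon_values() {
  grep -c "^$CANON_ATTR: " || true   # grep -c exits 1 when the count is 0
}

# preflight <username>: run the three checks against the live server.
preflight() {
  user="$1"
  ldapsearch -LLL -H "$LDAP_URI" -x -s base -b '' supportedExtension | has_whoami_ext ||
    { echo "server does not advertise the whoami extended operation"; return 1; }
  answer=$(ldapwhoami -H "$LDAP_URI" -Y GSSAPI -Q -X "u:$user") || return 1
  dn=$(dn_from_whoami "$answer") ||
    { echo "authzid u:$user was not mapped to an entry (server said: $answer)"; return 1; }
  n=$(ldapsearch -LLL -H "$LDAP_URI" -Y GSSAPI -Q -s base -b "$dn" "$CANON_ATTR" |
    count_canon_values)
  [ "$n" -eq 1 ] || { echo "$CANON_ATTR has $n values on $dn; need exactly one"; return 1; }
  echo "ok: $user -> $dn"
}

# Usage: preflight abc
```

If the whoami answer comes back as something other than dn:<DN>, the server's SASL authz mapping (authz-regexp or equivalent) is the thing to fix before touching imapd.conf.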