sasl canon_user

Dan White dwhite at olp.net
Sat Aug 9 17:08:30 EDT 2008


Ashay Chitnis wrote:
> Hi all,
>
> I am having cyrus-imapd and cyrus-sasl running on the Mail Server with 
> saslauthd passing the authentication to ldap server. This is working fine.
>
> I have to integrate it with my AD server. The problem is my ldap 
> server uses the uid as "abc@xyz.com" to authenticate. But the AD 
> server takes the user name as "abc". Is there any way I can use 
> mapping in saslauthd so that abc@xyz.com is taken by imapd but ONLY 
> for authentication abc@xyz.com is mapped to abc?
>
> On net i saw there is a canon_user plugin in cyrus sasl, anyone has 
> idea how to use it to achieve the above objective?
Ashay,

You may be able to accomplish this by specifying a defaultdomain of 
xyz.com, assuming that you have 'virtdomains: userid' set.

If not, there is an ldapdb canon_user plugin in CVS (sasl). 
Documentation is included in the doc/options.html file.

It requires that your ldap server support authc/authz (proxy) 
authentication and the 'whoami' extended operation. It works 
independently of your authentication configuration, so you should not 
have to use the ldapdb auxprop plugin (but you may want to).

My imapd.conf looks like:

sasl_ldapdb_uri: ldap://ldap.example.net
sasl_ldapdb_mech: GSSAPI
sasl_ldapdb_canon_attr: uid
imap_sasl_canon_user_plugin: ldapdb
pop3_sasl_canon_user_plugin: ldapdb

The ldapdb canon_user plugin works by authenticating as a user with 
escalated permissions (in my case a GSSAPI user) and using the submitted 
username 'abc' as the authorization identity. It will search for the 
attribute you specified in 'ldapdb_canon_attr' within the user's (abc's) 
entry, and return it as the canonicalized username. imapd will use the 
canonicalized username (abc@xyz.com) when searching for the user's mailbox.

- Dan
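The flow Dan describes, as an added example that is not part of the original thread and not cyrus-sasl's or Cyrus IMAP's own code: an offline Python model of both suggestions (the defaultdomain stripping and the ldapdb canon_user lookup), with a constructed in-memory stand-in for the LDAP server. The directory entries, the proxy identity 'imap-proxy', the mapping of a 'u:<name>' authzid to an entry through sAMAccountName, and the attribute names are assumptions made for the illustration.

```python
"""Offline model of the two canonicalisation paths in Dan's reply.

Added example, not Cyrus or cyrus-sasl code. The directory contents, the
proxy identity 'imap-proxy' and the attribute names are constructed
assumptions used to show the data flow only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


class LdapError(Exception):
    """Stand-in for any LDAP result code other than success."""


# Constructed directory (DN -> attributes). The user's entry carries the
# mail-style name in 'uid' (what imapd should end up with) and the short
# name in 'sAMAccountName' (what AD authenticates with).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=abc@xyz.com,ou=people,dc=xyz,dc=com": {
        "uid": ["abc@xyz.com"], "sAMAccountName": ["abc"]},
    "uid=def@xyz.com,ou=people,dc=xyz,dc=com": {
        "uid": ["def@xyz.com"], "sAMAccountName": ["def"]},
    "cn=imap-proxy,ou=services,dc=xyz,dc=com": {"uid": ["imap-proxy"]},
}

# Identities allowed to act on behalf of others (assumption; on a real
# server this is the proxy authorization policy, not a Python set).
PROXY_ALLOWED = {"cn=imap-proxy,ou=services,dc=xyz,dc=com"}


@dataclass
class Session:
    authc_dn: str  # who proved their identity (the privileged account)
    authz_dn: str  # whose identity the session operates as


class FakeLdap:
    """Minimal server: bind with optional authzid, 'whoami', attribute read."""

    def _find(self, attr: str, value: str) -> Optional[str]:
        for dn, attrs in DIRECTORY.items():
            if value in attrs.get(attr, []):
                return dn
        return None

    def bind(self, authcid: str, authzid: Optional[str] = None) -> Session:
        # Credential checking for authcid is out of scope for the model.
        authc_dn = self._find("uid", authcid)
        if authc_dn is None:
            raise LdapError("invalidCredentials")
        if authzid is None:
            return Session(authc_dn, authc_dn)
        if authc_dn not in PROXY_ALLOWED:
            raise LdapError("insufficientAccessRights: no proxy authorization")
        # A real server maps 'u:<name>' through its authz-regexp; here the
        # mapping is simply sAMAccountName == name (assumption).
        if not authzid.startswith("u:"):
            raise LdapError("invalidCredentials: unsupported authzid form")
        authz_dn = self._find("sAMAccountName", authzid[2:])
        if authz_dn is None:
            raise LdapError("invalidCredentials: authzid maps to no entry")
        return Session(authc_dn, authz_dn)

    def whoami(self, session: Session) -> str:
        return "dn:" + session.authz_dn

    def read(self, dn: str, attr: str) -> List[str]:
        return list(DIRECTORY.get(dn, {}).get(attr, []))


def ldapdb_canon_user(ldap: FakeLdap, submitted: str, canon_attr: str = "uid",
                      proxy_user: str = "imap-proxy") -> str:
    """Authenticate as the privileged identity, authorize as the submitted
    user, ask 'whoami', then read canon_attr from that entry."""
    session = ldap.bind(proxy_user, authzid="u:" + submitted)
    who = ldap.whoami(session)
    if not who.startswith("dn:"):
        raise LdapError("whoami returned an unexpected identity form: " + who)
    values = ldap.read(who[3:], canon_attr)
    if len(values) != 1:
        # Fail closed: never fall back to the name the client typed.
        raise LdapError(f"{canon_attr} must have exactly one value, got {values}")
    return values[0]


def defaultdomain_canon(userid: str, defaultdomain: str) -> str:
    """Dan's first suggestion, modelled: with virtdomains enabled, a userid
    in the default domain is used without its domain part."""
    local, sep, domain = userid.rpartition("@")
    if sep and domain.lower() == defaultdomain.lower():
        return local
    return userid


if __name__ == "__main__":
    server = FakeLdap()
    print(ldapdb_canon_user(server, "abc"))               # abc@xyz.com
    print(defaultdomain_canon("abc@xyz.com", "xyz.com"))  # abc
```

Against a real directory the equivalent pre-flight check is `ldapwhoami -H ldap://ldap.example.net -Y GSSAPI -e authzid=u:abc` run as the plugin's credentials: it must return abc's DN, which proves both that the server permits that identity to proxy-authorize and that it supports the whoami extended operation. The model also refuses to fall back to the submitted name when the authzid does not resolve or canon_attr is absent, so a name that authenticates at AD can never select a mailbox the client chose.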

