sasl canon_user

Dan White dwhite at
Sat Aug 9 17:08:30 EDT 2008

Ashay Chitnis wrote:
> Hi all,
> I am having cyrus-imapd and cyrus-sasl running on the Mail Server with 
> saslauthd passing the authentication to ldap server. This is working fine.
> I have to integrate it with my AD server. The problem is my ldap 
> server uses the uid as "abc at" to 
> authenticate. But the AD server takes the user name as "abc".  Is 
> there any way I can use mapping in saslauthd so that abc at 
> is taken by imapd but ONLY for authentication 
> abc at is mapped to abc?
> On net i saw there is a canon_user plugin in cyrus sasl, anyone has 
> idea how to use it to achieve the above objective?

You may be able to accomplish this by specifying a defaultdomain of, assuming that you have 'virtdomains: userid' set.

If not, there is an ldapdb canon_user plugin in CVS (sasl). 
Documentation is included in the doc/options.html file.

It requires that your ldap server support authc/authz (proxy) 
authentication and the 'whoami' extended operation. It works 
independently of your authentication configuration, so you should not 
have to use the ldapdb auxprop plugin (but you may want to).

My imapd.conf looks like:

sasl_ldapdb_uri: ldap://
sasl_ldapdb_mech: GSSAPI
sasl_ldapdb_canon_attr: uid
imap_sasl_canon_user_plugin: ldapdb
pop3_sasl_canon_user_plugin: ldapdb

The ldapdb canon_user plugin works by authenticating as a user with 
escalated permissions (in my case a GSSAPI user) and using the submitted 
username 'abc' as the authorization identity. It will search for the 
attribute you specified in 'ldapdb_canon_attr' within the user's (abc's) 
entry, and return it as the canonicalized username. imapd will use the 
canonicalized username (abc at) when searching for the user's mailbox.

- Dan
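To make the sequence Dan describes concrete, here is a constructed Python model of the ldapdb canon_user flow (privileged bind, login name as authzid, whoami, then read of the canon_attr). It is an added illustration, not Cyrus SASL's code, and every DN, principal and attribute value in it is hypothetical.

```python
# Constructed model of the ldapdb canon_user flow, added as an illustration;
# not Cyrus SASL's code. All names below are hypothetical.
from typing import Optional

# Stand-in LDAP server state. Only 'uid' matters: it is the canon_attr.
DIRECTORY = {
    "cn=abc,ou=people,dc=example,dc=test": {"uid": ["abc@example.test"]},
    "cn=nouid,ou=people,dc=example,dc=test": {"cn": ["nouid"]},   # no uid set
}
# Server-side mapping from SASL authzid to DN (the authz-regexp role).
AUTHZ_MAP = {
    "u:abc": "cn=abc,ou=people,dc=example,dc=test",
    "u:nouid": "cn=nouid,ou=people,dc=example,dc=test",
}
# Identities the server lets act on behalf of others (proxy authorization).
PROXY_ALLOWED = {"imap/mail.example.test@EXAMPLE.TEST"}   # the plugin's GSSAPI principal


def whoami(authc_id: str, authz_id: str) -> Optional[str]:
    """Model of a SASL bind carrying an authzid, followed by the 'whoami'
    extended operation: returns "dn:<DN>" of the identity the bind is acting
    as, or None when the server refuses the proxy or cannot resolve authzid."""
    if authc_id not in PROXY_ALLOWED:
        return None
    dn = AUTHZ_MAP.get(authz_id)
    return None if dn is None or dn not in DIRECTORY else "dn:" + dn


def canon_user(submitted: str, authc_id: str, canon_attr: str = "uid") -> Optional[str]:
    """The plugin binds with its own privileged identity (sasl_ldapdb_mech),
    uses the login name as authzid, confirms the effective entry via whoami,
    and returns that entry's canon_attr value as the canonical username.
    None means canonicalization failed and the login is rejected (fail closed)."""
    result = whoami(authc_id, "u:" + submitted)
    if result is None:
        return None
    values = DIRECTORY[result[len("dn:"):]].get(canon_attr)
    return values[0] if values else None


if __name__ == "__main__":
    plugin_id = "imap/mail.example.test@EXAMPLE.TEST"
    print(canon_user("abc", plugin_id))     # abc@example.test: mailbox lookup uses this
    print(canon_user("nouid", plugin_id))   # None: entry lacks uid, login rejected
    print(canon_user("abc", "cn=lowpriv,dc=example,dc=test"))  # None: proxy refused
```

Note that the submitted name only ever travels as an authorization identity; the plugin's own credentials do the authentication, which is why the LDAP server must permit proxy authorization for that identity.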
