ldapdb auxprop configuration

Dan White dwhite at olp.net
Fri Jan 2 14:58:50 EST 2009

Lars Hanke wrote:
> I'm trying to set up cyrus-imap using the ldapdb auxprop. I guess I have the 
> LDAP part up and running, but somehow imap does not really request 
> authentication. So probably I still have something messed up in the 
> configuration, which apparently has changed with respect to my last 
> install a couple of years ago.
> Any ideas for systematic troubleshooting are welcome.
> Regards,
>  - lars.
> This is the sasl related part of the imap configuration:
> hermod:~# grep sasl /etc/imapd.conf | grep -v '^#' | grep -v '^\s*$'
> sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5
> sasl_pwcheck_method: auxprop
> sasl_auxprop_plugin: ldapdb
> sasl_ldapdb_uri: ldaps://hel.mgr
> sasl_ldapdb_id: mailadmin
> sasl_ldapdb_pw: *********
> sasl_ldapdb_mech: DIGEST-MD5
> sasl_auto_transition: no

I don't see anything that sticks out.

You may want to experiment with the ldapdb_starttls and ldapdb_rc 
options (see sasl's options.html doc).  See 'man ldap.conf' for options 
that you can place in ldaprc. If you do choose to use starttls, you'll 
need to replace ldaps://hel.mgr with ldap://hel.mgr.

To make sure that the ldapdb plugin is installed correctly:

# cat > /usr/lib/sasl2/pluginview.conf

pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldaps://hel.mgr
ldapdb_id: mailadmin
ldapdb_pw: *********
ldapdb_mech: DIGEST-MD5
auto_transition: no

# pluginviewer | grep ldapdb

> The following is running as expected:
> hermod:~# ldapwhoami -U mailadmin -X u:cyrus -W -Y DIGEST-MD5 -H ldaps://hel.mgr
> Enter LDAP Password:
> SASL/DIGEST-MD5 authentication started
> SASL username: u:cyrus
> SASL SSF: 128
> SASL data security layer installed.
> dn:uid=cyrus,ou=mailbox,dc=mgr
> and of course:
> ldapsearch -U mailadmin -X u:cyrus -W -Y DIGEST-MD5 -b "ou=mailbox,dc=mgr" "(uid=cyrus)"
> returns the password of cyrus, which is kept as plaintext inside the 
> LDAP repository. ldapsearch returns the base64 encoded plain password.
> So apparently imapd-ldapdb connects and establishes SSL. For the rest 
> I'm unsure, but it seems like it does not talk to LDAP anymore and 
> terminates, i.e. there is no authentication happening. The result is the 
> same for trying telnet localhost imap2 and a login for cyrus.

Does your /var/log/auth.log or /var/log/syslog give you anything useful?

- Dan
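An added example, not part of Dan's reply and not code from the Cyrus or SASL projects: a small bash script that does by hand what the pluginview.conf above does (the `sasl_*` keys of imapd.conf become plain option names in a per-application libsasl2 conf such as /usr/lib/sasl2/pluginview.conf) and then checks Dan's STARTTLS caveat against the result, refusing a config that sets ldapdb_starttls while still pointing at an ldaps:// URI. The sample imapd.conf embedded below is constructed for the example (the password is a placeholder), and the function names are mine; the values `try` and `demand` for ldapdb_starttls are the ones documented in the SASL options.html Dan points to.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): build a libsasl2
# application config from the sasl_* keys of a Cyrus imapd.conf and
# sanity-check the ldapdb TLS settings before handing it to pluginviewer.

# Constructed sample imapd.conf, mirroring the keys shown in the thread.
# The password is a placeholder, not a real credential.
SAMPLE_IMAPD_CONF=$(cat <<'EOF'
# comment and blank lines are ignored, like the grep pipeline in the thread
configdirectory: /var/lib/cyrus
sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://hel.mgr
sasl_ldapdb_id: mailadmin
sasl_ldapdb_pw: *********
sasl_ldapdb_mech: DIGEST-MD5
sasl_auto_transition: no
EOF
)

# Read imapd.conf on stdin, print only the sasl_* options with the prefix
# stripped: the form libsasl2 reads from /usr/lib/sasl2/<appname>.conf.
# Non-sasl keys, comments and blank lines never start with "sasl_" and drop out.
sasl_conf_from_imapd() {
    sed -n 's/^sasl_//p'
}

# Print the value of one "key: value" option from a conf on stdin
# (empty output when the key is absent). Values may contain spaces.
conf_get() {
    awk -v key="$1" '$1 == key ":" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Dan's caveat: STARTTLS upgrades a plain ldap:// connection, so asking for
# ldapdb_starttls (documented values: try, demand) while the URI is still
# ldaps:// is a misconfiguration. Conf on stdin; returns 0 when the pair is
# consistent and 1 when STARTTLS is requested on an ldaps:// URI.
check_ldapdb_tls() {
    local conf uri starttls
    conf=$(cat)
    uri=$(printf '%s\n' "$conf" | conf_get ldapdb_uri)
    starttls=$(printf '%s\n' "$conf" | conf_get ldapdb_starttls)
    if [ -n "$starttls" ]; then
        case "$uri" in
            ldaps://*) return 1 ;;   # TLS twice: ldaps:// plus STARTTLS
        esac
    fi
    return 0
}

# Demo: emit the application conf, then check it.
printf '%s\n' "$SAMPLE_IMAPD_CONF" | sasl_conf_from_imapd
if printf '%s\n' "$SAMPLE_IMAPD_CONF" | sasl_conf_from_imapd | check_ldapdb_tls; then
    echo "ldapdb TLS settings are consistent"
else
    echo "ldapdb_starttls is set with an ldaps:// URI; change it to ldap://" >&2
fi
```

Redirect the first pipeline's output into /usr/lib/sasl2/pluginview.conf and run `pluginviewer | grep ldapdb` as in the reply; the check is worth repeating after any switch from ldaps:// to STARTTLS, since the plugin will not warn about the combination itself.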

More information about the Info-cyrus mailing list