ldapdb auxprop configuration
Dan White
dwhite at olp.net
Fri Jan 2 14:58:50 EST 2009
Lars Hanke wrote:
> I'm trying to set up cyrus-imap using the ldapdb auxprop. I guess I've the
> LDAP part up and running, but somehow imap does not really request for
> authentication. So probably I still have something messed in the
> configuration, which apparently has changed with respect to my last
> install a couple of years ago.
>
> Any ideas for systematic troubleshooting are welcome.
> Regards,
> - lars.
>
> This is the sasl related part of the imap configuration:
> hermod:~# grep sasl /etc/imapd.conf | grep -v '^#' | grep -v '^\s*$'
> sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5
> sasl_pwcheck_method: auxprop
> sasl_auxprop_plugin: ldapdb
> sasl_ldapdb_uri: ldaps://hel.mgr
> sasl_ldapdb_id: mailadmin
> sasl_ldapdb_pw: *********
> sasl_ldapdb_mech: DIGEST-MD5
> sasl_auto_transition: no
>
>
I don't see anything that sticks out.
You may want to experiment with the ldapdb_starttls and ldapdb_rc
options (see sasl's options.html doc). See 'man ldap.conf' for options
that you can place in ldaprc. If you do choose to use starttls, you'll
need to replace ldaps://hel.mgr with ldap://hel.mgr.
To make sure that the ldapdb plugin is installed correctly:
# cat > /usr/lib/sasl2/pluginview.conf
mech_list: PLAIN DIGEST-MD5 CRAM-MD5
pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldaps://hel.mgr
ldapdb_id: mailadmin
ldapdb_pw: *********
ldapdb_mech: DIGEST-MD5
auto_transition: no
# pluginviewer | grep ldapdb
> The following is running as expected:
> hermod:~# ldapwhoami -U mailadmin -X u:cyrus -W -Y DIGEST-MD5 -H
> ldaps://hel.mgr
> Enter LDAP Password:
> SASL/DIGEST-MD5 authentication started
> SASL username: u:cyrus
> SASL SSF: 128
> SASL data security layer installed.
> dn:uid=cyrus,ou=mailbox,dc=mgr
>
> and of course:
> ldapsearch -U mailadmin -X u:cyrus -W -Y DIGEST-MD5 -b
> "ou=mailbox,dc=mgr" "(uid=cyrus)"
> returns the password of cyrus, which is kept as plaintext inside the
> LDAP repository. ldapsearch returns the base64 encoded plain password.
>
> So apparently imapd-ldapdb connects and establishes SSL. For the rest
> I'm unsure, but it seems like it does not talk to LDAP anymore and
> terminates, i.e. there is no authentication happening. The result is the
> same for trying telnet localhost imap2 and a login for cyrus.
>
Does your /var/log/auth.log or /var/log/syslog give you anything useful?
- Dan
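As an added example for the systematic troubleshooting Lars asked about (this is not code from the thread or from the Cyrus project): the script below parses the `sasl_` lines of an imapd.conf, renders them without the prefix as the per-application SASL config that the reply above writes by hand for pluginviewer, and flags the inconsistencies discussed in the thread, in particular an `ldapdb_starttls` setting combined with an `ldaps://` URI. The sample config is constructed from the grep output quoted above with a placeholder password; the function names and the exact wording of the findings are assumptions of this example.

```python
import re

# Constructed sample: the sasl_ lines from an imapd.conf, modelled on the grep
# output quoted in the thread. The password is a placeholder, not a real value.
SAMPLE_IMAPD_CONF = """\
# lines starting with '#' and blank lines are ignored, as in the grep above
sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://hel.mgr
sasl_ldapdb_id: mailadmin
sasl_ldapdb_pw: EXAMPLE_PASSWORD_PLACEHOLDER
sasl_ldapdb_mech: DIGEST-MD5
sasl_auto_transition: no
"""

# imapd.conf passes options to libsasl by stripping the sasl_ prefix
OPTION_RE = re.compile(r'^sasl_([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$')


def parse_sasl_options(text):
    """Map 'sasl_<name>: value' lines to {name: value}; comments and blanks are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = OPTION_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def to_app_conf(opts):
    """Render the same options without the sasl_ prefix, the form libsasl reads
    from an application's own <appname>.conf in the SASL plugin directory, so
    pluginviewer can be pointed at exactly the settings imapd uses."""
    return ''.join(f'{name}: {value}\n' for name, value in opts.items())


def check_ldapdb(opts):
    """Return human-readable findings about the ldapdb auxprop settings (empty list = consistent)."""
    findings = []
    if opts.get('pwcheck_method') != 'auxprop':
        findings.append('pwcheck_method must be auxprop for ldapdb to be consulted')
    if 'ldapdb' not in opts.get('auxprop_plugin', '').split():
        findings.append('auxprop_plugin does not list ldapdb')
    for required in ('ldapdb_uri', 'ldapdb_id', 'ldapdb_pw', 'ldapdb_mech'):
        if not opts.get(required):
            findings.append(f'{required} is missing or empty')
    uri = opts.get('ldapdb_uri', '')
    if uri and not uri.startswith(('ldap://', 'ldaps://')):
        findings.append(f'ldapdb_uri {uri!r} is not an ldap:// or ldaps:// URI')
    starttls = opts.get('ldapdb_starttls', '').lower()
    if starttls and starttls not in ('try', 'demand'):
        findings.append(f'ldapdb_starttls has unexpected value {starttls!r} (expected try or demand)')
    # The point made in the reply: StartTLS upgrades a plain ldap:// session,
    # so it cannot be combined with an ldaps:// URI.
    if starttls in ('try', 'demand') and uri.startswith('ldaps://'):
        findings.append('ldapdb_starttls is set but ldapdb_uri is ldaps://; StartTLS needs a plain ldap:// URI')
    if not (uri.startswith('ldaps://') or starttls in ('try', 'demand')):
        findings.append('LDAP connection uses neither ldaps:// nor StartTLS; only the SASL security layer protects it')
    return findings


def report(text):
    """Parse, print the derived application config and any findings; return the findings."""
    opts = parse_sasl_options(text)
    print('--- equivalent <appname>.conf ---')
    print(to_app_conf(opts), end='')
    findings = check_ldapdb(opts)
    print('--- findings ---')
    for f in findings or ['no inconsistencies found']:
        print(f)
    return findings


if __name__ == '__main__':
    report(SAMPLE_IMAPD_CONF)
    # Same config with StartTLS requested on top of an ldaps:// URI (constructed)
    report(SAMPLE_IMAPD_CONF + 'sasl_ldapdb_starttls: demand\n')
```

Run it against the real file with `report(open('/etc/imapd.conf').read())`; the first block of output can be dropped into the per-application config file the reply suggests so that pluginviewer and imapd read identical ldapdb settings, and an empty findings list narrows the search to the LDAP side or to the auth.log / syslog entries mentioned above.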