Same mailbox with different logins

Dan White dwhite at olp.net
Mon Sep 21 10:28:49 EDT 2009


On 21/09/09 12:11 +0300, Evgeniy Arbatov wrote:
>Thank you for your replies! I've decided to go with canon_user plugin.
>My next question is how to use this plugin. I am trying to use LDAP
>as authentication backend. What I could find are following imapd.conf
>settings:
>
>sasl_pwcheck_method: saslauthd
>sasl_mech_list: login plain
>sasl_auxprop_plugin: ldapdb
>sasl_ldapdb_uri: ldap://ldap.example.net/
>sasl_ldapdb_canon_attr: mail
>sasl_canon_user_plugin: ldapd
>imap_sasl_canon_user_plugin: ldapdb
>pop3_sasl_canon_user_plugin: ldapdb
>
>Will this give me canonified username -> firstname.lastname at domain? Do
>I need to make changes to LDAP for those settings to work?
>
>After I configure this ldapdb plugin I see in logs:
>
>mail imaps[10161]: canonified earbatov -> earbatov
>mail imaps[10161]: badlogin: host [10.10.10.10] plain [SASL(-4): no
>mechanism available: desired canon_user plugin ldapdb not found]
>mail imaps[10161]: badlogin: host [10.10.10.10] plaintext earbatov
>SASL(-4): no mechanism available: desired canon_user plugin ldapdb not
>found
>
>I put my complete imapd.conf here http://pastebin.com/m2dbf3951

Evgeniy,

ldapdb, as a canon_user plugin, is not currently found in the 2.1.23 cyrus
sasl release. You will need to obtain cyrus sasl source from CVS.

There is an upcoming 2.1.24 sasl release that hopefully includes this
functionality. Documentation is found within 'docs/options.html' in the
sasl source.

You will need to configure your openldap server to support proxy
authorization, as discussed here:

"http://www.openldap.org/doc/admin24/sasl.html#SASL Proxy Authorization"

'sasl_auxprop_plugin: ldapdb' is probably not necessary, since you are
using saslauthd for login/plain (only) authentication.

Assuming you have openldap proxy authorization set up properly for your
environment, the mail attribute (per your config) should return the
username you wish to ultimately use. cyrus imap will pretty much remain
ignorant of which username you originally authenticated as, and use the
identity returned from sasl when searching for mailboxes and applying
ACLs.

-- 
Dan White
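A worked configuration for the setup described in the reply above, added here as an illustration; it is not from the thread or from the Cyrus or OpenLDAP projects. It pairs an imapd.conf fragment that canonicalizes the login name to the `mail` attribute through ldapdb with the slapd.conf and LDIF pieces that give the plugin's bind identity proxy authorization. The hostname, DNs, the `cyrus-ldapdb` service account, the `ou=people` subtree and the mail address are assumed values; `ldapdb_id`, `ldapdb_pw` and `ldapdb_mech` are ldapdb options from the SASL documentation that the original post does not set.

```conf
# --- /etc/imapd.conf (Cyrus IMAP), assumed example values ---
# Passwords are still checked by saslauthd; ldapdb only canonicalizes
# the authenticated name, so no auxprop plugin is needed.
sasl_pwcheck_method: saslauthd
sasl_mech_list: login plain
sasl_canon_user_plugin: ldapdb
sasl_ldapdb_uri: ldap://ldap.example.net/
sasl_ldapdb_canon_attr: mail
# Identity the plugin binds as before asking the directory "who am I?"
# while proxying as u:<login> (documented ldapdb options, assumed values).
sasl_ldapdb_id: cyrus-ldapdb
sasl_ldapdb_pw: CHANGE-ME
sasl_ldapdb_mech: DIGEST-MD5

# --- /etc/ldap/slapd.conf (OpenLDAP), assumed example values ---
# Map SASL identities, both the plugin's own and the u:<login> it
# proxies as, onto directory entries by uid.
authz-regexp
  uid=([^,]*),cn=.*,cn=auth
  ldap:///dc=example,dc=net??sub?(uid=$1)
# Entries declare whom they may impersonate through their authzTo value.
authz-policy to

# --- LDIF for the plugin's service account (assumed) ---
# Allowed to proxy only as entries under ou=people; authzTo is an
# operational attribute, so it must be added with sufficient privilege.
dn: uid=cyrus-ldapdb,ou=services,dc=example,dc=net
objectClass: inetOrgPerson
uid: cyrus-ldapdb
cn: Cyrus ldapdb canon_user account
sn: service
userPassword: CHANGE-ME
authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=net$

# --- Example user entry (assumed): login "earbatov" canonifies to the
# mail value, so mailboxes and ACLs are keyed on that address.
dn: uid=earbatov,ou=people,dc=example,dc=net
objectClass: inetOrgPerson
uid: earbatov
cn: Evgeniy Arbatov
sn: Arbatov
mail: evgeniy.arbatov@example.net
```

With DIGEST-MD5 the service account's userPassword must be stored in cleartext and slapd needs its own SASL configuration; SASL EXTERNAL over an ldapi:// socket is a common alternative when Cyrus and slapd share a host.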

