Unqualified users are qualified by server FQDN instead of defaultdomain

Thomas Preud'homme thomas.preudhomme at celest.fr
Thu Mar 11 15:24:18 EST 2010

Hello everybody,

I have a little and annoying problem that I hope you can help me to solve. I 
have a cyrus server with virtual domains. Everything works pretty well except 
that users authenticating without a realm (people from the default domain) aren't 
authenticated as if they were from the defaultdomain but as if they were from 
the server FQDN.

To fix ideas, the default domain is lm7.fr and its FQDN (as returned by hostname 
--fqdn) is adagio.lm7.fr. 
Its hostname is adagio (as returned by hostname without arguments).

The user foo exists in /etc/sasldb2 as:

- foo at adagio.lm7.fr
- foo at lm7.fr
- foo at adagio

Each of these entries has a different password. The password that works is the 
one associated with adagio.lm7.fr.

I tried to look at the code of libsasl a bit and found that sasldb_auxprop_lookup 
calls _plug_parseuser, which:

- tries to get the realm from the user
- tries to get the realm from another source given by sasldb_auxprop_lookup when 
the user doesn't specify any realm

If none of these sources gives a realm, it uses the server FQDN. I expect the 
second source to be the defaultdomain but couldn't verify that as I was lost 
after many function pointers.

What I found in the sasl code was more interesting. The default domain is put 
in the config_defdomain variable, which is then only used to ignore the domain in 
the userid sent if it is the defaultdomain. cyrus doesn't seem to give the 
default domain to libsasl (it doesn't copy the value in config_defdomain 
anywhere) and deletes the domain part when canonifying the userid if it is the 
default domain. Thus, I don't see how libsasl, and a fortiori the auxprop 
plugin, could try to match the password against the password associated with 
foo at lm7.fr.

Did I miss something in my config and in the code, or is it a bug (which may 
have been corrected since, as I'm using cyrus 2.2.13 found in Debian lenny)?

Thanks for your help.

Best regards.

Thomas Preud'homme
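The lookup chain described in the message above, as an added illustration that is not Cyrus or libsasl code: a small Python model of the two steps the poster describes (imapd stripping the default domain when canonifying the userid, then _plug_parseuser picking the realm from the userid, the caller-supplied realm, or the server FQDN, in that order). The sasldb contents, passwords, and the function names cyrus_canonify/plug_parseuser/sasldb_lookup are constructed stand-ins, not the real APIs; the domain names are the ones given in the message.

```python
import hmac

# Constructed values taken from the message above.
DEFAULT_DOMAIN = "lm7.fr"
SERVER_FQDN = "adagio.lm7.fr"

# Constructed stand-in for /etc/sasldb2: three entries for "foo", each with
# a different password, keyed as (user, realm).
SASLDB = {
    ("foo", "adagio.lm7.fr"): "pw-fqdn",
    ("foo", "lm7.fr"): "pw-defdomain",
    ("foo", "adagio"): "pw-hostname",
}


def cyrus_canonify(userid, default_domain=DEFAULT_DOMAIN):
    """Model (hypothetical) of the imapd canonicalisation step the message
    describes: a realm equal to the default domain is stripped, any other
    realm is kept as-is."""
    if "@" in userid:
        user, realm = userid.rsplit("@", 1)
        if realm == default_domain:
            return user
    return userid


def plug_parseuser(userid, user_realm=None, serverfqdn=SERVER_FQDN):
    """Model (hypothetical) of _plug_parseuser's realm selection order:
    realm inside the userid first, then the realm handed in by the caller,
    then the server FQDN as the final fallback."""
    if "@" in userid:
        user, realm = userid.rsplit("@", 1)
        return user, realm
    if user_realm:
        return userid, user_realm
    return userid, serverfqdn


def sasldb_lookup(userid, user_realm=None):
    """Return the sasldb key the modelled chain consults and the stored
    password for it (None when no entry exists)."""
    canon = cyrus_canonify(userid)
    key = plug_parseuser(canon, user_realm)
    return key, SASLDB.get(key)


def authenticate(userid, password, user_realm=None):
    """True only if the password matches the entry the chain selects."""
    _, stored = sasldb_lookup(userid, user_realm)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


if __name__ == "__main__":
    # With no realm passed down by Cyrus, both "foo" and "foo@lm7.fr" end up
    # at the FQDN entry, which is the behaviour reported in the message.
    for uid in ("foo", "foo@lm7.fr", "foo@adagio.lm7.fr", "foo@other.example"):
        print(uid, "->", sasldb_lookup(uid))
    # Only if the default domain were passed as user_realm would the
    # foo@lm7.fr entry be consulted.
    print("foo with realm lm7.fr ->", sasldb_lookup("foo", user_realm="lm7.fr"))
```

Running the block shows that, unless something passes the default domain down as the caller-supplied realm, the entry for foo at lm7.fr is never the one consulted, which is exactly the mismatch the message describes.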