Unqualified users are qualified by server FQDN instead of defaultdomain
thomas.preudhomme at celest.fr
Thu Mar 11 15:24:18 EST 2010
I have a little and annoying problem that I hope you can help me to solve. I
have a cyrus server with virtual domains. Everything works pretty well except
that user authenticating without realm (people from the default domain) aren't
authenticated as if they were from the defaultdomain but as if they were from
the server FQDN.
To fix idea, the default domain is lm7.fr and its FQDN (as returned by hostname
--fqdn) is adagio.lm7.fr
Its hostname is adagio (as returned by hostname without arguments)
The user foo exists in /etc/sasldb2 as :
- foo at adagio.lm7.fr
- foo at lm7.fr
- foo at adagio
Each of these entries as a difference passwords. The password that works is the
one associated with adagio.lm7.fr
I tried to look the code of libsasl a bit and found that sasldb_auxprop_lookup
call _plug_parseuser which :
- try to get the realm from the user
- try to get the realm from another source given by sasldb_auxprop_lookup when
the user don't specify any realm
If none of these sources gives a realm, it uses the server FQDN. I expect the
second source to be the defaultdomain but couldn't verify that as I was lost
after many function pointers.
What I found in the sasl code was more interesting. The default domain is put
in config_defdomain variable which is then only used to ignore the domain in
the userid sent if it is the defaultdomain. cyrus doesn't seem to give the
default domain to the libsasl (it doesn't copy the value in config_defdomain
anywhere) and delete the domain part when canonifying the userid if it is the
default domain. Thus, I don't see how the libsasl, and a fortiori the auxprop
plugin, could try to match the password against the password associated to
foo at lm7.fr
Did I miss something in my config and in the code or is it a bug (which may
have been corrected since, as I'm using cyrus 2.2.13 found in Debian lenny).
Thanks for your help.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20100311/4a53322d/attachment.bin
More information about the Info-cyrus