ptloader, virtualdomain and amin config problem
Marco
falon at ruparpiemonte.it
Fri Jan 14 05:59:59 EST 2011
Hi,
I have cyrus-imapd-2.3.16 with virtualdomain and a total administrator
in the default domain (username without '@%d').
I use saslauthd for authentication and ptloader for authorization, all
with LDAP.
My problem is with the ptloader conf.
To optimize queries I would like to restrict searches using the '%d' metacharacter.
But if I set
ldap_base: o=%d,ou=People,o=MainOrg,c=it
ldap_member_base: o=%d,ou=People,o=MainOrg,c=it
then the admin has no authorization, because ptloader's base DN filter fails, resulting in
"o=,ou=People,o=MainOrg,c=it"
Is there a way to restrict the base search without losing admin authorization?
I wouldn't add a prefix to my LDAP Org, like o=cyr-%d,ou=People,o=MainOrg,c=it
This is my working conf:
On the LDAP server I (also) have these DNs:
dn: uid=oxcyrus,o=admin.invalid,ou=People,o=MainOrg,c=it
dn: o=%d,ou=People,o=MainOrg,c=it
dn: ou=MailGroups,o=%d,ou=People,o=MainOrg,c=it
where %d is the domain part of username.
On the Cyrus server:
saslauthd.conf
ldap_servers: ldap://ldap.example.net:489
ldap_version: 3
ldap_timeout: 10
ldap_time_limit: 10
ldap_search_base: ou=People,o=MainOrg,c=IT
ldap_bind_dn: uid=sasladmin,o=admin.invalid,ou=People,o=MainOrg,c=it
ldap_password: ****
ldap_scope: sub
ldap_uidattr: uid
ldap_filter_mode: yes
ldap_filter: (&(uid=%u)(objectClass=mailRecipient))
ldap_restart: yes
ldap_cache_ttl: 30
ldap_cache_mem: 32768
imapd.conf
[...]
admins: oxcyrus
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
quotawarn: 80
normalizeuid: 1
unixhierarchysep: 1
autocreatequota: 0
createonpost: 0
autosubscribe_all_sharedfolders: yes
singleinstancestore: 1
defaultdomain: admin.invalid
improved_mboxlist_sort: 1
virtdomains: userid
[...]
# PTS Section
auth_mech: pts
pts_module: ldap
ptloader_sock: /var/lib/imap/socket/ptsock
ldap_uri: ldap://ldap.example.net:489
ldap_version: 3
ldap_bind_dn: uid=oxcyrus,o=admin.invalid,ou=People,o=MainOrg,c=it
ldap_password: ****
ldap_sasl: 0
ldap_size_limit: 20000
ldap_filter: (&(objectclass=mailrecipient)(uid=%u))
ldap_group_filter: (&(objectclass=groupofuniquenames)(mail=%u))
ldap_member_method: filter
ldap_member_filter: (uniquemember=%D)
ldap_member_attribute: mail
ldap_base: ou=People,o=MainOrg,c=it
ldap_group_base: ou=MailGroups,o=%d,ou=People,o=MainOrg,c=it
ldap_member_base: ou=People,o=MainOrg,c=it
unix_group_enable: no
If I set
ldap_base: o=%d,ou=People,o=MainOrg,c=it
ldap_member_base: o=%d,ou=People,o=MainOrg,c=it
cyrus works for all users except the admin oxcyrus.
Thank you very much for any hints...
Regards
marco
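As an added example (not code from the post, from Cyrus or from ptloader), a small Python pre-flight check that expands the ldap_base template the way the post describes ptloader doing it (%u = local part, %d = domain part, empty for a bare admin userid such as oxcyrus) and reports any expansion that yields an RDN with an empty value, so the "o=,ou=People,..." failure is caught before the config goes live. The sample userids and the optional default-domain fallback are constructed for the check; the fallback is a what-if, not documented ptloader behaviour.

```python
# Constructed sample values taken from the post's configuration; the userids
# are made up for this example.
LDAP_BASE = "o=%d,ou=People,o=MainOrg,c=it"
LDAP_FILTER = "(&(objectclass=mailrecipient)(uid=%u))"
DEFAULT_DOMAIN = "admin.invalid"
SAMPLE_USERIDS = ["oxcyrus", "alice@example.com"]

def split_userid(userid, default_domain=None):
    """Split a Cyrus userid into (local part, domain). With 'virtdomains: userid'
    a bare name such as 'oxcyrus' has no domain, so '' is returned unless a
    fallback is given (a hypothetical what-if, not ptloader's documented behaviour)."""
    if "@" in userid:
        local, domain = userid.rsplit("@", 1)
        return local, domain
    return userid, (default_domain or "")

def expand(template, userid, default_domain=None):
    """Expand %u and %d as the post describes ptloader doing it:
    %u -> local part, %d -> domain part (empty for a bare userid)."""
    local, domain = split_userid(userid, default_domain)
    return template.replace("%u", local).replace("%d", domain)

def empty_rdn_values(dn):
    """Attribute names of RDNs whose value is empty, e.g. ['o'] for
    'o=,ou=People,o=MainOrg,c=it'. Naive comma split: fine for the post's DNs,
    which contain no escaped commas."""
    bad = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        if not value.strip():
            bad.append(attr.strip())
    return bad

def check_base(template, userids, default_domain=None):
    """Map each userid whose expanded base DN has an empty RDN to the offending
    attribute names; an empty dict means every userid is safe."""
    report = {}
    for uid in userids:
        bad = empty_rdn_values(expand(template, uid, default_domain))
        if bad:
            report[uid] = bad
    return report

if __name__ == "__main__":
    for uid, attrs in check_base(LDAP_BASE, SAMPLE_USERIDS).items():
        print(f"{uid}: empty {attrs} in {expand(LDAP_BASE, uid)!r}")
```

Run against the post's template it flags only oxcyrus; with the default domain supplied as fallback the expansion becomes o=admin.invalid,ou=People,o=MainOrg,c=it, which is the container the post's admin entry actually lives under.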