alternative login names
Marc Patermann
hans.moser at ofd-z.niedersachsen.de
Mon Feb 4 09:07:28 EST 2013
Wolfgang,
Wolfgang Rosenauer wrote (04.02.2013 14:25):
> On Mon, Feb 4, 2013 at 10:07 AM, Marc Patermann
> <hans.moser at ofd-z.niedersachsen.de> wrote:
>
> Wolfgang Rosenauer wrote (03.02.2013 20:29):
>
>
> I've been running Cyrus imapd 2.3.x for quite some time for a group
> of users.
> My setup is LDAP based using saslauthd to pam_ldap currently and
> works just fine. But now I want to allow access to the mailboxes
> using the email address as an alternative to the system username.
>
> I have no real idea where to start or how I could achieve that w/o
> changing the whole architecture of the system.
> Does someone have a hint for me on what to look at?
>
> I don't know much about pam_ldap, but as you have all the data in
> LDAP, why not switch to auxprop ldapdb and configure your LDAP to
> map the existing logins and mail address to the same object?
>
>
> I actually needed a pointer in the right direction and I guess that is
> one.
> I've never used sasl ldapdb though and I have a hard time figuring out
> how and what to do.
There are not too many options specific to ldapdb in SASL:
http://cyrusimap.org/docs/cyrus-sasl/2.1.25/options.php
Mine looks something like this:
sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
sasl_log_level: 5
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://server.name
sasl_ldapdb_id: adminuser
sasl_ldapdb_pw: adminusersPW
sasl_ldapdb_mech: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
sasl_minimum_layer: 0
sasl_ldapdb_starttls: demand
There are a few threads in the archive here.
http://asg.andrew.cmu.edu/archive/index.php?mailbox=archive.info-cyrus
> From the documentation I found it's also not clear to me if a crypted
> userPassword as I use in my LDAP can be used in that setup.
Look at this thread:
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&searchterm=auxprop%20ldap&msg=54167
> If I understand correctly all the hard work to match usernames is done
> via some regexp which should be powerful enough to let me search the
> login name in uid and mail attributes?
You have OpenLDAP, right?
Mostly yes. You need regex for "Mapping Authentication Identities"
http://www.openldap.org/doc/admin24/sasl.html#Mapping%20Authentication%20Identities
You may need "SASL Proxy Authorization" to switch from your ldapdb_id to
the authenticating user.
> Or did you actually refer to a different mapping in LDAP?
>
> Is there some sort of HOWTO somewhere or is all the information really
> spread in openldap, sasl and imapd documentation only?
These are the tools involved. :)
But the least of it is IMAPd, a little is SASL, and most is OpenLDAP mapping.
Marc
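Below is an added, constructed slapd.conf fragment illustrating the OpenLDAP side that the reply above points at (authz-regexp identity mapping plus proxy authorization for the ldapdb bind identity); it is not Marc's configuration and not from the linked documentation. It assumes a suffix of dc=example,dc=com, person entries under ou=people with uid, mail and userPassword attributes (objectClass inetOrgPerson), and that sasl_ldapdb_id in imapd.conf corresponds to the entry cn=adminuser,dc=example,dc=com; all of these names are placeholders.

```conf
# slapd.conf fragment (constructed example, not from the original post)
# Assumed layout:
#   suffix: dc=example,dc=com
#   users:  uid=<login>,ou=people,dc=example,dc=com  (inetOrgPerson; uid, mail, userPassword)
#   ldapdb bind identity (sasl_ldapdb_id in imapd.conf): cn=adminuser,dc=example,dc=com

# 1. Identity mapping.  ldapdb binds as adminuser and sends the IMAP login as a
#    proxy authorization id "u:<login>".  slapd turns that into a DN of the form
#       uid=<login>,cn=<realm>,cn=<mech>,cn=auth   (the cn=<realm>/cn=<mech> parts
#    may be absent) and tries authz-regexp rules in order; the first match wins.
#    Rule 1: a login containing '@' is resolved through the mail attribute.
#    Rule 2: any other login is resolved through the uid attribute.
#    The search behind each rule must return exactly one entry or the mapping
#    (and therefore the login) fails.
authz-regexp
    "^uid=([^,@]+@[^,]+),(cn=[^,]+,)*cn=auth$"
    "ldap:///ou=people,dc=example,dc=com??sub?(&(objectClass=inetOrgPerson)(mail=$1))"

authz-regexp
    "^uid=([^,@]+),(cn=[^,]+,)*cn=auth$"
    "ldap:///ou=people,dc=example,dc=com??sub?(&(objectClass=inetOrgPerson)(uid=$1))"

# 2. Proxy authorization policy.  "to" means the *source* entry (adminuser)
#    carries an authzTo attribute listing which entries it may act as, so only
#    that one identity can impersonate users; nobody else gets the control.
authz-policy to

# 3. Access control.  ldapdb reads userPassword to verify the client's
#    credentials, so adminuser needs read on that attribute; users may change
#    their own; everyone else may only bind against it (auth), never read it.
access to attrs=userPassword
    by dn.exact="cn=adminuser,dc=example,dc=com" read
    by self write
    by anonymous auth
    by * none

access to *
    by dn.exact="cn=adminuser,dc=example,dc=com" read
    by self read
    by users read
    by * none
```

To complete the "to" policy, give the adminuser entry the operational attribute authzTo with a value restricted to the people subtree, for example `authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$`. Before touching imapd, the mapping and the proxy authorization can be checked on the directory alone with `ldapwhoami -U adminuser -X u:someone@example.com` (and again with the plain uid): it should print the user's entry DN, not an error, for both login forms. Since imapd.conf now holds the adminuser password in sasl_ldapdb_pw, keep that file readable only by the cyrus user, and match sasl_ldapdb_starttls: demand with a slapd that actually offers TLS.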