domain mode mailbox aliasing

Dan White dwhite at olp.net
Mon Feb 18 10:05:51 EST 2013


On 02/18/13 15:35 +0100, Gabriele Bulfon wrote:
>Hi,
>I recently reimplemented cyrus+postfix+ldap in multi domain mode, and everything works fine.
>I found myself needing to convert a situation where a dom1.com is the same as dom2.com,
>and every user in the 1st domain is actually the same user in the 2nd domain.
>On postfix, I can manage this with virtual aliases.
>On ldap, I could manage common authentication through relay / rwm, so that user@dom1.com
>can still authenticate as user@dom2.com, with the same password (and this works for any service
>trying to authenticate on ldap).
>Being cyrus authentication routed through saslauthd+ldap, I can authenticate on imap both
>as user@dom1.com and user@dom2.com, but then cyrus looks for a different mailbox as it doesn't
>actually know the two domains are the same one.
>Is there any way to instruct cyrus to treat dom2.com as dom1.com?
>Thanx for any help.
>Gabriele.

You can use the ldapdb canonicalization plugin to transform the
authentication identity (user@dom2.com) into user@dom1.com.

To configure (in /etc/imapd.conf):

sasl_ldapdb_uri: ldap://ldap.example.com
sasl_ldapdb_mech: DIGEST-MD5
sasl_ldapdb_id: searcher
sasl_ldapdb_pw: searcher_secret
sasl_ldapdb_canon_attr: maildrop
sasl_canon_user_plugin: ldapdb

The logic is basically:

ldapwhoami -Y DIGEST-MD5 -U searcher -X u:user@dom2.com
<provide password of searcher_secret>
uid=user@dom2.com,ou=people,dc=example,dc=com

ldapsearch -Y DIGEST-MD5 -U searcher -b \
     "uid=user@dom2.com,ou=people,dc=example,dc=com" maildrop
<provide password of searcher_secret>
maildrop: user@dom1.com

You will need to configure your 'searcher' identity with an authzTo capable
of authorizing as any of your user@dom2.com identities. And you will need
to configure appropriate authz-regexp rules in your slapd config to map
sasl identities (searcher, and user@dom2.com) into DNs. Getting all the
ACLs correct can take a little trial and error.

-- 
Dan White
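As an added illustration (this is not Dan's configuration and not the cyrus-sasl ldapdb plugin's own code), the Python below models the three steps the reply describes: an authz-regexp rule maps the SASL identity to a DN, the searcher's authzTo decides whether it may act as that user, and the user's entry is read for the canon attribute (maildrop) that becomes the identity Cyrus uses for the mailbox. The directory, the authz-regexp rule and the authzTo value are constructed in memory for the example; a real slapd evaluates the regexes itself, and the choice to fail canonicalization when the maildrop attribute is missing is an assumption of this model, not documented plugin behaviour.

```python
import re

# Constructed stand-in for the slapd directory: DN -> attributes.
# "searcher" is the proxy identity from sasl_ldapdb_id; its authzTo is
# written in slapd's dn.regex form and covers every uid under dom2.com.
DIRECTORY = {
    "uid=searcher,ou=people,dc=example,dc=com": {
        "authzTo": [r"dn.regex:^uid=[^,]+@dom2\.com,ou=people,dc=example,dc=com$"],
    },
    "uid=alice@dom2.com,ou=people,dc=example,dc=com": {"maildrop": ["alice@dom1.com"]},
    # Constructed edge case: user entry exists but carries no maildrop attribute.
    "uid=bob@dom2.com,ou=people,dc=example,dc=com": {},
}

# Constructed equivalent of an authz-regexp rule in slapd.conf:
# the SASL identity "u:NAME" arrives as uid=NAME,cn=digest-md5,cn=auth
# and is rewritten to the user's DN under ou=people.
AUTHZ_REGEXP = [
    (r"^uid=([^,]+),cn=digest-md5,cn=auth$", r"uid=\1,ou=people,dc=example,dc=com"),
]


def sasl_identity_to_dn(identity):
    """Map a DIGEST-MD5 SASL identity to a DN using the authz-regexp rules."""
    sasl_dn = f"uid={identity},cn=digest-md5,cn=auth"
    for pattern, template in AUTHZ_REGEXP:
        match = re.match(pattern, sasl_dn)
        if match:
            return match.expand(template)
    return None  # no rule matched: slapd cannot identify this user


def may_authorize(proxy_dn, target_dn):
    """Check the proxy's authzTo values against the target DN (dn.regex form only)."""
    for rule in DIRECTORY.get(proxy_dn, {}).get("authzTo", []):
        if rule.startswith("dn.regex:") and re.match(rule[len("dn.regex:"):], target_dn):
            return True
    return False


def canonicalize(identity, searcher="searcher", canon_attr="maildrop"):
    """Return the canonical identity for `identity`, or None when any step fails.

    Mirrors the ldapwhoami -X u:<identity> step (proxy authorization) followed
    by the ldapsearch for the canon attribute on the user's own entry.
    """
    searcher_dn = sasl_identity_to_dn(searcher)
    user_dn = sasl_identity_to_dn(identity)
    if searcher_dn is None or user_dn is None:
        return None
    if not may_authorize(searcher_dn, user_dn):
        return None  # authzTo does not cover this user: proxy auth refused
    entry = DIRECTORY.get(user_dn)
    if entry is None:
        return None  # DN produced by authz-regexp does not exist
    values = entry.get(canon_attr, [])
    if not values:
        return None  # assumption of this model: no canon attribute, no canonical name
    return values[0]


if __name__ == "__main__":
    for ident in ("alice@dom2.com", "bob@dom2.com", "alice@dom1.com"):
        print(f"{ident} -> {canonicalize(ident)}")
```

Running the block prints `alice@dom2.com -> alice@dom1.com` for the aliased user, while `bob@dom2.com` (no maildrop) and `alice@dom1.com` (outside the searcher's authzTo and with no entry) both resolve to `None`; tightening the authzTo regex to the secondary domain only, as the example does, keeps the searcher from being able to impersonate accounts it has no reason to touch.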
