cyrus-imap: 'realm' is missing when authenticating against LDAP with ldapdb plugin
Dan White
dwhite at olp.net
Wed Feb 27 10:53:50 EST 2013
>On 102/2/26 10:30 PM, Dan White wrote:
>>On 02/26/13 13:26 +0800, Lingfeng Xiong wrote:
>>>>sasl_pwcheck_method: auxprop
>>>>sasl_auxprop_plugin: ldapdb
>>>>sasl_ldapdb_uri: ldap://MY-LDAP-SERVER
>>>>sasl_ldapdb_id: CYRUS-PROXY-USER-NAME
>>>>sasl_ldapdb_pw: CYRUS-PROXY-USER-PASSWORD
>>>>sasl_ldapdb_mech: DIGEST-MD5
>>>>sasl_log_level: 7
>>>
>>>When I tried to log in with a user like 'test@example.net', I desire it
>>>to look for 'uid=test@example.net,cn=digest-md5,cn=auth' in OpenLDAP. But
>>>according to OpenLDAP's log, it passed 'uid=test,cn=digest-md5,cn=auth'
>>>to it. Apparently, 'realm' has been ignored. Is there any way for me to
>>>make cyrus-imapd query the username with its realm to OpenLDAP? Or is my
>>>methodology completely incorrect?
>>
>>Do you have virtdomains enabled (or set to userid)?
>>
>>Does this only happen with one domain (@example.net)? If so, then do you
>>have a defaultdomain option set?
On 02/27/13 20:54 +0800, Bear wrote:
>Hi Dan,
>Thanks for your reply. I found that no matter how I set the virtdomains and
>default domains, I always got a 'uid=test,cn=digest-md5,cn=auth'-like
>DN in LDAP when running 'imtest'.
>I tried to set the '-r' argument or just append the domain to the username
>in '-u', both are just the same...
You should be using a -a option here, such as:

imtest -m DIGEST-MD5 -a test@example.net imap_host

Compare the slapd logs to when running this command:

ldapwhoami -Y DIGEST-MD5 -H ldap://MY-LDAP-SERVER -U test@example.net

If you want to simulate the function of the ldapdb auxprop plugin, try:

ldapwhoami -Y DIGEST-MD5 -H ldap://MY-LDAP-SERVER -U CYRUS-PROXY-USER-NAME -X u:test@example.net -w CYRUS-PROXY-USER-PASSWORD

Which should return the DN for test@example.net. Then do:

ldapsearch -Y DIGEST-MD5 -H ldap://MY-LDAP-SERVER -U CYRUS-PROXY-USER-NAME -X u:test@example.net -w CYRUS-PROXY-USER-PASSWORD -b "$user_dn" userPassword

Which should return the user's password. Add a '-d -1' option to the
ldapwhoami/ldapsearch commands for detailed debugging information.
--
Dan White
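A small added diagnostic for the "compare the slapd logs" step above (my own code, not from anyone in the thread): it pairs each SASL BIND's authcid/authzid line with the cn=auth DN slapd derived from it, and flags binds whose uid has lost the realm. The log lines, identifiers and field layout are constructed; real slapd output varies with version and loglevel.

```python
import re
from collections import defaultdict

# Constructed slapd log excerpt (not from the thread): conn=1001 is a bind as
# cyrus-imapd/ldapdb performs it (proxy user authenticates, then authorizes as
# the mailbox user), conn=1002 is a direct ldapwhoami bind by the user itself.
# The exact field layout is an assumption about slapd's stats logging.
SAMPLE_SLAPD_LOG = """\
conn=1001 op=0 BIND dn="" method=163
conn=1001 op=0 BIND authcid="CYRUS-PROXY-USER-NAME" authzid="u:test"
conn=1001 op=0 BIND dn="uid=test,cn=digest-md5,cn=auth" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
conn=1002 op=0 BIND dn="" method=163
conn=1002 op=0 BIND authcid="test@example.net" authzid="test@example.net"
conn=1002 op=0 BIND dn="uid=test@example.net,cn=digest-md5,cn=auth" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
"""

IDS_RE = re.compile(r'conn=(\d+) op=(\d+) BIND authcid="([^"]*)" authzid="([^"]*)"')
AUTH_DN_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="uid=([^",]+),cn=([^",]+),cn=auth" mech=(\S+)')


def parse_sasl_binds(log_text):
    """Group the lines of each SASL bind (keyed by conn/op) into one record:
    authcid, authzid, the uid slapd placed in the cn=auth DN, and the mechanism."""
    binds = defaultdict(dict)
    for line in log_text.splitlines():
        m = IDS_RE.search(line)
        if m:
            binds[(m[1], m[2])].update(authcid=m[3], authzid=m[4])
            continue
        m = AUTH_DN_RE.search(line)
        if m:
            binds[(m[1], m[2])].update(uid=m[3], mech=m[5])
    return dict(binds)


def realm_in_auth_dn(bind, realm):
    """True if the uid in the cn=auth DN still carries '@realm'."""
    return bind.get("uid", "").endswith("@" + realm)


def report(log_text, realm):
    """Per connection: (mech, authzid, uid seen by slapd, realm present?), so the
    imtest-driven bind and the ldapwhoami bind can be compared side by side."""
    return {
        conn: (b.get("mech"), b.get("authzid"), b.get("uid"), realm_in_auth_dn(b, realm))
        for (conn, _op), b in parse_sasl_binds(log_text).items()
    }


if __name__ == "__main__":
    for conn, row in report(SAMPLE_SLAPD_LOG, "example.net").items():
        print(conn, *row)
```

In the constructed sample, conn 1001 (the cyrus-imapd path) shows the bare uid "test", which is the symptom described in the thread; conn 1002 keeps the realm.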