saslauthd and multiple dc levels

Dan White dwhite at
Tue Dec 23 10:52:46 EST 2014

On 12/23/14 16:07 +0100, Willy Offermans wrote:
>Hello Dan,
>On Tue, Dec 23, 2014 at 08:50:07AM -0600, Dan White wrote:
>> On 12/23/14 15:22 +0100, Gabriele Bulfon wrote:
>> >How can I let saslauthd support both configurations?
>> Is the server OpenLDAP? If so, using olcAuthzRegexp would be a far more
>> flexible way to handle this scenario. Within saslauthd's ldap config, use
>> 'ldap_use_sasl' without specifying a search filter or base.
>> Within slapd, your regex rules could perform a subtree search, or a simple
>> string replacement for each domain. See
>> and slapd-config(5).
>I don't understand how this works.
>ldap_use_sasl in saslauthd.conf tells saslauthd to contact OpenLDAP server
>via sasl protocol directly. Is this correct?

Correct. The ldap backend to saslauthd itself performs sasl authentication.

>And what happens then? How do saslauthd and slapd communicate and how is
>authentication performed?

The communication between Cyrus IMAP and saslauthd would not change. imapd
would still communicate with saslauthd in the same manor, by submitting a
username and password via the saslauthd mux.

The ldap backend to saslauthd can be configured to perform SASL over LDAP
authentication to slapd (not to be confused with SASL over IMAP
authentication). slapd would simply return a successful bind code back to
the saslauthd backend, which in turn would respond with an 'OK' to cyrus

Using SASL within the LDAP saslauthd backend is a much simpler
configuration. i.e.:

ldap_servers: ldap://
ldap_use_sasl: yes
ldap_mech: PLAIN

(This may require you to configure olcSaslSecProps)

The '-r' option to saslauthd may be necessary, if you're not already using

Use ldapwhoami to test your slapd config:

ldapsearch -Y PLAIN -U jsmith at -H ldap:// \

And if that works, verify your saslauthd configuration with:

testsaslauthd -u jsmith at -p password

Dan White

More information about the Info-cyrus mailing list