saslauthd and multiple dc levels
dwhite at olp.net
Tue Dec 23 10:52:46 EST 2014
On 12/23/14 16:07 +0100, Willy Offermans wrote:
>On Tue, Dec 23, 2014 at 08:50:07AM -0600, Dan White wrote:
>> On 12/23/14 15:22 +0100, Gabriele Bulfon wrote:
>> >How can I let saslauthd support both configurations?
>> Is the server OpenLDAP? If so, using olcAuthzRegexp would be a far more
>> flexible way to handle this scenario. Within saslauthd's ldap config, use
>> 'ldap_use_sasl' without specifying a search filter or base.
>> Within slapd, your regex rules could perform a subtree search, or a simple
>> string replacement for each domain. See
>> http://www.openldap.org/doc/admin24/sasl.html and slapd-config(5).
>I don't understand how this works.
>ldap_use_sasl in saslauthd.conf tells saslauthd to contact OpenLDAP server
>via sasl protocol directly. Is this correct?
Correct. The ldap backend to saslauthd itself performs sasl authentication.
>And what happens then? How do saslauthd and slapd communicate and how is
The communication between Cyrus IMAP and saslauthd would not change. imapd
would still communicate with saslauthd in the same manner, by submitting a
username and password via the saslauthd mux.
The ldap backend to saslauthd can be configured to perform SASL over LDAP
authentication to slapd (not to be confused with SASL over IMAP
authentication). slapd would simply return a successful bind code back to
the saslauthd backend, which in turn would respond with an 'OK' to cyrus
Using SASL within the LDAP saslauthd backend is a much simpler
(This may require you to configure olcSaslSecProps)
The '-r' option to saslauthd may be necessary, if you're not already using
Use ldapwhoami to test your slapd config:
ldapsearch -Y PLAIN -U jsmith@example.com -H ldap://ldap.example.com \
And if that works, verify your saslauthd configuration with:
testsaslauthd -u jsmith@example.com -p password
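As an added illustration of the olcAuthzRegexp approach Dan describes (this is not from his message or from the OpenLDAP/Cyrus documentation), here is a cn=config LDIF that maps a PLAIN identity into either a per-domain tree or a subtree search. It assumes saslauthd.conf carries only ldap_servers and ldap_use_sasl (no ldap_search_base or ldap_filter), that the trees dc=example,dc=com and dc=example,dc=net with an ou=people under each exist, and that slapd sees the identity as uid=jsmith,cn=example.com,cn=plain,cn=auth; confirm that last form with ldapwhoami before adding any rules, since with no mapping it prints the raw cn=auth DN.

```ldif
# Hypothetical example, applied with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f authz.ldif
# Rules are tried in order; the first regex that matches wins, so the
# specific per-domain rules come before the generic catch-all.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
# Per-domain "string replacement": the realm is fixed in the pattern and the
# uid is dropped straight into that domain's own tree. The password is then
# checked against the userPassword of the mapped entry, so a user from one
# domain can never authenticate as the same uid in the other.
olcAuthzRegexp: {0}uid=([^,]*),cn=example\.com,cn=plain,cn=auth
  uid=$1,ou=people,dc=example,dc=com
olcAuthzRegexp: {1}uid=([^,]*),cn=example\.net,cn=plain,cn=auth
  uid=$1,ou=people,dc=example,dc=net
# Catch-all "subtree search" for any other realm: one search from the top of
# the DIT on the full mail address. The search must return exactly one entry
# or slapd refuses the mapping, which is the behaviour you want for a
# duplicated address across domains.
olcAuthzRegexp: {2}uid=([^,]*),cn=([^,]*),cn=plain,cn=auth
  ldap:///dc=com??sub?(&(objectClass=inetOrgPerson)(mail=$1@$2))
```

After the modify, ldapwhoami -Y PLAIN -U jsmith@example.com should print the mapped entry's DN instead of the cn=auth form, and the testsaslauthd check from Dan's reply should succeed; if saslauthd's ldap backend is set up with PLAIN, keep the saslauthd-to-slapd hop on ldapi:// or StartTLS (saslauthd's ldap_start_tls option) because the password crosses it in the clear.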