imapd + sasl + ldapdb problems

Peter Erickson redlamb19 at gmail.com
Tue Feb 4 21:15:29 EST 2014


I'm trying to configure imapd to authenticate against an ldap  
directory using ldapdb and am running into problems. I provide hosting  
services (i.e. ftp, svn, mail, etc) for several people where user  
account information is stored in an openldap directory. In addition to  
having a username/password, each user also has a primary email account  
and a list of services that they are authorized to use. I've got  
authentication working using a user's uid, but I need to change  
this so that users are only allowed access using their email address.  
I believe I need this to happen as well since I'm using the Cyrus  
virtdomains option. Once that is done, I'll attempt to restrict access  
based on the existence of the proper "authorizedService" attribute.

In hopes of requiring users to log in using their email address I set  
sasl_ldapdb_canon_attr, however that resulted in the following syslog  
messages (these same messages occur if I comment out the canonuser_attr  
options in imapd.conf as well):
imtest: ldapdb_canonuser_plug_init() failed in  
sasl_canonuser_add_plugin(): invalid parameter supplied
imap[16385]: SQL engine 'mysql' not supported
imap[16385]: auxpropfunc error no mechanism available
imap[16385]: unable to canonify user and get auxprops
imap[16385]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-1):  
generic failure: unable to canonify user and get auxprops]

I tracked down the ldapdb_canonuser_plug_init() error to  
ldapdb_config(). When the "ldapdb_uri" option is read, it apparently  
returns a null string reference which results in the SASL_BADPARAM  
being returned. Unfortunately, not fully understanding the SASL  
package, I'm not really sure where to go from here nor do I know if  
this will even solve my problem if it returns successfully.

Any help in configuring this would be greatly appreciated.


imapd.conf:
configdirectory: /var/cyrus/config
partition-default: /var/cyrus/spool
admin: cyrusadmin
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://localhost
sasl_ldapdb_id: imapd-user
sasl_ldapdb_pw: password
sasl_canon_user_plugin: ldapdb
sasl_ldapdb_canon_attr: mail
sasl_mech_list: cram-md5 digest-md5
virtdomains: userid
defaultdomain: example.com

example ldap entry:
dn: cn=test user,o=hosted_domain,ou=hosting,dc=example.com
objectclass: top
objectclass: inetOrgPerson
objectclass: authorizedServiceObject
cn: test user
sn: user
uid: tuser
mail: tuser@example.com
userPassword: password
authorizedService: mail
authorizedService: svn

-- 
Peter Erickson
redlamb19 at gmail.com
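As an added illustration (not part of the post, and not Cyrus or SASL code): the policy the post is working towards, login by e-mail address only and access only when authorizedService lists the service, written as a small check over the sample LDAP entry. The LDIF parser and the function names are assumptions for this example.

```python
"""Model the access policy described in the post: a user must log in with
the value of the canonical attribute (mail, not uid) and the entry must carry
authorizedService: <service>. Added example, not Cyrus/SASL code."""
import base64

# Constructed sample: the entry from the post, with '@' restored. Not read
# from a live directory; a real check would ldapsearch the bind result.
SAMPLE_LDIF = """dn: cn=test user,o=hosted_domain,ou=hosting,dc=example.com
objectclass: top
objectclass: inetOrgPerson
objectclass: authorizedServiceObject
cn: test user
sn: user
uid: tuser
mail: tuser@example.com
userPassword: password
authorizedService: mail
authorizedService: svn
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}.
    Handles multi-valued attributes, '::' base64 values and folded
    continuation lines (a leading space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of previous line
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            continue                      # not an attribute line
        if value.startswith(":"):         # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def may_use_service(entry, login, service, canon_attr="mail"):
    """Return (allowed, reason). The login must equal one of the entry's
    canon_attr values (case-insensitive, as mail addresses usually are)
    and the entry must list the requested service in authorizedService."""
    canon = [v.lower() for v in entry.get(canon_attr, [])]
    if login.lower() not in canon:
        return False, "login is not this user's %s attribute" % canon_attr
    if service not in entry.get("authorizedservice", []):
        return False, "authorizedService does not include %r" % service
    return True, "ok"
```

Running it against the sample shows the three outcomes the post wants: tuser@example.com/mail is allowed, the bare uid tuser is refused, and a service not listed (ftp) is refused.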

