imapd + sasl + ldapdb problems
Peter Erickson
redlamb19 at gmail.com
Tue Feb 4 21:15:29 EST 2014
I'm trying to configure imapd to authenticate against an ldap
directory using ldapdb and am running into problems. I provide hosting
services (i.e. ftp, svn, mail, etc.) for several people where user
account information is stored in an openldap directory. In addition to
having a username/password, each user also has a primary email account
and a list of services that they are authorized to use. I've got
authentication working using a user's uid, but I need to change
this so that users are only allowed access using their email address.
I believe I need this to happen as well since I'm using Cyrus'
virtdomains option. Once that is done, I'll attempt to restrict access
based on the existence of the proper "authorizedService" attribute.
In hopes of requiring users to log in using their email address I set
sasl_ldapdb_canon_attr, however that resulted in the following syslog
messages (these same messages occur if I comment out the canonuser_attr
options in imapd.conf as well):
imtest: ldapdb_canonuser_plug_init() failed in
sasl_canonuser_add_plugin(): invalid parameter supplied
imap[16385]: SQL engine 'mysql' not supported
imap[16385]: auxpropfunc error no mechanism available
imap[16385]: unable to canonify user and get auxprops
imap[16385]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-1):
generic failure: unable to canonify user and get auxprops]
I tracked down the ldapdb_canonuser_plug_init() error to
ldapdb_config(). When the "ldapdb_uri" option is read, it apparently
returns a null string reference which results in the SASL_BADPARAM
being returned. Unfortunately, not fully understanding the SASL
package, I'm not really sure where to go from here nor do I know if
this will even solve my problem if it returns successfully.
Any help in configuring this would be greatly appreciated.
imapd.conf:
configdirectory: /var/cyrus/config
partition-default: /var/cyrus/spool
admin: cyrusadmin
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldaps://localhost
sasl_ldapdb_id: imapd-user
sasl_ldapdb_pw: password
sasl_canon_user_plugin: ldapdb
sasl_ldapdb_canon_attr: mail
sasl_mech_list: cram-md5 digest-md5
virtdomains: userid
defaultdomain: example.com
example ldap entry:
dn: cn=test user,o=hosted_domain,ou=hosting,dc=example.com
objectclass: top
objectclass: inetOrgPerson
objectclass: authorizedServiceObject
cn: test user
sn: user
uid: tuser
mail: tuser at example.com
userPassword: password
authorizedService: mail
authorizedService: svn
--
Peter Erickson
redlamb19 at gmail.com
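The two policies the post is working toward (accept only the email address as the login, canonicalized through the entry's mail attribute, and then admit only users whose entry carries authorizedService: mail) can be sketched outside of SASL to make the expected behaviour concrete. The following is an added example in Python against a constructed in-memory directory; it is not Cyrus or Cyrus SASL code, and the names parse_ldif, canonify, authorize and the second "svn only" entry are assumptions made for the illustration.

```python
"""Added example (not Cyrus/SASL code): canonicalize a login by the
'mail' attribute and gate access on 'authorizedService', against a
constructed in-memory directory parsed from LDIF text."""
import hmac
from typing import Dict, List, Optional

# Constructed LDIF modelled on the entry in the post, plus a second
# user who is authorized for svn but not for mail (assumed test data).
SAMPLE_LDIF = """\
dn: cn=test user,o=hosted_domain,ou=hosting,dc=example.com
objectclass: top
objectclass: inetOrgPerson
objectclass: authorizedServiceObject
cn: test user
sn: user
uid: tuser
mail: tuser@example.com
userPassword: password
authorizedService: mail
authorizedService: svn

dn: cn=svn only,o=hosted_domain,ou=hosting,dc=example.com
objectclass: inetOrgPerson
objectclass: authorizedServiceObject
cn: svn only
sn: only
uid: svnonly
mail: svnonly@example.com
userPassword: password
authorizedService: svn
"""

Entry = Dict[str, List[str]]  # attribute name (lower-cased) -> values


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank line separates entries, 'attr: value'
    lines accumulate multi-valued attributes. Base64 ('::') values and
    line continuations are not handled; enough for the sample above."""
    entries: List[Entry] = []
    current: Entry = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def canonify(directory: List[Entry], login: str,
             canon_attr: str = "mail") -> Optional[Entry]:
    """Mirror what sasl_ldapdb_canon_attr asks for: the login must match
    canon_attr exactly (case-insensitively). A uid-style login such as
    'tuser' therefore no longer resolves. Exactly one match is required,
    so an ambiguous directory also fails closed."""
    wanted = login.lower()
    matches = [e for e in directory
               if wanted in (v.lower() for v in e.get(canon_attr, []))]
    return matches[0] if len(matches) == 1 else None


def authorize(directory: List[Entry], login: str, password: str,
              service: str = "mail") -> bool:
    """Canonify, verify the (plaintext, as in the post) password with a
    constant-time compare, then require authorizedService == service."""
    entry = canonify(directory, login)
    if entry is None:
        return False
    stored = entry.get("userpassword", [])
    if not any(hmac.compare_digest(p.encode(), password.encode()) for p in stored):
        return False
    return service in entry.get("authorizedservice", [])


DIRECTORY = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for login, svc in [("tuser@example.com", "mail"), ("tuser", "mail"),
                       ("svnonly@example.com", "mail"),
                       ("svnonly@example.com", "svn")]:
        print(f"{login:22s} {svc:5s} -> {authorize(DIRECTORY, login, 'password', svc)}")
```

Running the block prints one line per case: the email login with authorizedService: mail is accepted, the bare uid is refused because it does not match the mail attribute, and the svn-only user is refused for mail but accepted for svn.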