imapd + sasl + ldapdb problems

Dan White dwhite at olp.net
Wed Feb 5 13:07:58 EST 2014


On 02/05/14 11:15 -0600, Peter Erickson wrote:
>> >virtdomains: userid
>> >defaultdomain: example.com
>>
>> Other than that, your config looks reasonable. Include an 'ldapdb_mech'
>> option to reduce confusion. sasl_ldapdb_canon_attr may need to be 'uid'
>> instead, since example.com is the default domain. This command should
>> succeed, and return the DN of the test user if your config is good:
>
>Just to make sure that I'm understanding the options right, is there a
>good explanation for what sasl_ldapdb_canon_attr does? I'm not quite
>sure that I understand its purpose.

sasl_ldapdb_canon_attr will be the resolved identity that sasl hands back
to cyrus. The identity will be used to find the user's INBOX. Having a
default domain complicates things a bit (and you may have to experiment; I
don't define a default domain). Basically, the sasl_ldapdb_canon_attr
should equal the user portion of their INBOX name. It's handy in scenarios
where the authentication identity differs from the mailbox name (a name
change, for instance).

>Based on the following, it's possible that my problem isn't with cyrus
>imapd/sasl, but a misunderstanding of the ldap proxy authorization
>process, and I need to recheck my ldap config. I'm more accustomed to
>using ldap filters and a base instead of the proxy authorization.
>
># ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tuser -Z
>SASL/DIGEST-MD5 authentication started
>SASL username: u:tuser
>SASL SSF: 128
>SASL data security layer installed.
>dn:cn=test user,o=hosted_domain,ou=hosting,dc=example.com

This looks good.

># ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tuser@example.com -Z
>SASL/DIGEST-MD5 authentication started
>ldap_sasl_interactive_bind_s: Insufficient access (50)
>	additional info: SASL(-14): authorization failure: not authorized

You may need a different or better authz-regexp rule here, or you may need
to adjust your authzto/authzfrom rules. See:

http://www.openldap.org/doc/admin24/sasl.html#SASL Proxy Authorization

-- 
Dan White

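The failing second ldapwhoami above is what you get when the authz-regexp rules on the slapd side match the bare `u:tuser` form but not the `u:tuser@example.com` form. The following is an added example (not from the post above, and not OpenLDAP's own code) that models how slapd evaluates authz-regexp: the authorization identity is first rendered as `uid=<user>,cn=<realm>,cn=<mech>,cn=auth` (the cn=<realm> component only present when a realm was given), then the rules are tried in order and the first match wins, with $1..$9 in the replacement filled from the capture groups. The rule strings, the `ou=hosting,dc=example,dc=com` base and the `mail` attribute are constructed for the example, and the exact string slapd builds for a `u:user@realm` authzid is an assumption based on the admin guide's mapping section rather than something verified against the server.

```python
import re

# Assumption: slapd presents a SASL authentication or authorization identity
# to authz-regexp as  uid=<user>,cn=<realm>,cn=<mech>,cn=auth  and omits the
# cn=<realm> component when no realm was supplied.  The u:user@realm split
# below is this example's reading of that rule, not verified slapd behaviour.
def sasl_authz_string(authzid: str, mech: str = "digest-md5") -> str:
    """Render a u:<user>[@<realm>] or dn:<dn> authzid as the string slapd matches rules against."""
    if authzid.startswith("dn:"):
        return authzid[3:]
    if not authzid.startswith("u:"):
        raise ValueError("authzid must be u:<user> or dn:<dn>")
    user, _, realm = authzid[2:].partition("@")
    parts = [f"uid={user}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts)


def apply_authz_regexp(rules, identity: str):
    """Evaluate authz-regexp rules the way slapd does: rules are tried in
    order, matching is case-insensitive (slapd compiles them with REG_ICASE),
    the first match wins, and $N in the replacement is the Nth capture group.
    Returns the rewritten identity (a DN or an ldap:/// search URL), or None
    when nothing matches.  An unmatched identity is left as the raw
    uid=...,cn=auth string, which names no entry, hence 'not authorized'."""
    for pattern, replacement in rules:
        m = re.search(pattern, identity, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


# Constructed rule sets.  The regexes are anchored with ^...$ as the admin
# guide's examples are; an unanchored rule would also match substrings.

# Rule set 1: handles only identities without a realm component.
RULES_NO_REALM = [
    (r"^uid=([^,]+),cn=digest-md5,cn=auth$",
     "ldap:///ou=hosting,dc=example,dc=com??sub?(uid=$1)"),
]

# Rule set 2: adds a rule for identities that carry a realm, so that
# u:tuser@example.com can be resolved against the same tree (here via a
# constructed mail attribute built from both captures).
RULES_WITH_REALM = RULES_NO_REALM + [
    (r"^uid=([^,]+),cn=([^,]+),cn=digest-md5,cn=auth$",
     "ldap:///ou=hosting,dc=example,dc=com??sub?(&(uid=$1)(mail=$1@$2))"),
]


def check(rules, authzid: str):
    """Map an authzid through a rule set; None reproduces the 'not authorized' case."""
    return apply_authz_regexp(rules, sasl_authz_string(authzid))


if __name__ == "__main__":
    for name, rules in (("without realm rule", RULES_NO_REALM),
                        ("with realm rule", RULES_WITH_REALM)):
        for authzid in ("u:tuser", "u:tuser@example.com"):
            print(f"{name:20s} {authzid:24s} -> {check(rules, authzid)}")
```

Running it shows `u:tuser` resolving under both rule sets while `u:tuser@example.com` resolves only once the second rule exists. Note that a matching authz-regexp is only half of proxy authorization: the rewritten identity still has to be permitted by the authz-policy in force, i.e. an authzTo value on the binding imapd-user entry or an authzFrom value on the target entry, which this example does not model. With the `-X u:...` form, check both the regexp output and those attributes when ldapwhoami reports "not authorized".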

More information about the Info-cyrus mailing list