imapd + sasl + ldapdb problems

Peter Erickson redlamb19 at gmail.com
Thu Feb 6 21:50:32 EST 2014


I got it working, so thanks for clarifying the setup for the ldapdb
auxprop module. I needed to add an additional authz-regexp option to
the openldap config to map an email address to its proper ldap entry.
Once that was added, everything started working. Thanks again for the
help.

On Wed Feb  5 12:07:58 2014, Dan White <dwhite at olp.net> wrote:
> On 02/05/14 11:15 -0600, Peter Erickson wrote:
>>>> virtdomains: userid
>>>> defaultdomain: example.com
>>>
>>> Other than that, your config looks reasonable. Include an 'ldapdb_mech'
>>> option to reduce confusion. sasl_ldapdb_canon_attr may need to be 'uid'
>>> instead, since example.com is the default domain. This command should
>>> succeed, and return the DN of the test user if your config is good:
>>
>> Just to make sure that I'm understanding the options right, is there a
>> good explanation for what sasl_ldapdb_canon_attr does? I'm not quite
>> sure that I understand its purpose.
>
> sasl_ldapdb_canon_attr will be the resolved identity that sasl hands back
> to cyrus. The identity will be used to find the user's INBOX. Having a
> default domain complicates things a bit (and you may have to experiment. I
> don't define a default domain). Basically, the sasl_ldapdb_canon_attr
> should equal the user portion of their INBOX name. It's handy in scenarios
> where the authentication identity differs from the mailbox name (name
> change, for instance).
>
>> Based on the following, it's possible that my problem isn't with cyrus
>> imapd/sasl, but a misunderstanding of the ldap proxy authorization
>> process and I need to recheck my ldap config. I'm more accustomed to
>> using ldap filters and a base instead of the proxy authorization.
>>
>> # ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tuser -Z
>> SASL/DIGEST-MD5 authentication started
>> SASL username: u:tuser
>> SASL SSF: 128
>> SASL data security layer installed.
>> dn:cn=test user,o=hosted_domain,ou=hosting,dc=example.com
>
> This looks good.
>
>> # ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tuser@example.com -Z
>> SASL/DIGEST-MD5 authentication started
>> ldap_sasl_interactive_bind_s: Insufficient access (50)
>> 	additional info: SASL(-14): authorization failure: not authorized
>
> You may need a different or better authz-regexp rule here, or you may need
> to adjust your authzto/authzfrom rules. See:
>
> http://www.openldap.org/doc/admin24/sasl.html#SASL Proxy Authorization
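
The thread turns on how slapd rewrites a SASL authorization identity through its authz-regexp rules: a rule that only matches a bare username leaves `u:tuser@example.com` unmapped, which is why the second ldapwhoami call above fails with "not authorized" until an extra rule is added. The script below is an added illustration, not configuration from Peter's or Dan's setup. It models the rewrite step offline so the two rule sets can be compared: per the OpenLDAP admin guide, a `u:<user>` authzid is first turned into the synthetic DN `uid=<user>[,cn=<realm>],cn=<mech>,cn=auth`, then the authz-regexp rules are tried in order and the first match wins. The two rules, the search base (taken from the DN printed in the thread) and the `mail` attribute used for the email form are assumptions; slapd's own regex engine is POSIX extended, which Python's `re` approximates closely enough for patterns like these.

```python
import re

# Constructed authz-regexp rules in slapd.conf "authz-regexp <match> <replace>" form.
# Rule 1 handles a bare username; rule 2 is the kind of additional rule the post
# describes for the user@domain form. Base DN and attributes are assumptions.
AUTHZ_RULES = [
    (r"^uid=([^,@]+),cn=digest-md5,cn=auth$",
     "ldap:///ou=hosting,dc=example.com??sub?(uid=$1)"),
    (r"^uid=([^,@]+)@([^,]+),cn=digest-md5,cn=auth$",
     "ldap:///ou=hosting,dc=example.com??sub?(mail=$1@$2)"),
]


def sasl_authz_dn(authzid, mech="digest-md5", realm=None):
    """Build the synthetic DN that slapd matches authz-regexp rules against.

    Only the 'u:<user>' authzid form is modelled. The cn=<realm> component is
    present only when a SASL realm is in effect (none in the thread's commands).
    """
    if not authzid.startswith("u:"):
        raise ValueError("only u:<user> authorization identities are modelled here")
    parts = [f"uid={authzid[2:]}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts)


def resolve_authz(authzid, rules=AUTHZ_RULES, mech="digest-md5", realm=None):
    """Apply the rules in order; the first match wins, as slapd does.

    Returns the rewritten DN or LDAP search URL, or None when no rule matches
    (which is the situation behind the 'not authorized' error in the thread).
    """
    synthetic_dn = sasl_authz_dn(authzid, mech, realm)
    for pattern, template in rules:
        m = re.fullmatch(pattern, synthetic_dn, flags=re.IGNORECASE)
        if m:
            # slapd uses $1, $2 ... for captured groups; re.Match.expand wants \1, \2 ...
            return m.expand(template.replace("$", "\\"))
    return None


def slapd_conf_lines(rules=AUTHZ_RULES):
    """Render the rules as slapd.conf directives for review."""
    return [f"authz-regexp\n  {pattern}\n  {template}" for pattern, template in rules]


if __name__ == "__main__":
    print("\n".join(slapd_conf_lines()))
    print()
    # With only the bare-username rule, the email form maps to nothing.
    print("u:tuser             ->", resolve_authz("u:tuser", AUTHZ_RULES[:1]))
    print("u:tuser@example.com ->", resolve_authz("u:tuser@example.com", AUTHZ_RULES[:1]))
    # With the additional rule in place, both forms resolve.
    print("u:tuser@example.com ->", resolve_authz("u:tuser@example.com"))
```

Run it to see that `u:tuser@example.com` resolves to `None` under the single-rule set and to a search URL under the two-rule set. Whatever the rule produces still has to resolve to exactly one entry, and the binding identity (here `imapd-user`) still needs an authzTo or authzFrom rule permitting the assumption, so a matching regexp is necessary but not sufficient. Keep the bare-username rule's character class free of `@` so it cannot accidentally swallow an email-form identity.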
