Date: Thu, 4 Nov 2004 18:45:19 +0100
From: Ralph Roessner <[EMAIL PROTECTED]>
Subject: Re: using ldap for obtaining group membership information
Cyrus IMAP with LDAP ptloader still uses saslauthd for authentication. But before it does authentication, it uses LDAP to canonify the user name. That is what you are seeing here:
First it binds with admin rights:
Then it changes uid to the user that is being canonified and asks for its own user name. The assumption is that the LDAP server will return the canonical user name. (In LDAPish this reads: execute a "who am i" extended operation with "proxyauthz" control in place).
Note the error 32. This is called LDAP_NO_SUCH_OBJECT and means in this case that the search base ("uid=jon,cn=simple,cn=auth") does not exist. You probably need to adjust the SASL -> uid mapping in the LDAP configuration so that "The user with authcid 'jon' authenticated by the simple mechanism" gets translated to "uid=jon,cn=people,dc=mydomain,dc=com" or whatever your user subtree is called. See the slapd.conf man page, keyword "sasl-regexp".
To summarize: The Cyrus IMAP ptloader does not find your users in the LDAP tree. Neither authentication nor group lookup is even tried.
OK. That makes sense. What confuses me is that I have "ldap_sasl: 0" in imapd.conf, no SASL support in my LDAP server, and "sasl-authz-policy none" in slapd.conf (just for good measure). So why is ptloader trying to do proxyauth at all?
It looks like I am being forced to use SASL and proxyauthz when using ptloader. Is this correct?
Then try turning SASL off: option "ldap_sasl: 0". This may save you the trouble of finding a working "sasl-regexp".
Have done, see below
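The slapd.conf mapping Ralph is pointing at, written out as an added example (it is not taken from either poster's configuration). It assumes the user entries sit under ou=people,dc=mydomain,dc=com with uid as their RDN; the thread only shows ldap_base: dc=mydomain,dc=com, so adjust the subtree to match the real tree.

```text
# slapd.conf (OpenLDAP 2.2 syntax; newer releases spell the directive authz-regexp)
#
# For a simple bind slapd synthesises the authentication DN
#     uid=<authcid>,cn=simple,cn=auth
# which is what ptloader is using as a search base in the error 32 above.
# This rule rewrites it onto the real entry. ou=people is an assumption.
sasl-regexp
    uid=([^,]*),cn=simple,cn=auth
    uid=$1,ou=people,dc=mydomain,dc=com

# Variant when uid is not the RDN: let slapd search for the entry instead.
# The URL must match exactly one entry, otherwise the mapping fails.
# Only one of the two rules should be active for the same pattern;
# slapd applies the first rule that matches.
#sasl-regexp
#    uid=([^,]*),cn=simple,cn=auth
#    ldap:///dc=mydomain,dc=com??sub?(uid=$1)
```

Restart slapd after the change; the rewritten DN must exist and must be readable by the identity Cyrus binds as, or the same error 32 comes back.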
Date: Thu, 4 Nov 2004 13:46:50 -0500 (EST)
From: Igor Brezac <[EMAIL PROTECTED]>
Subject: Re: using ldap for obtaining group membership information
Show us your config and I can help you from there. There are quite a few ways you can configure ptloader.
######## imapd.conf ############
configdirectory: /var/imap
partition-default: /home/cyrus/mail
admins: cyradmin
plaintextloginpause: 0
sieveusehomedir: false
sievedir: /home/cyrus/sieve

# authentication: passwords are checked by saslauthd, not by Cyrus itself
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain login
allowplaintext: 0

# ptloader: user canonification and group membership via LDAP
ptloader_sock: /var/imap/ptclient/ptsock
ldap_base: dc=mydomain,dc=com
ldap_deref: never
lmtp_downcase_rcpt: 1
# LDAP filters must be fully parenthesised: the outer (& ... ) needs both brackets
ldap_filter: "(&(objectclass=inetOrgPerson)(uid=%u))"
ldap_group_base: "ou=groups,dc=mydomain,dc=com"
ldap_group_filter: "(&(objectclass=posixGroup)(cn=%u))"
ldap_group_scope: sub
ldap_member_base: "ou=groups,dc=mydomain,dc=com"
ldap_member_attribute: memberUid
ldap_member_method: attribute
ldap_member_scope: sub
ldap_bind_dn: cn=Manager,dc=mydomain,dc=com
ldap_password: p
ldap_uri: ldap://localhost/
ldap_sasl: 0
ldap_authz: 0

tls_cert_file: /var/imap/server.pem
tls_key_file: /var/imap/server.pem
###### cyrus.conf ############
START {
  recover cmd="ctl_cyrusdb -r"
}

SERVICES {
  imap     cmd="imapd" listen="imap" prefork=0
  imaps    cmd="imapd -s" listen="imaps" prefork=0
  pop3     cmd="pop3d" listen="pop3" prefork=0
  pop3s    cmd="pop3d -s" listen="pop3s" prefork=0
  lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
  ptloader cmd="ptloader" listen="/var/imap/ptclient/ptsock" prefork=1
}

EVENTS {
  checkpoint cmd="ctl_cyrusdb -c" period=30
  delprune   cmd="cyr_expire -E 3" at=0400
  tlsprune   cmd="tls_prune" at=0400
}
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html