I got it working so thanks for clarifying the setup for the ldapdb  
auxprop module. I needed to add an additional authz-regexp option to  
the openldap config to map an email address to its proper ldap entry.  
Once that was added, everything started working. Thanks again for the  

On Wed Feb  5 12:07:58 2014, Dan White <dwh...@olp.net> wrote:
> On 02/05/14 11:15 -0600, Peter Erickson wrote:
>>>> virtdomains: userid
>>>> defaultdomain: example.com
>>> Other than that, your config looks reasonable. Include an 'ldapdb_mech'
>>> option to reduce confusion. sasl_ldapdb_canon_attr may need to be 'uid'
>>> instead, since example.com is the default domain. This command should
>>> succeed, and return the DN of the test user if your config is good:
>> Just to make sure that I'm understanding the options right, is there a
>> good explanation for what sasl_ldapdb_canon_attr does? I'm not quite
>> sure that I understand its purpose.
> sasl_ldapdb_canon_attr will be the resolved identity that sasl hands back
> to cyrus. The identity will be used to find the user's INBOX. Having a
> default domain complicates things a bit (and you may have to experiment. I
> don't define a default domain). Basically, the sasl_ldapdb_canon_attr
> should equal the user portion of their INBOX name. It's handy in scenarios
> where the authentication identity differs from the mailbox name (name
> change, for instance).
>> Based on the following, it's possible that my problem isn't with cyrus
>> imapd/sasl, but a misunderstanding of the ldap proxy authorization
>> process and I need to recheck my ldap config. I'm more accustomed to
>> using ldap filters and a base instead of the proxy authorization.
>> # ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tuser -Z
>> SASL/DIGEST-MD5 authentication started
>> SASL username: u:tuser
>> SASL SSF: 128
>> SASL data security layer installed.
>> dn:cn=test user,o=hosted_domain,ou=hosting,dc=example.com
> This looks good.
>> # ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tu...@example.com -Z
>> SASL/DIGEST-MD5 authentication started
>> ldap_sasl_interactive_bind_s: Insufficient access (50)
>>      additional info: SASL(-14): authorization failure: not authorized
> You may need a different or better authz-regexp rule here, or you may need
> to adjust your authzto/authzfrom rules. See:
> http://www.openldap.org/doc/admin24/sasl.html#SASL Proxy Authorization
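As an added illustration (not code from the thread or from OpenLDAP), the simulator below applies authz-regexp rules the way slapd does when it rewrites the SASL authorization identity given with `-X u:...` into a DN or LDAP search URL, and shows why a rule that only knows bare usernames leaves `u:tuser@example.com` unmatched. The rules, the realm `example.com`, and the mail-attribute mapping are constructed assumptions.

```python
import re

# Constructed authz-regexp rules in slapd.conf order (first match wins).
# slapd matches them against the synthetic authentication DN
# uid=<user>,cn=<realm>,cn=<mech>,cn=auth described in the OpenLDAP admin
# guide; the realm and the mail-based second rule are assumptions.
AUTHZ_REGEXP_RULES = [
    # Bare username -> search the tree for a matching uid.
    (r"^uid=([^,@]+),cn=[^,]+,cn=digest-md5,cn=auth$",
     "ldap:///dc=example,dc=com??sub?(uid=$1)"),
    # Additional rule for user@domain identities -> look the entry up by mail.
    (r"^uid=([^,@]+)@([^,]+),cn=[^,]+,cn=digest-md5,cn=auth$",
     "ldap:///dc=example,dc=com??sub?(mail=$1@$2)"),
]


def authz_id_to_auth_dn(authz_id, mech="digest-md5", realm="example.com"):
    """Turn a "u:<name>" SASL authorization identity into the synthetic DN
    that the authz-regexp rules are run against (realm is an assumption)."""
    if not authz_id.startswith("u:"):
        raise ValueError(f"only u:<name> identities are handled: {authz_id}")
    return f"uid={authz_id[2:]},cn={realm},cn={mech},cn=auth"


def map_identity(authz_id, rules=AUTHZ_REGEXP_RULES):
    """Apply the rules in order and return the rewritten DN or LDAP URL.
    None means no rule matched, which is when slapd answers the bind with
    'Insufficient access ... authorization failure: not authorized'."""
    auth_dn = authz_id_to_auth_dn(authz_id)
    for pattern, replacement in rules:
        match = re.match(pattern, auth_dn)
        if match:
            # OpenLDAP writes back-references as $1..$9; Match.expand wants \1..\9
            return match.expand(re.sub(r"\$(\d)", r"\\\1", replacement))
    return None


if __name__ == "__main__":
    for ident in ("u:tuser", "u:tuser@example.com"):
        print(ident, "->", map_identity(ident))
    # Without the second rule the e-mail style identity is rejected.
    print("uid-only rule:", map_identity("u:tuser@example.com",
                                         rules=AUTHZ_REGEXP_RULES[:1]))
```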

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/