Hi, I'm trying to follow your suggestion.
So, first I changed openldap configuration with "sasl-secprops none" to have plain auth enabled as well.

Running pluginviewer to see the plugins:

Sonicle XStream Server (XStreamOS/illumos) SunOS 5.11 xs_153 Apr 2014
sonicle@www:~$ pluginviewer -m PLAIN
Installed and properly configured auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,       API version: 8
        supports store: yes

Installed and properly configured SASL (server side) mechanisms are:
  SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL OTP CRAM-MD5 PLAIN ANONYMOUS
Available SASL (server side) mechanisms matching your criteria are:
  PLAIN
List of server plugins follows
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION

Installed and properly configured SASL (client side) mechanisms are:
  SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL OTP CRAM-MD5 PLAIN ANONYMOUS
Available SASL (client side) mechanisms matching your criteria are:
  SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL OTP CRAM-MD5 PLAIN ANONYMOUS
List of client plugins follows
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION

Now running a search of SASL mechs:

sonicle@www:~$ ldapsearch -xLLLH 'ldap://localhost/' -s base -b '' 'supportedSASLMechanisms'
dn:
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

Now, try plain auth doing a search of an existing user:

sonicle@www:~$ ldapsearch -Y PLAIN -U test.u...@sonicle.com -H ldap://localhost -W
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy mechs found

Can't find a reason for ldapsearch not finding the plain mech.
Also, slapd has been built with sasl:

sonicle@www:~$ ldd /sonicle/libexec/slapd
        libdb-4.8.so =>  /sonicle/lib/libdb-4.8.so
        libpthread.so.1 =>       /lib/libpthread.so.1
        libsasl2.so.2 =>         /sonicle/lib/libsasl2.so.2
        libdl.so.1 =>    /lib/libdl.so.1
        libssl.so.0.9.8 =>       /lib/libssl.so.0.9.8
        libcrypto.so.0.9.8 =>    /lib/libcrypto.so.0.9.8
        libresolv.so.2 =>        /lib/libresolv.so.2
        libgen.so.1 =>   /lib/libgen.so.1
        libnsl.so.1 =>   /lib/libnsl.so.1
        libsocket.so.1 =>        /lib/libsocket.so.1
        libc.so.1 =>     /lib/libc.so.1
        libgcc_s.so.1 =>         /usr/sfw/lib/libgcc_s.so.1
        libmd.so.1 =>    /lib/libmd.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        libm.so.2 =>     /lib/libm.so.2

Any clue?
Or...any simpler way to let saslauthd do multiple search base takes?...or maybe let it choose the correct search base depending on the number of dc arguments determined?

Thanks for your help!
Gabriele.

----------------------------------------------------------------------------------
From: Dan White
To: Willy Offermans
Cc: Gabriele Bulfon, Raffaele Fullone, info-cyrus@lists.andrew.cmu.edu
Date: 23 December 2014 16:52:46 CET
Subject: Re: saslauthd and multiple dc levels

On 12/23/14 16:07 +0100, Willy Offermans wrote:
> Hello Dan,
>
> On Tue, Dec 23, 2014 at 08:50:07AM -0600, Dan White wrote:
>> On 12/23/14 15:22 +0100, Gabriele Bulfon wrote:
>>> How can I let saslauthd support both configurations?
>>
>> Is the server OpenLDAP? If so, using olcAuthzRegexp would be a far more
>> flexible way to handle this scenario. Within saslauthd's ldap config, use
>> 'ldap_use_sasl' without specifying a search filter or base. Within slapd,
>> your regex rules could perform a subtree search, or a simple string
>> replacement for each domain. See http://www.openldap.org/doc/admin24/sasl.html
>> and slapd-config(5).
>
> I don't understand how this works.
> ldap_use_sasl in saslauthd.conf tells saslauthd to contact OpenLDAP server
> via sasl protocol directly. Is this correct?

Correct. The ldap backend to saslauthd itself performs sasl authentication.

> And what happens then? How do saslauthd and slapd communicate and how is
> authentication performed?

The communication between Cyrus IMAP and saslauthd would not change. imapd
would still communicate with saslauthd in the same manner, by submitting a
username and password via the saslauthd mux.

The ldap backend to saslauthd can be configured to perform SASL over LDAP
authentication to slapd (not to be confused with SASL over IMAP
authentication). slapd would simply return a successful bind code back to
the saslauthd backend, which in turn would respond with an 'OK' to cyrus
IMAP.

Using SASL within the LDAP saslauthd backend is a much simpler
configuration. i.e.:

ldap_servers: ldap://ldap.example.com
ldap_use_sasl: yes
ldap_mech: PLAIN

(This may require you to configure olcSaslSecProps)

The '-r' option to saslauthd may be necessary, if you're not already using
it.

Use ldapwhoami to test your slapd config:

ldapsearch -Y PLAIN -U jsm...@example.com -H ldap://ldap.example.com \
  -W

And if that works, verify your saslauthd configuration with:

testsaslauthd -u jsm...@example.com -p password

--
Dan White
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
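Dan's olcAuthzRegexp suggestion (a string-replacement rule per domain, or a subtree search that covers any number of dc levels) can be checked offline before anything is written to cn=config. The script below is an added example, not code from this thread or from OpenLDAP: it holds a constructed rule set, applies the first-match, $1..$9 substitution that slapd performs to sample authentication request DNs, and renders the rules as an ldapmodify LDIF. It assumes a PLAIN bind arrives as uid=<authcid>,cn=plain,cn=auth, that slapd matches case-insensitively, and uses placeholder domains, bases and objectClass.

```python
import re

# Constructed rule set in olcAuthzRegexp form: (match regex, replacement LDAP URL).
# slapd tries rules in order and uses the first match, substituting $1..$9 with
# the captured groups. Assumed authentication request DN for a PLAIN bind:
#   uid=<authcid>,cn=plain,cn=auth   (assumption; see the OpenLDAP admin guide)
# Domains, bases and objectClass below are placeholders, not the thread's own.
AUTHZ_REGEXP_RULES = [
    # Simple string replacement: a three-level dc tree for one domain.
    (r"^uid=([^,@]+)@mail\.example\.co\.uk,cn=[^,]+,cn=auth$",
     "ldap:///dc=mail,dc=example,dc=co,dc=uk??sub?(&(objectClass=inetOrgPerson)(uid=$1))"),
    # Simple string replacement: a two-level dc tree for another domain.
    (r"^uid=([^,@]+)@example\.com,cn=[^,]+,cn=auth$",
     "ldap:///dc=example,dc=com??sub?(&(objectClass=inetOrgPerson)(uid=$1))"),
    # Fallback: subtree search from the root, keyed on the full mail address,
    # so a domain with any number of dc components still resolves.
    (r"^uid=([^,@]+@[^,]+),cn=[^,]+,cn=auth$",
     "ldap:///??sub?(&(objectClass=inetOrgPerson)(mail=$1))"),
]


def rewrite_authz_dn(auth_dn, rules=AUTHZ_REGEXP_RULES):
    """Return the search URL the first matching rule yields, or None if none matches.

    Extended regex, first match wins; case-insensitive matching is assumed.
    """
    for pattern, replacement in rules:
        m = re.match(pattern, auth_dn, re.IGNORECASE)
        if m:
            # Expand $1..$9 in the replacement URL with the captured groups.
            return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), replacement)
    return None


def to_ldif(rules=AUTHZ_REGEXP_RULES):
    """Render the rules as an ldapmodify LDIF against cn=config, in {n} order."""
    lines = ["dn: cn=config", "changetype: modify", "add: olcAuthzRegexp"]
    for n, (pattern, replacement) in enumerate(rules):
        lines.append(f"olcAuthzRegexp: {{{n}}}{pattern} {replacement}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for dn in ("uid=jsmith@example.com,cn=plain,cn=auth",
               "uid=jsmith@mail.example.co.uk,cn=plain,cn=auth",
               "uid=jsmith@other.org,cn=plain,cn=auth"):
        print(dn, "->", rewrite_authz_dn(dn))
    print(to_ldif())
```

Rule order matters: the most specific per-domain replacements go first and the root subtree search last, otherwise the fallback would swallow every bind.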